Recent Discussions
Exclusion of Microsoft Edge Browser from Conditional Access Policies does not work
Hi, we've built a Conditional Access Policy in EntraID that forces MFA for all Cloud Apps. We want to exclude Microsoft Edge Browser so no Reauthentication is necessary for MS Edge Browser. Exclusion has been made for the "Microsoft Edge" application with the following App ID: ecd6b820-32c2-49b6-98a6-444530e5a77a However, reauthentication still pops up. No other conditional access policy is applied. It's this specific policy that requires reauthentication. What's the reason why the exclusion does not work? Is there something else necessary to be taken into consideration so the exclusion works fine? Many thanks in advance!
Microsoft Entra Connect connecting always to old DC
We are planning on demoting old DC server. When doing checkups I noticed that Entra Connect keeps connecting to this specific DC we'ew planning to demote everytime it connect to Active Directory. So now I'm wondering does this need any additional configuration to keep sync working after DC Demote. I found out that there is option to "Only use preferred domain controllers" but I'm not sure if that's what I want do do. There were the red line is is the old DC to be demoted. "Only use preferred domain controllers" setting. If I enable this setting I got this kind of notice. I don't feel like this is the right way to do it so I canceled at this point.
Restrict access to Microsoft Entra admin center
Hi, I know that setting this to Yes isn't considered a Security measure by Microsoft, but I really think that they need to rethink this and give a better warning Entra>Users>User Settings>Restrict access to Microsoft Entra admin center If this is left to, No, which is the default, then any user (Admin or Standard User) is able to access Entra, and for certain things this may be required, but it leaves a huge door open as well for the egress of data. For example, a Standard user can access Entra, select Users and or Devices from the left hand side and export a .csv file with all devices listed and or all Users in the estate listed with a lot of other information in this as well that is included in the exported file. Is there another way to allow users access to the portal to manage Groups or Apps that they are an Owner on (which is one of the reasons that I see for allowing any user to access the portal) but also to dramatically reduce the risk to the business for users also being able to see a lot of other information in Entra that we would not wish users to be able to see or indeed interact with, such as downloading a file of all Devices and Users in the estate.👉 Microsoft Entra in Action: From Conditional Access to Identity Protection
One of the areas I’m most passionate about is identity-driven security. Microsoft Entra makes it possible to apply Zero Trust principles directly at the identity layer. ⚡ Conditional Access – the backbone of modern access policies. 👤 Privileged Identity Management (PIM) – ensuring just-in-time, least privilege for admins. 🛡️ Identity Protection – risk-based policies to stop compromised sign-ins in real time. In my labs, I’ve seen how these features transform security posture without adding friction for users. Coming soon: - Step-by-step breakdown of a risky user detection scenario. - A visual guide to Conditional Access controls for critical apps. Would love to exchange insights with others experimenting in this space — what Entra features are you finding most impactful? #MicrosoftEntra | #ConditionalAccess | #IdentityProtection | #MicrosoftLearn | #PerparimLabs
The salt sizes required for signing with RSAPSS do not match those used by TPM.
Good evening everyone. I'm getting this error when I try to perform the first sync on my Windows Server 2022. I'm trying to sync the entire directory to manage my employees' licenses. I already have a tenant with users who can stay there without any problems. I had already synced the tenant with my old server in the past. For business reasons, the infrastructure has changed, and so has the server. In Entra ID, I don't see any old syncs, but in Admin Center, I do. Could this be the problem? Any advice is invaluable, as I'm at my wits' end.
Unable to add Azure Virtual Desktop Client Enterprise App to Conditional Access
We currently use conditional access to allow certain contractors to sign into VMs, and from these VMs, access other MS Apps. Currently we block all applications from outside the VM ip range, but exclude the Virtual desktop applications to allow the users to do the initial signin to the VM. When contractors are using the Virtual Desktop app, it seems to work ok. However, recently when signing in via the browser only and launching from there, the conditional access rule is blocking them as the application ID isn't in the exclude list, and we are unable to add it: a85cf173-4192-42f8-81fa-777a763e6e2c The documentation: https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa?tabs=avd shows that web signins may originate from this application ID, but without the ability to add this to the exclusion apps, we cannot find another workaround that allows access via the browser. I also tried adding this app in to the policy via GraphAPI, but I get an error saying that this first party application isn't allowed. I need to know if there is another workaround or if Microsoft are planning to add this to the CA compatibility list? I'm not sure why some of the Virtual desktop apps are there but this one is not.
Invite external user - error 'Primary SMTP address is an invalid value'
I'm using Entra Id to invite external users to my domain. Their email is of form: mailto:email address removed for privacy reasons Sending the invite generates the error: There is no error if I send an invitation to the same domain without the '+' sign, so I assume this is causing an issue with Entra Id. Is there a workaround for this?
Windows Authentication for Entra ID for SQL MI
Hi Team, I recently come across a use case where we have to use Windows Authentication for Entra ID for SQL MI. My question is based on Microsoft documentation https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-setup?view=azuresql There are two options. Options 1 Modern interactive flow Options 2 Incoming trust-based flow Proceeding with Option 2 (Incoming trust-based flow) the authentication flow works some as the following Step Action From To Network Connection 1 Initiate Connection Client (Windows Server 2016) - - 2 Request Kerberos TGT Client Domain Controller (Windows 2012) On-premises network 3 Issue TGT Domain Controller Client On-premises network 4 Request Service Ticket via Kerberos Proxy Client Microsoft Entra ID (via proxy) ExpressRoute (Microsoft peering) 5 Issue Service Ticket Microsoft Entra ID Client ExpressRoute (Microsoft peering) 6 Submit Service Ticket Client Azure SQL Managed Instance ExpressRoute (private peering) 7 Validate Ticket and Exchange for Token Azure SQL Managed Instance Microsoft Entra ID Azure internal network 8 Authenticate User and Grant Access Azure SQL Managed Instance Client ExpressRoute (private peering) If above is correct. Can anyone confirm we have to synchronize service accounts and users to Entra IS that are used by applications? Does the client (running application ot SQL management studio) require access to Entra ID or it will be requested by on-premises AD on behalf of application server Many Thanks !
External ID login page not showing identity providers
I am trying to create a login flow using an custom OIDC identity provider, but the login page is just showing a prompt for email and password without a way to log in using the external identity provider. I have configured the identity provider in Entra, and created a new user flow that should include the identity provider. Additionally, when an application is added to the user flow, any login using that application shows an error saying "We couldn't find an account with this email address" when trying to log in with a user that was working previously. I'm not sure if this is related to the missing identity provider or not. Is there a way to fix this? Any help is appreciated!Sign In Error 90072 with On Prem Accounts - How to mitigate?
We receive weekly reports from one of our security vendors regarding login failures across our environment. As of recent, we've noticed a spike in interactive login failures, particularly with Microsoft services. The application that produces many of these logs is Microsoft Office. Upon investigation, we've determined that many of these sign ins procure error code 90072 with the following error message: "User account '{user}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{application}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account" As a disclaimer, I did not edit this message to insert the unfilled variables in brackets - that's how the error message appears in our Entra portal. We currently run a hybrid environment, and all of the users with high volumes of failed sign ins with the given error code and message are on-prem accounts. These logs produce a lot of noise that we would rather not have polluting our reports. Do you have any information we can use to help remediate this issue?Shape the future of our communities! Take this survey to share your practitioner insights. 💡 ✏️ 🔓
This brief survey explores your experiences and preferences in professional identity and network security communities. Your feedback will help shape our team's approach to future community resources and engagement opportunities. Take the survey here! For any questions about this survey, please contact dansantos@microsoft.com. Privacy Statement: https://go.microsoft.com/fwlink/?LinkId=521839
Help with Expression
I am trying to build an expression in the cloud sync config. I'm writing entra groups back on prem and I want to send them to different OUs based on the displayName as per this example: Under Target container select Edit attribute mapping. Change Mapping type to Expression. In the expression box, enter: Switch([displayName],"OU=Groups,DC=contoso,DC=com","Marketing","OU=Marketing,DC=contoso,DC=com","Sales","OU=Sales,DC=contoso,DC=com") Change the Default value to be OU=Groups,DC=contoso,DC=com. Problem with that approach is Id have to have a switch statement for every single displayName! what Id really like to do is direct my groups to an OU based the the first few sections of the display name. So my groups would be named "APP-APPNAME-USERS" for example and Id want the APPNAME section to be used in the switch function to send the groups to their respective OUs. The documentation says I can use nested expressions, so I have been trying to SPLIT the displayName in the switch expression but it isnt working at all. Switch(Item(Split([displayName], "-"), 1), "APP1", "OU=APP1,OU=Application,OU=Groups,DC=contoso,DC=net", "APP2", "OU=APP2,OU=Application,OU=Groups,DC=contoso,DC=net", "APP3", "OU=APP3,OU=Application,OU=Groups,DC=contoso,DC=net", "OU=Application,OU=Groups,DC=contoso,DC=net") Is anyone able to help with this?Cloud-First Attribute Ownership for Synced Users in Entra ID Is Not Supported
📝 Description As an enterprise architect working to modernize identity provisioning, I’ve encountered a major limitation in Microsoft Entra ID’s hybrid identity model. While Microsoft promotes a cloud-first strategy, the current architecture forces reliance on on-premises Active Directory for attribute ownership when users are synced via Entra Connect. Key issues: Directory extension attributes, even when created in the cloud, are read-only for synced users. Custom security attributes are not queryable and cannot be used in dynamic groups or claims. There is no supported mechanism to allow cloud apps (e.g., Workday provisioning) to own or update specific attributes for synced users. Breaking sync to convert users to cloud-only is disruptive and not scalable for large enterprises. This creates a conflict between cloud-first provisioning goals and technical limitations, making it difficult to fully transition away from on-prem AD. ✅ Requested Improvements Attribute-Level Ownership Delegation Allow cloud apps to own and update specific attributes for synced users, even if the user is still managed by AD. Writable Directory Extensions for Synced Users Enable Graph API write access to cloud-created directory extensions for hybrid users. Dynamic Query Support for Custom Security Attributes Make custom security attributes usable in dynamic groups, claims, and app filtering. Clear Guidance and Tooling for Cloud-First Identity Models Provide supported patterns and tools for transitioning identity provisioning and attribute management to the cloud. 🙏 Why This Matters Organizations are actively trying to reduce reliance on legacy infrastructure and embrace cloud-first identity. The current limitations in Entra ID make this transition unnecessarily complex and inconsistent with Microsoft’s cloud-first messaging. ---copiloted response for sure after many days of trying to work a solution that does not create more tech debt...Services I had no understanding of being used against me.
First of all, I want to apologize for the lack of technical knowledge, I was backed into a corner by a complete lockout of all my accounts and devices as a result of individuals using Azure resources and a Microsoft 365 admin account. They put the Azure services into play in early 2022 and were using an old Android to access my accounts and lock me out by changing passwords. This situation is unique because it was a homeless couple (Or so I thought) that I opened my home to in late 2021. When I had lost access to all my accounts that had been mine for over a decade I tried moving on and creating new accounts. I was creating a recovery email account for my new primary email and fell asleep before I finished. I woke to discover it had been completed, and the password was set. When unsuccessful with the .aspx recovery form I wrote it off because the account was new and I did not believe it was a danger. Maybe I finished setting it up as I drifted off and forgot. A few weeks later I was still having issues with unauthorized access to my new primary email, and when investigating noticed the email I never had access to had been assigned as admin over my Microsoft 365 apps. I tried for a month to address the issue and failed. I was fine with not being able to recover the account but if it was not mine it had no business being admin over my personal accounts. I had also discovered the people in my home running a scam on Azure using my credentials from another account, and I reported this to Microsoft. There are a lot of factors that go into this and in 2022 I had zero understanding of all of it. Only when I found myself completely locked out of everything with my personal accounts being used to request and receive an EIN from the IRS, and file a fraudulent business return, and more did I really begin troubleshooting to determine the best course of action. I was still not receiving the escalation I had requested in early 2022, and things had gone beyond too far so I created a business profile to gain an understanding of Azure services, roles and permissions, and more. Now granted when this began in September of 2024, I still had zero IT experience, admin experience or developer experience. I am still a novice at these at best in my opinion, but I have been combatting those with advanced system knowledge and developer skills the entire time. I found developer portals that had been set up using my credentials with anything associated to me. HP for my PCs, Microsoft, Google Cloud, Norton, and more. I would be directed to update drivers with HP to a site that must have been some developer's sandbox because eventually Norton flagged all HP sites as malicious. My passwords were being scraped out of my Norton Password Vault and more. This has all been quite an ordeal since 2022, and I still do not understand most of it, but I am doing my best. I already had the issue that it was my Microsoft account, and my problems crossed various platforms, and when I created my own business accounts to investigate I began having significant success seeing what was happening, but I cannot export the data in my head to a .csv about my personal accounts to share with 365 Business support or vice versa about my business accounts to personal support, so I am the only one that can see both sides. Cross platform communication on tickets is hard enough let alone crossing the business and personal threshold. I had just found myself in a position that it was my best investigative option. It has been successful on my end, however communicating what the criminals were doing has been a challenge. My lack of technical knowledge and the fact I am on a Microsoft Learn as I go system makes this quite demanding on my part. The logs and screenshots from my original investigation in 2022 exist in my photographic memory but nowhere else. And I can pick out details in logs and reports that will go unnoticed and flagged as "not me" by AI". But because of my attention to detail, I see the names associated with the activity and know that it is where the fraud began.Disabling Sign in for Shared accounts
I have been reading that Microsoft recommends disabling Sign ins for shared 365 accounts. As per below: Signing in: A shared mailbox is not intended for direct sign-in by its associated user account. You should always block sign-in for the shared mailbox account and keep it blocked. Which is lifted from the following link: https://learn.microsoft.com/en-us/microsoft-365/admin/email/about-shared-mailboxes?view=o365-worldwide This leaves me with a few questions. I have always assumed that as a shared mailbox don't have sign in credentials, that they COULD NOT be signed into, but the above statements suggest otherwise? If Microsoft recommends that sign ins for shared mailboxes are blocked, the statement "a shared mailbox is not intended for direct sign ins", begs the question... why is there a way to sign in to shared mailboxes that needs blocking? Why aren't shared mailbox acccounts setup with "sign ins" blocked by default? Why would have to perform another task (blocking sign ins), every single time i create a shared mailbox? How can people sign into shared mailboxes directly and what access will they have? Thanks for any help
Recent Blogs
- 1 MIN READYour voice matters. Take our quick survey to shape how Microsoft Entra serves identity and network security practitioners.Aug 28, 2025
- Discover the latest AI for Security innovations in Microsoft Entra—investigate faster, manage identities smarter, and automate protection with ease.Aug 28, 2025
