Recent Discussions
Token Protection Conditional access policy is blocking access to PowerShell Modules.
Hi Everyone, Recently we have started implementing Microsoft token protection via CAP. We have created the policy based on the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection Everything is working fine for regular users, but for our admin accounts that require access to Powershell modules, they get this error when trying to access: I've confirmed this is linked to the token protection policy and no other policy is causing this behavior. The policy is configured in the following way: My question here is: How can I keep our admin accounts included on this policy without affecting Powershell access? Thank you for your help.Does Rights Management Service currently support MFA claims from EAM?
We've been testing EAM (external authentication methods) for a few months now as we try to move our Duo configuration away from CA custom controls. I noticed today that when my Outlook (classic) client would not correctly authenticate to Rights Management Service to decrypt OME-protected emails from another org. It tries to open the message, fails to connect to RMS, and opens a copy of the email with the "click here to read the message" spiel. It then throws a "something is wrong with your account" warning in the Outlook client's top right corner. If I try to manually authenticate & let it redirect to Duo's EAM endpoint, it simply fails with an HTTP 400 error. When you close that error, it then presents another error of "No Network Connection. Please check your network settings and try again. [2603]". I can close/reopen Outlook and that warning message in the top right stays suppresses unless I attempt signing into RMS all over again. However.. If I do the same thing and instead use an alternate MFA method (MS Authenticator, for example), it signs in perfectly fine and will decrypt those OME-protected emails on the fly in the Outlook client, as expected. I verified that we excluded "aadrm.com" from SSL inspection and that we're not breaking certificate pinning. So all I can assume at the moment is that Rights Management Service isn't honoring MFA claims from EAM. Any experience/thoughts on this? Thanks in advance!Entra Verified ID: CAP Preview Feature to require Face Check
During one of the MS demo video, I saw a preview feature for Conditional Access Policy to require "Face Check". I have now enabled Entra Verified ID and also switched on Face Check. When I create a new CAP, I do not see the "Require Face Check" option under the Grant. How can I request to have this feature released to my tenant? Thanks!
Need Powershell Script for consolidated report of Active Directory users
Dear Experts, I need a consolidated report for the following instances for Active Directory users --> 1) All LIVE AD Users with “CREATED ON” header 2) Inactive Users (No Login in 90+ Days) 3) Users with “Password Never Expires” Mark 4) Users Who Never Logged In – Users never logged on 5) Users with Old Passwords (Not Changed in 90+ Days) 6) Disabled User Accounts with “Disabled ON” header 7) Inactive Computers (No Logon in 60+ Days) 8) Disabled Computer Accounts 9) Last User Logged in, on computers 10) ALL Users' with Last Password Change Date Kindly share the powershell script for the same ASAP. ..Ajit
Feature Request: DLP Controls for App Registrations Using Sites.Selected to Prevent PII/PHI Exposure
We’re using the Sites.Selected SharePoint API to restrict app access to specific sites, which is a great improvement over tenant-wide permissions. However, we’re increasingly concerned about the lack of native DLP enforcement at the app registration level—especially for AI-powered apps or integrations that may unintentionally access sensitive data. Does Microsoft offer any capability to safeguard against PII/PHI data transfer across the Graph API that can: Flag apps as restricted from accessing PII/PHI. Prevent apps from reading content labeled with sensitivity labels like “Confidential,” “PII,” or “PHI.” Enforce real-time inspection and blocking of Graph API calls that attempt to access sensitive data. Generate alerts and audit logs when apps approach or violate these boundaries. If not, are there plans to introduce these protections? Protection across all APIs is desirable, but currently our greatest concern are SharePoint APIs."sign-in frequency" every time not working as expected and described.
We have several PIM managed groups in an Entra ID tenant. Members are added as eligible. For the activation of the memberships an Authentication Context is created which is linked to a conditional access policy. The conditional access policy requires MFA with phishing resistant authentication factors, and "sign in frequency" is set to "every time". When activating membership authentication is required. When activating membership to another group (>5min in between activations) one would expect to request an authentication prompt, as described in Microsoft documentation. In Firefox this works as expected, In Edge and Chrome there is no re-authentication required every time, and sometimes even not for the first activation, not even in an in-private session. The device is not joined to this tenant, and the account used to log on is different from the one used to logon to the Entra ID portal. This is a test tenant with only those CA rules configured, no other policies or rules are in place. Anyone experiencing the same, or knowing the cause?
AZURE AD Contacts problem
Heloo, I've been looking for an online solution and nothing works. I have a hybrid Active Directory on-premise and Azure AD system since 2021. Users created in Active directory on-premise deleted since 2021-2022 still appear in my Azure AD contacts, and when I synchronize the contacts from AzureAD with other applications, those users are also visible. The users no longer exist in AD, from there they are automatically deleted after 180 days anyway, I checked. They are no longer found in Azure AD, M365 Admin, the only place where they are still found is Azure AD contacts, it seems they are not in the GAL either because they do not appear in outlook. - I tried Online PowerShell - Get-User | Format-List DisplayName, UserPrincipalName, PrimarySmtpAddress , It only shows me active users - I tried Microsoft Graph , ditto, it only shows me active users. I don't know how to identify those users, and their number is increasing. Please help, some other Ideas?
Workplace Benefits Program (earlier meaning: home Use)
Hello, let me describe our current situation: Tenant A: our first tenant, should be decom. soon Tenant B: our new productive tenant On Tenant A we are able to use the Workplace Benefits Program. Unfortunatelly we have to decom this tenant. so we have created an new one, Tenant B. Enterprise Agreement was transfered well to the new, but one topic is missing, we couldn't transfer the existing workplace benefits from A to B. Perhaps someone here has been in the same situation and has found a solution? Thanks a lot. best regards, Markus
Migration from Microsoft Entra Connect Sync to Entra Cloud Sync
Hello, I am migrating my organization from Microsoft Entra Connect Sync to Microsoft Entra Cloud Sync, from On-Premise AD to Microsoft Entra ID only. I divided the migration (change) into phases, created roles for all synchronized OUs separately, according to this tutorial (https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/tutorial-pilot-aadc-aadccp), everything was going well until I discovered that if the users OU is synced with connect sync and the mail groups OU - with cloud sync, the cloud sync cannot perceive the changes coming from on-premise and, for example, cannot join a specific group to a user who is in one of the groups in on-premise AD. I have licensing groups that automatically assign the appropriate license to a user when they are in this group in Entra. Is there any solution that I can use to avoid or avoid all this? Or do I have to synchronize all OUs at once? Has anyone had a similar incident? Thanks, I will accept any advice.Disabling PIN-based login on Entra-joined PCs
Hi guys. Yesterday I took two machines off the domain and Entra joined them. The goal was 1) remove their access to domain resources 2) have tenant users login to the machine and get enriched tokens every time. this works as desired. The problem is every user gets prompted to set a pin. these are both shared secondary/tertiary PC's - there is no point to having a 6 digit PIN on them. I thought the new Authentication Methods tools had controls for this, but apparently not. A script was run to change certain related Reg Keys (by my onsite tech) but this had no change on reboot. textreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v Enabled /t REG_DWORD /d 0 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v DisablePostLogonProvisioning /t REG_DWORD /d 1 /f HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork Enabled key was set to 0, and DisablePostLogonProvisioning was set to 1. These are from various help threads I found here and other resources. Unfortunately, they do not work. Not sure what to do here. I've read there are InTune controls for this - but I don't really have the time to work out WindowsPC ennrollment profiles for 2 machines. The site has InTune, but only for iOS mobile management. Thoughts?
Windows Authentication for Entra ID for SQL MI
Hi Team, I recently come across a use case where we have to use Windows Authentication for Entra ID for SQL MI. My question is based on Microsoft documentation https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-setup?view=azuresql There are two options. Options 1 Modern interactive flow Options 2 Incoming trust-based flow Proceeding with Option 2 (Incoming trust-based flow) the authentication flow works some as the following Step Action From To Network Connection 1 Initiate Connection Client (Windows Server 2016) - - 2 Request Kerberos TGT Client Domain Controller (Windows 2012) On-premises network 3 Issue TGT Domain Controller Client On-premises network 4 Request Service Ticket via Kerberos Proxy Client Microsoft Entra ID (via proxy) ExpressRoute (Microsoft peering) 5 Issue Service Ticket Microsoft Entra ID Client ExpressRoute (Microsoft peering) 6 Submit Service Ticket Client Azure SQL Managed Instance ExpressRoute (private peering) 7 Validate Ticket and Exchange for Token Azure SQL Managed Instance Microsoft Entra ID Azure internal network 8 Authenticate User and Grant Access Azure SQL Managed Instance Client ExpressRoute (private peering) If above is correct. Can anyone confirm we have to synchronize service accounts and users to Entra IS that are used by applications? Does the client (running application ot SQL management studio) require access to Entra ID or it will be requested by on-premises AD on behalf of application server Many Thanks !Sharing Best Practices and Experiences
Hi everyone! I’m opening this space for us to discuss everything related to Microsoft Entra — implementation, management, and best practices. The goal is to create a community where we can share experiences, exchange tips, and discuss procedures that make working with Entra ID, Entra Permissions Management, Entra ID Governance, and the rest of the Entra ecosystem easier. 🔹 What challenges have you faced in identity and access management? 🔹 Any configuration, automation, or integration tips worth sharing? 🔹 How are you applying Microsoft’s recommended security practices? If you’re just getting started, check out this Microsoft Learn article on the Microsoft Entra fundamentals. Let’s build an active and collaborative community around Microsoft Entra!Identity, access, and agent governance—Microsoft Entra at Ignite 2025
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn what’s new and what’s next across identity and access management to the forefront, with sessions focused on Zero Trust, agent governance, and securing AI-powered apps. Featured sessions: BRK243: Microsoft Entra: What's new in secure access on the AI frontier Strengthen your Zero Trust foundation, manage and govern the rising tide of agents, and enable AI to accelerate your success. BRK265: Secure access for AI agents with Microsoft Entra Discover, manage, govern, and protect agent identities and access—just as you do for human identities. LAB549: Strengthen your identity security posture with Conditional Access Learn safe rollout patterns and use the CA Optimization Agent (Security Copilot in Entra) to find and fix gaps with one-click and phased enforcement. Explore and filter the full security catalog by topic, format, and role: aka.ms/Ignite/SecuritySessions Why attend: Ignite is the best place to learn about new Microsoft Entra capabilities for agentic AI, identity governance, and secure access. We will also share its vision for the future of identity and agent management. Security Forum (November 17): Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration. Register for Microsoft Ignite >Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
What I'm trying to achieve I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (regular organizational tenant) for a hybrid CIAM/B2B setup where: Business users authenticate via their corporate accounts (OIDC or SAML) Individual customers use username/password or social providers (OIDC) Tenant details / Terminology: CIAM tenant: External ID tenant for customer-facing applications IdP tenant: Example Partner's organizational Entra ID tenant with business accounts Custom domain: mycustomdomain.com (example domain for the IdP tenant) Configuration steps taken Step 1: IdP Tenant (Entra ID) - Created SAML App Set up Enterprise App with SAML SSO Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/ Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf NameID: Persistent format Claim mapping: emailaddress → user.mail Step 2: CIAM Tenant (External ID) - Added SAML IdP (Initially imported from the SAML metadata URL from the above setup) Federating domain: mycustomdomain.com Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/ Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2 DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2 Step 3: Attached to User Flow Added SAML IdP to user flow under "Other identity providers" Saved configuration and waited for propagation The problem It doesn't work. When testing via "Run user flow": No SAML button appears (should display "Sign in with mycustomdomain") Entering email address removed for privacy reasons doesn't trigger federation The SAML provider appears configured but never shows up in the actual flow Also tried using the tenant GUID in the passive endpoint instead of the domain - same result My question Is SAML federation from External ID to regular Entra ID tenants actually possible? I know OIDC federation to Microsoft tenants is (currently, august 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works. Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant regardless of the protocol used?Add members to a dynamic sec-grp excluding users with a specific "serviceplanid" assigned license
Hello, I am trying to populate dynamically a security group that shoud contain all members with a specific attribut value and trying to filter the groupe membership based on a serviceplanId assigned to members (user.extensionAttribute9 -startsWith "83") -and (user.accountEnabled -eq True) -and (user.mail -ne null) -and (User.AssignedPlans -any (assignedPlan.servicePlanId -ne "818523f5-016b-4355-9be8-ed6944946ea7" -and assignedPlan.capabilityStatus -eq "Enabled")) How to exclude members with the ServicePlanId : "818523f5-016b-4355-9be8-ed6944946ea7" from the list of the groupe members ?
How to recover or re-add device
Hi, To try and make a long story short, I have 2 devices, Device 1 one belonged to me and Device 2 belonged to someone previously. I had taken Device 2 because the specs we're better and am giving Device 1 to a new-hire. My initial thought was to delete Device 1 and just re-add it to Azure AD under the new owner. After I had done that I came across an extremely simple PowerShell cmdlet that made adding a new owner and removing the old owner very fast and painless. I used this cmdlet to add me as the new owner of Device 2 but had already deleted Device 1. I'm now stuck trying to figure out how to get Device 1 back into AD and change the owner. How can I do this? ThanksCreating SSO Application using Microsoft Graph
I'm attempting to create SSO applications using Microsoft Graph to migrate from ADFS. "Microsoft.Graph.Models.Application requestBody = new Microsoft.Graph.Models.Application { IdentifierUris = new List<string>() { appURL }, DisplayName = appName, Web = new Microsoft.Graph.Models.WebApplication { RedirectUris = new List<string> { appURL }, } }; retVal = await graphClient.Applications.PostAsync(requestBody);" My URI requires a trailing slash. When I try to use the trailing slash I get the error: "Application alias 'https://xxxx/aspx/xxxx/' value is invalid." I tried editing my realm to remove the trailing slash, and the redirect URI, e.g. https://xxxx/aspx/xxxx, but removing them causes sign-in issues. If I edit the the Identifier URI in the Entra ID portal, to add the trailing slash, I am able to sign in and use the application. Though it is a solution, I need to use the application to enter close to 240 applications total between all of our environments. Anyone run into this and have ideas I can try? Thanks.
Recent Blogs
- 3 MIN READSimplify hybrid complexity and strengthen your security posture by managing users and groups natively in the cloud.Nov 04, 2025
- Discover how Microsoft Entra is shaping the future of identity and access at Ignite 2025. Connect with our experts and explore what’s next!Oct 29, 2025
