Recent Discussions
Blocking email in outlook mobile application via conditional access and Intune
Hello, all. We’re currently experiencing an issue where corporate email remains accessible in the Outlook mobile app on personally owned iOS devices, even after the device either falls out of compliance or undergoes an enterprise wipe. These devices are managed through Intune. Additionally, some users may have personal email accounts configured within the Outlook mobile app already. Below is the conditional access policy currently applied to mobile devices. Any assistance would be appreciated.
NPS Extension for azure MFA and multiple tenants?
Hi, is it possible to setup one NPS server with the Extension for Azure MFA to authenticate against multiple tenants? The onprem AD has azure ad connector for each domain and the users are in sync with there tenants. Its a RDS setup with one RD Gateway and one NPS server and multiple RD servers. I need email address removed for privacy reasons and email address removed for privacy reasons etc. to authenticate with MFA, but i can only get the users on the tenant thats linked in the NPS Extension for Azure MFA to work. I dont think its possible to setup more than one tenant in one NPS server (Extension for azure MFA). I get this error in the NPS log NPS Extension for Azure MFA: CID:xxxxxxxxxxxxxxx : Access Rejected for user email address removed for privacy reasons with Azure MFA response: AccessDenied and message: Caller tenant:'xxxxxxxxxxxxxxxxxxxxxxx' does not have access permissions to do authentication for the user in tenant:'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',,,xxxxxxxxxxxxxxxxxxxxxx The ID in the Caller tenant and the user tenant in the error is correct, so something have to work? I cat find a way to allow the Caller tenant to access users in the user tenant.
Need Powershell Script for consolidated report of Active Directory users
Dear Experts, I need a consolidated report for the following instances for Active Directory users --> 1) All LIVE AD Users with “CREATED ON” header 2) Inactive Users (No Login in 90+ Days) 3) Users with “Password Never Expires” Mark 4) Users Who Never Logged In – Users never logged on 5) Users with Old Passwords (Not Changed in 90+ Days) 6) Disabled User Accounts with “Disabled ON” header 7) Inactive Computers (No Logon in 60+ Days) 8) Disabled Computer Accounts 9) Last User Logged in, on computers 10) ALL Users' with Last Password Change Date Kindly share the powershell script for the same ASAP. ..Ajit
Token Protection Conditional access policy is blocking access to PowerShell Modules.
Hi Everyone, Recently we have started implementing Microsoft token protection via CAP. We have created the policy based on the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection Everything is working fine for regular users, but for our admin accounts that require access to Powershell modules, they get this error when trying to access: I've confirmed this is linked to the token protection policy and no other policy is causing this behavior. The policy is configured in the following way: My question here is: How can I keep our admin accounts included on this policy without affecting Powershell access? Thank you for your help.Does Rights Management Service currently support MFA claims from EAM?
We've been testing EAM (external authentication methods) for a few months now as we try to move our Duo configuration away from CA custom controls. I noticed today that when my Outlook (classic) client would not correctly authenticate to Rights Management Service to decrypt OME-protected emails from another org. It tries to open the message, fails to connect to RMS, and opens a copy of the email with the "click here to read the message" spiel. It then throws a "something is wrong with your account" warning in the Outlook client's top right corner. If I try to manually authenticate & let it redirect to Duo's EAM endpoint, it simply fails with an HTTP 400 error. When you close that error, it then presents another error of "No Network Connection. Please check your network settings and try again. [2603]". I can close/reopen Outlook and that warning message in the top right stays suppresses unless I attempt signing into RMS all over again. However.. If I do the same thing and instead use an alternate MFA method (MS Authenticator, for example), it signs in perfectly fine and will decrypt those OME-protected emails on the fly in the Outlook client, as expected. I verified that we excluded "aadrm.com" from SSL inspection and that we're not breaking certificate pinning. So all I can assume at the moment is that Rights Management Service isn't honoring MFA claims from EAM. Any experience/thoughts on this? Thanks in advance!Entra Verified ID: CAP Preview Feature to require Face Check
During one of the MS demo video, I saw a preview feature for Conditional Access Policy to require "Face Check". I have now enabled Entra Verified ID and also switched on Face Check. When I create a new CAP, I do not see the "Require Face Check" option under the Grant. How can I request to have this feature released to my tenant? Thanks!
Feature Request: DLP Controls for App Registrations Using Sites.Selected to Prevent PII/PHI Exposure
We’re using the Sites.Selected SharePoint API to restrict app access to specific sites, which is a great improvement over tenant-wide permissions. However, we’re increasingly concerned about the lack of native DLP enforcement at the app registration level—especially for AI-powered apps or integrations that may unintentionally access sensitive data. Does Microsoft offer any capability to safeguard against PII/PHI data transfer across the Graph API that can: Flag apps as restricted from accessing PII/PHI. Prevent apps from reading content labeled with sensitivity labels like “Confidential,” “PII,” or “PHI.” Enforce real-time inspection and blocking of Graph API calls that attempt to access sensitive data. Generate alerts and audit logs when apps approach or violate these boundaries. If not, are there plans to introduce these protections? Protection across all APIs is desirable, but currently our greatest concern are SharePoint APIs."sign-in frequency" every time not working as expected and described.
We have several PIM managed groups in an Entra ID tenant. Members are added as eligible. For the activation of the memberships an Authentication Context is created which is linked to a conditional access policy. The conditional access policy requires MFA with phishing resistant authentication factors, and "sign in frequency" is set to "every time". When activating membership authentication is required. When activating membership to another group (>5min in between activations) one would expect to request an authentication prompt, as described in Microsoft documentation. In Firefox this works as expected, In Edge and Chrome there is no re-authentication required every time, and sometimes even not for the first activation, not even in an in-private session. The device is not joined to this tenant, and the account used to log on is different from the one used to logon to the Entra ID portal. This is a test tenant with only those CA rules configured, no other policies or rules are in place. Anyone experiencing the same, or knowing the cause?
AZURE AD Contacts problem
Heloo, I've been looking for an online solution and nothing works. I have a hybrid Active Directory on-premise and Azure AD system since 2021. Users created in Active directory on-premise deleted since 2021-2022 still appear in my Azure AD contacts, and when I synchronize the contacts from AzureAD with other applications, those users are also visible. The users no longer exist in AD, from there they are automatically deleted after 180 days anyway, I checked. They are no longer found in Azure AD, M365 Admin, the only place where they are still found is Azure AD contacts, it seems they are not in the GAL either because they do not appear in outlook. - I tried Online PowerShell - Get-User | Format-List DisplayName, UserPrincipalName, PrimarySmtpAddress , It only shows me active users - I tried Microsoft Graph , ditto, it only shows me active users. I don't know how to identify those users, and their number is increasing. Please help, some other Ideas?
Workplace Benefits Program (earlier meaning: home Use)
Hello, let me describe our current situation: Tenant A: our first tenant, should be decom. soon Tenant B: our new productive tenant On Tenant A we are able to use the Workplace Benefits Program. Unfortunatelly we have to decom this tenant. so we have created an new one, Tenant B. Enterprise Agreement was transfered well to the new, but one topic is missing, we couldn't transfer the existing workplace benefits from A to B. Perhaps someone here has been in the same situation and has found a solution? Thanks a lot. best regards, Markus
Migration from Microsoft Entra Connect Sync to Entra Cloud Sync
Hello, I am migrating my organization from Microsoft Entra Connect Sync to Microsoft Entra Cloud Sync, from On-Premise AD to Microsoft Entra ID only. I divided the migration (change) into phases, created roles for all synchronized OUs separately, according to this tutorial (https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/tutorial-pilot-aadc-aadccp), everything was going well until I discovered that if the users OU is synced with connect sync and the mail groups OU - with cloud sync, the cloud sync cannot perceive the changes coming from on-premise and, for example, cannot join a specific group to a user who is in one of the groups in on-premise AD. I have licensing groups that automatically assign the appropriate license to a user when they are in this group in Entra. Is there any solution that I can use to avoid or avoid all this? Or do I have to synchronize all OUs at once? Has anyone had a similar incident? Thanks, I will accept any advice.Disabling PIN-based login on Entra-joined PCs
Hi guys. Yesterday I took two machines off the domain and Entra joined them. The goal was 1) remove their access to domain resources 2) have tenant users login to the machine and get enriched tokens every time. this works as desired. The problem is every user gets prompted to set a pin. these are both shared secondary/tertiary PC's - there is no point to having a 6 digit PIN on them. I thought the new Authentication Methods tools had controls for this, but apparently not. A script was run to change certain related Reg Keys (by my onsite tech) but this had no change on reboot. textreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v Enabled /t REG_DWORD /d 0 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v DisablePostLogonProvisioning /t REG_DWORD /d 1 /f HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork Enabled key was set to 0, and DisablePostLogonProvisioning was set to 1. These are from various help threads I found here and other resources. Unfortunately, they do not work. Not sure what to do here. I've read there are InTune controls for this - but I don't really have the time to work out WindowsPC ennrollment profiles for 2 machines. The site has InTune, but only for iOS mobile management. Thoughts?Windows Authentication for Entra ID for SQL MI
Hi Team, I recently come across a use case where we have to use Windows Authentication for Entra ID for SQL MI. My question is based on Microsoft documentation https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-setup?view=azuresql There are two options. Options 1 Modern interactive flow Options 2 Incoming trust-based flow Proceeding with Option 2 (Incoming trust-based flow) the authentication flow works some as the following Step Action From To Network Connection 1 Initiate Connection Client (Windows Server 2016) - - 2 Request Kerberos TGT Client Domain Controller (Windows 2012) On-premises network 3 Issue TGT Domain Controller Client On-premises network 4 Request Service Ticket via Kerberos Proxy Client Microsoft Entra ID (via proxy) ExpressRoute (Microsoft peering) 5 Issue Service Ticket Microsoft Entra ID Client ExpressRoute (Microsoft peering) 6 Submit Service Ticket Client Azure SQL Managed Instance ExpressRoute (private peering) 7 Validate Ticket and Exchange for Token Azure SQL Managed Instance Microsoft Entra ID Azure internal network 8 Authenticate User and Grant Access Azure SQL Managed Instance Client ExpressRoute (private peering) If above is correct. Can anyone confirm we have to synchronize service accounts and users to Entra IS that are used by applications? Does the client (running application ot SQL management studio) require access to Entra ID or it will be requested by on-premises AD on behalf of application server Many Thanks !Sharing Best Practices and Experiences
Hi everyone! I’m opening this space for us to discuss everything related to Microsoft Entra — implementation, management, and best practices. The goal is to create a community where we can share experiences, exchange tips, and discuss procedures that make working with Entra ID, Entra Permissions Management, Entra ID Governance, and the rest of the Entra ecosystem easier. 🔹 What challenges have you faced in identity and access management? 🔹 Any configuration, automation, or integration tips worth sharing? 🔹 How are you applying Microsoft’s recommended security practices? If you’re just getting started, check out this Microsoft Learn article on the Microsoft Entra fundamentals. Let’s build an active and collaborative community around Microsoft Entra!Identity, access, and agent governance—Microsoft Entra at Ignite 2025
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn what’s new and what’s next across identity and access management to the forefront, with sessions focused on Zero Trust, agent governance, and securing AI-powered apps. Featured sessions: BRK243: Microsoft Entra: What's new in secure access on the AI frontier Strengthen your Zero Trust foundation, manage and govern the rising tide of agents, and enable AI to accelerate your success. BRK265: Secure access for AI agents with Microsoft Entra Discover, manage, govern, and protect agent identities and access—just as you do for human identities. LAB549: Strengthen your identity security posture with Conditional Access Learn safe rollout patterns and use the CA Optimization Agent (Security Copilot in Entra) to find and fix gaps with one-click and phased enforcement. Explore and filter the full security catalog by topic, format, and role: aka.ms/Ignite/SecuritySessions Why attend: Ignite is the best place to learn about new Microsoft Entra capabilities for agentic AI, identity governance, and secure access. We will also share its vision for the future of identity and agent management. Security Forum (November 17): Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration. Register for Microsoft Ignite >Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
What I'm trying to achieve I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (regular organizational tenant) for a hybrid CIAM/B2B setup where: Business users authenticate via their corporate accounts (OIDC or SAML) Individual customers use username/password or social providers (OIDC) Tenant details / Terminology: CIAM tenant: External ID tenant for customer-facing applications IdP tenant: Example Partner's organizational Entra ID tenant with business accounts Custom domain: mycustomdomain.com (example domain for the IdP tenant) Configuration steps taken Step 1: IdP Tenant (Entra ID) - Created SAML App Set up Enterprise App with SAML SSO Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/ Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf NameID: Persistent format Claim mapping: emailaddress → user.mail Step 2: CIAM Tenant (External ID) - Added SAML IdP (Initially imported from the SAML metadata URL from the above setup) Federating domain: mycustomdomain.com Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/ Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2 DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2 Step 3: Attached to User Flow Added SAML IdP to user flow under "Other identity providers" Saved configuration and waited for propagation The problem It doesn't work. When testing via "Run user flow": No SAML button appears (should display "Sign in with mycustomdomain") Entering email address removed for privacy reasons doesn't trigger federation The SAML provider appears configured but never shows up in the actual flow Also tried using the tenant GUID in the passive endpoint instead of the domain - same result My question Is SAML federation from External ID to regular Entra ID tenants actually possible? I know OIDC federation to Microsoft tenants is (currently, august 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works. Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant regardless of the protocol used?Add members to a dynamic sec-grp excluding users with a specific "serviceplanid" assigned license
Hello, I am trying to populate dynamically a security group that shoud contain all members with a specific attribut value and trying to filter the groupe membership based on a serviceplanId assigned to members (user.extensionAttribute9 -startsWith "83") -and (user.accountEnabled -eq True) -and (user.mail -ne null) -and (User.AssignedPlans -any (assignedPlan.servicePlanId -ne "818523f5-016b-4355-9be8-ed6944946ea7" -and assignedPlan.capabilityStatus -eq "Enabled")) How to exclude members with the ServicePlanId : "818523f5-016b-4355-9be8-ed6944946ea7" from the list of the groupe members ?
Recent Blogs
- Get ready for Microsoft Ignite by reading Alex's reflections on how to ride the wave of AI agent innovation instead of splashing around in the foam.Nov 10, 2025
- 3 MIN READSimplify hybrid complexity and strengthen your security posture by managing users and groups natively in the cloud.Nov 04, 2025
