Recent Discussions
Conditional access, Persistent Browser sessions and Azure File shares in Storage Accounts
Hello, I am in the process of doing a POC for Azure File Sync from DFS to Azure file shares, with an end goal of using Azure file shares and getting rid of DFS. I want to use Entra for identity access. One of the changes I need to make is to set Persistent browser session in our MFA all-users policy to "Never" so that the storage enterprise app does not get targeted for MFA; otherwise it won't work. How do I go about doing this without affecting any other users, as it's a global policy? I know I need to do this because I get this error when I add the Storage Account ent app to the targeted resources (formerly cloud apps) exclusion list: "Message from server: The server could not process the request because it is malformed or incorrect. 1032: ConditionalActionPolicy validation failed due to InvalidConditionsForPersistentBrowserSessionMode." Any ideas of how to get around this without affecting anyone else and only target the storage account ent app? Cheers
Global Secure Access Per App segmentation
Hi, we are running a POC with Global Secure Access and have the following situation. We have defined a traffic forwarding profile for Private Access and a Quick Access policy to allow access to certain applications. I have now created a separate enterprise application and assigned it a different group than the Quick Access policy, for example RDP/HTTP to a specific server. The following seems to be happening. When I check the Private Access rules on the GSA clients, they are receiving all rules (Quick Access + enterprise application rules) even if they don't have a group assignment in the application segment (default behaviour, I am guessing). When a user defined in Quick Access only attempts to access the enterprise application, he gets a prompt on his GSA client, "action required, please sign in"; when he then signs in he gets an access denied message, as expected. However, he also gets denied to the other Quick Access segment. To resolve this I again have to enable/disable the client. Is this normal behaviour and is there a way around this? Can we, for example, not include the enterprise application in the Private Access rule if the group is not assigned? Any help would be appreciated.
Guest users in tenant enforcing phishing-resistant MFA
If a tenant uses a third-party MFA, i.e. Okta or similar, and users are guests in another tenant via B2B trust, and the tenant accepting guest accounts is enforcing MS phishing-resistant MFA, will the tenant recognise "Okta"-authenticated guests as phishing resistant? Or will guest accounts need a Conditional Access Policy applied to allow the guest users access to the tenant enforcing MS phishing-resistant MFA?
User is AD synced, but not able to sync password
Hi, we use Entra ID Sync from on-premises AD to Entra. In Entra, users are shown as synced. For some reason it is not possible for the password that is set up in AD to be synced to Entra. Furthermore, I am able to reset the password in the admin center; on the other hand, in Entra itself I cannot change the password. How do I fix this? The problem is that the user must change passwords 2x: first in AD and second in the admin center. The latter is needed so he can use Teams etc. I checked the Entra ID Sync, but that works fine from what I can judge. Password writeback is disabled.
Defining dynamic group member rules for including only external guests: which syntax is valid?
The syntax is really starting to confuse me, as I thought this should work. However, I tend to work with internal users so this may not work:
(user.userPrincipalName -contains "@guestdomain.co.uk")
My colleague reckons this is the answer:
(user.usermail -contains "@guestdomain.co.uk")
Or his latest suggestion:
(user.userType -eq "Guest") and (user.otherMails -contains "@guestdomain.co.uk")
Normally, I would inspect the AAD but I don't have permissions to AD on the target tenant. Anyway, it would be great to stop us both arguing with a proven answer!
Force Domain takeover
Hello, trying to add a custom domain to a new tenant gives me the error "We have confirmed that you own ***, but we cannot add it to this tenant at this time. The domain is already added to a different Office 365 tenant: ****". We no longer have access to the other tenant; how can I remove or take over the domain to use it in the new tenant? Tried https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover to no avail. Also used the PowerShell command for takeover force without success. How can I speedily resolve this? Thanks
Secure Linux Logins with Azure Entra ID: MFA, Hello, Device Compliance & SSO with Himmelblau
As organizations adopt Azure Entra ID and Intune to secure their fleets, Linux has often been left behind — especially for modern authentication requirements like MFA, Conditional Access, and device compliance. Traditional Linux frameworks (PAM, NSS) were never designed for cloud identity or Zero Trust. Himmelblau is an open-source project that bridges this gap by integrating Linux systems directly with Entra ID. With Himmelblau, you can:
- Join Linux machines to Azure Entra ID, creating a device object in Entra ID to establish device identity and enable Conditional Access checks tied to trusted devices.
- Enroll Linux systems into Microsoft Intune (currently in beta), so they participate fully in compliance policies alongside Windows.
- Enforce MFA at the Linux login prompt, using your existing Entra ID Conditional Access configurations.
- Offer secure Hello for Business PIN authentication on Linux, providing end-users with a familiar, strong second factor that’s backed by hardware-bound credentials.
- Integrate Linux with SSO in Firefox and Chrome, allowing seamless access to Entra-protected web apps once the user is logged in.
- Manage Linux users and groups via Entra ID, with robust caching for reliable offline operation.
- Leverage TPM-backed certificates and secure key storage, so device credentials remain protected even if the system is compromised.
For many IT teams, this means finally bringing Linux endpoints under the same Zero Trust umbrella as Windows — without compromising user experience or compliance. Get started:
https://himmelblau-idm.org
https://himmelblau-idm.org/landing.html
https://github.com/himmelblau-idm/himmelblau
We’d love your feedback — especially from organizations managing hybrid fleets. What other Entra scenarios would you like to see better supported on Linux?
Passwordless POC Blocked by CA BYOD Policy – Looking for Workarounds
We’re currently running a POC for passwordless authentication in our environment. One challenge we’ve hit is that our CA BYOD policy blocks personal devices, which prevents users from enabling passwordless sign-in via the Microsoft Authenticator app. Since Authenticator is not a cloud app, we can’t exclude it from the CA policy using the usual cloud app filters. This is causing issues when users try to register or use passwordless sign-in from their personal phones. Has anyone dealt with this scenario or found a workaround that allows passwordless sign-in while still enforcing BYOD restrictions? Any ideas, suggestions, or creative solutions would be much appreciated! Thanks in advance!
Moving small business from local domain to Entra
I'm planning on moving a company of about 50 users and around 75 computers from our local domain (2016 server) to 365/Entra. My biggest hurdle is that the company is heavy into Google Workspace (all our documents, email, etc.), and our owners/management are heavy users and very comfortable with it. My initial plan was to set up MS 365 Business Standard and move the whole company over a long weekend: cloud migration from Google to 365, computers all in Entra, etc. However, I now think this is a lot for even a long weekend, and I was hoping to maybe do this in stages. Perhaps get us going with Microsoft Entra ID P1, move our domain computers to it and get my feet wet with Entra management, etc. Stage two would likely be hiring a company with experience to migrate us over from Workspace. So basically I'm just looking for advice: would this work at all without also migrating users/email as well? Is it possible to just unhook our domain workstations and add them into Entra under a single admin account? Thanks for any help, Andy
External ID login page not showing identity providers
I am trying to create a login flow using a custom OIDC identity provider, but the login page is just showing a prompt for email and password without a way to log in using the external identity provider. I have configured the identity provider in Entra and created a new user flow that should include the identity provider. Additionally, when an application is added to the user flow, any login using that application shows an error saying "We couldn't find an account with this email address" when trying to log in with a user that was working previously. I'm not sure if this is related to the missing identity provider or not. Is there a way to fix this? Any help is appreciated!
Adding PIM-enabled security group to an Access Package
Hi, recently a new feature has gone into preview: it's now possible to add a PIM-enabled security group to an access package, explained here: Assign eligible group membership and ownership in access packages via Privileged Identity Management for Groups (Preview). I followed the instructions exactly on 2 different tenants; one tenant has an Entra ID Governance licence, the other has the Entra Suite licence. The result on both tenants was the same. When adding a PIM-enabled group to an access package, I am presented with only 2 roles (member or owner) and not with the expected 4 roles (member, owner, eligible member, eligible owner). The group I add was created for test purposes a couple of weeks ago, and really is PIM enabled (discovered). Is this a preview that has to be activated on a tenant? (It's not in the "Entra -> Identity -> settings -> Preview features" list.) Am I missing something? Cheers!
Invitation Redemption modifying DisplayName attribute
Hi All, I haven't found much on this, other than someone with the same issue ~6 years ago and no further details. I'm generating guest user invites through Graph and configure the display name in a particular way. I've noticed that when that guest logs in for the first time, the display name changes, removing my custom configuration. I can see this in the audit logs for the user account, corresponding to their first login to the tenant, where the account is moved from PendingAcceptance to Accepted:
Activity Type: Update User
Category: User Management
Type: Application
Display Name: Microsoft Invitation Acceptance Portal
Is there a setting or flag to block this? Ideally, they keep the same display name I set in the first place. Thanks!
MFA requirement satisfied by multi-factor device
Hello, could you please help me to understand what exactly the "MFA requirement satisfied by multi-factor device" MFA result means? This string appears in the exported Entra ID sign-in log under the column "Multifactor authentication result" when the column "Multifactor authentication auth method" is equal to Other or is an empty cell. Thank you!
Entra ID External - Custom Claims Provider help
Hi, I'm working with Entra ID External identities, trying to get a 'Token Issuance Start' event in a Custom Claims Provider working correctly. I've got all the pieces in place (SPA, web API with endpoint set and configured, app registrations, basic login working successfully, etc.). I just can't get the claims provider to call my claims endpoint. Tried so many different ways, get all different errors, all kinds of hours with and without ChatGPT, and still not working. I'm to the point where I'm ready to pay a consultant to help me get past this. But I'm just a solo dev working on a personal side project; I can't call an enterprise consulting company asking for an hour or two on a Zoom call, they don't deal with such minuscule jobs, at least none that I've called. I'm well past the point of making a Stack Overflow post or something like that; I need a one-on-one with someone familiar with Entra ID custom claims providers for External identities. But I'm guessing most folks with that knowledge are working for some big consulting firm that won't give me the time of day. Can anyone suggest a small company that could help me, or maybe a place to post online for someone that might want to make a few bucks moonlighting on the side? I'm not looking for a handout, I'll pay a reasonable rate, I just can't afford (and am pretty sure I won't need) more than a couple of hours. If anyone knows of some site (or anyone interested yourself) please let me know, I'd be forever grateful, I'm at my wit's end :) Thanks, Andy
Understanding Sign-In logs - password hash sync from another country?
G'day. Had a couple of users show up today at risk: failed logins from the US, while we're in Canada. Users are not in the US, not using VPNs, and logins are to Microsoft services (Office Home, One Outlook Web). The user agent is the axios client, the auth method is 'password in the cloud', which as I understand it means the password is being authenticated directly against Entra. However, one of them is Azure AD synced. The auth method on this is 'password hash sync'; as I understood it, this means the password is going to the DC first, then the resulting hash is being passed to the cloud. This is what we have on our hybrid 1-way tenants. But I don't really understand what's going on when I see a Password Hash Sync attempt from another country. Is that random person passing a (wrong) password to my closed-off server? Or... is it just that the hash that Entra has to authenticate with is from the DC? Is the 'password to DC, to Cloud' the 'pass-through' auth method? Thanks
Email Address in Entra ID not reflected to OpenLearning
We've configured SSO with OpenLearning, but when a new user tries to log in, the email address is not being passed on to OpenLearning. It says "It seems you already have an OpenLearning account" when it is his/her first time joining. OpenLearning support said to contact Microsoft support. Then Microsoft support is passing the issue somewhere. Has anyone encountered and resolved this issue?
Edge Warning when clicking on Links in Entra
I am in the Entra portal looking at the latest recommendations to improve the Identity Secure Score. When you select an option, and the fly-out window shows on the right, you have the 'Get Started' link at the bottom. Upon clicking on that, Edge will warn you that something doesn't look right. I know that the URLs were changed a while ago now for the various portals, but it looks like Edge didn't get the message on this one, hence the warning showing in the browser. Can this be addressed, as other users constantly alert me to this?
Azure AD Join (Entra Join) vs Hybrid Azure AD Join vs Azure AD Registration (Workplace Join)
I still find it hard to understand the differences between Azure AD Join (Entra Join) vs Hybrid Azure AD Join vs Azure AD Registration (Workplace Join). I know Azure AD Registration (Workplace Join) is supposed to be best for personal devices (BYOD), but if you have security as an important part of your business, why would you want to allow this? You could end up with a billion random machines in your Entra. What's the benefit of this? Also, if I have a hybrid environment and I have both cloud and on-prem apps that do auth via both on-prem (for on-prem apps linked to AD) and Entra for cloud, do I need to be Hybrid Azure AD Joined to support on-prem and cloud? Or will a person working from an Azure AD Joined machine still be able to access on-prem resources like file servers and any app that uses AD groups for auth, access provisioning, etc.?
Security Best Practices for Bookings Page's Mailbox Objects in Entra ID
Hi, are there any recommendations / best practices for hardening the user objects that are created in Entra ID when I create a new Microsoft Bookings page? Unlike regular shared mailboxes, sign-in is enabled by default: I can simply reset the password, sign in via Outlook Web and see the Microsoft Bookings calendar. Bad actors could brute force this sign-in, register the MFA authentication method of their choice and gather data of the customers that used my public Bookings page. What is the recommended way to handle these objects in Entra ID? Conditional Access settings? Azure Monitoring alerts for sign-ins? Defender alerts for when an inbox rule is created? Kind regards, Yasemin
Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal"
Hello Identity Experts, we are expanding access to our M365 resources to Guests, and as such we are modifying our existing CA policies to provide the appropriate restrictions and controls. We are using principles of least privilege best practices to BLOCK All Cloud Apps for Guests (With Exceptions) and REQUIRE MFA for Guests. We've followed a number of blogs by well-known identity pros detailing the same essential set of policies: https://danielchronlund.com/2020/11/26/azure-ad-conditional-access-policy-design-baseline-with-automatic-deployment-support/ The idea is to allow guests to access Office 365 and My Apps (and AIP) but block all others, plus require MFA for guests. Seems pretty straightforward, and again we've seen this implemented and suggested by a number of experts. This doesn't work, however, and we've had a colleague test this in a separate tenant with just these two policies enabled. What is happening is that Guests, while redeeming their invitation, are triggering the BLOCK All Cloud Apps for Guests policy when they access the "Microsoft Invitation Acceptance Portal". This App is, unfortunately, one that cannot be excluded from CA policy (there is no target available for it). Guests receive the "You don't have access to this" error with the AppName = Microsoft Invitation Acceptance Portal and error 53003 in the AAD sign-in logs (along with the fact that the BLOCK policy caused the failure). What is also odd is that if the Guest returns to the invitation link, they can then complete the registration. Something is off/wrong and we're curious if anyone else has encountered this using these policies. Thanks in advance!
Events
Recent Blogs
- The Conditional Access Optimization Agent and Security Copilot in Microsoft Entra are now generally available—bringing AI-powered simplicity to identity, access management, and security. (Jul 14, 2025)
- August 4-7, 2025: Learn to unify access controls, streamline employee lifecycle, secure access to on-prem and AI apps, and govern internet resources. (Jul 02, 2025)