Recent Discussions
Secure Linux Logins with Azure Entra ID: MFA, Hello, Device Compliance & SSO with Himmelblau
As organizations adopt Azure Entra ID and Intune to secure their fleets, Linux has often been left behind — especially for modern authentication requirements like MFA, Conditional Access, and device compliance. Traditional Linux frameworks (PAM, NSS) were never designed for cloud identity or Zero Trust. Himmelblau is an open-source project that bridges this gap by integrating Linux systems directly with Entra ID.

With Himmelblau, you can:
- Join Linux machines to Azure Entra ID, creating a device object in Entra ID to establish device identity and enable Conditional Access checks tied to trusted devices.
- Enroll Linux systems into Microsoft Intune (currently in beta), so they participate fully in compliance policies alongside Windows.
- Enforce MFA at the Linux login prompt, using your existing Entra ID Conditional Access configurations.
- Offer secure Hello for Business PIN authentication on Linux, providing end-users with a familiar, strong second factor that’s backed by hardware-bound credentials.
- Integrate Linux with SSO in Firefox and Chrome, allowing seamless access to Entra-protected web apps once the user is logged in.
- Manage Linux users and groups via Entra ID, with robust caching for reliable offline operation.
- Leverage TPM-backed certificates and secure key storage, so device credentials remain protected even if the system is compromised.

For many IT teams, this means finally bringing Linux endpoints under the same Zero Trust umbrella as Windows — without compromising user experience or compliance.

Get started:
https://himmelblau-idm.org
https://himmelblau-idm.org/landing.html
https://github.com/himmelblau-idm/himmelblau

We’d love your feedback — especially from organizations managing hybrid fleets. What other Entra scenarios would you like to see better supported on Linux?

20 views · 0 likes · 0 comments

Passwordless POC Blocked by CA BYOD Policy – Looking for Workarounds
We’re currently running a POC for passwordless authentication in our environment. One challenge we’ve hit is that our CA BYOD policy blocks personal devices, which prevents users from enabling passwordless sign-in via the Microsoft Authenticator app. Since Authenticator is not a cloud app, we can’t exclude it from the CA policy using the usual cloud app filters. This is causing issues when users try to register or use passwordless sign-in from their personal phones.

Has anyone dealt with this scenario or found a workaround that allows passwordless sign-in while still enforcing BYOD restrictions? Any ideas, suggestions, or creative solutions would be much appreciated!

Thanks in advance!

11 views · 0 likes · 0 comments

Defining dynamic group member rules for including only external guests: which syntax is valid?
The syntax is really starting to confuse me as I thought this should work. However, I tend to work with internal users so this may not work.

(user.userPrincipalName -contains "@guestdomain.co.uk")

My colleague reckons this is the answer:

(user.usermail -contains "@guestdomain.co.uk")

Or his latest suggestion:

(user.userType -eq "Guest") and (user.otherMails -contains "@guestdomain.co.uk")

Normally, I would inspect the AAD but I don't have permissions to AD on the target tenant. Anyway, would be great to stop us both arguing with a proven answer!

Solved · 12K views · 0 likes · 3 comments

Moving small business from local domain to Entra
I'm planning on moving a company of about 50 users and around 75 computers from our local domain (2016 server) to 365/Entra. My biggest hurdle is that the company is heavy into Google Workspace, all our documents, email, etc., and our owners/management are heavy users and very comfortable with it.

My initial plan was to set up MS 365 Business Standard and move the whole company over a long weekend: cloud migration from Google to 365, computers all in Entra, etc. However, I now think this is a lot for even a long weekend and I was hoping to maybe do this in stages. Perhaps get us going with Microsoft Entra ID P1, move our domain computers to it and get my feet wet with Entra management, etc. Stage two would likely be hiring a company with experience to migrate us over from Workspace.

So basically just looking for advice: would this work at all without also migrating users/email as well? Is it possible to just unhook our domain workstations and add them into Entra under a single admin account?

Thanks for any help,
Andy

50 views · 0 likes · 2 comments

External ID login page not showing identity providers
I am trying to create a login flow using a custom OIDC identity provider, but the login page is just showing a prompt for email and password without a way to log in using the external identity provider. I have configured the identity provider in Entra, and created a new user flow that should include the identity provider.

Additionally, when an application is added to the user flow, any login using that application shows an error saying "We couldn't find an account with this email address" when trying to log in with a user that was working previously. I'm not sure if this is related to the missing identity provider or not.

Is there a way to fix this? Any help is appreciated!

102 views · 2 likes · 4 comments

Adding PIM enabled security group to an Access Package
Hi,

Recently a new feature has gone into preview: it's now possible to add a PIM-enabled security group to an access package, explained here: Assign eligible group membership and ownership in access packages via Privileged Identity Management for Groups (Preview)

I followed the instructions exactly on 2 different tenants; one tenant has the Entra ID Governance licence, another has the Entra Suite licence. The result on both tenants was the same. When adding a PIM-enabled group to an access package, I am presented only with 2 roles (member or owner) and not with the expected 4 roles (member, owner, eligible member, eligible owner). The group I add was created for test purposes a couple of weeks ago, and really is PIM enabled (discovered).

Is this a preview that has to be activated on a tenant? (It's not in the "Entra -> Identity -> settings -> Preview features" list.) Am I missing something?

Cheers!

17 views · 0 likes · 0 comments

Invitation Redemption modifying DisplayName attribute
Hi All,

Haven't found much on this, other than someone with the same issue ~6 years ago and no further details.

I'm generating guest user invites through Graph and configure the display name in a particular way. I've noticed that when that guest logs in for the first time, the display name changes, removing my custom configuration. I can see this in audit logs for the user account, corresponding to their login to the tenant for the first time where the account is moved from PendingAcceptance to Accepted.

Activity Type: Update User
Category: User Management
Type: Application
Display Name: Microsoft Invitation Acceptance Portal

Is there a setting or flag to block this? Ideally, they would keep the same display name I set in the first place.

Thanks!

580 views · 0 likes · 1 comment

MFA requirement satisfied by multi-factor device
Hello,

Could you please help me to understand what exactly the "MFA requirement satisfied by multi-factor device" MFA result means? This string appears in the exported Entra ID sign-in log under the column "Multifactor authentication result" when the column "Multifactor authentication auth method" equals Other or is an empty cell.

Thank you!

Solved · 78 views · 0 likes · 3 comments

Entra ID External - Custom Claims Provider help
Hi,

I'm working with Entra ID External identities, trying to get a 'Token Issuance Start' event in a Custom Claims Provider working correctly. I've got all the pieces in place (SPA, web API with endpoint set and configured, app registrations, basic login working successfully, etc.). I just can't get the claims provider to call my claims endpoint. Tried so many different ways, get all different errors, all kinds of hours with and without ChatGPT, and still not working.

I'm to the point where I'm ready to pay a consultant to help me get past this. But I'm just a solo dev working on a personal side project; I can't call an enterprise consulting company asking for an hour or two on a Zoom call, they don't deal with such minuscule jobs, at least none that I've called. I'm well past the point of making a Stack Overflow post or something like that; I need a one-on-one with someone familiar with Entra ID custom claims providers for External identities. But I'm guessing most folks with that knowledge are working for some big consulting firm that won't give me the time of day.

Can anyone suggest a small company that could help me, or maybe a place to post online for someone that might want to make a few bucks moonlighting on the side? I'm not looking for a handout, I'll pay a reasonable rate, I just can't afford (and pretty sure I won't need) more than a couple hours. If anyone knows of some site (or anyone interested yourself) please let me know, I'd be forever grateful, I'm at my wits' end :)

Thanks,
Andy

33 views · 0 likes · 0 comments

Understanding Sign-In logs - password hash sync from another country?
G'day,

Had a couple of users show up today at risk: failed logins from the US, while we're in Canada. Users are not in the US, not using VPNs, logins are to Microsoft services (Office Home, One Outlook Web). The user agent is the axios client, the auth method is 'password in the cloud', which as I understand it means the password is being auth'd directly against Entra.

However, one of them is Azure AD synced. The auth method on this is 'password hash sync'. As I understood it, this means the password is going to the DC first, then the resulting hash is being passed to the cloud. This is what we have on our Hybrid 1-way tenants. But I don't really understand what's going on when I see a Password Hash Sync attempt from another country. Is that random person passing a (wrong) password to my closed-off server? Or... is it just that the hash that Entra has to authenticate with is from the DC? Is the 'password to DC, to Cloud' the 'passthrough' auth method?

Thanks

43 views · 0 likes · 1 comment

Force Domain takeover
Hello,

Trying to add a custom domain to a new tenant gives me the error "We have confirmed that you own ***, but we cannot add it to this tenant at this time. The domain is already added to a different Office 365 tenant: ****". We no longer have access to the different tenant; how can I remove or take over the domain to use in the new tenant? Tried https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover to no avail. Also used the PowerShell command for takeover force without success. How can I speedily resolve this?

Thanks

30 views · 0 likes · 0 comments

Email Address in Entra ID not reflected to OpenLearning
We've configured SSO with OpenLearning but when a new user tries to log in, the email address is not being passed on to OpenLearning. It says "It seems you already have an OpenLearning account" when it is his/her first time joining. The OpenLearning support said to contact Microsoft support. Then the Microsoft support is passing the issue somewhere. Has anyone encountered and resolved this issue?

76 views · 0 likes · 1 comment

Edge Warning when clicking on Links in Entra
I am in the Entra portal looking at the latest recommendations to improve the Identity Secure Score. When you select an option, and the fly-out window shows on the right, you have the 'Get Started' link at the bottom. Upon clicking on that, Edge will warn you that something doesn't look right. I know that the URLs were changed a while ago now for the various portals, but it looks like Edge didn't get the message on this one, hence the warning showing in the browser. Can this be addressed, as I constantly get this alerted to myself from other users?

26 views · 0 likes · 0 comments

Azure AD Join (Entra Join) vs Hybrid Azure AD Join vs Azure AD Registration (Workplace Join)
I still find it hard to understand the differences between Azure AD Join (Entra Join) vs Hybrid Azure AD Join vs Azure AD Registration (Workplace Join). I know Azure AD Registration (Workplace Join) is supposed to be best for personal devices (BYOD), but if you have security as an important part of your business why would you want to allow this? You could end up with a billion random machines in your Entra. What's the benefit of this?

Also, if I have a Hybrid environment and I have both cloud and on-prem apps that do auth via both on-prem (for on-prem apps linked to AD) and Entra for cloud, do I need to be Hybrid Azure AD Joined to support on-prem and cloud? Or will a person working from an Azure AD Joined machine still be able to access on-prem resources like file servers and any app that uses AD groups for auth, access provisioning, etc.?

167 views · 0 likes · 1 comment

User is AD synced, but not able to sync password
Hi,

We use Entra ID Sync from on-premises AD to Entra. In Entra, users are shown as synced. For some reason it is not possible for the password that is set in AD to be synced to Entra. Furthermore, I am able to reset the password in the admin center; on the other hand, in Entra itself I cannot change the password.

How do I fix this? The problem is that the user must change passwords 2 times, first in AD and second in the Admin center. The latter is needed so he can use Teams etc. I checked the Entra ID Sync, but that works fine from what I can judge. Password writeback is disabled.

75 views · 0 likes · 2 comments

Security Best Practices for Bookings Page's Mailbox Objects in Entra ID
Hi,

Are there any recommendations / best practices for hardening the user objects that are created in Entra ID when I create a new Microsoft Bookings page? Unlike regular shared mailboxes, the sign-in is enabled by default; I can simply reset the password, sign in via Outlook Web and see the Microsoft Bookings calendar. Bad actors could brute force this sign-in, register the MFA authentication method of their choice and gather data of the customers that used my public bookings page.

What is the recommended way to handle these objects in Entra ID? Conditional Access settings? Azure Monitoring alerts for sign-ins? Defender alerts for when an inbox rule is created?

Kind regards,
Yasemin

Solved · 83 views · 0 likes · 2 comments

Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal"
Hello Identity Experts,

We are expanding access to our M365 resources to Guests and as such we are modifying our existing CA policies to provide the appropriate restrictions and controls. We are using principles of least privilege best practices to BLOCK All Cloud Apps for Guests (With Exceptions) and REQUIRE MFA for Guests. We've followed a number of blogs detailing the same essential set of policies / well-known identity pros: https://danielchronlund.com/2020/11/26/azure-ad-conditional-access-policy-design-baseline-with-automatic-deployment-support/

The idea is to allow guests to access Office 365 and My Apps (and AIP) but block all others plus require MFA for guests. Seems pretty straightforward and again we've seen this implemented and suggested by a number of experts. This doesn't work however and we've had a colleague test this in a separate tenant with just these two policies enabled.

What is happening is that Guests, while redeeming their invitation, are triggering the BLOCK All Cloud Apps for Guests policy when they access the "Microsoft Invitation Acceptance Portal". This App is, unfortunately, one that cannot be excluded from CA policy (there is no target available for it). Guests receive the "You don't have access to this" error with the AppName = Microsoft Invitation Acceptance Portal and error 53003 in the AAD sign-in logs (along with the fact that the BLOCK policy caused the failure). What is also odd is that if the Guest returns to the invitation link, they can then complete the registration.

Something is off/wrong and we're curious if anyone else has encountered this using these policies.

Thanks in advance!

Solved · 18K views · 0 likes · 7 comments

Guest users in tenant enforcing phishing resistant MFA
If a tenant uses a third-party MFA, i.e. Okta or similar, and users are guests in another tenant via B2B trust, and the tenant accepting guest accounts is enforcing MS phishing-resistant MFA... will the tenant recognise "Okta" authenticated guests as phishing resistant? Or will guest accounts need a Conditional Access Policy applied to allow the guest users access to the tenant enforcing MS phishing-resistant MFA?

28 views · 0 likes · 0 comments

Strengthening Enterprise Identity Security with Country Based Blocking in Conditional Access
In a Zero-Trust world, identity is the foundational security perimeter. Securing access begins with full visibility and control over authentication activity, including where login attempts originate. By continuously validating the context of every access request, organizations can detect threats early and enforce least privilege with precision. For public sector agencies and global enterprises alike, defending against unauthorized sign-ins from foreign locations is a top priority, especially when those locations fall outside the boundaries of legitimate business activity.

Why Country-Based Blocking Matters

Not every foreign login attempt is malicious, but when your organization has no employees, contractors, or systems operating out of certain countries, any authentication activity from those regions should be treated as suspicious by default. We’ve seen organizations use this capability to:
- Block access from countries where they have no personnel or partnerships
- Reduce exposure to credential stuffing or token replay attacks from known threat regions
- Enforce geo compliance policies related to data sovereignty or regional restrictions

This helps reduce risk without interfering with legitimate business operations—and it’s surprisingly easy to configure. Fortunately, Microsoft Entra ID (formerly Azure Active Directory) provides a powerful, often overlooked feature in Conditional Access: the ability to block authentication attempts by country using Named Locations.

🔧 Step by Step: How to Block Access by Country Using Conditional Access

1. Create a Named Location for the Country
- Go to the Microsoft Entra admin center (Entra Portal).
- Navigate to Protection > Conditional Access > Named locations.
- Click + Country location.
- Name the location (e.g., Blocked - China).
- Check the box for the country or countries you want to block (e.g., North Korea).
- Click Create.

2. Create the Conditional Access Policy
- Still in Conditional Access, click + Create New policy.
- Name your policy, e.g., Block Sign-ins from Forbidden Countries.
- Under Assignments:
  - Users: Choose All users (or specific groups), and exclude your break glass accounts.
  - Target resources: Select All resources (or target specific apps).
- Under Network: Set Configure to Yes. Include: Selected networks and locations, then choose the Named Location(s) you created earlier (e.g., Blocked - North Korea). This setup tells Conditional Access to apply the policy unless the sign-in is from an excluded location, i.e., from a blocked country.
- Under Access controls > Grant: Select Block access.
- Enable the policy (set to On) or test it first by setting it to Report-only.
- Click Create.

🛡️ Best Practices
- Begin with Report-only mode to simulate the effect of your policy before enforcement.
- Exclude break-glass (emergency) accounts to avoid accidental lockout.
- Monitor sign-in activity in Microsoft Entra sign-in logs to validate the policy’s effect.
- Combine with sign-in risk policies or device compliance to further refine access decisions.
- Consider the service limits for Named Locations and IP address ranges. While these limits are generous and unlikely to affect most organizations, it is good practice to review them to ensure your design remains scalable. More details can be found in the Microsoft Entra service limits documentation.

Final Thoughts

Blocking access from foreign countries where your organization has no legitimate activity is one of the most straightforward and effective Conditional Access strategies available. It strengthens your authentication perimeter and supports a zero trust approach to identity security. However, it is important to remember that Named Locations should be part of a broader defense-in-depth strategy. Sophisticated attackers can use VPNs or proxy services to disguise their location, so country-based controls alone are not enough. For stronger protection, combine them with additional signals such as sign-in risk, device compliance, and multi-factor authentication. Whether you're protecting a government agency or a multinational enterprise, adding country-based controls to your Conditional Access policy set remains a simple but powerful step forward.

🧭 Ready to get started? Dive into the official docs here:
➡️ Block access by location using Conditional Access
➡️ Simplify Conditional Access policy deployment with templates - Microsoft Entra ID | Microsoft Learn

205 views · 1 like · 0 comments

MFA claim expired - Breaking web apps
Hi All,

Testing:
- Passwordless (Phone Sign-in baseline)
- Sign in Frequency (Shorter than tenant setting)
- Desktops are hybrid, receiving their PRT but do not use WH4B
- Tenant still has Remember Trusted device for X Days enabled

I'm seeing some strange behavior where Azure AD is showing the MFA claim has expired when trying to access web portals (auth loops, webapp access issues (Outlook fine but not Teams), error messages). If I revoke the session completely and re-login to the native app pop-ups, things are fine again for a while. If the user closes the native auth window, the native apps limp along even with the MFA claim issue within the browser, but the webapps are still broken. WebApps continue to SSO in with the token in this state.

Research is pointing that it might be the tenant-wide remember trusted device settings, although I am not in a position to disable this global setting until after the test deployment. Disabling the SIF seems to resolve the MFA claim expiry immediately; I'll check in a few days to see if that is still the case, as it'd be outside the trusted device setting interval too.

I have a support request at the moment with the advice to enable persistent browser sessions, which I'll test but don't think that is the core of the issue. Is there a way around this? Have others had similar issues?

Thanks!

5.1K views · 0 likes · 4 comments
Recent Blogs
- August 4-7, 2025: Learn to unify access controls, streamline employee lifecycle, secure access to on-prem and AI apps, and govern internet resources. (Jul 02, 2025 · 2.9K views · 3 likes · 0 comments)
- 10 min read: Learn about the latest features and change announcements across Microsoft Entra. (Jul 01, 2025 · 2.6K views · 1 like · 1 comment)