Recent Discussions
Limitations on Modifying Enterprise Applications in Azure AD
Hi All, I'm curious about the limitations on modifying Enterprise Applications in Azure AD. Specifically, are there any restrictions on how frequently we can make changes to attributes, ACS, or reply URLs? I understand that modifying these settings can impact user access, but I'm concerned about potential rate limits or other restrictions that might prevent frequent updates. Any insights or best practices for managing these changes would be greatly appreciated.

Post Script: We don't have a dedicated QA environment, so understanding these limitations will help us plan our changes carefully.

Issue: Invitations from SharePoint and Teams Redirect to Incorrect Page
I hope you're doing well! I'm reaching out to seek some guidance regarding an issue we've encountered with guest invitations in SharePoint and Teams. When we send invitations to guests from SharePoint and Teams, they are redirected to the Entra ID "My Applications" page instead of directly to SharePoint or Teams. We do not want guests to be redirected to the "My Applications" page in the directory, but rather directly to the respective service/application. Is this a configuration setting, and if so, where can this be adjusted? I have been unable to locate such a setting in Entra ID. Another notable issue is that invitations take 1 to 2 hours to reach the invited guest. Thank you in advance for your assistance.

Can we enroll MFA to the users through POSTMAN?
Hi Team, I am learning about MS Entra and planning to replace OneLogin with SSO. I can find all the API details of user enrollment in OneLogin, but I am struggling to get all the details to manage MFA enrollment for MS Entra ID. I appreciate your valuable and kind support on this.

Microsoft Entra Hybrid Join Issue Despite Setting Up All Essentials
I'm facing an issue where my client computer is unable to join Hybrid Azure AD, even though I've already set up all the essential steps. I downloaded the Microsoft Entra Connect Sync tool from the official site and did all the necessary steps, including configuring the SCP (Service Connection Point). Our main server is in New York, and our branch office is in the Asia region. I want to have all of my office PCs Microsoft Entra Hybrid Joined in order to apply some conditional access policies. Despite these setups, the device fails at the discovery phase, and I can't figure out what's missing. This is what it says when I try to manually add the client PC:

TenantInfo::Discover: Failed reading registration data from AD. Defaulting to autojoin disabled 0x800706ba
DsrCmdJoinHelper::Join: TenantInfo::Discover failed with error code 0x801c001d.

Has anyone encountered a similar issue? Any guidance or troubleshooting tips would be greatly appreciated. Thanks!

Account Linking Alexa with Entra ID
I am trying to use Entra ID as IdP for Alexa Account Linking and run into issues with the token refresh. The original Account Link works fine, but after an hour or so (when the refresh is probably happening) the account link breaks. Amazon is no help; they just state that "possibly" the refresh fails. But I find no logs on any side. Any ideas what I could do to narrow it down or solve this?

Multitenant collaboration - share users - can't choose groups
Hi all, I am configuring the new multitenant collaboration now that it's out of preview. When I last tested it in preview, when I clicked "Share users" I was able to select an Entra ID group of users to share. Now the behaviour is different: it only allows me to select users, not groups. Am I missing something obvious here? Thanks!

Keep ui_locales param in custom policy sign-in flow
Hi, I'm having some trouble with the language customization of our AD B2C based authentication pages. In my country (Greece), even though the local language is Greek, it's very common to use English as the default language for web tools and specifically browsers. In our business we do want to show English translations, but only when the user needs it. There is a language switch added in a custom HTML template that changes the ui_locales param and refreshes the page. We have added LocalizedStrings to our custom policies and initially force the ui_locales=el param in order to override the default browser language and set it to Greek. This works fine in the first screen, where users are asked to add their email address, but as soon as they proceed to the next step, the ui_locales param is lost and the password screen is shown with strings in English. Is there a way to tell a custom policy to respect the ui_locales param when moving from one screen to another?

API-driven provisioning field mapping changes resynchronize all users and groups
We have configured API-driven provisioning for on-premises Active Directory, along with Azure AD Connect, to synchronize on-premises AD users with Azure Entra ID. As part of the provisioning setup, we have used a separate Organizational Unit (OU) in on-premises AD (designated as the default OU for new users) while configuring API-driven provisioning. We are attempting to make some changes to the API field mapping, specifically the 'UserPrincipalName' regular expression (custom domain) and the 'manager' field, and saving the configuration. Upon attempting to save, a prompt appears (as highlighted in the screenshot below), indicating that this action will resynchronize all users and groups. Could you please clarify:
- Will this resynchronization update any existing users outside the default provisioning Organizational Unit (OU)?
- Specifically, what does the resynchronization operation update? For instance, will it modify the 'UserPrincipalName' and 'manager' attributes for all users, including old users outside of the provisioning Organizational Unit (OU)?

Screenshot: While Saving Mapping.

Unable to set up Microsoft Global Secure Access
Firstly, I am not getting any login prompt to log in to the GSA client on any of my devices, and when I navigate through to the advanced diagnostics area and the health check area I get: (I don't believe I am logged in)

I'm not very sure if I've set it up correctly, so any input on this would be much appreciated.

Thanks,
Rhythm

Enable MFA method
Dear all, currently in our company the authentication methods policy > Microsoft Authenticator defaults to "any", i.e. either "passwordless" or "Push". It is possible to enable the following authentication method through a conditional access policy; currently it is enabled for some users.

Desired authentication method:

The current method is as follows:

Can it be enabled for professional accounts, or is it only focused on personal accounts? Thanks in advance.

[Global Secure Access] Private DNS Cache TTL
Dear all, we are currently in the process of testing the Global Secure Access solution. During Ignite, I attended a session where John Savill discussed the service and its architecture. He mentioned a caching mechanism within the Private DNS feature of the SSE solution. I am curious about the frequency at which this cache is refreshed or updated, as I have not found details regarding the cache lifetime in the documentation. This may be due to its public preview status. If any of you have insights on this matter, your response would be much appreciated.

Kind regards,
Pascal

Conditional Access and Global Secure Access
I'm testing Entra's Global Secure Access. I have a CA policy that basically says I can't access any cloud resources unless I'm on a compliant network. I need to sign into a device with a licensed user to connect to the GSA client. If I turn off all cloud apps, I can sign into the Edge browser just fine, which then associates my user with a license that will enable the GSA client. Here's what I really don't understand: if I target ALL cloud apps and literally exclude every cloud app available, it will not give me access. Basically, I was just trying to figure out which cloud app is blocking me from signing in, but it appears as though there is something else going on. Any help would be greatly appreciated.

App Proxy Pre-Authentication
Hi there, I just set up NDES + SCEP on our infrastructure and all is working well so far, but I was wondering if it is possible to allow only Entra Joined devices (Intune managed) to it instead of Entra ID auth (user auth) or passthrough. I tried with conditional access policies with no luck so far. Thanks!

WTF is going on in these logs?
I had a user phished the other day, but they realized and changed their password straight away. Not before the bad actor collected his credentials, so I checked the logs, and what I see makes no sense. First I looked at the sign-in logs (Sign in logs.png). You can see a failed login attempt from Jacksonville, Florida. You can see they used the old password (invalid password.png). Looks good, right? Then why the hell is there a follow-up attempt (approved.png) that says "Password via pass-through succeeded"? Yes, it's now waiting for MFA, but if it's the wrong password as seen prior, why now is it saying succeeded? Plus, another one 10 mins later from another IP (probably trying to get around location blocking) with the same thing: pass-through succeeded and now waiting for MFA. If the password is wrong, why even request MFA?

Access Review on multiple Management Groups and Subscriptions
Hi everyone, we are facing the challenge of managing numerous Subscriptions and Management Groups in Azure. Our goal is to make Access Reviews more efficient by conducting them at a higher level, such as the Tenant Root or a central Management Group. Additionally, it would be ideal if roles like "Global Administrator" or "Owner" could be centrally configured for such structures (Tenant Root => All Management Groups => Subscriptions) to reduce administrative effort. Does anyone have experience or tips on how to optimize Access Reviews and role configurations for large and complex Azure environments? Thanks in advance for your help!

Security Info blocked by conditional access
Hello, we have a conditional access policy in place where a specific group can only access Microsoft 365 (deny all apps, except Office 365). The moment a user clicks on Security Info in My Account, the user is blocked by this policy. I can't find a way to exclude the app "My Signins" (AppId 19db86c3-b2b9-44cc-b339-36da233a3be2). Since MFA is forced for this group, they can't change their authenticator app registration. Is there a solution for this? Initial MFA setup works, by the way.

Entra Hybrid Join - Problems with Server 2016 and userCertificate
Dear Community,

I am having some trouble with the hybrid join of a group of servers (Windows Server 2016). The basic problem is that Windows is not creating the required self-signed certificate, and therefore the AD attribute "userCertificate" is empty. As we know, while it is empty, the objects do not get synced to Entra ID. (A Mobile Attempt: Azure AD Hybrid Join and the UserCertificate Attribute)

And I can't find out why this certificate is not created. As mentioned, it affects only some Server 2016 machines, which are our RDS Terminal Servers. All other Windows Servers and Clients are successfully synced and have a userCertificate (including other Server 2016). All our servers are VMs, based on VMware.

Some more words about these RDS Servers: they are cloned from a VMware template. The deployment process is as follows:
- On a Master VM we install all updates / software
  - It is domain joined and has a userCertificate
- Master VM gets converted into a VMware template
- New RDS TS are created from this template
  - With a configuration to reset SID and automatic domain join
  - They have no userCertificate

Test lab for troubleshooting
I created some new VMs to test and verify the behavior. Here is what I did:
- Installed a new Windows Server 2016 VM from DVD
- Installed all latest updates
- Converted it into a VMware Template -> Srv2016_Template
  - This should be my new template for Server 2016
- Created a new VM from this template: Srv2016RDSMaster
  - Used a configuration to generate a new SID and automatic domain join
  - This should simulate my Master template for new Terminal Servers
  --> It has a "userCertificate" in its AD Object
- Converted it into a VMware Template
- Created a new VM from this template: Srv2016RDS01
  - Used a configuration to generate a new SID and automatic domain join
  --> It has no "userCertificate" in its AD Object

Troubleshooting steps

Networking
- No proxy, direct Internet
- No DENY on our firewall -> Internet available
- Verified that these URLs are accessible:
  https://enterpriseregistration.windows.net
  https://login.microsoftonline.com
  https://device.login.microsoftonline.com
  https://autologon.microsoftazuread-sso.com

Active Directory and Infrastructure
- Service Connection Point (SCP) is set in the forest and has the tenant name and ID (otherwise no computer would be synced)
- GPOs are not linked to the OU in which the computers are

Local troubleshooting on the VM
- Scheduled Task for "Workplace Join" is enabled and runs
- dsregcmd /status
- EventLog - "Application and Service protocols" -> "Microsoft" -> "Windows" -> "User Device Registration": two errors, each time the Workplace Join task starts:

Sysprep
- Also tried a sysprep on the VM, rebooted, manually joined it to AD --> Still no userCertificate
- Tried the same again and also deleted the AD object --> Still no userCertificate

Activated TLS 1.2
- Enable TLS 1.2 on servers - Configuration Manager | Microsoft Learn -> no effect

Articles I read and verified
- Plan your Microsoft Entra hybrid join deployment - Microsoft Entra ID | Microsoft Learn
- Configure Hybrid Azure AD Join - Everything you need to know
- A Mobile Attempt: Azure AD Hybrid Join and the UserCertificate Attribute
- Troubleshoot Microsoft Entra hybrid joined devices - Microsoft Entra ID | Microsoft Learn

My conclusion
I guess it has something to do with Server 2019. Why I am saying this: I have tested the same setup with an old, existing Server 2019 template (created "Master VM" -> converted into template -> created VM from this template) --> all VMs have userCertificates in their AD object.

So I would be glad if someone has ideas about it.

Thanks,
Chris

Group writeback doesn't sync back to Entra
Hi all, I can't find documentation on whether this should actually work or not. I enabled group writeback, which works fine. Now if I add a user to one of those groups in local Active Directory and sync the user to Entra, the user isn't a member of the group there. Might be just normal behavior, but it would be nice if it did sync.
Recent Blogs
- Dec 20, 2024: We're excited to provide an update on timing and billing clarifications for the Microsoft Entra ID Governance for guests add-on, following up on our previous blog post about Microsoft Entra ID Govern...
- Dec 19, 2024: Read the latest announcements on the deprecation of Azure AD PowerShell and MS Online modules.