Recent Discussions
Creating SSO Application using Microsoft Graph
I'm attempting to create SSO applications using Microsoft Graph to migrate from ADFS. "Microsoft.Graph.Models.Application requestBody = new Microsoft.Graph.Models.Application { IdentifierUris = new List<string>() { appURL }, DisplayName = appName, Web = new Microsoft.Graph.Models.WebApplication { RedirectUris = new List<string> { appURL }, } }; retVal = await graphClient.Applications.PostAsync(requestBody);" My URI requires a trailing slash. When I try to use the trailing slash I get the error: "Application alias 'https://xxxx/aspx/xxxx/' value is invalid." I tried editing my realm to remove the trailing slash, and the redirect URI, e.g. https://xxxx/aspx/xxxx, but removing them causes sign-in issues. If I edit the the Identifier URI in the Entra ID portal, to add the trailing slash, I am able to sign in and use the application. Though it is a solution, I need to use the application to enter close to 240 applications total between all of our environments. Anyone run into this and have ideas I can try? Thanks.
Fetch Email of Login User Using Command or Script
Dear Team, We are working on retrieving email address of the user joined to Entra ID from Entra-joined Windows devices, specifically while running in a system context.The whoami /upn command successfully returns the joined user’s email address in a user context, but it does not work in a system context, particularly when using an elevated terminal via the psexec utility. We also tested the dsregcmd /status command; however, in a system context, the User Identity tab in the SSO State section only appears when there is an error in AzureAdPrt. Under normal, healthy operating conditions, this command does not provide the user identity or the full domain username. We would greatly appreciate guidance on how to retrieve the Entra ID joined user’s email address in a system context, especially from those with prior experience in this area. Thank you for your support.
Windows Live Custom Domains causes Entra account lockout
Hi everyone, we have an on-prem AD connected with EntraConnect to EntraID since about 3 years. We only sync users and groups, no password hash or anything else. Since a few days 4 (out of about 250) users are constantly being locked out due to failed login attempts on an Application called "Windows Live Custom Domains". All 4 users are locked out not at the same time but within 30 min to an hour. This happens multiple times a day. As far as I was able to investigate Windows Live Custom Domains is a service no longer offered by MS or has been replaced with something else. How am I able to find out where this failed login attempts come from? If someone could point me in the right direction I would be very happy. Thanks Daniel
Exclusion of Copilot App (for O365) from Conditional Access Policies does not work
Hi, we've built a Conditional Access Policy in EntraID that forces MFA for all Cloud Apps. We want to exclude "Microsoft 365 Copilot"/ "Copilot App" so no Reauthentication is necessary for Copilot in the frame of accessing O365 content. Exclusion has been made for a range of identified Copilot applications that are shown in Sign-in logs. However, reauthentication still pops up. No other conditional access policy is applied. It's this specific policy that requires reauthentication. What's the reason why the exclusion does not work? Is there something else necessary to be taken into consideration so the exclusion works fine? Many thanks in advance!
External ID login page not showing identity providers
I am trying to create a login flow using an custom OIDC identity provider, but the login page is just showing a prompt for email and password without a way to log in using the external identity provider. I have configured the identity provider in Entra, and created a new user flow that should include the identity provider. Additionally, when an application is added to the user flow, any login using that application shows an error saying "We couldn't find an account with this email address" when trying to log in with a user that was working previously. I'm not sure if this is related to the missing identity provider or not. Is there a way to fix this? Any help is appreciated!Access Package Assignment Issue
Hello, We have an access package that was functioning properly in the past, but the assignment process has stopped working. The issue started on August 22; the last successful assignment was on July 29. When attempting to manually assign the access package to an external user, we receive the following error: "You don't meet policy requirements to request this entitlement." Additional details: The configuration of the policy has not been changed. Users who can request access is set to “None (administrator direct assignments only)”. Changing the “Enable new requests” setting (enabled/disabled) does not resolve the issue. Expiration is set to 90 days. This access package is intended for external users, but I tested assigning it to an internal user and it works correctly. At this point, I do not have additional information about what might be causing the issue. Could you please help us identify the root cause and suggest next steps? Thank you for your assistance. Kind regards,
Email OTP not working for guest users
We have to enable MFA using Email for some guest users accessing some of our Entra applications. Guest users are from other Microsoft tenants, B2B collaboration users. We have it all set up in the Authentication methods and in Conditional access policies. Also excluded this user's security group from System-preferred multifactor authentication. When the guest user connects to the application or to the tenant portal, it's still prompting to register for MFA using authenticator App. how can we make it to use an email one-time code please ? Issue: Screenshots of the settings below:
MFA breakglass account recommendations?
Hi folks. Looking at the new Authentication Methods settings, and trying to consider the scenario where someone disables all of these methods by accident. We require MFA on all accounts (using the 'require MFA' param of Conditional Access). If these are all disabled, there's no MFA method available... Trying to think of ways around this, for that situation. Things I've considered - cert based auth, telephone auth, etc - all require the corresponding auth method to be enabled. How should this be handled?Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community HubHow to resolve "AADST55203" error: Multi-factor authentication configuration blocked
{ "error": "access_denied", "error_description": "AADSTS55203: Configuring multi-factor authentication method is blocked. Trace ID: Correlation ID: Timestamp: 2025-09-17 20:48:30Z", "error_codes": [ 55203 ], "timestamp": "2025-09-17 20:48:30Z", "trace_id": "", "correlation_id": "", "suberror": "provider_blocked_by_rep" } SMS authentication method was previously configured in our B2C Entra and was functioning correctly until last week, when it suddenly stopped working. Currently, users can only authenticate via email. Conditional Access policy is also in place that requires Multi-Factor Authentication (MFA).Exclusion of Microsoft Edge Browser from Conditional Access Policies does not work
Hi, we've built a Conditional Access Policy in EntraID that forces MFA for all Cloud Apps. We want to exclude Microsoft Edge Browser so no Reauthentication is necessary for MS Edge Browser. Exclusion has been made for the "Microsoft Edge" application with the following App ID: ecd6b820-32c2-49b6-98a6-444530e5a77a However, reauthentication still pops up. No other conditional access policy is applied. It's this specific policy that requires reauthentication. What's the reason why the exclusion does not work? Is there something else necessary to be taken into consideration so the exclusion works fine? Many thanks in advance!API-driven provisioning field mapping changes resynchronize all users and groups
We have configured API-driven provisioning for on-premises Active Directory, along with Azure AD Connect, to synchronize on-premises AD users with Azure Entra ID. As part of the provisioning setup, we have used a separate Organizational Unit (OU) in on-premises AD (designated as the default OU for new users) while configuring API-driven provisioning. We are attempting to make some changes to the API field mapping, specifically the ‘UserPrincipalName’ regular expression (custom domain) and the ‘manager’ field, and saving the configuration. Upon attempting to save, a prompt appears (as highlighted below screenshot), indicating that this action will resynchronize all users and groups. Could you please clarify: Will this resynchronization update any existing users outside the default provisioning Organizational Unit (OU)? Specifically, what does the resynchronization operation update? For instance, will it modify the 'UserPrincipalName' and 'manager' attributes for all users including old users outside of provisioning Organizational Unit (OU)? Screen Shot - While Saving Mapping.Microsoft Entra Internet Access for iOS in Public Preview!
With the latest update to Microsoft Defender for Endpoint on iOS, Organisations licensed for Microsoft Entra Suite or Microsoft Entra Internet Access will have access to Microsoft's Secure Web Gateway (SWG) and traffic forwarding for HTTP/HTTPS traffic, with support for Web-Content Filtering. This has been a huge win for iOS Mobile Security. Previously, Defender for Endpoint on iOS has supported Phishing Protection, M365 Traffic, and Entra Private Access Traffic. Combined with Global Secure Access Threat Intelligence, which consumes indicators from Microsoft Intelligent Security Graph (ISG), Organisations can implement granular internet access controls on iOS devices with integrated, context aware protection against malicious threats. Excited to hear what you think! Release notes are available hereMicrosoft Entra Connect connecting always to old DC
We are planning on demoting old DC server. When doing checkups I noticed that Entra Connect keeps connecting to this specific DC we'ew planning to demote everytime it connect to Active Directory. So now I'm wondering does this need any additional configuration to keep sync working after DC Demote. I found out that there is option to "Only use preferred domain controllers" but I'm not sure if that's what I want do do. There were the red line is is the old DC to be demoted. "Only use preferred domain controllers" setting. If I enable this setting I got this kind of notice. I don't feel like this is the right way to do it so I canceled at this point.Restrict access to Microsoft Entra admin center
Hi, I know that setting this to Yes isn't considered a Security measure by Microsoft, but I really think that they need to rethink this and give a better warning Entra>Users>User Settings>Restrict access to Microsoft Entra admin center If this is left to, No, which is the default, then any user (Admin or Standard User) is able to access Entra, and for certain things this may be required, but it leaves a huge door open as well for the egress of data. For example, a Standard user can access Entra, select Users and or Devices from the left hand side and export a .csv file with all devices listed and or all Users in the estate listed with a lot of other information in this as well that is included in the exported file. Is there another way to allow users access to the portal to manage Groups or Apps that they are an Owner on (which is one of the reasons that I see for allowing any user to access the portal) but also to dramatically reduce the risk to the business for users also being able to see a lot of other information in Entra that we would not wish users to be able to see or indeed interact with, such as downloading a file of all Devices and Users in the estate.
Recent Blogs
- Accelerate access reviews with the newest Security Copilot agent in Microsoft Entra—now in public preview.Sep 30, 2025
- 3 MIN READExplore how new logging updates in Microsoft Entra bring agent visibility and enriched logs for deeper, more actionable sign-in insights.Sep 22, 2025
