Recent Discussions
SCIM provisioning - custom app authentication
Hi, in the documentation for handling endpoint authentication, two methods are given: 1) a "long-lived token" (i.e. a secret key that has to be pasted in the clear by the admin); 2) "Microsoft Entra bearer token" - similar to other services (e.g. callbacks for MS Teams bots), Microsoft signs the outgoing calls, and the app being provisioned can validate them against Microsoft's public keys. To me, option (2) is by far the best - each message is signed individually, there is no manual handling of secrets, etc. As said in the documentation - "Apps that use Microsoft Entra ID as an identity provider can validate this Microsoft Entra ID-issued token." - great! So why on earth does it then say "The token generated by the Microsoft Entra ID should only be used for testing. It shouldn't be used in production environments."? Why not? The whole system of Entra bearer tokens is only for test? And production should go back to secret keys, with all the problems they have? It doesn't seem right... What am I missing here?

Group writeback doesn't sync back to Entra
Hi all, I can't find documentation on whether this should actually work or not. I enabled group writeback, which works fine. Now if I add a user to one of those groups in local Active Directory and sync the user to Entra, the user isn't a member of the group there. Might be just normal behavior, but it would be nice if it did sync.

'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug
Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app is not able to be excluded from Conditional Access (CA) policies and is caught by 'All cloud apps', which breaks secure zero-trust scenarios and CA policy configurations. The best way to demonstrate this is through examples...

----Example 1----
Environment:
CA Policy 1 - 'All cloud apps' requiring hybrid/compliant device, but excluding [App] (for all non-guest accounts)
CA Policy 2 - [App] requiring MFA only (for contractor accounts, etc.)
CA Policy 3 - [App] requiring hybrid/compliant device (for internal accounts, etc.)
SSPR registration enforcement (Password reset > Registration) - set to 'Yes'
MFA registration enforcement (Security > Authentication Methods > Registration campaign) - set to 'Enabled'
Scenario:
A new user requires access to web [App] on an unenrolled device and is assigned an account that falls under CA Policy 1 and 2; however, [App] is excluded from 1 and it shouldn't apply to this login. When accessing [App] for the first time, users must register SSPR/MFA. They see the below message, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/passwordreset/register.aspx: Then they see this screen, which will block the login and try to get the user to download the Company Portal app: While behind the scenes, the login to [App] is being blocked by 'Microsoft App Access Panel' because it is seemingly added to the login flow and caught in CA Policy 1 in Req 2/3: CA Policy 1 shows as not applied on Req 1, CA Policy 2 shows as successful for Req 1/2/3 and CA Policy 3 shows as not applied for Req 1/2/3. Creating a CA policy for the 'Register security information' user action has no effect on this scenario and also shows as not applied on all the related sign-in logs.
----Example 2----
Environment:
Same as above, but SSPR registration enforcement - set to 'No'
Scenario:
Same as above, but when accessing the [App] for the first time, they see the below message instead, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/proofup.aspx: Then they are directed to the combined SSPR/MFA registration experience successfully: The 'Microsoft App Access Panel' doesn't show in the sign-in logs and the sign-in is successful after registration.
From the two examples, it seems to be a bug with the SSPR registration enforcement and the combined registration experience.

----Workarounds----
1 - Prevent using 'All cloud apps' with device-based CA policies (difficult, requires redesigning/rethinking/testing policies, could introduce new gaps, etc.)
2 - Turn off SSPR registration enforcement and turn on MFA registration enforcement like in example 2 (easy, but only enforces MS MFA App registration, doesn't seem to re-trigger registration if the MS MFA App is removed, no other methods are supported for registration, and doesn't remind users to update)
3 - Disable SSPR entirely for affected users (medium depending on available security groups, and doesn't allow for affected users to use SSPR)

----Related links----
Be able to exclude Microsoft App Access Panel from Conditional Access · Community (azure.com)
Support conditional access for MyApps.microsoft.com · Community (azure.com)
Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal" - Microsoft Community Hub

MS, please either:
1 - Allow 'Microsoft App Access Panel' to be added to CA policies so it can be excluded
2 - Prevent 'Microsoft App Access Panel' from showing up in the CA login flow when SSPR registration enforcement is enabled

Passwordless app notification not pushing into iOS notifications (app must be opened manually)
When switching to passwordless authentication, the Microsoft Authenticator app does not generate a push notification in the iOS notification center. When I open the Microsoft Authenticator app, the number matching prompt is displayed, so the sign-in works as expected, but I don't get a push notification from the app. The strange thing is, when I disable the passwordless method and fall back to password + push notification with number matching, then Microsoft Authenticator generates the push notification in the iOS notification center. How could I troubleshoot that issue?

Exception in conditional access policy for "Windows app - macOS"
Hi, I'm trying to restrict all Enterprise resources to Cloud PCs only and therefore have a CAP in place that restricts access to all apps to Cloud PCs only. Naturally I have to provide an exception for the Remote Desktop app so that end users can connect from their private endpoints to the Cloud PC. Here's the problem though. While I can find an exception for the Windows Remote Desktop app, this exception doesn't apply to macOS, and when looking at the sign-in logs the policy locks out "Windows App - macOS" with the app-id 63896e48-3d27-4ce2-9968-610b4af62c5d. Neither "Windows App - macOS" nor 63896e48-3d27-4ce2-9968-610b4af62c5d is findable in the application list for CAP exceptions. Is there a workaround or will this be made available?
Maxim

Guest accounts and MFA via Conditional Access in MS Entra
Hi experts, trying to get some help on my scenario and an issue that external users started to experience since I've enabled MFA for external identities & guest users via Conditional Access. We have lots of external partners that we share some documentation with from our SharePoint. Some time ago, I enabled "MS Entra B2B Integration for SharePoint and OneDrive" so that any external user that accesses shared files/folders in our SharePoint gets a GUEST account created in our tenant. This was also preparation for enabling MFA for external users via Conditional Access. I believe these are called "B2B Collaboration guests". Now, a few days ago, I enabled MFA via Conditional Access for all external users and guests, enabled for all cloud apps and requiring MFA to grant access. So far, I got feedback from two external partners that their existing access doesn't work anymore - and they need to go through MFA (which is expected). The problem is that when they go through MFA set up, it ends up in a "loop" - meaning, they go through all steps but when completing the last step they are returned back to the very 1st step again. So they:
- scan the QR code
- successfully authenticate
- get the page that it was successful
- get back to the 1st step asking to install or use the MS Authenticator app
The user tried different browsers, also with Incognito tabs... When I am checking sign-in logs:
- the guest account is created fine
- the status is: "Interrupted"
- additional details: The user was presented options to provide contact options so that they can do MFA.
- the conditional access policy forcing MFA is marked as FAILED as MFA was not completed
Both external partners that reported this are using MS Entra and I see their IDENTITY as ExternalAzureAD. I have not heard back from anyone using anything other than ExternalAzureAD, so I'm not sure if there is something extra that needs to be configured. Has anyone experienced this issue? Any idea what can be wrong?
I do not have any cross-tenant collaboration etc. configured...

Failed authentication with SAML Certificate
When I create a new Enterprise application and set up SAML-based SSO, the token signing certificate (Base64) I get fails to log my user in to my application. I have to re-upload the certificate for a successful login request. This has started happening often.

User and Permissions Management Issues in Microsoft Entra ID (Assigned Roles)
Hello everyone, I'm encountering some challenges with user and permission management in Microsoft Entra ID. Here are the main issues I'm facing:
Revoking Local Administrator Permissions: After removing a user from the Local Device Administrator group in Microsoft Entra, the device continues to recognize the user as an administrator, even after multiple synchronization attempts. What's the recommended procedure to force a permissions update on the associated devices?
Device Join Issue via PowerShell: I'm trying to join a device to Microsoft Entra ID using PowerShell with the command dsregcmd /join to force a policy update, but I'm encountering the following error: Error 0x80041326: "Failed to schedule Join Task. Error: 0x80041326." Does anyone know how to resolve this issue or have suggestions for an alternative approach to join the device or enforce the policy? I've checked permissions and task scheduling services, but the problem persists.
Has anyone experienced similar issues or has suggestions on how to address these challenges? Any advice would be greatly appreciated! Thanks so much in advance!

Can I configure authentication to be application specific?
Hi Community, I've been searching but could not get an answer. Here's my scenario, for which I hope someone can point me in the right direction or to documentation. The organisation's Microsoft Office 365 uses an external IdP (let's say Okta) for federated login. Now I have a separate application registered via the Entra admin centre using App registration, and the requirement is to have it use the Microsoft passwordless authentication method for login. After I did all the necessary OIDC config for this new app, testing the application login led me to the external IdP for authentication. I guess that's because the Microsoft tenant is configured to use the external IdP as default. Is there any way I can configure application-specific authentication? e.g. O365 uses the external IdP for authentication while my custom app uses Microsoft passwordless login, and other apps may use some other login mechanisms. Users for all apps are the company's employees. Any guidance is much appreciated. Thank you.

OTP Code via SMS from non-Microsoft number
Hi Microsoft Team, Good day! For a few weeks now, many people around me have been receiving their OTP code for MFA via SMS, often from unknown senders (non-Microsoft phone numbers). The sender of the SMS doesn't use an official Microsoft phone number and "Microsoft" is not displayed as the sender. I would like to request assistance on how to verify that these numbers are legitimately from Microsoft: 41 79 998 76 61 and 4915758307532. Many thanks for your help.
Kind regards,
Rosine

Dynamic group membership rules stopped working
We've been using the following dynamic membership rule to check if a user is a member of another group: user.memberOf -any (group.objectId -in ['2b930be6-f46a-4a70-b1b5-3e4e0c483fbf']) The group is an Active Directory group that is represented in Entra with the stated Entra group object Id. The validation fails for every user and looks like this: It seems that all our dynamic groups are affected and stopped working. Have you seen this before? Thanks.

Conditional policies for access to SharePoint and Files (not Apps)
Hi Team!! I'm looking for a way to restrict SharePoint access from outside of my office network (typically using the static public IP address). My understanding is that to do so, I require configuring conditional access policies in Azure (which in turn requires an Entra ID P1 license for each user). Is my understanding correct? If so, do I have to license each and every user to do so? The other clarification I'm looking for is: does a conditional access policy apply universally to all users when enabled, or only to those with an Entra ID P1 license? The reason for this clarification is that I tried applying this using a trial license by setting up a policy to block SharePoint access outside our office network, but it ended up applying to all users instead of the ones with the trial license assigned. Further, I noticed that setting this policy blocks the entire Microsoft Teams app as well, whereas my objective is to limit access to the files in Teams as they are part of SharePoint. Is there a way to control access to SharePoint files in Teams without blocking the whole Teams app? Do let me know if I'm doing something wrong here.

Report conditional access policies and sign-in logs
I would like to create a PowerShell report about the relation between sign-in logs and the conditional access policies. For me it is important to see the effects of the conditional access policies (in report-only mode) on the user sign-ins. Thank you for your support.

New role recommendation: Read Only Exchange Admin
To fully leverage PIM, we are transitioning to Entra roles wherever possible. We wish we could get off of customized Exchange RBAC roles, but the Exchange Recipient Admin role lacks access to information like mail flow rules, which is essential for troubleshooting mail delivery issues. We would appreciate the introduction of a read-only role that allows viewing all information in Exchange without the ability to make changes.

Members of a privileged access group can't validate dynamic group membership
Hi All, does anyone know when this ability will be rolled out to members of a PAG with the Group Administrator role? Currently we are rolling out a PIM implementation using access packages to control PIM roles using privileged access groups, following the least privilege model. Although this has worked well so far, we have an issue with admins who have the Group Administrator role via a PAG not being able to validate a dynamic group membership rule. I know this feature is currently in preview, but I was wondering if this is on Microsoft's roadmap to resolve before the preview is completed. As our admins use this feature a lot, we are currently having to assign this role as eligible to a user via PIM, which defeats the object of using the entitlement management access packages controlled via PAGs.
Rgds
Lee

Enable MFA for external identities in MS Entra
Hi all, I am planning to enable MFA for guest accounts and external identities using Conditional Access in MS Entra. I am however wondering how I can select what authentication methods they can use - or what the default behaviour would be. Currently, I am still using legacy MFA for internal users. I will migrate MFA to MS Entra later this year; however, I'm not sure how this works when enabling MFA for external users. As I do use legacy MFA, my setting in "Authentication methods > Policies" has MS Authenticator set to NO. Now, do I need to switch MS Authenticator to YES if I want guests to use that app? And if I enable it, how do I assign it to external identities only? I do not see that kind of option there at all... I can assign it to all, for example, but I am not yet ready to migrate internal users as well... Would be happy to get some clarification on this. Thank you.

License for Multi Tenant Setup
Scenario: User R is part of Tenant A and has an M365 license. Tenants A and B are cross-synced. Would User R need an M365 license from Tenant B to operate on files stored in Tenant B?
Scenario: User M is an external guest of Tenant B. Would User M need an M365 license from Tenant B to operate on files stored in Tenant B?

New Blog | Manage Microsoft Entra ID role assignments with Microsoft Entra ID Governance
By Joseph Dadzie
I'm excited to announce that we now support Microsoft Entra role assignments in Microsoft Entra ID Governance's Entitlement Management feature! To ensure least privilege, many of you are using Privileged Identity Management to provide IT administrators just-in-time (JIT) access to the least privileged role assigned. This approach allows you to minimize the attack surface in your organization by reducing the number of permissions IT administrators have. However, some admins in your organization may require long-standing permissions coupled with other resources, like specific applications.
Read the full post here: Manage Microsoft Entra ID role assignments with Microsoft Entra ID Governance

New Blog | Meet Microsoft Entra at Ignite 2024: November 18-22
By Irina Nechaeva
Microsoft Ignite is just around the corner, taking place from Monday, November 18, 2024 through Friday, November 22, 2024, in Chicago, Illinois and digitally. This event is the ultimate gathering for IT and Security professionals, developers, and business leaders from every corner of the world. During Ignite, dive into the latest AI innovations for AI transformation to learn from the brightest minds in the industry. Plus, discover solutions to help modernize and manage intelligent apps, protect your data, supercharge productivity, and expand your services. You'll also have endless opportunities to network with partners and grow your community or business. While in-person passes are sold out, you can still register to participate online. This year, we're thrilled about our sessions on Microsoft Entra. These breakouts are your all-access pass to not only hear about the cutting-edge advancements in identity and access management (IAM), but also to engage with Microsoft Entra experts and team members behind these innovations. Whether you're curious about advancing your Zero Trust architecture with identity and network, delving into the latest advancements in generative AI for securing access, or exploring our unified approach to identity and network access controls, we've got you covered!
Read the full post here: Meet Microsoft Entra at Ignite 2024: November 18-22

EntraID account on Windows 11 being started under a TEMP user profile
I have an EntraID user on Windows 11 (Intune managed). The user is the "primary user". The user started experiencing login issues where "user name or password not recognized". The password was reset in EntraID. The PC recognized the new password and allows the user to log in, BUT the account profile is mapped to C:\Users\TEMP and not to their normal C:\Users\<UserName> profile. How do I reconnect the user with their profile?
Recent Blogs
- Special licensing and pricing for business guest use. (Nov 19, 2024)
- With Microsoft Ignite 2024 kicking off in Chicago, we're excited to share the latest updates to our identity-centric Security Access Service Edge (SASE) ecosystem, which accelerates your Zero Trust i... (Nov 19, 2024)