Forum Widgets
Latest Discussions
Prefill Username for Authentication
Good morning, We have a landing page for two different tenants with different domains. For example, xyz.com and other.xyz.com. I want to create logic for a landing page where the user enters their name as email address removed for privacy reasons and is routed to the authentication for the appropriate tenant. That part is fairly trivial. The user is then presented with a dialog asking for their username and password by the EntraID IDP. Is there a way to prefill the username to eliminate the need to enter the password twice? Best regards, Scottpossible to prevent users from selecting security groups?
We have some AD synced and cloud only security groups with large memberships (think 'all employees', 'all contractors' etc) that are used for various administrative purposes. Is it possible to hide those groups or prevent users from selecting them to 'secure' their objects such as SharePoint sites and Power Apps?
Conditional Access with Cloud PC?
Hi, Has anyone solved this, I have a CAP that allows users to login only from compliant devices. But we have a strategy that we can use our cloud PC's in azure when we are working from home on our personal devices. I therefor want to exclude cloud pc from compliant device but i cannot get it to work. Any solutions to this?
Reset guest redemption status not possible after creating Multitenant Organization (MTO)
Hi all, we're on the path to creating a Multitenant Organization (MTO) for our global organization. We already have a relationship with one partner tenant which has B2B Collaboration and B2B Direct Connect set-up and is working well. We took the step of creating a Multitenant Organization in our 365 admin center and started testing with a sandbox tenant, which has since been removed. The issue we are having now, is that guest users which are not part of B2B Collaboration or an MTO cannot have their redemption status reset. I first found this wasn't possible from the error in a Power Automate workflow using Microsoft Graph, then confirmed I got the same error in Entra ID. The documentation for MTO was updated a few days ago and includes this, saying that as part of a multitenant organization, reset redemption for an already redeemed B2B user is currently disabled. But should this be the case for guest users not part of B2B Collaboration or Multitenant? Is this an error or expected behaviour, I wonder? Thanks!
Issues with Passkey Login Hanging on "Connecting to Your Device"
Hi everyone, I'm currently working on enabling passkey login for some users. I have a test account where I enabled the passkey and enrolled it in Microsoft Authenticator. However, when I try to log in and scan the key, it hangs on "connecting to your device." Has anyone encountered this issue before? How can I find the root cause, and which log would show what might be blocking me? Thanks in advance for your help!
Entra ID FIDO2 with multiple accounts returns "something went wrong" for the first sign-in attempt
I am finding there seems to be a bug possibly with Entra ID authentication when using FIDO2. In a scenario where a user has multiple accounts registered on their FIDO2 security key or Microsoft Authenticator in the same tenant, the first time they sign in the authentication process only sees one account. For example, an IT staff member may have a separate account used for administrative access. The first authentication attempt returns Something went wrong, trying again shows both accounts registered on the FIDO2 device, and the login is successful. I am able to consistently reproduce this with both a hardware FIDO2 token and using Microsoft Authenticator Cross-Device authentication on Android. This happens when authenticating to the Azure Admin portal, some Microsoft 365 PowerShell modules and some 3rd party applications. Interestingly it seems that possibly a newer authentication library for developers fixes the problem. I used to have the behavior in Exchange Online PowerShell, but the most current version of it never has the problem. Does anyone else see this behavior?Using Conditional access to create a geo-fence - not applying policy
Good day community. In our tenant, we are getting login attacks on some of our accounts. We have enabled MFA, but would like to stop these attacks before authentication starts. Our employees mostly work from a single country, so geo-fencing should be a good solution to implement. Some examples of the attacks below: We implemented conditional access policy for all our accounts in our organisation. We created Named Locations for where it is safe to work from (our country) and created another location for all other countries. Example of this below: The conditional access policy should block all connections from the rest of the world to authenticate to our tenant: Unfortunatly, the attacks on our account(s) are still coming through and the logs says conditional access is not being applied. The "view policy impact" report also shows that 100% is not applied. What are we missing? Thanks!
Two Severity A Cases Ignored for Days
Hello, We are trying to understand the status of the Azure support department. We currently have two Severity A issues open; one has been pending for 6 days without a response, and the other for 11 hours without a reply. We are on the STANDARD support plan, which promises responses within a few hours at most, but this has not been the case. Any advice would be greatly appreciated.Passwordless failing on Work Profile Authenticator
Seeing an odd issue when attempting to enable passwordless using the Microsoft Authenticator app on an Android phone. The policy is definitely applying as we're seeing other indicators such as geo location and app information in the MFA request, but when we attempt to enable passwordless for that account it returns "Device not registered". Device is corporate in Intune and showing recent last checking time. When we use the Authenticator App outside of the work profile it works fine. Possibly an App Protection policy causing it to fail? Although I don't see Microsoft Authenticator in the list of apps targeted by App Protection policy. Also our CA policy indicates "one of" for corporate or require app protection policies and the device is definitely enrolled using work profile. Anyone else come across this or have ideas?Cross-tenant synchronization and resource access
Hello My company is investigating options pertaining to the separation of a splitting a set of users into a separate Entra ID tenant. This is being driven from a political and governance perspective whereby a portion of the organisation is looking to split away from the conglomerate for their cloud identifies only (not the on-premises AD). They effectively want their users and Entra ID identities to be moved to a new Entra ID tenant however still want to maintain access to the source tenant resources and applications for a period of time (potentially ongoing). For the purpose of my questions, assume that: existing on-premises domain is orga.internal existing EntraID tenant is OrgA.onmicrosoft.com new EntraID tenant is OrgB.onmicrosoft.com Ultimately the goal is to migrate user identities, their M365 license and mailbox to OrgB.onmicrosoft.com whilst still enabling them to access the cloud resources attached to OrgA.onmicrosoft.com. Looking at the capabilities of the cross-tenant synchronisation service to sync users from OrgA.onmicrosoft.com to OrgB.onmicrosoft.com, I'm not sure if this will meet my requirements as it will effectively sync the users from OrgA.onmicrosoft.com to OrgB.onmicrosoft.com as B2B guests. Is that correct? If my understanding is correct what we really need to do is: Migrate EntraId identities and mailboxes to OrgB.onmicrosoft.com, removing the OrgA.onmicrosoft.com account in the process Use cross-tenant synchronisation to sync the new OrgB.onmicrosoft.com identities back to OrgA.onmicrosoft.com as B2B guests whereby access to resources is provided to the guest account. If this is correct then is it technically supported to have multiple instances of Entra ID Cloud Sync synchronsing a subset of the orga.internal users to Entra ID OrgB.onmicrosoft.com whilst another instance of the Cloud Sync continues to sync orga.internal users to the existing OrgA.onmicrosoft.com EntraID tenant? I can't seem to find any reference to this architecture in the MS doco. I can see this scenario references in the legacy Cloud Connect doco but not the newer Cloud Sync agent doco. Any advise is appreciated.
