Forum Widgets
Latest Discussions
Warning: PIM disconnects users from Teams Mobile
I have been working with Microsoft Support on this issue for three months. Hopefully I can save others the trouble. Sometime around April 2024, I and my colleagues started seeing regular alerts on our mobile devices saying "Open Teams to continue receiving notifications for <email address>", or "<email address> needs to sign in to see notifications". Just as promised, after this message appears, we do not get notified about messages and Teams calls do not ring on our mobile devices until we open Teams. We eventually determined that these alerts coincided with activating or deactivating PIM roles. Apparently, a change was made to Privileged Identity Management in Microsoft Entra ID around that time whereby users' tokens are invalidated when a role is activated or deactivated. Quoting the Microsoft Support rep: "When a user's role changes (either due to activation or expiration), Skype AAD[?] will revoke existing tokens of that users. Skype AAD will also notify PNH about that token revocation. This is expected behavior and is working as designed. These changes were rolled out in Skype AAD in April/May 2024 which is since when you are facing the issue as well." Anyway, as far as I can tell, this change was not announced or documented anywhere, so hopefully this message will show up in the search results of my fellow admins who are dealing with this.
Graph API for Entra App Launchers
Hi, We are currently rolling out hundreds of App Proxy apps and want to use the MyApps portal as a dynamic Start Menu for our users. For now there is a possibility to manually add apps to App Launchers for users to click on, but i cannot find any possibility to do this using any sort of pipeline or automation. Is there somebody over here that has managed to add Applications to App Launchers / Categories programmatically ? And if yes, can you please share how? Kind regards, RenéUnable to modify SSO with External Member account
Hi everyone, Our client is using their Work force tenant accounts to manage the External ID tenant. The accounts are initially created as External Guests on the External tenant and then converted to External Members. However, they encounter the following error when attempting to modify SSO for some applications: When we convert the admin account back to a guest account, it works. This issue doesn't occur with all applications, only some of them. Additionally, we have a test tenant where we cannot reproduce the issue. Do you have any idea why this is happening? Also, is it possible to open support tickets for External ID? Under the "New support request" option, I can only see options for Billing and Subscription management. Thanks a lot, Dario
RDP Issue when connecting to remote client
Has anyone else experienced an issue where they are connecting to a remote client through Microsoft secure access and it takes multiple (between 5 and 10 ) times to get the connect to prompt for credentials? I am part of a team and my 2 other colleagues on different machines are having the exact same issue with connecting via rdp to a remote desktop.
Kid finds a way into my account using an old PIN
I have set up parental controls. Somehow my sone managed to find the password logged in the Microsoft Familly app and changed the settings at will. I have changed my password in the meantime but he found an easy way around it as he selects use other methods to sign in and then selects PIN, inputs my old PIN and he is back in. How is this possible? I have changed the password, I have changed the PIN, turned on 2FA and reset Windows Hello and he just goes around all this in one go by introducing my old PIN. Is there a fix for this ?
Global Secure Access client - connection problems
We have permanent problems connecting our Windows Clients with the GSA Client. The Health Check shows among other things, "No Hyper-V external virtual switch detected. : False" The Client has no Hyper-V Network adapter or Service installed. Very strange. Other Windows event Log entries are: - Device token acquisition failed with the following error: Failed receiving token due to network unreachable. - User token acquisition failed with the following error: WTSQueryUserToken failed with error code 1008. - Error occurred while requesting a new forwarding profile: Der angegebene Host ist unbekannt. (aps.globalsecureaccess.microsoft.com:443). Request Parameters: Microsoft Entra Device ID:Disable Windows Hello AND Remove Existing PIN
Previously, after setting up Windows for an Azure AD user, it would give me a prompt saying that my organization requires a PIN for Windows Hello. I would hit next, then close the dialog asking for the PIN, and it would say there was an error or something, I'd hit OK and I'd be in Windows with no further Windows Hello harassment until I restarted. Once I got the device enrolled in Intune, it would apply the policy I have a policy that disables Windows Hello. However, a recent update to Windows seems to have made it impossible to bypass setting up a PIN. Because I can't enroll the device in Intune during the Windows Setup, the disable policy doesn't apply until after the PIN is established on the account. Once the PIN is set up on a Windows Account, it is not removed when Windows Hello is disabled via Intune/GPO, and it is seemingly impossible to remove manually. The only lead I've been able to find is to delete this folder: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC\. However, Windows simply is not letting that happen, even after taking full ownership of the folder as a local admin. My only workaround is to first setup the device authenticating with my own account which will have the PIN. Then enroll in Intune with the user's account to their policies applied and Hello disabled. Then create the local admin account. Then add the users account. Then log into the local admin account and delete my account. Finally, log into the users account to create shortcuts and do QA. We use Bitlocker with a PIN that effectively does the same thing as Windows Hello with a PIN, except it also encrypts the disk. So I really don't see what it brings to the table besides a redundant password for users to memorize and extra help desk work when they forget it? How do I get devices configured without adding a bunch of work to get around Windows Hello?Passwordless failing on Work Profile Authenticator
Seeing an odd issue when attempting to enable passwordless using the Microsoft Authenticator app on an Android phone. The policy is definitely applying as we're seeing other indicators such as geo location and app information in the MFA request, but when we attempt to enable passwordless for that account it returns "Device not registered". Device is corporate in Intune and showing recent last checking time. When we use the Authenticator App outside of the work profile it works fine. Possibly an App Protection policy causing it to fail? Although I don't see Microsoft Authenticator in the list of apps targeted by App Protection policy. Also our CA policy indicates "one of" for corporate or require app protection policies and the device is definitely enrolled using work profile. Anyone else come across this or have ideas?Prefill Username for Authentication
Good morning, We have a landing page for two different tenants with different domains. For example, xyz.com and other.xyz.com. I want to create logic for a landing page where the user enters their name as email address removed for privacy reasons and is routed to the authentication for the appropriate tenant. That part is fairly trivial. The user is then presented with a dialog asking for their username and password by the EntraID IDP. Is there a way to prefill the username to eliminate the need to enter the password twice? Best regards, Scott
