Forum Widgets
Latest Discussions
Workload ID Premium, CAP policies with multitenant apps
Hi everyone This is a quote from the documentation at https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identity Note Policy can be applied to single tenant service principals that are registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. My question - how is this to be understood: Is there a technical limitation that makes it impossible to protect multitenant apps (meaning service principals in all but the home tenant can not be protected by CAP, even with premium licence) Is this strictly licensing perspective - single licence cover the SP in home tenant, while a separate licence is required in each additional tenant where related Service Principal is present ThanksOggyOct 01, 2025Copper Contributor19Views0likes1CommentConditional Access - Non Entra Devices - Exclude from CA
Hey, We are running CA. Everythings runs good. We have one problem. We have a RDS Terminal Server 2022. Employees log from homeoffice into this server to work with our erp or outlook. So here is the problem. Outlook doesnt have access, because this terminal server isn't hybrid joined. Any idea how i can exclude this server from CA? Only idea from me is to exclude OSVersion, but thats not so good solution for me. PeterGodCordialOct 01, 2025Copper Contributor23Views0likes1CommentConditional Access - Block all M365 apps private Mobile Device
Hello, Ive try to block all private mobile phone from accessing all apps from m365, but it wont work. Im testing it at the moment with one test.user@ I create a CA rule: Cloud Apps Include: All Cloud Apps Exclude: Microsoft Intune Enrollment Exclude: Microsoft Intune Conditions Device Platforms: Include: Android Include: iOS Include: Windows Phone Filter for Devices: Devices matching the rule: Exclude filtered devices from Policy device.deviceOwnership -eq "Company" Client Apps Include: All 4 points Access Controls Block Access ----------------------- I take a fresh "private" installed mobile android phone. Download the Outlook App and log in with the test.user@ in the outlook app and everything work fine. What im doing wrong? Pls help. PeterSolved110Views0likes5CommentsWindows Live Custom Domains causes Entra account lockout
Hi everyone, we have an on-prem AD connected with EntraConnect to EntraID since about 3 years. We only sync users and groups, no password hash or anything else. Since a few days 4 (out of about 250) users are constantly being locked out due to failed login attempts on an Application called "Windows Live Custom Domains". All 4 users are locked out not at the same time but within 30 min to an hour. This happens multiple times a day. As far as I was able to investigate Windows Live Custom Domains is a service no longer offered by MS or has been replaced with something else. How am I able to find out where this failed login attempts come from? If someone could point me in the right direction I would be very happy. Thanks DanielHuman_BeingOct 01, 2025Copper Contributor212Views1like5CommentsApplication Owners Pushback to Entra
Hi All I'm running an Entra ID integration and facing a pushback from Application owners to migrate Does anyone have a punchy deck to get the App owners back onboard and willing to migrate Any support is greatly appreciated Best regards BrianBMclearSep 26, 2025Copper Contributor31Views0likes1CommentExclusion of Copilot App (for O365) from Conditional Access Policies does not work
Hi, we've built a Conditional Access Policy in EntraID that forces MFA for all Cloud Apps. We want to exclude "Microsoft 365 Copilot"/ "Copilot App" so no Reauthentication is necessary for Copilot in the frame of accessing O365 content. Exclusion has been made for a range of identified Copilot applications that are shown in Sign-in logs. However, reauthentication still pops up. No other conditional access policy is applied. It's this specific policy that requires reauthentication. What's the reason why the exclusion does not work? Is there something else necessary to be taken into consideration so the exclusion works fine? Many thanks in advance!25Views0likes1CommentExternal ID login page not showing identity providers
I am trying to create a login flow using an custom OIDC identity provider, but the login page is just showing a prompt for email and password without a way to log in using the external identity provider. I have configured the identity provider in Entra, and created a new user flow that should include the identity provider. Additionally, when an application is added to the user flow, any login using that application shows an error saying "We couldn't find an account with this email address" when trying to log in with a user that was working previously. I'm not sure if this is related to the missing identity provider or not. Is there a way to fix this? Any help is appreciated!reedepactSep 25, 2025Copper Contributor372Views4likes7CommentsAccess Package Assignment Issue
Hello, We have an access package that was functioning properly in the past, but the assignment process has stopped working. The issue started on August 22; the last successful assignment was on July 29. When attempting to manually assign the access package to an external user, we receive the following error: "You don't meet policy requirements to request this entitlement." Additional details: The configuration of the policy has not been changed. Users who can request access is set to “None (administrator direct assignments only)”. Changing the “Enable new requests” setting (enabled/disabled) does not resolve the issue. Expiration is set to 90 days. This access package is intended for external users, but I tested assigning it to an internal user and it works correctly. At this point, I do not have additional information about what might be causing the issue. Could you please help us identify the root cause and suggest next steps? Thank you for your assistance. Kind regards,Julien4Sep 24, 2025Copper Contributor126Views1like8CommentsEmail OTP not working for guest users
We have to enable MFA using Email for some guest users accessing some of our Entra applications. Guest users are from other Microsoft tenants, B2B collaboration users. We have it all set up in the Authentication methods and in Conditional access policies. Also excluded this user's security group from System-preferred multifactor authentication. When the guest user connects to the application or to the tenant portal, it's still prompting to register for MFA using authenticator App. how can we make it to use an email one-time code please ? Issue: Screenshots of the settings below:ZSAdminSep 23, 2025Copper Contributor47Views0likes1CommentMFA breakglass account recommendations?
Hi folks. Looking at the new Authentication Methods settings, and trying to consider the scenario where someone disables all of these methods by accident. We require MFA on all accounts (using the 'require MFA' param of Conditional Access). If these are all disabled, there's no MFA method available... Trying to think of ways around this, for that situation. Things I've considered - cert based auth, telephone auth, etc - all require the corresponding auth method to be enabled. How should this be handled?56Views0likes1Comment
Resources
Tags
- Azure Active Directory (AAD)1,560 Topics
- Identity Management604 Topics
- Access Management428 Topics
- microsoft 365374 Topics
- Azure AD B2B221 Topics
- Active Directory (AD)170 Topics
- Conditional Access161 Topics
- Authentication129 Topics
- Azure AD Connect128 Topics
- azure113 Topics