Latest Discussions
Q: Restricting access to Business Web Application/Non-Enterprise Application
Hi all,

We are in the middle of moving our on-prem infrastructure to Intune and, more specifically, building out conditional access policies. All but one of our business applications have been straightforward with the process to limit access unless certain conditions are met from an authentication, device, or location compliance perspective. The one business application we need to find a solution for is a web-based application that we do not control outside of user administration and limited customization. Typically this would be fine if SSO was leveraged, but this web application, unfortunately and not without several conversations with the developers due to the sensitive nature of the data being stored, does not have SSO on its roadmap. Users can access this application from any web browser using their username and password credentials and an application-specific 2FA process using an SMS code. There is no connection between our MS tenant and this web application.

The sensitive nature of the information stored within this application and the availability of this application from any device with a web browser have raised my antenna with security concerns, especially in the case of a user downloading information from this site on their BYOD mobile device, as they may need to do in the course of their duties. If they left the organization, we have no way of wiping that data through the removal of the work profile like we do with all other work data through Intune device compliance measures.

We can limit what devices are allowed to connect to work resources (Compliant) and access work applications (all but one, and they need to be compliant to do so), but is there a way to not allow the personal profile of any BYOD device that is compliant from accessing or logging into this specific URL in any browser from the personal profile web browser?

Buckets84 · Feb 09, 2025 · Copper Contributor · 10 Views · 0 likes · 1 Comment

Introducing the Azure Roadmap
We launched the Azure Roadmap on Azure.com in June of this year and have received a tremendous response from our customers. For the first time in one place, customers can see what we are working on for future releases, see related feedback, and subscribe to updates. The Roadmap is also integrated with Azure Updates so that customers can see how we are delivering against our plans. We are excited to start working with the Microsoft Tech Community to further reach customers. You can now find the link to the Azure Roadmap under More Resources in the community. We are always looking to improve and would love to hear from you. Please e-mail azroadmapfeedback@microsoft.com with your comments and questions. Below are FAQs to help you get started exploring the roadmap!

What is the Azure Roadmap?
The Azure Roadmap provides a central place where Azure customers can see what's new and what's coming next for Azure.

Where is the public Azure Roadmap?
You can find it under More Resources in the community, or you can go directly to https://azure.microsoft.com/en-us/roadmap/ or http://aka.ms/azureroadmap

What kind of posts can I expect on the Azure Roadmap?
The posts you will see on the Azure Roadmap are the key features and services that have launched or are coming soon. For details on incremental updates and/or improvements to features and services, please visit Azure Updates - https://azure.microsoft.com/en-us/updates/

How do I find a specific post on the Azure Roadmap?
The Azure Roadmap page provides filters (by Product Category and/or Status), tags, and search functionality to help you quickly navigate to your area of interest.

What do the different Statuses (In development, In preview, Now available) mean?
- In development – updates that are currently in development and testing
- In preview – updates in preview that may not be available broadly and to all customers
- Now available – generally available; fully released updates

How can I learn about changes in the Azure Roadmap?
You can subscribe to notifications so you'll always be in the know.

Where can I find service availability by region?
On the right navigation menu under "Explore" there is a link to "Check product availability in your region." You may also find this detail by visiting: https://azure.microsoft.com/en-us/regions/

68K Views · 2 likes · 2 Comments

Device registration issue in Entra
Log Name: Microsoft-Windows-User Device Registration/Admin
Source: Microsoft-Windows-User Device Registration
Date: 2/4/2025 1:12:48 AM
Event ID: 304
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: Servername.domain.com
Description:
Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c03f3
Server error: The device object by the given id (b1aa9a2c-e64c-4c8e-bfb9-1aaab093f9ff) is not found.
Tenant type: Managed
Registration type: sync
Debug Output:
joinMode: Join
drsInstance: azure
registrationType: sync
tenantType: Managed
tenantId: 5432c24e-7d1f-4efc-9410-01b73ea021e7
configLocation: undefined
errorPhase: join
adalCorrelationId: 043451f3-ad83-4b52-b48a-e9be735a446f
adalLog: undefined
adalResponseCode: 0x0

Log Name: Microsoft-Windows-User Device Registration/Admin
Source: Microsoft-Windows-User Device Registration
Date: 2/4/2025 1:12:48 AM
Event ID: 204
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: Servername.domain.com
Description:
The get join response operation callback failed with exit code: Unknown HResult Error code: 0x801c03f3.
Activity Id: 9d9f9396-134e-471e-8fc2-b16871520149
The server returned HTTP status: 400
Server response was: {"code":"invalid_request","subcode":"error_missing_device","message":"The device object by the given id (b1aa9a2c-e64c-4c8e-bfb9-1aaab093f9ff) is not found.","operation":"DeviceRenew","requestid":"9d9f9396-134e-471e-8fc2-b16871520149","time":"02-04-2025 6:12:52Z"}

Ajit Terdalkar · Feb 05, 2025 · Copper Contributor · 51 Views · 0 likes · 1 Comment

'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug
Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app is not able to be excluded from Conditional Access (CA) policies and is caught by 'All cloud apps', which breaks secure zero-trust scenarios and CA policy configurations. The best way to demonstrate this is through examples...

----Example 1----
Environment:
CA Policy 1 - 'All cloud apps' requiring hybrid/compliant device, but excluding [App] (for all non-guest accounts)
CA Policy 2 - [App] requiring MFA only (for contractor accounts, etc.)
CA Policy 3 - [App] requiring hybrid/compliant device (for internal accounts, etc.)
SSPR registration enforcement (Password reset > Registration) - set to 'Yes'
MFA registration enforcement (Security > Authentication Methods > Registration campaign) - set to 'Enabled'

Scenario:
A new user requires access to web [App] on an unenrolled device and is assigned an account that falls under CA Policy 1 and 2; however, [App] is excluded from 1 and it shouldn't apply to this login. When accessing [App] for the first time, users must register SSPR/MFA. They see the below message, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/passwordreset/register.aspx:

Then they see this screen, which will block the login and try to get the user to download the Company Portal app:

While behind the scenes, the login to [App] is being blocked by 'Microsoft App Access Panel' because it is seemingly added to the login flow and caught in CA Policy 1 in Req 2/3:

CA Policy 1 shows as not applied on Req 1, CA Policy 2 shows as successful for Req 1/2/3 and CA Policy 3 shows as not applied for Req 1/2/3. Creating a CA policy for the 'Register security information' user action has no effect on this scenario and also shows as not applied on all the related sign-in logs.

----Example 2----
Environment:
Same as above, but SSPR registration enforcement - set to 'No'

Scenario:
Same as above, but when accessing the [App] for the first time, they see the below message instead, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/proofup.aspx:

Then they are directed to the combined SSPR/MFA registration experience successfully:

The 'Microsoft App Access Panel' doesn't show in the sign-in logs and the sign-in is successful after registration. From the two examples, it seems to be a bug with the SSPR registration enforcement and the combined registration experience.

----Workarounds----
1 - Prevent using 'All cloud apps' with device-based CA policies (difficult; requires redesigning/thinking/testing policies, could introduce new gaps, etc.)
2 - Turn off SSPR registration enforcement and turn on MFA registration enforcement like in Example 2 (easy, but only enforces MS MFA App registration, doesn't seem to re-trigger registration if the MS MFA App is removed, no other methods are supported for registration, and doesn't remind users to update)
3 - Disable SSPR entirely for affected users (medium, depending on available security groups, and doesn't allow affected users to use SSPR)

----Related links----
Be able to exclude Microsoft App Access Panel from Conditional Access · Community (azure.com)
Support conditional access for MyApps.microsoft.com · Community (azure.com)
Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal" - Microsoft Community Hub

MS, please either:
1 - Allow 'Microsoft App Access Panel' to be added to CA policies so it can be excluded
2 - Prevent 'Microsoft App Access Panel' from showing up in the CA login flow when SSPR registration enforcement is enabled

secure-logic · Feb 04, 2025 · Copper Contributor · 14K Views · 1 like · 14 Comments

Azure AD SCIM Validator is in General Availability (GA) Status
You can now validate the compatibility of your SCIM provisioning endpoint and the Azure AD code base using our Azure AD SCIM Validator. This tool can be used by ISVs who want to build SCIM-compatible servers, either for a gallery app or a generic app, and by developers building their line-of-business SCIM apps.

https://learn.microsoft.com/azure/active-directory/app-provisioning/scim-validator-tutorial

owinoakelo · Feb 03, 2025 · Microsoft · 15K Views · 2 likes · 56 Comments

Open Port Issue Exists after implementing Entra Id containers
Hi All,

We are currently on PeopleSoft 8.61.07 (FSCM) and recently implemented Entra ID containers for SSO. We see that ports sometimes remain open between the Entra ID container and WebLogic. Are there any recommendations to fix the open port issue?

Currently, we are bouncing the container when the open port count is going high (when the TCP count goes above 1000). Looking for recommendations to fix the open port issue, as it creates more manual work to monitor the count and bounce it periodically.

Please do let me know if you need any further information.

Thank you!
Ramya Sivasubramanian

rsj8466 · Feb 03, 2025 · Copper Contributor · 44 Views · 0 likes · 3 Comments

Conditional Access Policy - Only allow EntraID Joined devices to access SharePoint Online
Hi,

I have a cloud-only Microsoft 365 tenant, 40 devices all Entra ID joined, and I want to only allow users to access SharePoint Online from the Entra ID joined devices and not, for example, from their home computers. Is this achievable through Conditional Access policies? I see an option for hybrid joined but not Entra ID joined.

chrissystemagic · Jan 31, 2025 · Copper Contributor · 777 Views · 0 likes · 3 Comments

Migration to Cloud Sync (passwords)
We want to migrate from AAD Connect Sync to Cloud Sync. When provisioning new users we could use temporary passwords in AAD Connect Sync, through this feature:

Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true

Is this feature still available in Cloud Sync? If not, what is the workaround?

bart_vermeersch · Jan 29, 2025 · Steel Contributor · 58 Views · 1 like · 5 Comments

GSA client exclamation mark, Forwarding policy doesn't exist in registry
Good day,

Having a difficult time getting Entra Private Access working.

Entra portal
---------------
GSA > Dashboard > Device Status says: 0 have the Global Secure Access Client installed: 0.0%
The client PC is Entra joined and is compliant; the client user has an Entra ID Suite Trial license assigned.
Traffic forwarding > Private access is enabled; have a Quick Access application configured for SMB access.
User and group assignments is set to a group where the user resides.
Microsoft traffic profile and Internet access profile = disabled (as for now I just want to get the Private access profile working)
Enterprise applications = 1 active
Connectors are online with status active.

Client PC
------
Event log of the client PC says the following:

Error occurred while requesting a new forwarding profile: The SSL connection could not be established, see inner exception.. Request Parameters: Microsoft Entra Device ID: 61ma02-9453-1277-98gz-hkdhksa3d0, Correlation vector: kdfhkshfkashdJ.0, APS URL: https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0. The client will continue working with the existing forwarding profile.

GSA Advanced diagnostics:
Username: empty
Tenant ID: empty
Forwarding profile ID: empty
Client version: 2.8.45.0
Health check = is green till "Policy server is reachable", after that an exclamation mark.

https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0

If I try the above URL in the browser then I get "invalid request"; this means that the client is able to reach the server, which means network or DNS issues are unlikely, and the SSL handshake is successful and the certificate is valid.

Need guidance to understand why the client is not able to retrieve profiles; I am using Windows 11. Tried with disabling the firewall too.

Thanks!

141 Views · 1 like · 4 Comments

Reset guest redemption status not possible after creating Multitenant Organization (MTO)
Hi all,

We're on the path to creating a Multitenant Organization (MTO) for our global organization. We already have a relationship with one partner tenant which has B2B Collaboration and B2B Direct Connect set up and is working well. We took the step of creating a Multitenant Organization in our 365 admin center and started testing with a sandbox tenant, which has since been removed.

The issue we are having now is that guest users which are not part of B2B Collaboration or an MTO cannot have their redemption status reset. I first found this wasn't possible from the error in a Power Automate workflow using Microsoft Graph, then confirmed I got the same error in Entra ID. The documentation for MTO was updated a few days ago and includes this, saying that as part of a multitenant organization, reset redemption for an already redeemed B2B user is currently disabled. But should this be the case for guest users not part of B2B Collaboration or Multitenant? Is this an error or expected behaviour, I wonder?

Thanks!

Alasdair · Jan 25, 2025 · Copper Contributor · 1.2K Views · 1 like · 1 Comment
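The redemption reset the post above describes, as an added Graph PowerShell example (this is not code from the original thread, from the poster, or from Microsoft): read the guest's current redemption state, issue the documented reset operation (POST /invitations with resetRedemption set to true, pinned to the existing guest object via invitedUser.id), and surface the service's own error code and message verbatim instead of a generic failure, which is the evidence needed when reporting behaviour like the one in the post. It assumes the Microsoft.Graph PowerShell SDK is installed and a session has been opened with Connect-MgGraph -Scopes 'User.ReadWrite.All','User.Invite.All'; the guest identifier and redirect URL are placeholders.

```powershell
# Added example, not code from the original thread.
# Assumes: Microsoft.Graph PowerShell SDK, and an existing session created with
#   Connect-MgGraph -Scopes 'User.ReadWrite.All','User.Invite.All'
# $GuestLookup and $InviteRedirect are placeholders; replace them for your tenant.

$GuestLookup    = 'partner.user_example.com#EXT#@contoso.onmicrosoft.com'  # guest UPN or object id
$InviteRedirect = 'https://myapps.microsoft.com'                          # where a re-redeeming guest lands

function Get-GuestRedemptionState {
    # Returns the guest's B2B state: PendingAcceptance or Accepted for invited guests,
    # empty for objects that were never invited (members, directly created users).
    param([Parameter(Mandatory)][string]$UserIdOrUpn)

    $user = Get-MgUser -UserId $UserIdOrUpn -Property @(
        'id', 'mail', 'userType', 'externalUserState', 'externalUserStateChangeDateTime'
    )
    [pscustomobject]@{
        Id           = $user.Id
        Mail         = $user.Mail
        UserType     = $user.UserType
        State        = $user.ExternalUserState
        StateChanged = $user.ExternalUserStateChangeDateTime
    }
}

function Reset-GuestRedemption {
    # Issues the documented reset: POST /invitations with resetRedemption = true.
    # invitedUser.id pins the call to the existing guest object instead of creating a new one.
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$Mail,
        [Parameter(Mandatory)][string]$RedirectUrl
    )

    $body = @{
        invitedUserEmailAddress = $Mail
        inviteRedirectUrl       = $RedirectUrl
        resetRedemption         = $true
        sendInvitationMessage   = $false   # the redeem URL is handed to the guest out of band
        invitedUser             = @{ id = $UserId }
    }
    try {
        return Invoke-MgGraphRequest -Method POST `
            -Uri 'https://graph.microsoft.com/v1.0/invitations' -Body $body
    }
    catch {
        # Keep the service's own code/message: that is what a support case or a forum
        # report needs, rather than a generic "reset failed".
        Write-Warning "Reset failed for $($Mail): $($_.Exception.Message)"
        if ($_.ErrorDetails -and $_.ErrorDetails.Message) { Write-Warning $_.ErrorDetails.Message }
        return $null
    }
}

$guest = Get-GuestRedemptionState -UserIdOrUpn $GuestLookup
$guest | Format-List

if ($guest.UserType -ne 'Guest') {
    Write-Warning "$($guest.Mail) is a $($guest.UserType), not a Guest; redemption reset does not apply."
}
else {
    $invite = Reset-GuestRedemption -UserId $guest.Id -Mail $guest.Mail -RedirectUrl $InviteRedirect
    if ($invite) {
        "Redemption reset. New redeem URL (send to the guest out of band): $($invite.inviteRedeemUrl)"
        Get-GuestRedemptionState -UserIdOrUpn $guest.Id | Format-List
    }
}
```

On success the second state read should show the guest back at PendingAcceptance; on a tenant where the reset is refused, the warning carries the Graph error body, which is the detail to quote when asking whether the refusal is the documented MTO restriction or something else.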