Latest Discussions
Windows Hello for Business: Internet Requirement for On-Premises Login Using Cloud Kerberos Trust
Hello everyone, I've recently begun testing Windows Hello for Business in our environment, where we utilise Microsoft Entra hybrid join authentication with cloud Kerberos trust. I suspect that our on-premises physical firewall may be contributing to several issues we're experiencing, and I would like to clarify my understanding of hybrid join authentication using cloud Kerberos trust. To access the internet, we use SSO with our firewall, meaning that after validating local AD credentials, the user gains access to the public network. My question is: Is internet access required for on-premises logins when using Windows Hello for Business? From my research on Microsoft's documentation, it appears that if you're using cloud Kerberos trust and the PC is blocked from the internet, the Windows Hello for Business sign-in will fail. Essentially, the on-premises Domain Controller can only issue the final Ticket Granting Ticket (TGT) after receiving a valid Partial TGT from Microsoft Entra ID. This would imply that if the machine cannot reach Microsoft Entra ID due to firewall restrictions, the user will be unable to log in. In our case, the user successfully enrolled the device on-premises, but the next morning they encountered the error "PIN isn't available: 0xc000005e 0x0." Could anyone confirm whether my understanding is correct? Thank you for your assistance!
Solved | 78 Views | 0 likes | 1 Comment

Entra Connect AutoUpdate Issues
Hi, we're using the latest version of Entra Connect. Is it common for it to do an AutoUpdate check every night? Lately we have got an alert that the sync service is down and then it recovers. The emails are 30 mins apart, which I think is the default check time? It seems to do an AutoUpdate check and then the sync service will briefly stop; we get these errors and then it recovers:
Azure AD Connect Upgrade - 904
Password Reset Services - 31034
It does seem to fix itself, so it's more of an annoyance, but I'm still curious whether it is meant to check every night?
Solved | DaithiG | Mar 10, 2025 | Steel Contributor | 125 Views | 0 likes | 2 Comments

Can a Global Administrator create a new Azure subscription?
Hi, I'd like to know if a Global Administrator can create a new Azure subscription.
Solved | Galaxy876 | Oct 25, 2024 | Copper Contributor | 309 Views | 0 likes | 2 Comments

B2B Direct Connect + cross-tenant access enables switch tenants functionality?
We have set up a B2B direct connect connection with another company. We have enabled the cross-tenant sync settings. We want to use shared channels in Teams. This works fine. It is now possible for the other company to switch tenants in Teams and log into our tenant, and then they see the entire team and not just the shared channel. They can also access SharePoint sites. Is this working as designed? I can't find this functionality in the Microsoft documentation.
Solved | Admin18253 | Oct 22, 2024 | Copper Contributor | 365 Views | 0 likes | 2 Comments

Enterprise Application AWS IAM Identity Centre
Hi, can someone please help... I have configured the AWS IAM Identity Centre Enterprise Application. This works fine for internal users, but I cannot get external users working correctly, as the username keeps looking at the UPN rather than the e-mail. In the Enterprise Application I have set a claim condition. But when I look into AWS under users, I still see the guest users have their username set as the UPN in Entra, not their e-mail address. Any ideas as to what I can do to sort this out?
Solved | IanaMac | Oct 21, 2024 | Brass Contributor | 335 Views | 0 likes | 4 Comments

Double entries in userCertificate prevent Hybrid Join
Hey guys, I have an interesting situation at a customer. He utilizes a third-party MFA provider while being on a federation. That means new computers will never have a registered state. For users it is mandatory that their clients have fulfilled the Hybrid Join to use M365 apps, which can be a real pain. So the Automatic-Device-Join task has to create the userCertificate on the on-premises computer object before it can be synchronized to Entra. Here comes the issue. In some cases we see that some computers will create two userCertificate entries. This situation will lead to an inconsistent Hybrid Join. I already tried to remove one of the certificates, but for me it is impossible to recognize which is the right one. The only solution for me was to remove both entries under userCertificate and let the Automatic-Device-Join task create a new one. Afterwards the Hybrid Join will work. I want to understand which process or scenario might create the double userCertificate entries?
Solved | woelki | Oct 21, 2024 | Iron Contributor | 286 Views | 1 like | 1 Comment

Is it possible to disallow proxyAddress as Sign-In Identifier?
As part of a revised naming scheme for user accounts we're planning to roll out, I'd like to disallow Exchange Online email addresses and proxyAddresses from being used instead of the User Principal Name as an alternative identifier when users sign in to their accounts. This is supposed to strengthen security, as users don't share one of the authentication factors with every email they send, and the user names can't be easily guessed because they don't use the actual first or last name of the user behind them. This is the only Microsoft Learn article I found that was describing something similar: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-use-email-signin Basically I want to do the opposite of what the article is describing, and I'm not syncing my users using Microsoft Entra Connect. I disabled the "Email as alternate login ID" option described in the article anyway, but unsurprisingly, that didn't have the desired effect. Does anyone know if this is even possible and, if so, how to do it? Thanks in advance! This is my first post in this community. If I did something wrong (like choosing the wrong label) please be kind, tell me, and I'm going to adapt my post.
Solved | 379 Views | 0 likes | 2 Comments

Entra Cloud Sync - Will Creating a New Configuration Sync Immediately With Defaults?
Setting up a new Entra Cloud Sync agent for a customer who already has an established on-prem AD and Azure AD with a mess of non-synced accounts and passwords between them. So I need to do a slow roll on this thing and filter syncing by OUs in AD. I know I have to create a new configuration in the Azure portal, but what are the risks of the default config kicking in and doing a sync of all my users before I have a chance to filter it down to just the OUs I want to sync? Should I disable the on-prem agent before creating a config in the cloud? That "Create" button is giving me anxiety 😐 Thanks, Dan
Solved | DanWheeler | Oct 15, 2024 | Brass Contributor | 417 Views | 0 likes | 2 Comments

AAD Application Proxy: access from external issue
Hello, I have published an application with SAML SSO. From internal, it works fine. When I connect to https://myapp, all is OK. I have set up an external URL: https://myapp.my_custom_external.com When I try to access it, I get error AADSTS50011. I added https://myapp.my_custom_external.com to the redirect URIs as this article mentioned: https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/app-integration/error-code-aadsts50011-redirect-uri-mismatch But now when I try to access https://myapp.my_custom_external.com, I get a timeout. Can you help me? Thanks. Regards.
Solved | ARAIMBAULT | Sep 27, 2024 | Copper Contributor | 1.1K Views | 0 likes | 14 Comments

What's next for existing dynamic groups if there are not enough Entra P1 and we still need this group
We've noticed that on Sep. 9, '24, Microsoft gave such a heavy update. This update asks all dynamic group members to be equipped with Entra P1 to stay in the group. We have many dynamic groups for group licensing, and we don't want to buy this license for all internal users (we're using Business Basic mostly). We can fully automate this process by ourselves, but there is no option to remove the existing dynamic membership rule, so we can't predict how these old dynamic groups will act in the future. Does anyone know how to turn these "dynamic groups" into "assigned groups"? Sep. 9, what a horrible day: the PnPOnline cmdlet changed, the dynamic membership rule changed...... nearly all PowerShell scripts have to change. My WLB is broken. Boeingnization?
Solved | Eddison0001 | Sep 26, 2024 | Copper Contributor | 631 Views | 0 likes | 3 Comments