Forum Widgets
Latest Discussions
Cloud Kerberos Trust with 1 AD and 6 M365 Tenants?
Hi, we would like to enable Cloud Kerberos Trust on hybrid joined devices ( via Entra connect sync) In our local AD wie have 6 OUs and users and devices from each OU have a seperate SCP to differnt M365 Tenants. I found this Article to configure the Cloud Kerberos Trust . Set-AzureADKerberosServer 1 2 The Set-AzureADKerberosServer PowerShell cmdlet is used to configure a Microsoft Entra (formerly Azure AD) Kerberos server object. This enables seamless Single Sign-On (SSO) for on-premises resources using modern authentication methods like FIDO2 security keys or Windows Hello for Business. Steps to Configure the Kerberos Server 1. Prerequisites Ensure your environment meets the following: Devices must run Windows 10 version 2004 or later. Domain Controllers must run Windows Server 2016 or later. Install the AzureADHybridAuthenticationManagement module: [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12 Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber 2. Create the Kerberos Server Object Run the following PowerShell commands to create and publish the Kerberos server object: Prompt for All Credentials: $domain = $env:USERDNSDOMAIN $cloudCred = Get-Credential -Message 'Enter Azure AD Hybrid Identity Administrator credentials' $domainCred = Get-Credential -Message 'Enter Domain Admin credentials' Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred As I understand the process, a object is created in local AD when running Set-AzureADKerberosServer What happens, if I run the command multiple times, for each OU/Tenant. Does this ovveride the object, or does it create a new objects?Solved237Views0likes3Comments
Priority between CIDR and FQDN rules in Microsoft Entra Private Access (GSA)
Hello Question about prioritization between CIDR and FQDN rules in Microsoft Entra Private Access (GSA) Question: Hello everyone, I have a question about how rules are prioritized in Microsoft Entra Private Access (Global Secure Access). In my environment, I configured the following: I created an Enterprise Application using a broad CIDR range (10.10.0.0/16) to represent the entire data center. Within the same environment, I created other Enterprise Applications using specific FQDNs ( app01.company.local, app02.company.local) with specific ports. All rules are in the same Forwarding Profile. I noticed that in the GSA client rules tab there is a “Priority” field, and apparently the rules are evaluated from top to bottom. My question is: When there is an overlap between a broad CIDR rule and a more specific FQDN-based rule, which one takes precedence? Is there some internal technical criterion (DNS resolution first, longest prefix match,), or is the evaluation purely based on the order displayed? Is there a risk that the CIDR rule will capture traffic before the FQDN rule and impact granular access control? I want to make sure my architecture is correct before expanding its use to production. Could someone clarify the actual technical behavior of this prioritization?SolvedKandrikFeb 28, 2026Copper Contributor163Views0likes3Comments
Extract telephoneNumber/businessPhones in Graph via PowerShell
Hi all, I am trying to extract the telephoneNumber from the businessPhones attribute in Entra via a PowerShell script. I call Get-MgUser, list the properties including businessPhones. No matter what I try I either get a System.String[] or a blank. I can extract all the extensionAttribute values using the dot operator, but no luck with telephoneNumber. After much searching and reading of the Learn documentation, I am rather stumped. Any guidance will be appreciated. BruceSolvedBBachtell6982Jan 12, 2026Copper Contributor206Views0likes2Comments
Force user to reset password in hybrid
Hi, we work in a hybrid environment at the moment, and it has been discovered that if you are using classic AD and reset a user's password and leave the tick-box saying user must change password at next logon, the password reset works! But, if you were to select the tick-box with the intention to make the user change their password, the password does not get reset and the user never gets asked to reset their password? Also, if you try and reset the user's password on AAD, you get the following error message: Because we cannot force the user to reset their password by AD or AAD, we have to tell the user to do it themselves by the classic Ctrl-Alt-Del method or set their personal password for them over the phone. So, what my question is, is why can I not force the user to change their password from either AD or AAD?SolvedBrendon_HannahJan 11, 2026Copper Contributor353Views0likes2CommentsBreak-glass Account Prompted for Authenticator App Despite Exclusions
We have a break-glass account configured with two FIDO2 security keys as the only authentication method. The account is: Excluded from Microsoft Authenticator in Authentication Methods policy Also, the included target is a dynamic group that includes all users but the break glass account. Excluded from the MFA Registration Campaign Also, the included target is a dynamic group that includes all users but the break glass account. Excluded from all Conditional Access policies However, whenever we test the account, it still gets prompted to set up the Microsoft Authenticator app during sign-in. We can skip the setup, but ideally, the prompt should not appear for this account. How can we prevent the Authenticator setup prompt entirely for this break-glass account?Solved622Views1like4CommentsDo the Entra sync/connect apps ever successfully update themselves?
Last week I had to download and install version 2.5.79.0 of the Entra Connect Sync Agent app on our Entra Connect server because I discovered the installed version was 2.4.21.0 and that version reaches end of support on November 15. Today, I happened to check on the version of the Entra Private Network Connector app on the two servers where we have that installed, and both are running version 1.5.3925.0, which was the latest available version at the time I installed it back in March. That version was from July 2024, and there have been three new releases since then, two of which "may perform auto-update of your connector". One of those servers was a new install, but the other one was an upgrade of the installed version of the Azure Application Proxy client, and while I don't recall which version specifically was installed, I know it was quite out of date. I'm curious: Has anyone ever actually seen either the Entra Connect Sync Agent or Entra Private Network Connector successfully upgrade themselves automatically?SolvedRyanSteele-CoVOct 20, 2025Steel Contributor186Views1like1CommentCustomize Synchronization Rule in Entra Connect Sync
Hi Everyone, I want to create a sync rule in Entra Connect Sync client so that only users based on a specific attribute sync to Entra ID and stop all other users in AD from syncing to Entra, how can I do that? Can someone here help me out!Solved130Views0likes2CommentsConditional Access - Non Entra Devices - Exclude from CA
Hey, We are running CA. Everythings runs good. We have one problem. We have a RDS Terminal Server 2022. Employees log from homeoffice into this server to work with our erp or outlook. So here is the problem. Outlook doesnt have access, because this terminal server isn't hybrid joined. Any idea how i can exclude this server from CA? Only idea from me is to exclude OSVersion, but thats not so good solution for me. PeterSolvedGodCordialOct 01, 2025Copper Contributor121Views0likes2Comments
Workload ID Premium, CAP policies with multitenant apps
Hi everyone This is a quote from the documentation at https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identity Note Policy can be applied to single tenant service principals that are registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. My question - how is this to be understood: Is there a technical limitation that makes it impossible to protect multitenant apps (meaning service principals in all but the home tenant can not be protected by CAP, even with premium licence) Is this strictly licensing perspective - single licence cover the SP in home tenant, while a separate licence is required in each additional tenant where related Service Principal is present ThanksSolvedOggySep 30, 2025Copper Contributor289Views0likes3CommentsConditional Access - Block all M365 apps private Mobile Device
Hello, Ive try to block all private mobile phone from accessing all apps from m365, but it wont work. Im testing it at the moment with one test.user@ I create a CA rule: Cloud Apps Include: All Cloud Apps Exclude: Microsoft Intune Enrollment Exclude: Microsoft Intune Conditions Device Platforms: Include: Android Include: iOS Include: Windows Phone Filter for Devices: Devices matching the rule: Exclude filtered devices from Policy device.deviceOwnership -eq "Company" Client Apps Include: All 4 points Access Controls Block Access ----------------------- I take a fresh "private" installed mobile android phone. Download the Outlook App and log in with the test.user@ in the outlook app and everything work fine. What im doing wrong? Pls help. PeterSolved347Views0likes5Comments
Tags
- Azure Active Directory (AAD)1,567 Topics
- Identity Management616 Topics
- Access Management439 Topics
- microsoft 365380 Topics
- Azure AD B2B221 Topics
- Conditional Access171 Topics
- Active Directory (AD)170 Topics
- Authentication140 Topics
- Azure AD Connect131 Topics
- azure117 Topics