Recent Discussions
Windows Live Custom Domains causes Entra account lockout
Hi everyone, we have an on-prem AD connected with EntraConnect to EntraID since about 3 years. We only sync users and groups, no password hash or anything else. Since a few days 4 (out of about 250) users are constantly being locked out due to failed login attempts on an Application called "Windows Live Custom Domains". All 4 users are locked out not at the same time but within 30 min to an hour. This happens multiple times a day. As far as I was able to investigate Windows Live Custom Domains is a service no longer offered by MS or has been replaced with something else. How am I able to find out where this failed login attempts come from? If someone could point me in the right direction I would be very happy. Thanks DanielJoin Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub
MFA breakglass account recommendations?
Hi folks. Looking at the new Authentication Methods settings, and trying to consider the scenario where someone disables all of these methods by accident. We require MFA on all accounts (using the 'require MFA' param of Conditional Access). If these are all disabled, there's no MFA method available... Trying to think of ways around this, for that situation. Things I've considered - cert based auth, telephone auth, etc - all require the corresponding auth method to be enabled. How should this be handled?
Access Package Assignment Issue
Hello, We have an access package that was functioning properly in the past, but the assignment process has stopped working. The issue started on August 22; the last successful assignment was on July 29. When attempting to manually assign the access package to an external user, we receive the following error: "You don't meet policy requirements to request this entitlement." Additional details: The configuration of the policy has not been changed. Users who can request access is set to “None (administrator direct assignments only)”. Changing the “Enable new requests” setting (enabled/disabled) does not resolve the issue. Expiration is set to 90 days. This access package is intended for external users, but I tested assigning it to an internal user and it works correctly. At this point, I do not have additional information about what might be causing the issue. Could you please help us identify the root cause and suggest next steps? Thank you for your assistance. Kind regards,
Email OTP not working for guest users
We have to enable MFA using Email for some guest users accessing some of our Entra applications. Guest users are from other Microsoft tenants, B2B collaboration users. We have it all set up in the Authentication methods and in Conditional access policies. Also excluded this user's security group from System-preferred multifactor authentication. When the guest user connects to the application or to the tenant portal, it's still prompting to register for MFA using authenticator App. how can we make it to use an email one-time code please ? Issue: Screenshots of the settings below:Conditional Access - Block all M365 apps private Mobile Device
Hello, Ive try to block all private mobile phone from accessing all apps from m365, but it wont work. Im testing it at the moment with one test.user@ I create a CA rule: Cloud Apps Include: All Cloud Apps Exclude: Microsoft Intune Enrollment Exclude: Microsoft Intune Conditions Device Platforms: Include: Android Include: iOS Include: Windows Phone Filter for Devices: Devices matching the rule: Exclude filtered devices from Policy device.deviceOwnership -eq "Company" Client Apps Include: All 4 points Access Controls Block Access ----------------------- I take a fresh "private" installed mobile android phone. Download the Outlook App and log in with the test.user@ in the outlook app and everything work fine. What im doing wrong? Pls help. PeterHow to resolve "AADST55203" error: Multi-factor authentication configuration blocked
{ "error": "access_denied", "error_description": "AADSTS55203: Configuring multi-factor authentication method is blocked. Trace ID: Correlation ID: Timestamp: 2025-09-17 20:48:30Z", "error_codes": [ 55203 ], "timestamp": "2025-09-17 20:48:30Z", "trace_id": "", "correlation_id": "", "suberror": "provider_blocked_by_rep" } SMS authentication method was previously configured in our B2C Entra and was functioning correctly until last week, when it suddenly stopped working. Currently, users can only authenticate via email. Conditional Access policy is also in place that requires Multi-Factor Authentication (MFA).
Exclusion of Copilot App (for O365) from Conditional Access Policies does not work
Hi, we've built a Conditional Access Policy in EntraID that forces MFA for all Cloud Apps. We want to exclude "Microsoft 365 Copilot"/ "Copilot App" so no Reauthentication is necessary for Copilot in the frame of accessing O365 content. Exclusion has been made for a range of identified Copilot applications that are shown in Sign-in logs. However, reauthentication still pops up. No other conditional access policy is applied. It's this specific policy that requires reauthentication. What's the reason why the exclusion does not work? Is there something else necessary to be taken into consideration so the exclusion works fine? Many thanks in advance!Microsoft Entra Internet Access for iOS in Public Preview!
With the latest update to Microsoft Defender for Endpoint on iOS, Organisations licensed for Microsoft Entra Suite or Microsoft Entra Internet Access will have access to Microsoft's Secure Web Gateway (SWG) and traffic forwarding for HTTP/HTTPS traffic, with support for Web-Content Filtering. This has been a huge win for iOS Mobile Security. Previously, Defender for Endpoint on iOS has supported Phishing Protection, M365 Traffic, and Entra Private Access Traffic. Combined with Global Secure Access Threat Intelligence, which consumes indicators from Microsoft Intelligent Security Graph (ISG), Organisations can implement granular internet access controls on iOS devices with integrated, context aware protection against malicious threats. Excited to hear what you think! Release notes are available hereExclusion of Microsoft Edge Browser from Conditional Access Policies does not work
Hi, we've built a Conditional Access Policy in EntraID that forces MFA for all Cloud Apps. We want to exclude Microsoft Edge Browser so no Reauthentication is necessary for MS Edge Browser. Exclusion has been made for the "Microsoft Edge" application with the following App ID: ecd6b820-32c2-49b6-98a6-444530e5a77a However, reauthentication still pops up. No other conditional access policy is applied. It's this specific policy that requires reauthentication. What's the reason why the exclusion does not work? Is there something else necessary to be taken into consideration so the exclusion works fine? Many thanks in advance!Microsoft Entra Connect connecting always to old DC
We are planning on demoting old DC server. When doing checkups I noticed that Entra Connect keeps connecting to this specific DC we'ew planning to demote everytime it connect to Active Directory. So now I'm wondering does this need any additional configuration to keep sync working after DC Demote. I found out that there is option to "Only use preferred domain controllers" but I'm not sure if that's what I want do do. There were the red line is is the old DC to be demoted. "Only use preferred domain controllers" setting. If I enable this setting I got this kind of notice. I don't feel like this is the right way to do it so I canceled at this point.Invite external user - error 'Primary SMTP address is an invalid value'
I'm using Entra Id to invite external users to my domain. Their email is of form: mailto:email address removed for privacy reasons Sending the invite generates the error: There is no error if I send an invitation to the same domain without the '+' sign, so I assume this is causing an issue with Entra Id. Is there a workaround for this?
Windows Authentication for Entra ID for SQL MI
Hi Team, I recently come across a use case where we have to use Windows Authentication for Entra ID for SQL MI. My question is based on Microsoft documentation https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-setup?view=azuresql There are two options. Options 1 Modern interactive flow Options 2 Incoming trust-based flow Proceeding with Option 2 (Incoming trust-based flow) the authentication flow works some as the following Step Action From To Network Connection 1 Initiate Connection Client (Windows Server 2016) - - 2 Request Kerberos TGT Client Domain Controller (Windows 2012) On-premises network 3 Issue TGT Domain Controller Client On-premises network 4 Request Service Ticket via Kerberos Proxy Client Microsoft Entra ID (via proxy) ExpressRoute (Microsoft peering) 5 Issue Service Ticket Microsoft Entra ID Client ExpressRoute (Microsoft peering) 6 Submit Service Ticket Client Azure SQL Managed Instance ExpressRoute (private peering) 7 Validate Ticket and Exchange for Token Azure SQL Managed Instance Microsoft Entra ID Azure internal network 8 Authenticate User and Grant Access Azure SQL Managed Instance Client ExpressRoute (private peering) If above is correct. Can anyone confirm we have to synchronize service accounts and users to Entra IS that are used by applications? Does the client (running application ot SQL management studio) require access to Entra ID or it will be requested by on-premises AD on behalf of application server Many Thanks !Sign In Error 90072 with On Prem Accounts - How to mitigate?
We receive weekly reports from one of our security vendors regarding login failures across our environment. As of recent, we've noticed a spike in interactive login failures, particularly with Microsoft services. The application that produces many of these logs is Microsoft Office. Upon investigation, we've determined that many of these sign ins procure error code 90072 with the following error message: "User account '{user}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{application}'({appName}) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account" As a disclaimer, I did not edit this message to insert the unfilled variables in brackets - that's how the error message appears in our Entra portal. We currently run a hybrid environment, and all of the users with high volumes of failed sign ins with the given error code and message are on-prem accounts. These logs produce a lot of noise that we would rather not have polluting our reports. Do you have any information we can use to help remediate this issue?👉 Microsoft Entra in Action: From Conditional Access to Identity Protection
One of the areas I’m most passionate about is identity-driven security. Microsoft Entra makes it possible to apply Zero Trust principles directly at the identity layer. ⚡ Conditional Access – the backbone of modern access policies. 👤 Privileged Identity Management (PIM) – ensuring just-in-time, least privilege for admins. 🛡️ Identity Protection – risk-based policies to stop compromised sign-ins in real time. In my labs, I’ve seen how these features transform security posture without adding friction for users. Coming soon: - Step-by-step breakdown of a risky user detection scenario. - A visual guide to Conditional Access controls for critical apps. Would love to exchange insights with others experimenting in this space — what Entra features are you finding most impactful? #MicrosoftEntra | #ConditionalAccess | #IdentityProtection | #MicrosoftLearn | #PerparimLabsShape the future of our communities! Take this survey to share your practitioner insights. 💡 ✏️ 🔓
This brief survey explores your experiences and preferences in professional identity and network security communities. Your feedback will help shape our team's approach to future community resources and engagement opportunities. Take the survey here! For any questions about this survey, please contact dansantos@microsoft.com. Privacy Statement: https://go.microsoft.com/fwlink/?LinkId=521839Help with Expression
I am trying to build an expression in the cloud sync config. I'm writing entra groups back on prem and I want to send them to different OUs based on the displayName as per this example: Under Target container select Edit attribute mapping. Change Mapping type to Expression. In the expression box, enter: Switch([displayName],"OU=Groups,DC=contoso,DC=com","Marketing","OU=Marketing,DC=contoso,DC=com","Sales","OU=Sales,DC=contoso,DC=com") Change the Default value to be OU=Groups,DC=contoso,DC=com. Problem with that approach is Id have to have a switch statement for every single displayName! what Id really like to do is direct my groups to an OU based the the first few sections of the display name. So my groups would be named "APP-APPNAME-USERS" for example and Id want the APPNAME section to be used in the switch function to send the groups to their respective OUs. The documentation says I can use nested expressions, so I have been trying to SPLIT the displayName in the switch expression but it isnt working at all. Switch(Item(Split([displayName], "-"), 1), "APP1", "OU=APP1,OU=Application,OU=Groups,DC=contoso,DC=net", "APP2", "OU=APP2,OU=Application,OU=Groups,DC=contoso,DC=net", "APP3", "OU=APP3,OU=Application,OU=Groups,DC=contoso,DC=net", "OU=Application,OU=Groups,DC=contoso,DC=net") Is anyone able to help with this?Cloud-First Attribute Ownership for Synced Users in Entra ID Is Not Supported
📝 Description As an enterprise architect working to modernize identity provisioning, I’ve encountered a major limitation in Microsoft Entra ID’s hybrid identity model. While Microsoft promotes a cloud-first strategy, the current architecture forces reliance on on-premises Active Directory for attribute ownership when users are synced via Entra Connect. Key issues: Directory extension attributes, even when created in the cloud, are read-only for synced users. Custom security attributes are not queryable and cannot be used in dynamic groups or claims. There is no supported mechanism to allow cloud apps (e.g., Workday provisioning) to own or update specific attributes for synced users. Breaking sync to convert users to cloud-only is disruptive and not scalable for large enterprises. This creates a conflict between cloud-first provisioning goals and technical limitations, making it difficult to fully transition away from on-prem AD. ✅ Requested Improvements Attribute-Level Ownership Delegation Allow cloud apps to own and update specific attributes for synced users, even if the user is still managed by AD. Writable Directory Extensions for Synced Users Enable Graph API write access to cloud-created directory extensions for hybrid users. Dynamic Query Support for Custom Security Attributes Make custom security attributes usable in dynamic groups, claims, and app filtering. Clear Guidance and Tooling for Cloud-First Identity Models Provide supported patterns and tools for transitioning identity provisioning and attribute management to the cloud. 🙏 Why This Matters Organizations are actively trying to reduce reliance on legacy infrastructure and embrace cloud-first identity. The current limitations in Entra ID make this transition unnecessarily complex and inconsistent with Microsoft’s cloud-first messaging. ---copiloted response for sure after many days of trying to work a solution that does not create more tech debt...
Recent Blogs
- 3 MIN READExplore how new logging updates in Microsoft Entra bring agent visibility and enriched logs for deeper, more actionable sign-in insights.Sep 22, 2025
- While System for Cross-domain Identity Management (SCIM) is the best foundation for agent identity provisioning, key enhancements are needed, says Alex Simons, Corporate Vice President of Identity an...Sep 16, 2025
