Recent Discussions
Looking for a way to set up mail moderation using Entra dynamic group
Our organization is working on shifting from a hybrid AD-Entra environment to Entra only. We currently use mail-moderated dynamic distribution lists using Extension Attributes to set the rules for mass internal company emails. In conjunction with us migrating to Entra only, we are also planning to use an API integration to manage our Entra account creation and updates. This integration does not have the ability to populate the Extension Attribute fields. Because of these changes we will no longer be able to use the existing dynamic distribution lists we have, and we have not had luck finding a solution for it yet. Has anyone else gone through this or have any experience solving for this same problem?
Entra Risky Users Custom Role
My customer implemented unified RBAC (Defender Portal) and removed the Entra Security Operator role. They lost the ability to manage Risky Users in Entra. Two options explored by the customer - Protected Identity Administrator role (licensing unclear) or create a custom role with microsoft.directory/identityProtection/riskyUsers/update, which they couldn't find under custom role. Do you know if there are other options to manage Risky Users without using the Security Operator role?Request to enable preview feature - Face Check with CAP
Dear Microsoft, I am on a business premium plan for my home test tenant. I cannot raise ticket nor do I have an account manager. I know this is in private preview. I would like my tenant to be enabled to test this new Verified ID feature to have "Face Check" in CAP as one of the Grant conditions. tenant id: bc85b508-0107-4472-a49c-fc8cefd4f0d7 Thank you.
Global Secure Access - Conditional Access Require GSA - Android Blocked
Hello all, I am currently working on deploying Global Secure Access client with Microsoft Forward Traffic profile and a conditional access policy to block access to M365 services unless connected through the GSA client. I have this working as I want it for Windows and mobile devices in a tenant we use for development. However, when I set this up at our live tenant, I cannot get the Android device to work. My setup is a Personally Owned Work Profile with the Defender app deployed and configured to enable GSA. I can connect to Global Secure Access and it does show some traffic tunneling to Microsoft. However, when I go to login to another app like Outlook, it blocks the sign-in. This is not the case for an iPhone I have personally enrolled and my Entra Joined laptop. Upon investigation of any differences between our development tenant (working fully) and our tenant (Android not working) I found that in the GSA section under Services, there is an extra service called “Microsoft Entra Channel Access”. This service does not show up when I am logged in our developer tenant. Even on the same phone by removing work profiles and signing in to both tenants, our live tenant shows the new channel, and the developer tenant does not have it. I did some log review with the advanced diagnostics feature and the app and noted a few things I am lead to believe that the issue is with this new Entra Channel that has been deployed to our live tenant and not to our dev tenant yet. When I go to sign-in to the Outlook application in the work profile for the developer tenant, I can see the authentication traffic being tunneled through the Microsoft 365 profile. (login.live.com, login.microsoftonline.com, and aadcdn.msftauth.net). However, in our production tenant when doing the same test I do not see those destinations being tunneled at all. I do see the traffic being collected in the “Hostname” section, but is not being tunneled. Another interesting point with this is that on an iPhone I am testing; I do see the authentication destinations being tunneled through the Entra Channel. Here are the screenshots of my findings. https://imgur.com/a/82r3HQC I have an open Microsoft support case and hoping to get the attention of a Microsoft employee or MVP who may be able to get this in front of the Entra product team to see if this is a bug.Break-glass Account Prompted for Authenticator App Despite Exclusions
We have a break-glass account configured with two FIDO2 security keys as the only authentication method. The account is: Excluded from Microsoft Authenticator in Authentication Methods policy Also, the included target is a dynamic group that includes all users but the break glass account. Excluded from the MFA Registration Campaign Also, the included target is a dynamic group that includes all users but the break glass account. Excluded from all Conditional Access policies However, whenever we test the account, it still gets prompted to set up the Microsoft Authenticator app during sign-in. We can skip the setup, but ideally, the prompt should not appear for this account. How can we prevent the Authenticator setup prompt entirely for this break-glass account?
Block all 365 apps except Outlook via CA
Trying to block 365 for a subset of users, except email. The old app-based CA rules made this easy. The new 'resource' based setup... I'm not even sure if it's possible. CoPilot just keeps telling me to use the old version of CA, because it hasn't clued into Microsoft's downgrade cycle. If I try to filter by resource attribute, I'm told I don't have permission to do so. I'm the global admin. Here's what searching for Outlook gives me and Exchange Advice? We ARE intune licensed, but i'm not sure App Protection Policies will help here. The intention is to block BYOD from accessing anything but Outlook / Exchange. That is, Mobile devices that aren't (whatever param I decide on)Convert Group Source of Authority to the cloud. Global Groups support?!
This is the exact feature we need, unfortunately it's also unusable for an existing environment. Does anyone know when Entra SOA will support global groups? We have ZERO universal groups and we are not going to convert into them.
SSO in Azure doesn't work for the test users from the free Microsoft 365 Developer Program
Hi, I have made an integration of SAP S/4HANA Public Cloud with Microsoft MS Teams functionalities: share as a Tab and share a Card. When the link is sent from the main account, which I used while configurating the Microsoft 365 Developer Program, SSO with SAP BTP works correctly. If I am logged with some of the test accounts, the SSO doesn't work. The roles in Azure are the same, the Application CIS was also assigned to all the users. Other then that everything works fine. Could you please help with that?
Blocking email in outlook mobile application via conditional access and Intune
Hello, all. We’re currently experiencing an issue where corporate email remains accessible in the Outlook mobile app on personally owned iOS devices, even after the device either falls out of compliance or undergoes an enterprise wipe. These devices are managed through Intune. Additionally, some users may have personal email accounts configured within the Outlook mobile app already. Below is the conditional access policy currently applied to mobile devices. Any assistance would be appreciated.NPS Extension for azure MFA and multiple tenants?
Hi, is it possible to setup one NPS server with the Extension for Azure MFA to authenticate against multiple tenants? The onprem AD has azure ad connector for each domain and the users are in sync with there tenants. Its a RDS setup with one RD Gateway and one NPS server and multiple RD servers. I need email address removed for privacy reasons and email address removed for privacy reasons etc. to authenticate with MFA, but i can only get the users on the tenant thats linked in the NPS Extension for Azure MFA to work. I dont think its possible to setup more than one tenant in one NPS server (Extension for azure MFA). I get this error in the NPS log NPS Extension for Azure MFA: CID:xxxxxxxxxxxxxxx : Access Rejected for user email address removed for privacy reasons with Azure MFA response: AccessDenied and message: Caller tenant:'xxxxxxxxxxxxxxxxxxxxxxx' does not have access permissions to do authentication for the user in tenant:'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',,,xxxxxxxxxxxxxxxxxxxxxx The ID in the Caller tenant and the user tenant in the error is correct, so something have to work? I cat find a way to allow the Caller tenant to access users in the user tenant.Does Rights Management Service currently support MFA claims from EAM?
We've been testing EAM (external authentication methods) for a few months now as we try to move our Duo configuration away from CA custom controls. I noticed today that when my Outlook (classic) client would not correctly authenticate to Rights Management Service to decrypt OME-protected emails from another org. It tries to open the message, fails to connect to RMS, and opens a copy of the email with the "click here to read the message" spiel. It then throws a "something is wrong with your account" warning in the Outlook client's top right corner. If I try to manually authenticate & let it redirect to Duo's EAM endpoint, it simply fails with an HTTP 400 error. When you close that error, it then presents another error of "No Network Connection. Please check your network settings and try again. [2603]". I can close/reopen Outlook and that warning message in the top right stays suppresses unless I attempt signing into RMS all over again. However.. If I do the same thing and instead use an alternate MFA method (MS Authenticator, for example), it signs in perfectly fine and will decrypt those OME-protected emails on the fly in the Outlook client, as expected. I verified that we excluded "aadrm.com" from SSL inspection and that we're not breaking certificate pinning. So all I can assume at the moment is that Rights Management Service isn't honoring MFA claims from EAM. Any experience/thoughts on this? Thanks in advance!
Need Powershell Script for consolidated report of Active Directory users
Dear Experts, I need a consolidated report for the following instances for Active Directory users --> 1) All LIVE AD Users with “CREATED ON” header 2) Inactive Users (No Login in 90+ Days) 3) Users with “Password Never Expires” Mark 4) Users Who Never Logged In – Users never logged on 5) Users with Old Passwords (Not Changed in 90+ Days) 6) Disabled User Accounts with “Disabled ON” header 7) Inactive Computers (No Logon in 60+ Days) 8) Disabled Computer Accounts 9) Last User Logged in, on computers 10) ALL Users' with Last Password Change Date Kindly share the powershell script for the same ASAP. ..AjitEntra Verified ID: CAP Preview Feature to require Face Check
During one of the MS demo video, I saw a preview feature for Conditional Access Policy to require "Face Check". I have now enabled Entra Verified ID and also switched on Face Check. When I create a new CAP, I do not see the "Require Face Check" option under the Grant. How can I request to have this feature released to my tenant? Thanks!
Feature Request: DLP Controls for App Registrations Using Sites.Selected to Prevent PII/PHI Exposure
We’re using the Sites.Selected SharePoint API to restrict app access to specific sites, which is a great improvement over tenant-wide permissions. However, we’re increasingly concerned about the lack of native DLP enforcement at the app registration level—especially for AI-powered apps or integrations that may unintentionally access sensitive data. Does Microsoft offer any capability to safeguard against PII/PHI data transfer across the Graph API that can: Flag apps as restricted from accessing PII/PHI. Prevent apps from reading content labeled with sensitivity labels like “Confidential,” “PII,” or “PHI.” Enforce real-time inspection and blocking of Graph API calls that attempt to access sensitive data. Generate alerts and audit logs when apps approach or violate these boundaries. If not, are there plans to introduce these protections? Protection across all APIs is desirable, but currently our greatest concern are SharePoint APIs.
Token Protection Conditional access policy is blocking access to PowerShell Modules.
Hi Everyone, Recently we have started implementing Microsoft token protection via CAP. We have created the policy based on the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection Everything is working fine for regular users, but for our admin accounts that require access to Powershell modules, they get this error when trying to access: I've confirmed this is linked to the token protection policy and no other policy is causing this behavior. The policy is configured in the following way: My question here is: How can I keep our admin accounts included on this policy without affecting Powershell access? Thank you for your help.Workplace Benefits Program (earlier meaning: home Use)
Hello, let me describe our current situation: Tenant A: our first tenant, should be decom. soon Tenant B: our new productive tenant On Tenant A we are able to use the Workplace Benefits Program. Unfortunatelly we have to decom this tenant. so we have created an new one, Tenant B. Enterprise Agreement was transfered well to the new, but one topic is missing, we couldn't transfer the existing workplace benefits from A to B. Perhaps someone here has been in the same situation and has found a solution? Thanks a lot. best regards, MarkusDisabling PIN-based login on Entra-joined PCs
Hi guys. Yesterday I took two machines off the domain and Entra joined them. The goal was 1) remove their access to domain resources 2) have tenant users login to the machine and get enriched tokens every time. this works as desired. The problem is every user gets prompted to set a pin. these are both shared secondary/tertiary PC's - there is no point to having a 6 digit PIN on them. I thought the new Authentication Methods tools had controls for this, but apparently not. A script was run to change certain related Reg Keys (by my onsite tech) but this had no change on reboot. textreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v Enabled /t REG_DWORD /d 0 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v DisablePostLogonProvisioning /t REG_DWORD /d 1 /f HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork Enabled key was set to 0, and DisablePostLogonProvisioning was set to 1. These are from various help threads I found here and other resources. Unfortunately, they do not work. Not sure what to do here. I've read there are InTune controls for this - but I don't really have the time to work out WindowsPC ennrollment profiles for 2 machines. The site has InTune, but only for iOS mobile management. Thoughts?Sharing Best Practices and Experiences
Hi everyone! I’m opening this space for us to discuss everything related to Microsoft Entra — implementation, management, and best practices. The goal is to create a community where we can share experiences, exchange tips, and discuss procedures that make working with Entra ID, Entra Permissions Management, Entra ID Governance, and the rest of the Entra ecosystem easier. 🔹 What challenges have you faced in identity and access management? 🔹 Any configuration, automation, or integration tips worth sharing? 🔹 How are you applying Microsoft’s recommended security practices? If you’re just getting started, check out this Microsoft Learn article on the Microsoft Entra fundamentals. Let’s build an active and collaborative community around Microsoft Entra!
AZURE AD Contacts problem
Heloo, I've been looking for an online solution and nothing works. I have a hybrid Active Directory on-premise and Azure AD system since 2021. Users created in Active directory on-premise deleted since 2021-2022 still appear in my Azure AD contacts, and when I synchronize the contacts from AzureAD with other applications, those users are also visible. The users no longer exist in AD, from there they are automatically deleted after 180 days anyway, I checked. They are no longer found in Azure AD, M365 Admin, the only place where they are still found is Azure AD contacts, it seems they are not in the GAL either because they do not appear in outlook. - I tried Online PowerShell - Get-User | Format-List DisplayName, UserPrincipalName, PrimarySmtpAddress , It only shows me active users - I tried Microsoft Graph , ditto, it only shows me active users. I don't know how to identify those users, and their number is increasing. Please help, some other Ideas?
Recent Blogs
6 MIN READDeep dive into Microsoft’s identity-centric secure web & AI gateway.Dec 19, 2025- The AI Surge Is Here—Are You Ready? Learn more about how to get started with the public preview of Microsoft Entra Agent ID, announced at Ignite 2025.Dec 17, 2025
