Recent Discussions
Windows Live Custom Domains causes Entra account lockout
Hi everyone, we have an on-prem AD connected with Entra Connect to Entra ID for about 3 years. We only sync users and groups, no password hash or anything else. For a few days now, 4 (out of about 250) users are constantly being locked out due to failed login attempts on an application called "Windows Live Custom Domains". All 4 users are locked out, not at the same time but within 30 min to an hour. This happens multiple times a day. As far as I was able to investigate, Windows Live Custom Domains is a service no longer offered by MS or has been replaced with something else. How am I able to find out where these failed login attempts come from? If someone could point me in the right direction I would be very happy. Thanks, Daniel
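An added example for the question above (it is not part of Daniel's post): the sign-in log query a practitioner would run with the Microsoft Graph PowerShell SDK to see where the failed sign-ins against that application originate. The application display name is taken from the post; the two-day window, the scopes and the role requirement (a role that can read sign-in logs, such as Security Reader) are assumptions.

```powershell
# Added example, not from the original post. Locate the source of the failed sign-ins
# against "Windows Live Custom Domains" with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the caller can read sign-in logs;
# a two-day window is enough to catch the pattern.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since  = (Get-Date).AddDays(-2).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "appDisplayName eq 'Windows Live Custom Domains' and createdDateTime ge $since"

# Pull every matching sign-in (not just the first page) and keep the failures.
$failed = Get-MgAuditLogSignIn -Filter $filter -All |
    Where-Object { $_.Status.ErrorCode -ne 0 }

# One row per failure with the fields that identify the caller.
$rows = $failed | ForEach-Object {
    [pscustomobject]@{
        When      = $_.CreatedDateTime
        User      = $_.UserPrincipalName
        IP        = $_.IPAddress
        Client    = $_.ClientAppUsed      # legacy protocols (IMAP, SMTP, "Other clients") show up here
        UserAgent = $_.UserAgent
        Error     = $_.Status.ErrorCode   # 50126 = invalid credentials, 50053 = account locked
        Reason    = $_.Status.FailureReason
        City      = $_.Location.City
        Country   = $_.Location.CountryOrRegion
    }
}

# Where is it coming from? The same IP and client across all four users points at one
# stale device or service; many IPs with one user agent looks like a password spray.
$rows | Group-Object IP, Client, UserAgent | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } },
        Name |
    Format-Table -AutoSize

# Timeline per user, to confirm the "within 30 min to an hour" pattern.
$rows | Sort-Object When | Format-Table When, User, IP, Client, Error -AutoSize
```

The grouping is what usually answers the question: one source IP and a legacy-protocol client hitting all four accounts means an old mailbox or sync configuration somewhere still holds retired credentials and retries until Smart Lockout trips, while many IPs sharing a user agent is external. Either way the IP, client and user agent columns are what to hand to whoever owns that device or to your network team.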
Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we're hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters, to what foundations you need to get started, and finally to how to configure it in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub
Exclusion of Copilot App (for O365) from Conditional Access Policies does not work
Hi, we've built a Conditional Access policy in Entra ID that forces MFA for all cloud apps. We want to exclude "Microsoft 365 Copilot" / "Copilot App" so no reauthentication is necessary for Copilot when accessing O365 content. The exclusion has been made for a range of identified Copilot applications that are shown in the sign-in logs. However, reauthentication still pops up. No other Conditional Access policy is applied; it's this specific policy that requires reauthentication. What's the reason why the exclusion does not work? Is there something else that needs to be taken into consideration so the exclusion works? Many thanks in advance!
Microsoft Entra Internet Access for iOS in Public Preview!
With the latest update to Microsoft Defender for Endpoint on iOS, organisations licensed for Microsoft Entra Suite or Microsoft Entra Internet Access will have access to Microsoft's Secure Web Gateway (SWG) and traffic forwarding for HTTP/HTTPS traffic, with support for web content filtering. This has been a huge win for iOS mobile security. Previously, Defender for Endpoint on iOS supported phishing protection, M365 traffic, and Entra Private Access traffic. Combined with Global Secure Access Threat Intelligence, which consumes indicators from the Microsoft Intelligent Security Graph (ISG), organisations can implement granular internet access controls on iOS devices with integrated, context-aware protection against malicious threats. Excited to hear what you think! Release notes are available here
Application Owners Pushback to Entra
Hi All, I'm running an Entra ID integration and facing pushback from application owners to migrate. Does anyone have a punchy deck to get the app owners back on board and willing to migrate? Any support is greatly appreciated. Best regards, Brian
Shape the future of our communities! Take this survey to share your practitioner insights. 💡 ✏️ 🔓
This brief survey explores your experiences and preferences in professional identity and network security communities. Your feedback will help shape our team's approach to future community resources and engagement opportunities. Take the survey here! For any questions about this survey, please contact dansantos@microsoft.com. Privacy Statement: https://go.microsoft.com/fwlink/?LinkId=521839
Services I had no understanding of being used against me.
First of all, I want to apologize for the lack of technical knowledge, I was backed into a corner by a complete lockout of all my accounts and devices as a result of individuals using Azure resources and a Microsoft 365 admin account. They put the Azure services into play in early 2022 and were using an old Android to access my accounts and lock me out by changing passwords. This situation is unique because it was a homeless couple (Or so I thought) that I opened my home to in late 2021. When I had lost access to all my accounts that had been mine for over a decade I tried moving on and creating new accounts. I was creating a recovery email account for my new primary email and fell asleep before I finished. I woke to discover it had been completed, and the password was set. When unsuccessful with the .aspx recovery form I wrote it off because the account was new and I did not believe it was a danger. Maybe I finished setting it up as I drifted off and forgot. A few weeks later I was still having issues with unauthorized access to my new primary email, and when investigating noticed the email I never had access to had been assigned as admin over my Microsoft 365 apps. I tried for a month to address the issue and failed. I was fine with not being able to recover the account but if it was not mine it had no business being admin over my personal accounts. I had also discovered the people in my home running a scam on Azure using my credentials from another account, and I reported this to Microsoft. There are a lot of factors that go into this and in 2022 I had zero understanding of all of it. Only when I found myself completely locked out of everything with my personal accounts being used to request and receive an EIN from the IRS, and file a fraudulent business return, and more did I really begin troubleshooting to determine the best course of action. 
I was still not receiving the escalation I had requested in early 2022, and things had gone beyond too far so I created a business profile to gain an understanding of Azure services, roles and permissions, and more. Now granted when this began in September of 2024, I still had zero IT experience, admin experience or developer experience. I am still a novice at these at best in my opinion, but I have been combatting those with advanced system knowledge and developer skills the entire time. I found developer portals that had been set up using my credentials with anything associated to me. HP for my PCs, Microsoft, Google Cloud, Norton, and more. I would be directed to update drivers with HP to a site that must have been some developer's sandbox because eventually Norton flagged all HP sites as malicious. My passwords were being scraped out of my Norton Password Vault and more. This has all been quite an ordeal since 2022, and I still do not understand most of it, but I am doing my best. I already had the issue that it was my Microsoft account, and my problems crossed various platforms, and when I created my own business accounts to investigate I began having significant success seeing what was happening, but I cannot export the data in my head to a .csv about my personal accounts to share with 365 Business support or vice versa about my business accounts to personal support, so I am the only one that can see both sides. Cross platform communication on tickets is hard enough let alone crossing the business and personal threshold. I had just found myself in a position that it was my best investigative option. It has been successful on my end, however communicating what the criminals were doing has been a challenge. My lack of technical knowledge and the fact I am on a Microsoft Learn as I go system makes this quite demanding on my part. The logs and screenshots from my original investigation in 2022 exist in my photographic memory but nowhere else. 
And I can pick out details in logs and reports that will go unnoticed and be flagged as "not me" by AI. But because of my attention to detail, I see the names associated with the activity and know that it is where the fraud began.
Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
What I'm trying to achieve
I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (regular organizational tenant) for a hybrid CIAM/B2B setup where:
- Business users authenticate via their corporate accounts (OIDC or SAML)
- Individual customers use username/password or social providers (OIDC)

Tenant details / Terminology:
- CIAM tenant: External ID tenant for customer-facing applications
- IdP tenant: example partner's organizational Entra ID tenant with business accounts
- Custom domain: mycustomdomain.com (example domain for the IdP tenant)

Configuration steps taken
Step 1: IdP Tenant (Entra ID) - Created SAML App
Set up an Enterprise App with SAML SSO:
- Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/
- Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf
- NameID: Persistent format
- Claim mapping: emailaddress → user.mail

Step 2: CIAM Tenant (External ID) - Added SAML IdP
(Initially imported from the SAML metadata URL from the above setup.)
- Federating domain: mycustomdomain.com
- Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/
- Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2
- DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2

Step 3: Attached to User Flow
- Added the SAML IdP to the user flow under "Other identity providers"
- Saved the configuration and waited for propagation

The problem
It doesn't work. When testing via "Run user flow":
- No SAML button appears (it should display "Sign in with mycustomdomain")
- Entering [email address removed for privacy reasons] doesn't trigger federation
- The SAML provider appears configured but never shows up in the actual flow
- Also tried using the tenant GUID in the passive endpoint instead of the domain; same result

My question
Is SAML federation from External ID to regular Entra ID tenants actually possible? I know OIDC federation to Microsoft tenants is (currently, August 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works. Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant regardless of the protocol used?
Fetch Email of Login User Using Command or Script
Dear Team, We are working on retrieving the email address of the user joined to Entra ID from Entra-joined Windows devices, specifically while running in a system context. The whoami /upn command successfully returns the joined user's email address in a user context, but it does not work in a system context, particularly when using an elevated terminal via the psexec utility. We also tested the dsregcmd /status command; however, in a system context, the User Identity tab in the SSO State section only appears when there is an error in AzureAdPrt. Under normal, healthy operating conditions, this command does not provide the user identity or the full domain username. We would greatly appreciate guidance on how to retrieve the Entra ID joined user's email address in a system context, especially from those with prior experience in this area. Thank you for your support.
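An added example (not part of the post above) showing one way to recover the signed-in Entra ID user's UPN from a SYSTEM-context PowerShell session, such as a psexec -s shell or an Intune script. Nothing in the post establishes this, so treat both of its premises as assumptions to verify on your own build: Entra ID (cloud) user SIDs carry the S-1-12-1 prefix, and Windows caches the signed-in identity under HKLM\SOFTWARE\Microsoft\IdentityStore\Cache\<SID>\IdentityCache\<SID>, with the UPN in the UserName value.

```powershell
# Added example, not from the original post. Resolve the interactively signed-in
# Entra ID user's UPN while running as SYSTEM, where whoami /upn is of no use.
# Assumptions (verify on your build):
#   - Entra ID user SIDs start with S-1-12-1.
#   - A loaded HKEY_USERS hive under such a SID means that user has a session.
#   - HKLM\SOFTWARE\Microsoft\IdentityStore\Cache\<SID>\IdentityCache\<SID>
#     holds the account's UPN in the 'UserName' value.
function Get-EntraSignedInUserUpn {
    [CmdletBinding()]
    param()

    # HKEY_USERS is only fully visible to SYSTEM/administrators, which is the
    # context this question is about.
    $loaded = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object {
            $_.PSChildName -like 'S-1-12-1-*' -and $_.PSChildName -notlike '*_Classes'
        }

    foreach ($hive in $loaded) {
        $sid = $hive.PSChildName
        $key = "HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\$sid\IdentityCache\$sid"
        if (-not (Test-Path -Path $key)) {
            Write-Verbose "No IdentityCache entry for $sid"
            continue
        }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props.UserName) {
            [pscustomobject]@{
                Sid               = $sid
                UserPrincipalName = $props.UserName
                DisplayName       = $props.DisplayName
            }
        }
    }
}

# Usage: returns one object per signed-in Entra user, or nothing if no cloud user
# currently has a session (e.g. the device is sitting at the lock screen).
Get-EntraSignedInUserUpn -Verbose
```

Two caveats worth stating: the registry cache is populated by the Windows sign-in, so it reflects who has logged on to this device, not who is logged on right now, which is why the function keys off the loaded HKEY_USERS hive rather than enumerating the whole cache; and if the key layout differs on a given Windows build, the fallback is to run whoami /upn inside the user's session (for example from a scheduled task that runs as the logged-on user) and write the result somewhere SYSTEM can read it.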
Global Secure Access - Deleted Application still applies (and cannot be recreated)
Hello everyone, we currently face an issue with Global Secure Access - Private Access - Enterprise applications. An admin deleted and tried to recreate an enterprise application. When he tried adding the IP address and the port he got an error that this rule is already within another app. The link led to an "empty" app. It was found that under "App registrations" the previously deleted application was still there, and it was permanently deleted. However, the problem stays. If we try a connection to the IP address and port which was specified in the deleted policy, we can see an error in the GSA Event Log on the client: Could not authenticate using a cached token... Error: 9, Message: IncorrectConfiguration {"Description":"V2Error: invalid_resource AADSTS500011: The resource principal named <id of the deleted application> was not found in the tenant named <ourTenant>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Unfortunately, since the application is now permanently deleted, it cannot be restored. We tried to completely disable and re-enable Private Access (in Entra!) but this did not fix the problem. For some reason the deleted policy is stuck in GSA and we have no idea how to get it out.
Secure Linux Logins with Azure Entra ID: MFA, Hello, Device Compliance & SSO with Himmelblau
As organizations adopt Azure Entra ID and Intune to secure their fleets, Linux has often been left behind, especially for modern authentication requirements like MFA, Conditional Access, and device compliance. Traditional Linux frameworks (PAM, NSS) were never designed for cloud identity or Zero Trust. Himmelblau is an open-source project that bridges this gap by integrating Linux systems directly with Entra ID. With Himmelblau, you can:
- Join Linux machines to Azure Entra ID, creating a device object in Entra ID to establish device identity and enable Conditional Access checks tied to trusted devices.
- Enroll Linux systems into Microsoft Intune (currently in beta), so they participate fully in compliance policies alongside Windows.
- Enforce MFA at the Linux login prompt, using your existing Entra ID Conditional Access configurations.
- Offer secure Hello for Business PIN authentication on Linux, providing end users with a familiar, strong second factor that's backed by hardware-bound credentials.
- Integrate Linux with SSO in Firefox and Chrome, allowing seamless access to Entra-protected web apps once the user is logged in.
- Manage Linux users and groups via Entra ID, with robust caching for reliable offline operation.
- Leverage TPM-backed certificates and secure key storage, so device credentials remain protected even if the system is compromised.
For many IT teams, this means finally bringing Linux endpoints under the same Zero Trust umbrella as Windows, without compromising user experience or compliance. Get started:
https://himmelblau-idm.org
https://himmelblau-idm.org/landing.html
https://github.com/himmelblau-idm/himmelblau
We'd love your feedback, especially from organizations managing hybrid fleets. What other Entra scenarios would you like to see better supported on Linux?
Adding PIM enabled security group to an Access Package
Hi, Recently a new feature has gone into preview: it's now possible to add a PIM-enabled security group to an access package, explained here: https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-eligible I followed the instructions exactly on 2 different tenants; one tenant has the Entra ID Governance licence, the other has the Entra Suite licence. The result on both tenants was the same. When adding a PIM-enabled group to an access package, I am presented with only 2 roles (member or owner) and not with the expected 4 roles (member, owner, eligible member, eligible owner). The group I add was created for test purposes a couple of weeks ago, and really is PIM enabled (discovered). Is this a preview that has to be activated on a tenant? (It's not in the "Entra -> Identity -> Settings -> Preview features" list.) Am I missing something? Cheers!
Entra ID External - Custom Claims Provider help
Hi, I'm working with Entra ID External identities, trying to get a 'Token Issuance Start' event in a Custom Claims Provider working correctly. I've got all the pieces in place (SPA, web API with endpoint set and configured, app registrations, basic login working successfully, etc.). I just can't get the claims provider to call my claims endpoint. Tried so many different ways, get all different errors, all kinds of hours with and without ChatGPT, and still not working. I'm at the point where I'm ready to pay a consultant to help me get past this. But I'm just a solo dev working on a personal side project; I can't call an enterprise consulting company asking for an hour or two on a Zoom call, they don't deal with such minuscule jobs, at least none that I've called. I'm well past the point of making a Stack Overflow post or something like that; I need a one-on-one with someone familiar with Entra ID custom claims providers for External identities. But I'm guessing most folks with that knowledge are working for some big consulting firm that won't give me the time of day. Can anyone suggest a small company that could help me, or maybe a place to post online for someone that might want to make a few bucks moonlighting on the side? I'm not looking for a handout, I'll pay a reasonable rate, I just can't afford (and am pretty sure I won't need) more than a couple of hours. If anyone knows of some site (or is interested yourself) please let me know, I'd be forever grateful, I'm at my wits' end :) Thanks, Andy
Edge Warning when clicking on Links in Entra
I am in the Entra portal looking at the latest recommendations to improve the Identity Secure Score. When you select an option and the fly-out window shows on the right, you have the 'Get Started' link at the bottom. Upon clicking on that, Edge will warn you that something doesn't look right. I know that the URLs were changed a while ago now for the various portals, but it looks like Edge didn't get the message on this one, hence the warning showing in the browser. Can this be addressed, as I constantly get this alerted to me by other users?
Strengthening Enterprise Identity Security with Country Based Blocking in Conditional Access
In a Zero Trust world, identity is the foundational security perimeter. Securing access begins with full visibility and control over authentication activity, including where sign-in attempts originate. By continuously validating the context of every access request, organizations can detect threats early and enforce least privilege with precision. For public sector agencies and global enterprises alike, defending against unauthorized sign-ins from foreign locations is a top priority, especially when those locations fall outside the boundaries of legitimate business activity.

Why Country-Based Blocking Matters
Not every foreign login attempt is malicious, but when your organization has no employees, contractors, or systems operating out of certain countries, any authentication activity from those regions should be treated as suspicious by default. We've seen organizations use this capability to:
- Block access from countries where they have no personnel or partnerships
- Reduce exposure to credential stuffing and password spraying launched from regions where they have no presence
- Enforce geo-compliance policies related to data sovereignty or regional restrictions
This reduces risk without interfering with legitimate business operations, and it is straightforward to configure: Microsoft Entra ID (formerly Azure Active Directory) provides an often overlooked Conditional Access feature, the ability to block authentication attempts by country using Named Locations.

🔧 Step by Step: How to Block Access by Country Using Conditional Access

1. Create a Named Location for the Country
Go to the Microsoft Entra admin center (Entra Portal).
Navigate to Protection > Conditional Access > Named locations.
Click + Country location.
Name the location (e.g., Blocked - North Korea).
Choose how the location is determined: by IP address (the default, and the one that works for every client) or by GPS coordinates (which requires the Microsoft Authenticator app on the user's device).
Check the box for the country or countries you want to block (e.g., North Korea).
Decide whether to tick Include unknown countries/regions. Left unticked, a sign-in whose IP address cannot be mapped to a country is not matched by this location; ticked, those sign-ins are matched too, which closes the gap but can catch legitimate traffic from unmapped ranges, so review the effect in report-only mode first.
Click Create.

2. Create the Conditional Access Policy
Still in Conditional Access, click + Create new policy.
Name your policy, e.g., Block Sign-ins from Forbidden Countries.
Under Assignments:
- Users: choose All users (or specific groups), and exclude your break-glass accounts.
- Target resources: select All resources (or target specific apps).
- Network: set Configure to Yes. Under Include, choose Selected networks and locations and pick the Named Location(s) you created earlier (e.g., Blocked - North Korea).
Because the Named Location sits in the Include list, the policy applies only to sign-ins that originate from those countries; every other sign-in is untouched by this policy.
Under Access controls > Grant, select Block access.
Enable the policy (set to On), or test it first by setting it to Report-only.
Click Create.

🛡️ Best Practices
- Begin with Report-only mode to simulate the effect of your policy before enforcement.
- Exclude break-glass (emergency) accounts to avoid accidental lockout.
- Monitor sign-in activity in the Microsoft Entra sign-in logs to validate the policy's effect; the Conditional Access tab of each sign-in shows whether this policy matched and what it did, or in report-only mode what it would have done.
- Combine with sign-in risk policies or device compliance to further refine access decisions.
- Consider the service limits for Named Locations and IP address ranges. While these limits are generous and unlikely to affect most organizations, review them to ensure your design remains scalable. More details can be found in the Microsoft Entra service limits documentation.

Final Thoughts
Blocking access from foreign countries where your organization has no legitimate activity is one of the most straightforward and effective Conditional Access strategies available. It strengthens your authentication perimeter and supports a Zero Trust approach to identity security. However, Named Locations should be part of a broader defense-in-depth strategy. Attackers can use VPNs, residential proxies or cloud hosts inside an allowed country to disguise their location, and Conditional Access evaluates location when a token is issued, so a country block does not by itself protect tokens that were already issued. Combine it with additional signals such as sign-in risk, device compliance, and multi-factor authentication. Whether you're protecting a government agency or a multinational enterprise, adding country-based controls to your Conditional Access policy set remains a simple but powerful step forward.

🧭 Ready to get started? Dive into the official docs here:
➡️ Block access by location using Conditional Access
➡️ Simplify Conditional Access policy deployment with templates - Microsoft Entra ID | Microsoft Learn
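The same configuration as the portal steps above, as an added example written with the Microsoft Graph PowerShell SDK (it is not part of the original article). Scripting it makes the policy reviewable and repeatable across tenants. The two break-glass object IDs are placeholders, KP is the ISO code for the North Korea example used above, and the policy starts in report-only mode as the best practices recommend; the final step reads the sign-in logs to show what the policy would have done.

```powershell
# Added example, not from the original article. Create the country Named Location and
# the blocking Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the caller may manage Conditional
# Access and read sign-in logs; the break-glass object IDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All'

# Placeholder object IDs of the break-glass accounts; replace with your own.
$breakGlass = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

# 1. Named Location. Countries use ISO 3166-1 alpha-2 codes. includeUnknownCountriesAndRegions
#    = $false mirrors leaving the portal checkbox unticked: sign-ins whose IP cannot be
#    geolocated are not matched by this location.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked - North Korea'
    countriesAndRegions               = @('KP')
    includeUnknownCountriesAndRegions = $false
}

# 2. Policy. The Named Location goes in includeLocations, so the policy applies only to
#    sign-ins from those countries. Start in report-only; switch state to 'enabled' once
#    the sign-in logs show no legitimate traffic being caught.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block Sign-ins from Forbidden Countries'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
"Created policy $($policy.DisplayName) ($($policy.Id)) in state $($policy.State)"

# 3. Validate before enforcing: sign-ins from the blocked country in the last day and the
#    report-only result this policy recorded for each of them.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.Location.CountryOrRegion -eq 'KP' } |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress, AppDisplayName,
        @{ n = 'PolicyResult'; e = {
            ($_.AppliedConditionalAccessPolicies | Where-Object Id -eq $policy.Id).Result
        } } |
    Format-Table -AutoSize
```

In report-only mode the PolicyResult column shows reportOnlyFailure for sign-ins the block would have stopped and reportOnlyNotApplied for those it would have ignored; a reportOnlyFailure against a user you recognise (a traveller, a contractor, a service account behind a foreign egress) is the signal to add an exclusion before changing the state to enabled.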
How to test MSAL Android app with SSO across long periods (token expiry and silent sign-in)
Hi, I'm developing an Android application using MSAL and SSO for authentication and I am pretty new to using these tools. I want to ensure that SSO and token refresh mechanisms continue to work correctly over long periods, especially after access and refresh tokens expire. My goal is to simulate and test the following scenarios:
- Behavior after access token expiration
- Behavior after refresh token expiration
- Whether silent token acquisition via acquireTokenSilent() continues to work as expected over time
- Whether the user needs to re-authenticate interactively after refresh token expiry, and whether this re-authentication works
- How to simulate token expiry effectively for testing (e.g., adjusting the system clock, clearing the token cache, or using custom Azure AD token lifetimes)
What is the best approach to simulate long-term usage and token expiration within an Android environment using MSAL? I have come across this resource: https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes But I don't have access to "Conditional Access" and policies in my Entra admin center. Does anybody have any recommendations, sample code, or official tools to test these scenarios without using policies? It would be greatly appreciated. Thanks!
Unable to modify SSO with External Member account
Hi everyone, Our client is using their workforce tenant accounts to manage the External ID tenant. The accounts are initially created as External Guests on the External tenant and then converted to External Members. However, they encounter the following error when attempting to modify SSO for some applications: When we convert the admin account back to a guest account, it works. This issue doesn't occur with all applications, only some of them. Additionally, we have a test tenant where we cannot reproduce the issue. Do you have any idea why this is happening? Also, is it possible to open support tickets for External ID? Under the "New support request" option, I can only see options for Billing and Subscription management. Thanks a lot, Dario
Issues with Passkey Login Hanging on "Connecting to Your Device"
Hi everyone, I'm currently working on enabling passkey login for some users. I have a test account where I enabled the passkey and enrolled it in Microsoft Authenticator. However, when I try to log in and scan the key, it hangs on "Connecting to your device." Has anyone encountered this issue before? How can I find the root cause, and which log would show what might be blocking me? Thanks in advance for your help!
Recent Blogs
- Explore how new logging updates in Microsoft Entra bring agent visibility and enriched logs for deeper, more actionable sign-in insights. (Sep 22, 2025)
- While System for Cross-domain Identity Management (SCIM) is the best foundation for agent identity provisioning, key enhancements are needed, says Alex Simons, Corporate Vice President of Identity an... (Sep 16, 2025)