Recent Discussions
Entra Enterprise apps and App registrations - Global Secure Access - Conditional Access Block
I am working on a rollout for Global Secure Access and ran into an issue with Entra Enterprise apps setup in the tenant. With Global Secure Access I have a Conditional Access Policy set to Block access to All Resources excluding some resources like Intune and Defender tap required for mobile setup. When I added an administrator account which had done some Enterprise application setup and authorization for various third-party applications, those third-party applications stopped working with failed logins indicating token access issues. Upon review I found the majority of applications to be using client secret authentication with this administrator account as the authorizer. My limited knowledge of Enterprise apps leads me to believe this client secret is an application password that the third-party uses to keep generating tokens based on the authorizing account. My questions surrounding this setup and further understanding are mainly in relation to how Enterprise apps and app registrations authenticate, as well as user authentication directly. 1. How does the token authorization work? Does the application just use the client secret to authenticate as the user who authorized it to generate an access token? Why does MFA requirements and changing passwords not affect this but specific Block policy does? 2. What are best practices in relation to authorizing third-party applications? My thoughts are a dedicated account to authorize applications when needed. 3. How will this work with applications regular users use? Say a user has a digital notebook that syncs with their OneNote or a calendar app that syncs calendars between Outlook and their website. Do these applications also use client secrets with the user's token and will break when added to the GSA setup I have? Is the only way around this to authorize with an admin account for token issuance? Thank you for your time reading this and any insight you may have for any of the questions or ideas mentioned.Request to enable preview feature - Face Check with CAP
Dear Microsoft, I am on a business premium plan for my home test tenant. I cannot raise ticket nor do I have an account manager. I know this is in private preview. I would like my tenant to be enabled to test this new Verified ID feature to have "Face Check" in CAP as one of the Grant conditions. tenant id: bc85b508-0107-4472-a49c-fc8cefd4f0d7 Thank you.Global Secure Access - Conditional Access Require GSA - Android Blocked
Hello all, I am currently working on deploying Global Secure Access client with Microsoft Forward Traffic profile and a conditional access policy to block access to M365 services unless connected through the GSA client. I have this working as I want it for Windows and mobile devices in a tenant we use for development. However, when I set this up at our live tenant, I cannot get the Android device to work. My setup is a Personally Owned Work Profile with the Defender app deployed and configured to enable GSA. I can connect to Global Secure Access and it does show some traffic tunneling to Microsoft. However, when I go to login to another app like Outlook, it blocks the sign-in. This is not the case for an iPhone I have personally enrolled and my Entra Joined laptop. Upon investigation of any differences between our development tenant (working fully) and our tenant (Android not working) I found that in the GSA section under Services, there is an extra service called “Microsoft Entra Channel Access”. This service does not show up when I am logged in our developer tenant. Even on the same phone by removing work profiles and signing in to both tenants, our live tenant shows the new channel, and the developer tenant does not have it. I did some log review with the advanced diagnostics feature and the app and noted a few things I am lead to believe that the issue is with this new Entra Channel that has been deployed to our live tenant and not to our dev tenant yet. When I go to sign-in to the Outlook application in the work profile for the developer tenant, I can see the authentication traffic being tunneled through the Microsoft 365 profile. (login.live.com, login.microsoftonline.com, and aadcdn.msftauth.net). However, in our production tenant when doing the same test I do not see those destinations being tunneled at all. I do see the traffic being collected in the “Hostname” section, but is not being tunneled. Another interesting point with this is that on an iPhone I am testing; I do see the authentication destinations being tunneled through the Entra Channel. Here are the screenshots of my findings. https://imgur.com/a/82r3HQC I have an open Microsoft support case and hoping to get the attention of a Microsoft employee or MVP who may be able to get this in front of the Entra product team to see if this is a bug.
Convert Group Source of Authority to the cloud. Global Groups support?!
This is the exact feature we need, unfortunately it's also unusable for an existing environment. Does anyone know when Entra SOA will support global groups? We have ZERO universal groups and we are not going to convert into them.Does Rights Management Service currently support MFA claims from EAM?
We've been testing EAM (external authentication methods) for a few months now as we try to move our Duo configuration away from CA custom controls. I noticed today that when my Outlook (classic) client would not correctly authenticate to Rights Management Service to decrypt OME-protected emails from another org. It tries to open the message, fails to connect to RMS, and opens a copy of the email with the "click here to read the message" spiel. It then throws a "something is wrong with your account" warning in the Outlook client's top right corner. If I try to manually authenticate & let it redirect to Duo's EAM endpoint, it simply fails with an HTTP 400 error. When you close that error, it then presents another error of "No Network Connection. Please check your network settings and try again. [2603]". I can close/reopen Outlook and that warning message in the top right stays suppresses unless I attempt signing into RMS all over again. However.. If I do the same thing and instead use an alternate MFA method (MS Authenticator, for example), it signs in perfectly fine and will decrypt those OME-protected emails on the fly in the Outlook client, as expected. I verified that we excluded "aadrm.com" from SSL inspection and that we're not breaking certificate pinning. So all I can assume at the moment is that Rights Management Service isn't honoring MFA claims from EAM. Any experience/thoughts on this? Thanks in advance!
Feature Request: DLP Controls for App Registrations Using Sites.Selected to Prevent PII/PHI Exposure
We’re using the Sites.Selected SharePoint API to restrict app access to specific sites, which is a great improvement over tenant-wide permissions. However, we’re increasingly concerned about the lack of native DLP enforcement at the app registration level—especially for AI-powered apps or integrations that may unintentionally access sensitive data. Does Microsoft offer any capability to safeguard against PII/PHI data transfer across the Graph API that can: Flag apps as restricted from accessing PII/PHI. Prevent apps from reading content labeled with sensitivity labels like “Confidential,” “PII,” or “PHI.” Enforce real-time inspection and blocking of Graph API calls that attempt to access sensitive data. Generate alerts and audit logs when apps approach or violate these boundaries. If not, are there plans to introduce these protections? Protection across all APIs is desirable, but currently our greatest concern are SharePoint APIs.
Workplace Benefits Program (earlier meaning: home Use)
Hello, let me describe our current situation: Tenant A: our first tenant, should be decom. soon Tenant B: our new productive tenant On Tenant A we are able to use the Workplace Benefits Program. Unfortunatelly we have to decom this tenant. so we have created an new one, Tenant B. Enterprise Agreement was transfered well to the new, but one topic is missing, we couldn't transfer the existing workplace benefits from A to B. Perhaps someone here has been in the same situation and has found a solution? Thanks a lot. best regards, MarkusIdentity, access, and agent governance—Microsoft Entra at Ignite 2025
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn what’s new and what’s next across identity and access management to the forefront, with sessions focused on Zero Trust, agent governance, and securing AI-powered apps. Featured sessions: BRK243: Microsoft Entra: What's new in secure access on the AI frontier Strengthen your Zero Trust foundation, manage and govern the rising tide of agents, and enable AI to accelerate your success. BRK265: Secure access for AI agents with Microsoft Entra Discover, manage, govern, and protect agent identities and access—just as you do for human identities. LAB549: Strengthen your identity security posture with Conditional Access Learn safe rollout patterns and use the CA Optimization Agent (Security Copilot in Entra) to find and fix gaps with one-click and phased enforcement. Explore and filter the full security catalog by topic, format, and role: aka.ms/Ignite/SecuritySessions Why attend: Ignite is the best place to learn about new Microsoft Entra capabilities for agentic AI, identity governance, and secure access. We will also share its vision for the future of identity and agent management. Security Forum (November 17): Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration. Register for Microsoft Ignite >Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community HubMicrosoft Entra Internet Access for iOS in Public Preview!
With the latest update to Microsoft Defender for Endpoint on iOS, Organisations licensed for Microsoft Entra Suite or Microsoft Entra Internet Access will have access to Microsoft's Secure Web Gateway (SWG) and traffic forwarding for HTTP/HTTPS traffic, with support for Web-Content Filtering. This has been a huge win for iOS Mobile Security. Previously, Defender for Endpoint on iOS has supported Phishing Protection, M365 Traffic, and Entra Private Access Traffic. Combined with Global Secure Access Threat Intelligence, which consumes indicators from Microsoft Intelligent Security Graph (ISG), Organisations can implement granular internet access controls on iOS devices with integrated, context aware protection against malicious threats. Excited to hear what you think! Release notes are available hereGrant Just-in-Time Admin Access with Microsoft Entra PIM
In my lab, I worked with Microsoft Entra Privileged Identity Management (PIM) to grant Just-in-Time admin access. Instead of permanent assignments, users become eligible for roles and must activate them only when needed. Steps I tested: - Configured roles as eligible rather than permanent - Required MFA and approval for role activation - Verified access automatically expired after the time window This approach reduces standing privileges and aligns with Zero Trust by securing privileged access. Curious — does your org still keep permanent Global Admins, or have you moved to JIT with PIM?Shape the future of our communities! Take this survey to share your practitioner insights. 💡 ✏️ 🔓
This brief survey explores your experiences and preferences in professional identity and network security communities. Your feedback will help shape our team's approach to future community resources and engagement opportunities. Take the survey here! For any questions about this survey, please contact dansantos@microsoft.com. Privacy Statement: https://go.microsoft.com/fwlink/?LinkId=521839
Services I had no understanding of being used against me.
First of all, I want to apologize for the lack of technical knowledge, I was backed into a corner by a complete lockout of all my accounts and devices as a result of individuals using Azure resources and a Microsoft 365 admin account. They put the Azure services into play in early 2022 and were using an old Android to access my accounts and lock me out by changing passwords. This situation is unique because it was a homeless couple (Or so I thought) that I opened my home to in late 2021. When I had lost access to all my accounts that had been mine for over a decade I tried moving on and creating new accounts. I was creating a recovery email account for my new primary email and fell asleep before I finished. I woke to discover it had been completed, and the password was set. When unsuccessful with the .aspx recovery form I wrote it off because the account was new and I did not believe it was a danger. Maybe I finished setting it up as I drifted off and forgot. A few weeks later I was still having issues with unauthorized access to my new primary email, and when investigating noticed the email I never had access to had been assigned as admin over my Microsoft 365 apps. I tried for a month to address the issue and failed. I was fine with not being able to recover the account but if it was not mine it had no business being admin over my personal accounts. I had also discovered the people in my home running a scam on Azure using my credentials from another account, and I reported this to Microsoft. There are a lot of factors that go into this and in 2022 I had zero understanding of all of it. Only when I found myself completely locked out of everything with my personal accounts being used to request and receive an EIN from the IRS, and file a fraudulent business return, and more did I really begin troubleshooting to determine the best course of action. I was still not receiving the escalation I had requested in early 2022, and things had gone beyond too far so I created a business profile to gain an understanding of Azure services, roles and permissions, and more. Now granted when this began in September of 2024, I still had zero IT experience, admin experience or developer experience. I am still a novice at these at best in my opinion, but I have been combatting those with advanced system knowledge and developer skills the entire time. I found developer portals that had been set up using my credentials with anything associated to me. HP for my PCs, Microsoft, Google Cloud, Norton, and more. I would be directed to update drivers with HP to a site that must have been some developer's sandbox because eventually Norton flagged all HP sites as malicious. My passwords were being scraped out of my Norton Password Vault and more. This has all been quite an ordeal since 2022, and I still do not understand most of it, but I am doing my best. I already had the issue that it was my Microsoft account, and my problems crossed various platforms, and when I created my own business accounts to investigate I began having significant success seeing what was happening, but I cannot export the data in my head to a .csv about my personal accounts to share with 365 Business support or vice versa about my business accounts to personal support, so I am the only one that can see both sides. Cross platform communication on tickets is hard enough let alone crossing the business and personal threshold. I had just found myself in a position that it was my best investigative option. It has been successful on my end, however communicating what the criminals were doing has been a challenge. My lack of technical knowledge and the fact I am on a Microsoft Learn as I go system makes this quite demanding on my part. The logs and screenshots from my original investigation in 2022 exist in my photographic memory but nowhere else. And I can pick out details in logs and reports that will go unnoticed and flagged as "not me" by AI". But because of my attention to detail, I see the names associated with the activity and know that it is where the fraud began.
Fetch Email From Entra Joined Device Login User
Dear Team, We are working on retrieving email address of the user joined to Entra ID from Entra-joined Windows devices, specifically while running in a system context.The whoami /upn command successfully returns the joined user’s email address in a user context, but it does not work in a system context, particularly when using an elevated terminal via the psexec utility. We also tested the dsregcmd /status command; however, in a system context, the User Identity tab in the SSO State section only appears when there is an error in AzureAdPrt. Under normal, healthy operating conditions, this command does not provide the user identity or the full domain username. We would greatly appreciate guidance on how to retrieve the Entra ID joined user’s email address in a system context, especially from those with prior experience in this area. Thank you for your support.Global Secure Access - Deleted Appliction still applies (and cannot be recreated)
Hello everyone, we currently face an issue with Global Secure Access - Private Access - Enterprise applications. An admin has delete and tried to recreate an enterprise application. When he tried added the ip address and the port he got an error, that this rule is already within another app. The link led to an "empty" app. It was found that under "app registrations" the previously deleted applicaiton is still there and it was permanently deleted. However the problem stays. If we try a connection to the ip address and port which was specified in the deleted policy, we can see an error in the GSA Event Log on the Client: Could not authenticate using a cached token... Error: 9, Message: IncorrectConfiguration {"Description":"V2Error: invalid_resource AADSTS500011: The resource principal named <id of the deleted application> was not found in the tenant named <ourTenant>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Unfortunatly, since the application is not permanently deleted, it cannot be restored. We tried to completly disable and reenable private access (in Entra!) but this did not fix the problem. For some reason the deleted policy is stuck in GSA and we have no idea how to get it out.Secure Linux Logins with Azure Entra ID: MFA, Hello, Device Compliance & SSO with Himmelblau
As organizations adopt Azure Entra ID and Intune to secure their fleets, Linux has often been left behind — especially for modern authentication requirements like MFA, Conditional Access, and device compliance. Traditional Linux frameworks (PAM, NSS) were never designed for cloud identity or Zero Trust. Himmelblau is an open-source project that bridges this gap by integrating Linux systems directly with Entra ID. With Himmelblau, you can: Join Linux machines to Azure Entra ID, creating a device object in Entra ID to establish device identity and enable Conditional Access checks tied to trusted devices. Enroll Linux systems into Microsoft Intune (currently in beta), so they participate fully in compliance policies alongside Windows. Enforce MFA at the Linux login prompt, using your existing Entra ID Conditional Access configurations. Offer secure Hello for Business PIN authentication on Linux, providing end-users with a familiar, strong second factor that’s backed by hardware-bound credentials. Integrate Linux with SSO in Firefox and Chrome, allowing seamless access to Entra-protected web apps once the user is logged in. Manage Linux users and groups via Entra ID, with robust caching for reliable offline operation. Leverage TPM-backed certificates and secure key storage, so device credentials remain protected even if the system is compromised. For many IT teams, this means finally bringing Linux endpoints under the same Zero Trust umbrella as Windows — without compromising user experience or compliance. Get started: https://himmelblau-idm.org https://himmelblau-idm.org/landing.html https://github.com/himmelblau-idm/himmelblau We’d love your feedback — especially from organizations managing hybrid fleets. What other Entra scenarios would you like to see better supported on Linux?
Adding PIM enabled security group to an Access Package
Hi, Recently a new feature has gone in preview, it's now possible to add PIM enabled security group to an access package. explained here: https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-eligible I followed the instruction exactly on 2 different tenants, one tenant has Entra ID Governance licence, another has the Entra Suite licence. The result on both tenants was the same. When adding a PIM enabled group to an access package. I am presented only with 2 roles (member or owner) and not with the expected 4 roles. (member, owner, eligible member, eligible owner). The group I add is created for test purpose couple of weeks ago, and really is PIM enabled (discovered ). Is this a preview that has to be activated on a tenant? (its not in the "Entra -> Identity -> settings -> Preview features" list). Am i missing something? Cheers!
Entra ID External - Custom Claims Provider help
Hi, I'm working with Entra ID External identities, trying to get a 'Token Issuance Start' event in a Custom Claims Provider working correctly. I've got all the pieces in place (SPA, web api with endpoint set and configured, app registrations, basic login working successfully, etc). I just can't get the claims provider to call my claims endpoint. Tried so many different ways, get all different errors, all kinds of hours with and without ChatGPT, and still not working. I'm to the point where I'm ready to pay a consultant to help me get past this. But I'm just a solo dev working on a personal side project, I can't call an enterprise consulting company asking for an hour or two on a Zoom call, they don't deal with such miniscule jobs, at least none that I've called. I'm well past the point of making a stack overflow post or something like that, I need a one-on-one with someone familiar with Entra ID custom claims providers for External identities. But I'm guessing most folks with that knowledge are working for some big consulting firm that won't give me the time of day. Can anyone suggest a small company that could help me, or maybe a place to post online for someone that might want to make a few bucks moonlighting on the side? I'm not looking for a handout, I'll pay a reasonable rate, I just can't afford (and pretty sure I won't need) more than a couple hours. If anyone knows of some site (or anyone interested yourself) please let me know, I'd be forever grateful, I'm at my wits end :) Thanks, AndyEdge Warning when clicking on Links in Entra
I am in the Entra portal looking at the latest recomendations to improve the Identity Secure Score. When you select an option, and the fly-out windows shows on the right, you have the 'Get Started' link at the bottom. Upon clicking on that, Edge will warn you that something doesn't look right. I know that the URLs were changed a while ago now for the various portals, but it looks like Edge didn't get the message on this one, hence the warning showing in the browser Can this be addressed as I constantly get this alerted to myself from other users.
Recent Blogs
6 MIN READDeep dive into Microsoft’s identity-centric secure web & AI gateway.Dec 19, 2025- The AI Surge Is Here—Are You Ready? Learn more about how to get started with the public preview of Microsoft Entra Agent ID, announced at Ignite 2025.Dec 17, 2025
