Latest Discussions
Microsoft Authenticator Passkeys for Entra ID on unmanaged devices
Hello, has anyone successfully registered passkeys on an unmanaged phone in an organisation with device compliance policies? Use case is to provide a phishing-resistant MFA option via Authenticator app for logging into apps on their desktop. Users already have authenticator app on their phone and do number matching MFA.

https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-authenticator?tabs=iOS

When I select "Create a passkey" - I need to log into my account. However, I'm blocked from successful authentication because I have conditional access policies to require compliant devices. As my mobile phone is not enrolled into Intune, I never get to the step where the passkey is created and registered. Based on the constraints - it seems like passkeys cannot be used for unmanaged/BYOD devices for organisations that have device compliance policies. It can only be used for users who have enrolled their mobile phone. Looking to see if anyone has tips or different experience using passkeys on unmanaged mobile phones to log into Entra?

10 Views | 0 likes | 0 Comments

Federation Issues - No protocol handlers?
Hi All, It's been a number of years since I've federated a domain with Entra, I'm flipping this back in a home environment to complete some testing. Would appreciate some troubleshooting thoughts. What from memory was a quick task, I've spent waaaaay too long on this today. I've rebuilt the environment a number of times with the same outcome.

- Install ADFS (Enabled the sign-in page).
- Install WAP.
- Generate Let's Encrypt certificate and provide to the servers.
- Port Forward 443 to the WAP server.
- Use Entra Connect to Federate the domain (AD FS Config looks good and generated as Microsoft Office 365 Identity Platform)
- WAP is configured via AAD Connect (Blank but seems alright talking back to ADFS)

I can hit https://adfs.domain.com/adfs/ls/idpinitiatedsignon.aspx and authenticate with UPN internally/externally. I can hit https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml internally/externally. I also setup IAMShowcase to test (SAML 2.0 Test Service Provider) and published the app via the WAP, worked fine for SP and IDP initiated flows.

Interestingly enough, I am chucked the following error from the ADFS redirection with M365 authentication:

Error details: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.

This raises an error on the ADFS server ID#364, I've rebuilt a few times and haven't been able to find much in troubleshooting. Would love to hear if someone else has seen something similar, I'm at a bit of a loss here.

Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Get-MgFederatedDomainFederationConfiguration -IdentityDomain.com

ActiveSignInUri                 : https://adfs.domain/adfs/services/trust/2005/usernamemixed
IssuerUri                       : http://domain/adfs/services/trust/
MetadataExchangeUri             : https://adfs.domain/adfs/services/trust/mex
PassiveSignInUri                : https://adfs.domain/adfs/ls/
PreferredAuthenticationProtocol : wsFed
SignOutUri                      : https://adfs.domain/adfs/ls/

Solved | Miike | Jan 10, 2025 | Brass Contributor | 283 Views | 0 likes | 11 Comments

Azure MFA "Activation Failed" error with Microsoft Authenticator App
We've opened a premier ticket, but has anyone in the community seen this error before? We've got a few users that can't set up the Microsoft Authenticator app, and nothing we do is working. This is rolling out to all of our users overnight tonight, and none of our global testing has run into anything like this.

Brent Ellis | Jan 03, 2025 | Silver Contributor | 128K Views | 0 likes | 16 Comments

failed set-up of a passkey for a personal MS account
After scanning the QR code (on the PC screen) in the Authenticator app on the iPhone, the error message "Error adding the passkey - Microsoft Authenticator does not support this passkey" (translated from German) appears. What does this mean? How to prevent? Any help is appreciated.

Reger | Dec 29, 2024 | Copper Contributor | 153 Views | 1 like | 2 Comments

What are the FQDNs used for Office 365 logon and authentication?
Hello, We run a computer lab with Office 365 installed, with a network firewall that restricts all outbound internet traffic. We had made allowances for Office 365 logons so that users could use the Office 365 desktop applications, by allowing the following entries:

- *.office.com
- *.office365.com
- *.microsoftonline.com
- *.office.net

And that was working until earlier this month. Suddenly a couple weeks ago, users were no longer able to sign into Office 365. I found this list here of all URLs and IPs that Microsoft tries to use for Office 365, and I tried adding

- *.auth.microsoft.com
- *.msftidentity.com
- *.msidentity.com

to our firewall, but still no ability to log in. As a test, I disabled the outbound network block on one of the lab machines, and confirmed that I was indeed able to log in. So I know the issue is with this firewall rule. But I cannot add every single URL on that huge list above, that's not feasible. So please, I would like to know just what URLs are required for the Office 365 sign-on to work. I don't need or care about the other services on that list.

md5hash | Dec 24, 2024 | Copper Contributor | 12K Views | 0 likes | 7 Comments

How to Create Alerts for New Global Admins/Privileged access accounts
Hello Microsoft Community, I'm looking for guidance on setting up alerts whenever a new Global Admins or Privileged access account. I'm not trying to look for a PIM scenario.

EVIWOL | Dec 23, 2024 | Copper Contributor | 62 Views | 0 likes | 1 Comment

How to add Passkey for Entra ID / M365 Identity to Windows Hello or third-party password manager?
I manage many M365 tenants and can't add all of them to Windows as an account. Because of this I would like to add passkeys for those accounts to either a third-party password manager or (preferred) Windows Hello. So far I haven't found a way to do this. The passkey dialog at https://mysignins.microsoft.com/security-info only allows me to add a passkey to a physical key. So: how can I add M365 passkeys to Windows Hello?

PhilippeS | Dec 20, 2024 | Copper Contributor | 62 Views | 1 like | 3 Comments

Ticketing System for Clients
Hello everyone and greetings from Portugal! So, I work at a startup that at the moment has a nice number of clients, both in Portugal and in the US. We're feeling the need to have a ticketing system and I was wondering if anyone can give some suggestions. Not a lot of requisites but would be great if it integrates/allows multi-tenant support so users from different organizations can SSO. And the ability for the system to get user information from Entra ID (like UPN, etc) and associated device (managed by Intune) would be great. And... writing this post I got wondering if I should be looking only for ticketing system or other tool with more features. All my clients are "cloud native", no physical servers, and all devices managed via Intune. Thanks to all in advance!

Solved | DiogoSousa | Dec 13, 2024 | Iron Contributor | 1.9K Views | 0 likes | 5 Comments

Authenticator Reset
I cannot log into my Office365 account. I'm not even sure what I have, it's been so long. I run a small business and set up the account myself. I did not have the authenticator backed up so when I lost my phone, I lost all of the authenticator accounts. Now I cannot log in due to not having the authenticator. I've been hung up on 3 times by Microsoft support. How can I get the authenticator reset? I need to install the apps on a new machine. I can't even cancel the account because in order to do anything you have to log in..... which I can't do.

bullzeyebrown77 | Dec 05, 2024 | Copper Contributor | 35 Views | 0 likes | 1 Comment

Authenticator backup use company account
Just switched phones yesterday and discovered my Authenticator app backs up using a personal Microsoft account instead of my business account. If MFA is required by a business, shouldn't Authenticator be backed up using business accounts? In my opinion, there should be a way to keep business and personal MFA separate within a single app. Outlook does this with my business and personal email accounts...

Scott Elkins | Dec 03, 2024 | Brass Contributor | 4.2K Views | 0 likes | 7 Comments
Tags
- Authentication (324 Topics)
- office 365 (213 Topics)
- security (151 Topics)
- admin (61 Topics)
- Identity (52 Topics)
- multi-factor authentication (45 Topics)
- exchange (42 Topics)
- Azure AD (39 Topics)
- Microsoft 365 Apps (36 Topics)
- hybrid (35 Topics)