Latest Discussions
Entra ID’s Keep Me Signed In Feature – Good or Bad?
The Entra ID Keep Me Signed In (KMSI) feature creates persistent authentication cookies to allow users to avoid sign-ins during browser sessions. Is this a good or bad thing, and should Microsoft 365 tenants enable or disable KMSI? I think KMSI is fine in certain conditions and explain my logic in this article. Feel free to disagree! https://office365itpros.com/2025/09/17/kmsi-good-or-bad/

Profile photo component adds unwanted overlay
Component
- https://myaccount.microsoft.com
- Run command: ms-settings:yourinfo

Environment
- Profile picture uploaded through https://myaccount.microsoft.com
- Profile picture uploaded through Run command (WIN+R): ms-settings:yourinfo
- Retrieved via Microsoft Graph SDK / Graph REST API endpoint /v1.0/me/photos/$value

Steps to Reproduce
1. Go to https://myaccount.microsoft.com.
2. Upload a new profile picture (no presence, badge, or branding requested).
3. Retrieve the profile picture using the Microsoft Graph endpoint: GET https://graph.microsoft.com/v1.0/me/photos/$value
4. Render the image in the client application.

Expected Result: The raw profile photo is shown exactly as stored, with no overlays, rings, badges, or branding.

Actual Result: The component renders an overlay (e.g., presence badge/ring/branding) on top of the photo, altering the image.

Impact
- Users see altered profile photos, leading to inconsistencies with expectations.
- Breaks brand/UX design guidelines that rely on unmodified profile images.

Severity: Medium to High (affects identity consistency across apps using Graph).

Notes: This happens even though no overlay option was requested in either the upload or retrieval flow.

Alternative: Steps to Reproduce (working as expected)
1. Run command (WIN+R): ms-settings:yourinfo
2. Upload a new profile picture (no presence, badge, or branding requested).
3. Retrieve the profile picture using the Microsoft Graph endpoint: GET https://graph.microsoft.com/v1.0/me/photos/$value
4. Render the image in the client application.

Expected Result: The raw profile photo is shown exactly as stored, with no overlays, rings, badges, or branding.

Actual Result: The raw profile photo is shown exactly as stored, with no overlays, rings, badges, or branding.

Microsoft Authenticator Passkeys for Entra ID on unmanaged devices
Hello, has anyone successfully registered passkeys on an unmanaged phone in an organisation with device compliance policies? The use case is to provide a phishing-resistant MFA option via the Authenticator app for logging into apps on their desktop. Users already have the Authenticator app on their phone and do number matching MFA. https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-authenticator?tabs=iOS When I select "Create a passkey", I need to log into my account. However, I'm blocked from successful authentication because I have Conditional Access policies that require compliant devices. As my mobile phone is not enrolled in Intune, I never get to the step where the passkey is created and registered. Based on these constraints, it seems like passkeys cannot be used on unmanaged/BYOD devices in organisations that have device compliance policies. They can only be used by users who have enrolled their mobile phone. Looking to see if anyone has tips or a different experience using passkeys on unmanaged mobile phones to log into Entra?

Support tickets unresolved after 11 months; escalation requests ignored; stuck in a feedback loop
Hello, we have been unable to update O365 applications for close to a year now. When we update the applications, our end users are unable to authenticate and receive 1001 errors. We have had a support ticket open now for 11 months. We are stuck in a loop where support asks us to demonstrate the issue. I can consistently reproduce this issue. This is a cry for help. Thanks to anyone who has any suggestions.

dank133, Nov 26, 2024

SCIM - Provision null values
Hoping to get some more official feedback regarding Entra's inability to provision null values, mainly in outbound provisioning. The SCIM standard caters for this use case, so what is Microsoft's reluctance on this functionality? If the concern is breaking functionality, surely it can be an 'opt-in' setting like the bulk delete setting? I know some good conversation has taken place here: https://learn.microsoft.com/en-us/answers/questions/223936/sending-an-empty-value-with-user-provisioning-(sci

Christoph Berthoud, Nov 07, 2024

AUTHENTICATOR failures
I have a huge problem: I can't sign in to my Outlook account, which is linked to Authenticator. It tells me a code will be sent to me, but it never arrives. I choose to enter the code manually, and when I enter the one the app shows me, it says the code is wrong. I can't open a ticket because to do that I would need to sign in to the account, and the chat support agents don't give me a solution. I'm from Colombia; can anyone help me?

ingenierosrenteria, Oct 17, 2024

Problem signing in on a new phone with a work email
Good morning, I have a problem. I replaced my old iPhone with a newer model, and after transferring all the data to the new phone I deleted all the data from the old iPhone and reset it. However, when I tried to sign in to the Outlook mail app on the new phone, I got a message asking me to approve a sign-in request with the number "33". I have no way to confirm this number on the old phone, because there is nothing left on it. Please tell me what I should do in this situation. P.S. I tried via the Authenticator app, signing in to the app with my private email, and after signing in I wanted to add my work account, but once again a message appears about confirming the sign-in on the mobile device...

Kamil_Kucharski, Apr 11, 2024

How to exclude Forms from Conditional Access Policy blocking Exchange in browser on mobile?
MAM for mobile only makes sense when EXO gets blocked in the mobile browser. But then Forms gets blocked too. The Forms service doesn't have a dedicated mobile app. So, how do you exclude Forms while blocking EXO with Conditional Access in the browser on mobile? Anyone / anything?

Red Flag, Oct 23, 2023

Windows Hello for Business Configuration Issue with multiple Devices
Hello everyone, we are currently facing an issue with our Windows Hello for Business configuration for multiple users/devices, and I'd like to seek your assistance and insights on this matter. We've implemented Windows Hello for Business through Group Policy (User Configuration) and deployed it within our User Organizational Unit (OU). Initially, everything seemed to be working seamlessly. Users were able to log in to their devices, set up Windows Hello for Business, and use it without any problems. However, a problem arises when the same user attempts to log in from another device. Ideally, we expect the same behavior, where the user gets the Windows Hello configuration, successfully sets up their PIN, and can use it for subsequent logins. However, after a reboot, the user is prompted to log in with their password only, and the Windows Hello sign-in option does not appear. What's even more concerning is that this issue has now started affecting the user's ability to log in with a PIN on their initial device as well. We would greatly appreciate your insights and suggestions on how to troubleshoot and resolve this issue. If anyone has encountered a similar situation or has any guidance on resolving Windows Hello for Business configuration problems, please share your expertise. Thank you in advance for your assistance. Best regards, Rashad Bakirov

rashadbakirov, Sep 06, 2023

Conditional Access - Policy AND'ing - Registering Security Info
Hi All, I've been working away trying to solve an issue but haven't found a way around it just yet. The aim is to let users on BYOD use TAP on a non-compliant device to set up their security info, but then for all other actions to have MFA+Compliance enforced from desktops.

Three CA policies from the templates articles, with a tweak for passwordless:
- Secure Registration Policy (MFA+TAP Auth Strength)
- Device Compliance (MFA+TAP Auth Strength + Compliance)
- Intune Enrollment (MFA+TAP Auth Strength)

I'm noting a few outcomes here:

Device Compliance (AND grant control)
- User with a BYOD device and TAP can't enroll in MFA as the device isn't compliant; they can't workplace join the device either
- User on an enrolled device can use TAP to reset/create their MFA control

Device Compliance (OR grant control)
- User with a BYOD device and TAP can workplace join and register their security info without issues
- User with an enrolled device has no issues using TAP to reset/create their MFA control

This makes sense with the AND'ing of policies; however, for the registration method I'm wanting to let the user in on their BYOD device to register their security control, and once done they can workplace join with no issues to access resources. The sign-in logs always show the device compliance policy as hit, which is expected; the login shows a success for passwordless + TAP but fails the compliance strength, as expected. It doesn't look like it's the device enrolment side of things, purely the registration portal getting in the way wanting the compliant device. Does anyone else have similar requirements and have a way to do this without a manual exclusion group? Thanks!

Miike445, May 31, 2023