Forum Widgets
Latest Discussions
User and Permissions Management Issues in Microsoft Entra ID (Assigned Roles)
Hello everyone, I’m encountering some challenges with user and permission management in Microsoft Entra ID. Here are the main issues I'm facing: Revoking Local Administrator Permissions: After removing a user from the Local Device Administrator group in Microsoft Entra, the device continues to recognize the user as an administrator, even after multiple synchronization attempts. What’s the recommended procedure to force a permissions update on the associated devices? Device Join Issue via PowerShell: I'm trying to join a device to Microsoft Entra ID using PowerShell with the command dsregcmd /join to force a policy update, but I'm encountering the following error: Error 0x80041326: "Failed to schedule Join Task. Error: 0x80041326." Does anyone know how to resolve this issue or have suggestions for an alternative approach to join the device or enforce the policy? I’ve checked permissions and task scheduling services, but the problem persists. Has anyone experienced similar issues or have suggestions on how to address these challenges? Any advice would be greatly appreciated! Thanks so much in advance!
OTP Code via SMS from non microsoft number
Hi Microsoft Team, Good day! For a few weeks now, many people around me have been receiving their OTP code for MFA via SMS often from unknown senders (non-Microsoft phone number). The sender of the SMS doesn't use an official Microsoft phone number and "Microsoft" is not displayed as the sender. I would like to request assistance on how to verify that these numbers are legitimately from Microsoft. 41 79 998 76 61 and 4915758307532. Many thanks for your help. Kind regards, RosineDynamic group membership rules stopped working
We've been using the following the following dynamic membership rule to check if a user is a member of another group: user.memberOf -any (group.objectId -in ['2b930be6-f46a-4a70-b1b5-3e4e0c483fbf']) The group is an Active Directory group that is represented in Entra with the stated Entra group object Id. The validation fails for every user and looks like this: It seems that all out dynamic groups are affected and stopped working. Have you seen this before? Thanks.'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug
Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app is not able to be excluded from Conditional Access (CA) polices and is caught by 'All cloud apps', which breaks secure zero-trust scenarios and CA policy configurations. Best way to demonstrate this is through examples... ----Example 1---- Environment: CA Policy 1 - 'All cloud apps' requiring hybrid/compliant device, but excluding [App] (for all non-guest accounts) CA Policy 2 - [App] requiring MFA only (for contractor accounts, etc) CA Policy 3 - [App] requiring hybrid/compliant device (for internal accounts, etc) SSPR registration enforcement (Password reset > Registration) - set to 'Yes' MFA registration enforcement (Security > Authentication Methods > Registration campaign) - set to 'Enabled' Scenario: A new user requires access to web [App] on an unenrolled device and is assigned an account that falls under CA Policy 1 and 2, however [App] is excluded from 1 and shouldn't apply to this login. When accessing [App] for the first time, users must register SSPR/MFA. They see the below message, click 'Next' and are directed tohttps://accounts.activedirectory.windowsazure.com/passwordreset/register.aspx: Then they see this screen, which will block the login and try to get the user to download the Company Portal app: While behind the scenes, the login to [App] is being blocked by 'Microsoft App Access Panel' because it is seemingly added to the login flow and caught in CA Policy 1 in Req 2/3: CA Policy 1 shows as not applied on Req 1, CA Policy 2 shows as successful for Req 1/2/3 and CA Policy 3 shows as not applied for Req 1/2/3. Creating a CA policy for the 'Register security information' user action has no effect on this scenario and also shows as not applied on all the related sign-in logs. ----Example 2---- Environment: Same as above, but SSPR registration enforcement - set to 'No' Scenario: Same as above, but when accessing the [App] for the first time, they see the below message instead, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/proofup.aspx: Then they are directed to the combined SSPR/MFA registration experience successfully: The 'Microsoft App Access Panel' doesn't show in the sign-in logs and the sign-in is successful after registration. From the two examples, it seems to be a bug with the SSPR registration enforcement and the combined registration experience. ----Workarounds---- 1 - Prevent using 'All cloud apps' with device based CA policies (difficult, requires redesigning/thinking/testing policies, could introduce new gaps, etc) 2 - Turn off SSPR registration enforcement and turn on MFA registration enforcement like in example 2 (easy, but only enforces MS MFA App registration, doesn't seem to re-trigger registration if the MS MFA App is removed, no other methods are supported for registration, and doesn't remind users to update) 3 - Disable SSPR entirely for affected users (medium depending on available security groups, and doesn't allow for affected users to use SSPR) ----Related links---- Be able to exclude Microsoft App Access Panel from Conditional Access · Community (azure.com) Support conditional access for MyApps.microsoft.com · Community (azure.com) Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal" - Microsoft Community Hub MS, please either: 1 - Allow 'Microsoft App Access Panel' to be added to CA policies so it can be excluded 2 - Prevent 'Microsoft App Access Panel' from showing up in the CA login flow when SSPR registration enforcement is enabled
Conditional policies to access to SharePoint and Files (not Apps)
Hi Team!! I'm looking for a way to restrict SharePoint access from outside of my office network (typically using the static public IP address). My understanding is that to do so, I require configuring conditional access policies in Azure (which in turn requires Entra ID P1 license for each user). Is my understanding correct? If so, do I have to licenses each and every user to do so? And the other clarifications I'm looking for is; Does conditional access policy apply universally to all users when enabled? or only to those with Entra ID P1 license? Reason for this clarification is that I tried applying this using a trial license by setting up a policy to block SharePoint access outside our office network but it ended up applying to all users instead of the ones with trial license assigned. Further I noticed that, when setting this policy blocks the entire Microsoft Teams app as well, where as my objective is to limit access to the files in Teams as they are part of the SharePoint. Is there a way to control access to SharePoint files in Teams without blocking the whole Teams app? Do let me know if I'm doing something wrong here?
Exception in conditional access policy for "Windows app - macOS"
Hi, I'm trying to restrict all Enterprise resources to Cloud-PC's only and therefore have a CAP in place that restricts access to all apps to cloud-pc's only. Naturally I have to provide an exception for the Remote desktop app so that end users can connect from their private endpoints to the cloud-PC. Here's the problem though. While I can find an exception for the Windows Remote Desktop app this exception doesn't apply to macOS and when looking at the sign-in logs the policy locks out "Windows App - macOS" with the app-id63896e48-3d27-4ce2-9968-610b4af62c5d. Neither "Windows App - macOS" nor63896e48-3d27-4ce2-9968-610b4af62c5d is findable in the application list for CAP exceptions. Is there a workaround or will this be made available? MaximReport conditional access policies and sign in logs
I would like to create a PowerShell report about the relation between sign in logs and the conditional access policies. For me it is important to see the effects of the conditional access policies (in reporting mode) on the user signs. Thank you for your supportNew role recommendation: Read Only Exchange Admin
To fully leverage PIM, we are transitioning to Entra roles wherever possible. We wish we could get off of customized Exchange RBAC roles, but the Exchange Recipient Admin role, lacks access to information like mail flow rules, which is essential for troubleshooting mail delivery issues. We would appreciate the introduction of a read-only role that allows viewing all information in Exchange without the ability to make changes.Members of a privileged access group cant validate dynamic group membership
Hi All, Does anyone know when this ability will be rolled out to members of a PAG with the group administrator role. Currently we are rolling out a PIM implementation using access packages to control PIM roles using privileged access groups using the least privileged model. Although this has worked well so far, we have an issue with admins who have the group administrator role via a PAG not being able to validate a dynamic group membership role. I know this feature is currently in preview, but was wondering if this is on Microsoft's roadmap to resolve it before it the preview is completed? As our admins use this feature a lot, we are currently having to assign this role as eligible to a user via PIM, which defeats the object of using the entitlement management access packages controlled via PAG's. Rgds Lee
Enable MFA for external idetnities in MS Entra
Hi all, I am planning to enable MFA for guest accounts and external identities using Conditional Access in MS Entra. I am however wondering how I can select what Authentication methods can they use - or what would be the default behaviour. Currently, I am still using legacy MFA for internal users. I will migrate MFA to MS Entra later this year however, not sure how this is working when enabling MFA for external users. As I do use legacy MFA, my setting in " Authentication methods > Policies" have MS Authenticator set to NO. Now, do I need to switch MS Authenticator to YES if I want guests to use that app? And if I enable it, how do I assign it to External identities only? I do not see that kind of option there at all... I can assign it to all, for example, but I am not yet ready to migrate internal users as well... Would be happy to get some clarification on this. Thank you
