User Profile
KappieKA
MCT
Joined Sep 22, 2021
Recent Discussions
Users Cannot Change Passwords – Conditional Access Blocking Office 365 Portal (Non-Admin Scenario)

Hi everyone, I’m encountering an issue with Conditional Access that I’d like some input on.

🛑 The Problem:
Users are unable to change their passwords (e.g., using Ctrl + Alt + Del on Windows) because access to the Office 365 Portal is blocked by our Conditional Access configuration. The error message states:

Access has been blocked by Conditional Access policies
Target app: Office 365 Portal (App ID: 00000006-0000-0ff1-ce00-000000000000)

According to Microsoft documentation, this portal is not classified as an admin portal, yet access is being blocked.

⚙️ The Configuration:
We have a Conditional Access policy that:
- Targets all users
- Excludes admin accounts
- Applies to Microsoft Admin Portals
- Action: Block access

This setup worked as designed for preventing users from accessing admin portals — admins can access, users are blocked. However, now when regular users attempt to change their passwords, they seem to trigger access to the Microsoft 365 Portal, which is getting blocked by the policy.

❓ My Questions:
1. Why is the Office 365 Portal (non-admin) being affected by a policy scoped only to admin portals?
2. Is there a recommended exception or configuration change that allows users to perform password changes securely without lifting the block on admin portals?
3. Could this be related to how Microsoft identifies the portal/app in the Conditional Access policy backend?

Any insights or experiences with similar setups would be greatly appreciated! Thanks in advance for your help.

Re: Exclusions for Network Name Resolution

Hi EliOfek, thank you very much for your fast feedback. Unfortunately, I don't have the information first-hand, but from the network administrators, who are bothered by the fact that at certain times there are always a lot of requests going to various addresses. I spontaneously searched for requests from the honeypot machine's IP address using Advanced Hunting:

IdentityLogonEvents | where IPAddress contains "XXX.XXX.XXX.XXX"

and found no log entry. Do you know any good KQL query that I can use to analyse all possible requests to show that the honeypot first contacted the DC?

Kind Regards
Marco

Exclusions for Network Name Resolution (Solved)

Hi all, I have deployed Defender for Identity in an infrastructure and now it has been discovered that the sensors are performing name resolution even on unknown IPs, e.g. a Linux-based honeypot that has no connection to the AD. Furthermore, according to the firewall, the sensors "scan" in larger packets, which in turn causes the firewall to alert. Does anyone know if it is possible to exclude certain IPs or ranges from the scan, and is there any documentation on how the process works in detail? Thanks in advance