Shape the future of our communities! Take this survey to share your practitioner insights. š” āļø š
This brief survey explores your experiences and preferences in professional identity and network security communities. Your feedback will help shape our team's approach to future community resources and engagement opportunities. Take the survey here! For any questions about this survey, please contact dansantos@microsoft.com. Privacy Statement: https://go.microsoft.com/fwlink/?LinkId=521839
User Identities in EntraID - how to remove?
I have a user that shows up with multiple identities. No other users are like this and we believe its stopping him from logging in with his alias email address. When i run get-entrauser it returns the following under Identities: {@{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} Every other account just has this @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} How would i go about removing those identies from that user? Struggling to find any info online.
Force Domain takeover
Hello, Trying to add a custom domain to a new tenant gives me the error "We have confirmed that you own ***, but we cannot add it to this tenant at this time. The domain is already added to a different Office 365 tenant: **** We no longer have access to the different tenant, how can I remove or takeover the domain to use in the new tenant. Tried https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover to no avail. Also used the PowerShell command for takeover force without success. How can I speedily resolve this? ThanksDynamic AD group
Hi Experts I am using exchange hybrid environment, all my users are created on onprem and migrated to cloud. for example i have user1 whose department number is 100, every user has department number in AD attribute. i have another user whose department number is 101. my requirement is to add these users to office365 unified group dynamically, i.e user whose department number is 100 or 101 should be added to this office365 group dynamically and if tomorrow employee leaves the company it should be removed automatically,or is it possible to create a dynamic group in Azure AD to pull the members of department 100 and 101 and add this group to office365 unified group. Experts guide me on this.
employeeType attribute for Dynamic Group features
Dear Microsoft, I would like to suggest the feature of Dynamic Groups to support the employeeType attribute. As dynamic groups are used by features like Identity Governance Auto-Assignment policies and could be the base for Conditional Access Policies, this feature would be aligned with the Secure Futures Initiatives and the Conditional Access Policy Architecture implementation recommendation using various personas (Conditional Access architecture and personas - Azure Architecture Center | Microsoft Learn) as well as the Microsoft Recommendation not to use extensionAttributes for purposes other than a Hybrid Exchange deployment, as well as having Named Attributes for such important security configurations and Entitlement Management. Thanks, BUsers Cannot Change Passwords ā Conditional Access Blocking Office 365 Portal (Non-Admin Scenario)
Hi everyone, Iām encountering an issue with Conditional Access that Iād like some input on. š The Problem: Users are unable to change their passwords (e.g., using Ctrl + Alt + Del on Windows) because access to the Office 365 Portal is blocked by our Conditional Access configuration. The error message states: Access has been blocked by Conditional Access policiesTarget app: Office 365 Portal (App ID: 00000006-0000-0ff1-ce00-000000000000) According to Microsoft documentation, this portal is not classified as an admin portal, yet access is being blocked. āļø The Configuration: We have a Conditional Access policy that: Targets all users Excludes admin accounts Applies to Microsoft Admin Portals Action: Block access This setup worked as designed for preventing users from accessing admin portals ā admins can access, users are blocked. However, now when regular users attempt to change their passwords, they seem to trigger access to the Microsoft 365 Portal, which is getting blocked by the policy. ā My Questions: Why is the Office 365 Portal (non-admin) being affected by a policy scoped only to admin portals? Is there a recommended exception or configuration change that allows users to perform password changes securely without lifting the block on admin portals? Could this be related to how Microsoft identifies the portal/app in the Conditional Access policy backend? Any insights or experiences with similar setups would be greatly appreciated! Thanks in advance for your help.
Enabling JIT Access for Managed Identities through PIM - Possible?
Hello, Azure Community, I'm exploring the capabilities of Privileged Identity Management (PIM) and have encountered a scenario where I'm seeking guidance. Scenario: I have a managed identity that requires various permissions, which should be granted through group assignments. My goal is to utilize PIM for Just-In-Time (JIT) assignment of these permissions to enhance security and minimize the attack surface by limiting the time these elevated permissions are available. Question: Is there a known method to enable JIT assignments for a managed identity through PIM? Specifically, I'm looking to understand if it's possible for me as a user to activate JIT assignments on behalf of the managed identity. If this approach isn't feasible, is there an alternative strategy that would achieve similar outcomes in terms of assigning managed identities to groups or roles just in time? Cheers folks!
Disable Windows Hello AND Remove Existing PIN
Previously, after setting up Windows for an Azure AD user, it would give me a prompt saying that my organization requires a PIN for Windows Hello. I would hit next, then close the dialog asking for the PIN, and it would say there was an error or something, I'd hit OK and I'd be in Windows with no further Windows Hello harassment until I restarted. Once I got the device enrolled in Intune, it would apply the policy I have a policy that disables Windows Hello. However, a recent update to Windows seems to have made it impossible to bypass setting up a PIN. Because I can't enroll the device in Intune during the Windows Setup, the disable policy doesn't apply until after the PIN is established on the account. Once the PIN is set up on a Windows Account, it is not removed when Windows Hello is disabled via Intune/GPO, and it is seemingly impossible to remove manually. The only lead I've been able to find is to delete this folder: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC\. However, Windows simply is not letting that happen, even after taking full ownership of the folder as a local admin. My only workaround is to first setup the device authenticating with my own account which will have the PIN. Then enroll in Intune with the user's account to their policies applied and Hello disabled. Then create the local admin account. Then add the users account. Then log into the local admin account and delete my account. Finally, log into the users account to create shortcuts and do QA. We use Bitlocker with a PIN that effectively does the same thing as Windows Hello with a PIN, except it also encrypts the disk. So I really don't see what it brings to the table besides a redundant password for users to memorize and extra help desk work when they forget it? How do I get devices configured without adding a bunch of work to get around Windows Hello?
