Access Management
410 Topics

Access Review on multiple Management Groups and Subscriptions
Hi everyone, We are facing the challenge of managing numerous Subscriptions and Management Groups in Azure. Our goal is to make Access Reviews more efficient by conducting them at a higher level, such as the Tenant Root or a central Management Group. Additionally, it would be ideal if roles like "Global Administrator" or "Owner" could be centrally configured for such structures (Tenant Root => All Management Groups => Subscriptions) to reduce administrative effort. Does anyone have experience or tips on how to optimize Access Reviews and role configurations for large and complex Azure environments? Thanks in advance for your help!

Can I configure authentication to be application specific?
Hi Community, I've been searching but could not get an answer. Here's my scenario, which I hope someone can point me in the right direction or documentation on. The organisation's Microsoft Office 365 uses an external IdP (let's say Okta) for federated login. Now I have a separate application registered via the Entra admin centre using App registration, and the requirement is to have it use the Microsoft passwordless authentication method for login. After I did all the necessary OIDC config for this new app, testing the application login led me to the external IdP for authentication. I guess that's because the Microsoft tenant is configured to use the external IdP as default. Is there any way I can configure application-specific authentication? e.g. O365 uses the external IdP for authentication while my custom app uses Microsoft passwordless login, and other apps may use some other login mechanisms. Users for all apps are the company's employees. Any guidance is much appreciated. Thank you.

Conditional policies to access to SharePoint and Files (not Apps)
Hi Team!! I'm looking for a way to restrict SharePoint access from outside of my office network (typically using the static public IP address). My understanding is that to do so, I require configuring conditional access policies in Azure (which in turn requires an Entra ID P1 license for each user). Is my understanding correct? If so, do I have to license each and every user to do so? And the other clarification I'm looking for is: does a conditional access policy apply universally to all users when enabled, or only to those with an Entra ID P1 license? The reason for this clarification is that I tried applying this using a trial license by setting up a policy to block SharePoint access outside our office network, but it ended up applying to all users instead of the ones with the trial license assigned. Further, I noticed that setting this policy blocks the entire Microsoft Teams app as well, whereas my objective is to limit access to the files in Teams, as they are part of SharePoint. Is there a way to control access to SharePoint files in Teams without blocking the whole Teams app? Do let me know if I'm doing something wrong here.

Business User to manage an Application's users in Entra External ID
Hi all, In my company we are using Microsoft Entra External ID as CIAM for one of our applications. Users are external to the company (i.e. 'consumers'). Users are initially created by IT, as the app is not open to the general public. Everything works fine so far and, in addition to authentication, we are using Entra External ID for authorization as well. For that, we are using regular Entra groups that travel to the app using OIDC claims, so once the user has successfully authenticated, the app gets the group membership(s) as well. Here comes the question: we now want to have a non-IT, business user manage authorizations (i.e. group memberships). The options we are considering are: 1) Provide the business user access to the Entra External ID console, with a heavily restricted role that will only allow him to manage users of a certain app (in general, a limited collection of apps). 2) Create a (web) application that handles user authorization management. It would basically show the list of users and the group membership for each, and allow making modifications to them. For option 2) we would like to keep it "CIAM agnostic", meaning we don't want to have it solved via something like the MS Graph API, for instance. Instead, we would like (if possible) a solution based on standards such as OIDC. We are open to using any other standard protocol such as SAML. We don't know if either of the options is actually feasible, or if there is a better approach that should be considered. Ideas about how we can handle this? Thank you all in advance for your help.

employeeType attribute for Dynamic Group features
Dear Microsoft, I would like to suggest that the Dynamic Groups feature support the employeeType attribute. As dynamic groups are used by features like Identity Governance auto-assignment policies and can be the basis for Conditional Access policies, this feature would be aligned with the Secure Future Initiative and the Conditional Access policy architecture implementation recommendation using various personas (Conditional Access architecture and personas - Azure Architecture Center | Microsoft Learn), as well as the Microsoft recommendation not to use extensionAttributes for purposes other than a Hybrid Exchange deployment, and with having named attributes for such important security configurations and Entitlement Management. Thanks, B

Is it Possible to Create a Conditional Access Policy for Non-Interactive Sign-Ins Based on Location?
Hi everyone, I'm looking to create a Conditional Access policy in Azure AD that targets non-interactive sign-ins based on the user's location. Specifically, I want to restrict non-interactive logins if they originate from outside a specific geographic region. Is it possible to configure such a policy? If so, what are the necessary steps and considerations? Any guidance or documentation links would be greatly appreciated! Thanks!

Idle Session Timeout policy for Entra ID - Enterprise applications
Hi All, I would like to understand the limitations of having idle session timeout policies for Enterprise applications in Entra ID. Although we do have the session-based sign-in CAP option in the Entra ID configuration, that is not the customer's requirement; they want an idle session timeout option configured for their set of applications. During research I got to know that we can configure an idle session timeout through the admin.microsoft.com portal by visiting Org Settings >> Security & Privacy tab >> Idle session timeout, but that is only applicable to M365 apps like the Outlook web app, OneDrive, SharePoint, Microsoft Fabric, the M365 Defender portal, the M365 Admin portal etc., and there is no such resource available which covers Entra ID Enterprise applications. Thanks 🙂

What does disabling an Azure AD device actually do?
In an AAD-only org, with Windows 10 Enterprise computers all Azure AD joined and managed by Intune, exactly what does "disabling" the device via the AAD Portal --> Devices --> Select a device --> Disable do? It seems to have absolutely no impact on our devices' ability to continue to log in to AAD and access Office 365 apps/services, for example. Perhaps I naively assumed that disabling a device actually meant that it would be disabled in the sense that you couldn't log in to your org via AAD login, or, even if you could, you wouldn't be able to do anything that required AAD - which in my mind includes Office 365. Am I mistaken? Thanks, Bob

New Blog | Microsoft Entra Internet Access now generally available
By Anupma Sharma

With the rise of hybrid work, identity and network security professionals are now at the forefront of protecting their organizations. Traditional network security tools fall short in meeting the integration, complexity, and scale requirements of anywhere access, leaving organizations exposed to security risks and poor user experiences. To address this, network security and identity must function as a unified force in defense. Only when identity and network controls deeply integrate into secure access can we fully deliver on the core Zero Trust principles, where trust is never implicit and access is granted on a need-to-know and least-privileged basis across all users, devices, and applications. Read the full post here: Microsoft Entra Internet Access now generally available