Active Directory (AD)
Dynamic group membership rules stopped working
We've been using the following dynamic membership rule to check if a user is a member of another group: user.memberOf -any (group.objectId -in ['2b930be6-f46a-4a70-b1b5-3e4e0c483fbf']) The group is an Active Directory group that is represented in Entra with the stated Entra group object Id. The validation fails for every user and looks like this: It seems that all our dynamic groups are affected and stopped working. Have you seen this before? Thanks.

License for Multi Tenant Setup
Scenario: User R is part of Tenant A and has an M365 license. Tenant A & B are cross-synced. Would User R need an M365 license from Tenant B to operate on files stored in Tenant B? Scenario: User M is an external guest of Tenant B. Would User M need an M365 license from Tenant B to operate on files stored in Tenant B?

Double entries in userCertificate prevent Hybrid Join
Hey guys, I have an interesting situation at a customer. He utilizes a third-party MFA provider while being on a federation. That means new computers will never have a registered state. For users it is mandatory that their clients have completed the Hybrid Join to use M365 apps, which can be a real pain. So the Automatic-Device-Join task has to create the userCertificate on the on-premises computer object before it can be synchronized to Entra. Here comes the issue. In some cases we see that some computers will create two userCertificate entries. This situation will lead to an inconsistent Hybrid Join. I already tried to remove one of the certificates, but for me it is impossible to recognize which is the right one. The only solution for me was to remove both entries under userCertificate and let the Automatic-Device-Join task create a new one. Afterwards the Hybrid Join will work. I want to understand which process or scenario might create the double userCertificate entries.

Enterprise Application AWS IAM Identity Centre
Hi, can someone please help... I have configured the AWS IAM Identity Centre Enterprise Application. This works fine for internal users, but I cannot get external users working correctly, as the username keeps looking at the UPN rather than the e-mail. In the Enterprise Application I have set a claim condition, but when I look into AWS under users I still see the guest users have their username set as the UPN in Entra, not their e-mail address. Any ideas as to what I can do to sort this out?

Is it Possible to Create a Conditional Access Policy for Non-Interactive Sign-Ins Based on Location?
Hi everyone, I'm looking to create a Conditional Access policy in Azure AD that targets non-interactive sign-ins based on the user's location. Specifically, I want to restrict non-interactive logins if they originate from outside a specific geographic region. Is it possible to configure such a policy? If so, what are the necessary steps and considerations? Any guidance or documentation links would be greatly appreciated! Thanks!

JoinNotFound
I have seen a post on here with the same error, but it didn't seem to help me, so rather than hijack the thread I'd ask again. More specifically, I don't understand which attribute it's trying to match on and how to set/check that. I get this when doing a provision on demand: "No action required. User '....' is not a newly discovered entry to be provisioned in the target application, nor one with an update that should flow to a target entry with which it was previously matched." Skipreason: JoinNotFound. I'll go through the documents again on Microsoft Learn in case I've missed something, but if anyone has any pointers I'd be most grateful. TIA, Andrew

Azure AD Connect - One forest - Two tenants - Same OUs
Hi All, We are looking to add a second Azure AD Connect to our environment to have users synchronized to a new tenant (second tenant, different domain). According to Microsoft this is a supported approach, but is it also OK to have the same OUs as part of both syncs? We currently have situations where the same user object may belong to ContosoA and ContosoB. Or would the users that belong to each tenant need to be part of their own OUs and exclusive to each? Thanks.

Entra Connect Sync duplicated UPN
Hi, I had Entra Connect running for a long time without issues. Out of the blue, Connect Sync started to report Duplicate Attribute on 3 users' User Principal Name. The 3 users that Connect Sync believes have a conflicting value in Entra do exist in Entra, but with an SMTP address which matches the UPN and is not the user's UPN. If I run the following commands on my on-prem AD, the UPN does not exist in any form of domain name:
Get-ADUser -Filter {UserPrincipalName -eq "email address removed for privacy reasons"}
Get-ADUser -Filter {UserPrincipalName -eq "e-mail@domain.local"}
Get-ADUser -Filter {UserPrincipalName -eq "email address removed for privacy reasons"}
All my users' UPNs are different from the configured on-prem ProxyAddresses, so the above error message makes no sense. And furthermore, the 3 users which sync sees as a conflict do not even have ProxyAddresses configured. Any ideas how to further debug this? /Robert

B2B sharing policy
Hi, Microsoft has updated the B2B sharing policy, so we now need to invite externals to our Azure AD before sharing files with them. Is there any way to create an exception for certain domains, like those of our partners, so we can share files with them without having to invite them as guests? Thank you for your help! Best,

Multitenant organization (MTO): user licenses
Hello everyone, As described here, I have created an MTO. It seems to have worked because I can see users from tenant A in tenant B. Everything looks correct, as the users have #EXT# in their usernames, their type is "Member", and their identity is "ExternalAzureAD". BUT they are all unlicensed. My question: is there a way to synchronize the licenses of the users, or do I really have to purchase the same license twice for a single user? Specifically, I am interested in the following licenses: Microsoft 365 Business Premium (access to Teams, SharePoint, Exchange Online shared mailboxes, etc.) and Dynamics 365 licenses (e.g., Business Central). Thank you very much for your assistance, and warm regards, Nico