Active Directory (AD)
162 Topics

Group writeback doesn't sync back to Entra
Hi all, I can't find documentation on whether this should actually work or not. I enabled group writeback, which works fine. Now if I add a user to one of those groups in local Active Directory and sync the user to Entra, the user isn't a member of the group there. Might be just normal behavior, but it would be nice if it did sync.

Failed authentication with SAML Certificate
When I create a new Enterprise application and set up SAML-based SSO, the token signing certificate (Base64) I get fails to log my user in to my application. I have to re-upload the certificate for a successful login request. This has started happening often.

Dynamic group membership rules stopped working
We've been using the following dynamic membership rule to check if a user is a member of another group:

user.memberOf -any (group.objectId -in ['2b930be6-f46a-4a70-b1b5-3e4e0c483fbf'])

The group is an Active Directory group that is represented in Entra with the stated Entra group object ID. The validation fails for every user and looks like this: It seems that all our dynamic groups are affected and have stopped working. Have you seen this before? Thanks.

License for Multi Tenant Setup
Scenario: User R is part of Tenant A and has an M365 license. Tenants A and B are cross-synced. Would User R need an M365 license from Tenant B to operate on files stored in Tenant B? Scenario: User M is an external guest in Tenant B. Would User M need an M365 license from Tenant B to operate on files stored in Tenant B?

Double entries in userCertificate prevent Hybrid Join
Hey guys, I have an interesting situation at a customer. They use a third-party MFA provider while being federated. That means new computers will never have a registered state. For users it is mandatory that their clients have completed the Hybrid Join to use M365 apps, which can be a real pain. So the Automatic-Device-Join task has to create the userCertificate on the on-premises computer object before it can be synchronized to Entra. Here comes the issue. In some cases we see that some computers create two userCertificate entries. This situation leads to an inconsistent Hybrid Join. I already tried to remove one of the certificates, but for me it is impossible to recognize which is the right one. The only solution for me was to remove both entries under userCertificate and let the Automatic-Device-Join task create a new one. Afterwards the Hybrid Join works. I want to understand which process or scenario might create the double userCertificate entries.

Enterprise Application AWS IAM Identity Centre
Hi, can someone please help... I have configured the AWS IAM Identity Centre Enterprise Application. This works fine for internal users, but I can't get external users working correctly, as the username keeps looking at the UPN rather than the e-mail. In the Enterprise Application I have set a claim condition: But when I look into AWS under users I still see the guest users have their username set as the UPN in Entra, not their e-mail address. Any ideas as to what I can do to sort this out?

Is it Possible to Create a Conditional Access Policy for Non-Interactive Sign-Ins Based on Location?
Hi everyone, I'm looking to create a Conditional Access policy in Azure AD that targets non-interactive sign-ins based on the user's location. Specifically, I want to restrict non-interactive logins if they originate from outside a specific geographic region. Is it possible to configure such a policy? If so, what are the necessary steps and considerations? Any guidance or documentation links would be greatly appreciated! Thanks!

JoinNotFound
I have seen a post on here with the same error but it didn't seem to help me, so rather than hijack the thread I'd ask again. More specifically, I don't understand which attribute it's trying to match on and how to set/check that. I get this when doing provision on demand: "No action required. User '....' is not a newly discovered entry to be provisioned in the target application, nor one with an update that should flow to a target entry with which it was previously matched." Skip reason: JoinNotFound. I'll go through the documents again on Microsoft Learn in case I've missed something, but if anyone has any pointers I'd be most grateful. TIA, Andrew

Azure AD Connect - One forest - Two tenants - Same OUs
Hi All, We are looking to add a second Azure AD Connect to our environment to have users synchronized to a new tenant (second tenant, different domain). According to Microsoft this is a supported approach, but is it also OK to have the same OUs as part of both syncs? We currently have situations where the same user object may belong to ContosoA and ContosoB. Or would the users that belong to each tenant need to be in their own OUs, exclusive to each? Thanks.

Entra Connect Sync duplicated UPN
Hi, I had Entra Connect running for a long time without issues. Out of the blue, Connect Sync started to report Duplicate Attribute on 3 users' User Principal Name. The 3 users that Connect Sync believes have a conflicting value in Entra do exist in Entra, but with an smtp address which matches the UPN and is not the user's UPN. If I run the following commands on my on-prem AD, the UPN does not exist in any form of domain name:

Get-ADUser -Filter {UserPrincipalName -eq "email address removed for privacy reasons"}
Get-ADUser -Filter {UserPrincipalName -eq "e-mail@domain.local"}
Get-ADUser -Filter {UserPrincipalName -eq "email address removed for privacy reasons"}

All my users' UPNs are different from the configured on-prem ProxyAddresses, so the above error message makes no sense. And furthermore, the 3 users which sync sees as a conflict do not even have ProxyAddresses configured. Any ideas how to debug this further? /Robert
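A check that fits the duplicate-UPN post above, added here as example code (it is not the poster's script and not a Microsoft tool): Connect Sync's duplicate-attribute check compares the on-premises UPN against every value that already occupies the UPN, mail or proxyAddresses space, so a Get-ADUser filter on UserPrincipalName in one domain is not enough. The script searches the whole forest through a global catalog for any object class holding the address, then queries Entra for the user that already owns it and decodes its onPremisesImmutableId back to an on-premises objectGUID. It assumes the ActiveDirectory module, a reachable global catalog, the Microsoft.Graph.Users module and an existing Connect-MgGraph session with User.Read.All; the address is passed as a parameter and the function names are this example's own.

```powershell
# Added example, not from the original post. Finds every object, on-premises and in
# Entra, that holds a given address as userPrincipalName, mail or an smtp: proxy
# address, and maps the Entra owner back to its on-premises objectGUID.
# Assumptions: ActiveDirectory module, a reachable global catalog, Microsoft.Graph.Users
# module and an existing Connect-MgGraph session (scope User.Read.All).
param(
    [Parameter(Mandatory)][string]$Address   # the value Connect Sync reports as duplicated
)

# Escape LDAP filter metacharacters (RFC 4515) so the address cannot alter the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\' { [void]$sb.Append('\5c') }
            '*' { [void]$sb.Append('\2a') }
            '(' { [void]$sb.Append('\28') }
            ')' { [void]$sb.Append('\29') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

# onPremisesImmutableId is the base64 of the on-premises objectGUID; turn it back
# into a GUID so it can be compared with Get-ADObject's ObjectGUID.
function ConvertFrom-ImmutableId([string]$ImmutableId) {
    if ([string]::IsNullOrEmpty($ImmutableId)) { return $null }
    [Guid]::new([Convert]::FromBase64String($ImmutableId))
}

$v = ConvertTo-LdapFilterValue $Address
# Global catalog (port 3268) covers every domain in the forest; Get-ADObject rather
# than Get-ADUser because contacts and groups carry mail and proxyAddresses too.
$gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$ldapFilter = "(|(userPrincipalName=$v)(mail=$v)(proxyAddresses=smtp:$v))"

Write-Host "On-premises objects holding $Address (via ${gc}:3268):"
Get-ADObject -LDAPFilter $ldapFilter -Server "${gc}:3268" `
    -Properties objectClass, userPrincipalName, mail, proxyAddresses |
    Select-Object DistinguishedName, ObjectGUID, objectClass, userPrincipalName, mail,
        @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join ';' } } |
    Format-List

# Entra side: the object Connect Sync says already owns the value. Both smtp: and
# SMTP: spellings are queried so the result does not depend on filter case handling.
$esc = $Address -replace "'", "''"   # OData string literals escape ' as ''
$odata = "userPrincipalName eq '$esc' or mail eq '$esc' " +
         "or proxyAddresses/any(p:p eq 'smtp:$esc') or proxyAddresses/any(p:p eq 'SMTP:$esc')"

Write-Host "Entra users holding ${Address}:"
Get-MgUser -Filter $odata -ConsistencyLevel eventual -CountVariable matched `
    -Property id, userPrincipalName, mail, proxyAddresses, onPremisesSyncEnabled, onPremisesImmutableId |
    Select-Object Id, UserPrincipalName, Mail, OnPremisesSyncEnabled,
        @{ n = 'proxyAddresses';       e = { $_.ProxyAddresses -join ';' } },
        @{ n = 'onPremisesObjectGuid'; e = { ConvertFrom-ImmutableId $_.OnPremisesImmutableId } } |
    Format-List
```

Run it once per address in the Connect Sync error. If the on-premises query returns a contact or group, that object, not a user, is what the UPN collides with. If the Entra user has OnPremisesSyncEnabled set but its decoded onPremisesObjectGuid matches no object returned by the global catalog, the cloud object was joined to an on-premises object that has since been moved outside the synced OUs or deleted, which is the usual reason Connect Sync reports a conflict that Get-ADUser cannot find. Get-MgUser only returns users; if nothing comes back on the Entra side, check organizational contacts and groups in the tenant as well.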