API-driven provisioning field mapping changes resynchronize all users and groups
We have configured API-driven provisioning for on-premises Active Directory, along with Azure AD Connect, to synchronize on-premises AD users with Azure Entra ID. As part of the provisioning setup, we have used a separate Organizational Unit (OU) in on-premises AD (designated as the default OU for new users) while configuring API-driven provisioning. We are attempting to make some changes to the API field mapping, specifically the ‘UserPrincipalName’ regular expression (custom domain) and the ‘manager’ field, and saving the configuration. Upon attempting to save, a prompt appears (as highlighted below screenshot), indicating that this action will resynchronize all users and groups. Could you please clarify: Will this resynchronization update any existing users outside the default provisioning Organizational Unit (OU)? Specifically, what does the resynchronization operation update? For instance, will it modify the 'UserPrincipalName' and 'manager' attributes for all users including old users outside of provisioning Organizational Unit (OU)? Screen Shot - While Saving Mapping.
Unable to add Azure Virtual Desktop Client Enterprise App to Conditional Access
We currently use conditional access to allow certain contractors to sign into VMs, and from these VMs, access other MS Apps. Currently we block all applications from outside the VM ip range, but exclude the Virtual desktop applications to allow the users to do the initial signin to the VM. When contractors are using the Virtual Desktop app, it seems to work ok. However, recently when signing in via the browser only and launching from there, the conditional access rule is blocking them as the application ID isn't in the exclude list, and we are unable to add it: a85cf173-4192-42f8-81fa-777a763e6e2c The documentation: https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa?tabs=avd shows that web signins may originate from this application ID, but without the ability to add this to the exclusion apps, we cannot find another workaround that allows access via the browser. I also tried adding this app in to the policy via GraphAPI, but I get an error saying that this first party application isn't allowed. I need to know if there is another workaround or if Microsoft are planning to add this to the CA compatibility list? I'm not sure why some of the Virtual desktop apps are there but this one is not.
Entra ID Connect cloud sync: User and group sync is quarantined
Hi, I connected our on-premise AD with Entra ID with Azure AD Connect Cloud Sync. Agents are active, but User and group sync is quarantined with the following error. Error code: HybridSynchronizationContainerStateEnumerationFailed Error message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.... Additional details: Encountered an error while enumerating container changes in the provisioning agent. Please make sure you are running the latest version of the agent. Contact support if the issue persists. Additional Error Details: UnwillingToPerform: The server cannot handle directory requests.. ResultCode: UnwillingToPerform, HResult: -2146233088, responseType: System.DirectoryServices.Protocols.SearchResponse, serializedResponse: {"MatchedDN":"","Controls":[],"ResultCode":53,"ErrorMessage":"error in module dsdb_paged_results: Unwilling to perform during LDB_SEARCH (53)","Referral":[],"References":[],"Entries":[],"RequestId":null}. I use SaMBa servers (4.19.4) as DCs. Agents are installed on Windows 2019 servers. How can I resolve the problem?
Dynamic group membership rules stopped working
We've been using the following the following dynamic membership rule to check if a user is a member of another group: user.memberOf -any (group.objectId -in ['2b930be6-f46a-4a70-b1b5-3e4e0c483fbf']) The group is an Active Directory group that is represented in Entra with the stated Entra group object Id. The validation fails for every user and looks like this: It seems that all out dynamic groups are affected and stopped working. Have you seen this before? Thanks.Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.Access Package Approval automation with our Servicedesk ticketing tool
Hi Team, I am trying to automate all the access package approvals to be logged in our Service desk ticketing tool. Example: When a user requests access, once an approval request triggers from Microsoft it should also log a ticket in our ticketing tool. If the request got approved, the ticket should log this information & automatically gets closed. Our ticketing tool dev team is working on it however, they are stuck in the middle & looking to extract the necessary webhook information required for triggering actions from the Azure solution. Any input or guidance regarding webhook information supported by the Azure solution would be greatly appreciated and would assist us in progressing with the discussed requirements accordingly. Looking forward for your help to achieve this. Thanks, Garima
API-driven provisioning to on-premises Active Directory mapping of the manager not working anymore
Hello Guys, I have a problem with the provisioning service of the above enterprise application. The whole time it was working fine until yesterday when I changed an attribute mapping (not the manager mapping) and now the manager is not sync because he can't lookup the manager, with every user even though the all worked before. Error: UnableToResolveReferenceAttributeValue Someone have an Idea or the same problem?Microsoft Entra Hybrid Join Issue Despite Setting Up All Essentials
I’m facing an issue where my client computer is unable to join Hybrid Azure AD, even though I’ve already set up all the essential steps, I downloaded that Microsoft Entra Connect Sync tool from the official site and did all the necessary steps. including configuring the SCP (Service Connection Point). Our main server is in New York, and our branch office is in Asia region, I want to have Microsoft Entra Hybrid Joined to all of my office PC in order to apply some conditional access policies. Despite these setups, the device fails at the discovery phase, and I can’t figure out what’s missing. This is what it says when I try to manually add the client PC TenantInfo::Discover: Failed reading registration data from AD. Defaulting to autojoin disabled 0x800706ba DsrCmdJoinHelper::Join: TenantInfo::Discover failed with error code 0x801c001d. Has anyone encountered a similar issue? Any guidance or troubleshooting tips would be greatly appreciated. Thanks!
keep ui_locales param in custom policy sign in flow
Hi, I'm having some trouble with the language customization of our AD B2C based authentication pages. In my country (Greece) even though the local language is greek, it's very common to use english as the default language for web tools and specifically browsers. In our business we do want to show english translations but only when user needs it. There is a language switch added in a custom html template that changes the ui_locals param and refreshes the page. We have added LocalizedStrings to our custom policies and initially force the ui_locals=el param in order to override the default browser language and set it to greek. This works fine in the first screen where users are asked to add their email address but as long as they proceed to the next step, the ui_locals param is lost and the password screen is shown with strings in english. Is there a way to tell to a custom policy to respect the ui_locals param when moving from one screen to another?
WTF is going on in these logs?
I had a user phished the other day but they realized and changed their password straight away. Not before the bad actor collected his credentials so I checked the logs and what I see makes no sense. First i looked at the sign in logs (Sign in logs.png). You can see a failed login attempt from Jacksonville Florida. You can see they used the old password (invalid passowrd.png). Looks good right? Then why the hell is there a follow up attempt (approved.png) that says Password via pass-through succeeded? Yes, it's now waiting for MFA but if it's the wrong password as seen prior why now is it saying succeeded? Plus, another one 10 mins later from another IP (probably trying to get around location blocking) with the same thing. Pass Through succussed and now waiting for MFA. If the password is wrong, why even request MFA?
