Get all AA/CQ with Resource Accounts

Hello, is it possible to have a script that pulls out all AA/CQ with resource accounts? I would like to pull it to find out which of the AA/CQ do not have a resource account. If there is no resource account the field would be empty. Regards, JFM_12

Introducing the Entra Helpdesk Portal: A Zero-Trust, Dockerized ITSM Interface for Tier 1 Support
Hello everyone,

If you manage identity in Microsoft Entra ID at an enterprise scale, you know the struggle: delegating day-to-day operational tasks (like password resets, session revocations, and MFA management) to Tier 1 and Tier 2 support staff is inherently risky. The native Azure/Entra portal is incredibly powerful, but it’s complex and lacks mandatory ITSM enforcement. Giving a helpdesk technician the "Helpdesk Administrator" role grants them access to a portal where a single misclick can cause a major headache.

To solve this, I’ve developed the Entra Helpdesk Portal (Community Edition)—an open-source, containerized application designed to act as an isolated "airlock" between your support team and your Entra ID tenant.

Why This Adds Value to Your Tenant

Instead of having technicians log into the Azure portal, they log into this clean, Material Design web interface. It leverages a backend Service Principal (using MSAL and the Graph API) to execute commands on their behalf.

Strict Zero Trust: Logging in via Microsoft SSO isn’t enough. The app intercepts the token and checks the user’s UPN against a hardcoded ALLOWED_ADMINS whitelist in your Docker environment file.

Mandatory ITSM Ticketing: You cannot enforce ticketing in the native Azure Portal. In this app, every write action prompts a modal requiring a valid ticket number (e.g., INC-123456).

Local Audit Logging: All actions, along with the actor, timestamp, and ticket number, are written to an immutable local SQLite database (audit.db) inside the container volume.

Performance: Heavy Graph API reads are cached in-memory with a Time-To-Live (TTL) and smart invalidation. Searching for users or loading Enterprise Apps takes milliseconds.

What Can It Do?

Identity Lifecycle: Create users, auto-generate secure 16-character passwords, revoke sign-in sessions, reset passwords, and delete specific MFA methods to force re-registration.
Diagnostics: View a user's last 5 sign-in logs, translating Microsoft error codes into plain English.

Group Management: Add/remove members to Security and M365 groups.

App/SPN Management: Lazy-load raw requiredResourceAccess Graph API payloads to audit app permissions, and instantly rotate client secrets.

Universal Restore: Paste the Object ID of any soft-deleted item into the Recycle Bin tab to instantly resurrect it.

How Easy Is It to Set Up?

I wanted this to be universally deployable, so I compiled it as a multi-architecture Docker image (linux/amd64 and linux/arm64). It will run on a massive Windows Server or a simple Raspberry Pi. Setup takes less than 5 minutes:

1. Create an App Registration in Entra ID and grant it the necessary Graph API Application Permissions (e.g., User.ReadWrite.All, AuditLog.Read.All).
2. Create a docker-compose.yml file.
3. Define your feature toggles. You can literally turn off features (like User Deletion) by setting an environment variable to false.

    version: '3.8'
    services:
      helpdesk-portal:
        image: jahmed22/entra-helpdesk:latest
        container_name: entra_helpdesk
        restart: unless-stopped
        ports:
          - "8000:8000"
        environment:
          # CORE IDENTITY
          - TENANT_ID=your_tenant_id_here
          - CLIENT_ID=your_client_id_here
          - CLIENT_SECRET=your_client_secret_here
          - BASE_URL=https://entradesk.jahmed.cloud
          - ALLOWED_ADMINS=email address removed for privacy reasons
          # CUSTOMIZATION & FEATURE FLAGS
          - APP_NAME=Entra Help Desk
          - ENABLE_PASSWORD_RESET=true
          - ENABLE_MFA_MANAGEMENT=true
          - ENABLE_USER_DELETION=false
          - ENABLE_GROUP_MANAGEMENT=true
          - ENABLE_APP_MANAGEMENT=true
        volumes:
          - entra_helpdesk_data:/app/static/uploads
          - entra_helpdesk_db:/app
    volumes:
      entra_helpdesk_data:
      entra_helpdesk_db:

4. Run docker compose up -d and you are done!

I built this to give back to the community and help secure our Tier 1 operations.
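To make the three controls the post relies on concrete, here is an added illustration (example code, not the Entra Helpdesk Portal's own implementation) of an authorization gate that checks the SSO-authenticated UPN against an ALLOWED_ADMINS list, requires a well-formed ticket number on every write, and records both allowed and denied attempts in a local SQLite audit table. The INC-123456 ticket pattern, the table layout and the function names are assumptions; the post only states that a valid ticket number is required and that actor, timestamp and ticket are logged.

```python
"""Illustrative gate for the post's three controls: UPN allow-list, mandatory ticket
number, and a local SQLite audit trail. Added example, not the project's own code;
the ticket pattern and table columns are assumptions derived from the post."""
import re
import sqlite3
from datetime import datetime, timezone

# Assumed ticket format: the post's example is INC-123456 (prefix, dash, 6+ digits).
TICKET_RE = re.compile(r"^INC-\d{6,}$")


def load_allowed_admins(env_value):
    """Parse a comma-separated ALLOWED_ADMINS value into lower-cased UPNs."""
    return frozenset(u.strip().lower() for u in env_value.split(",") if u.strip())


def init_audit_db(path=":memory:"):
    """Create the audit table; the app only ever INSERTs into it (no UPDATE/DELETE)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS audit ("
        "ts TEXT, actor TEXT, action TEXT, target TEXT, ticket TEXT, allowed INTEGER)"
    )
    return conn


def authorize_write(conn, allowed_admins, actor_upn, action, target, ticket):
    """Return True only if the SSO-authenticated UPN is allow-listed AND a
    well-formed ticket was supplied. Denials are recorded as well, so a reviewer
    can see attempts by non-allow-listed accounts or attempts without a ticket."""
    upn_ok = actor_upn.strip().lower() in allowed_admins
    ticket_ok = bool(TICKET_RE.match((ticket or "").strip()))
    allowed = upn_ok and ticket_ok
    conn.execute(
        "INSERT INTO audit VALUES (?, ?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor_upn, action, target, ticket, int(allowed)),
    )
    conn.commit()
    return allowed


def denied_actions(conn):
    """The rows a reviewer cares about most: every attempt that was refused."""
    cur = conn.execute(
        "SELECT actor, action, ticket FROM audit WHERE allowed = 0 ORDER BY rowid"
    )
    return cur.fetchall()
```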
If you are interested in testing it out in your dev tenants or want to see the full architecture breakdown, you can read the complete documentation on my website here. I’d love to hear your thoughts, feedback, or any feature requests you might have!

Teams Planner Duplication
Does anyone know if you can duplicate Microsoft Teams Planners for onboarding tasks? I am trying to create an easily replicable Teams Planner with links to files in SharePoint folders, for example. I want to be able to copy this planner for each new hire and have a copy of all the files and planner tasks in the new copy. Any advice or expertise would be much appreciated!

Student chat disabled?
Hi there, I’ve started testing and setting up Teams for my education customer. I’ve gotten reports that teachers get a “This chat has been disabled. You can’t send a message, but can view past messages.” message when going to message a student. I have tried re-assigning policies but nothing that I’ve tried has worked. Any resolutions? Help is greatly appreciated. Thanks, Jessie M. Hadaller

EDIT: This issue only appears on the iPad app version of Teams. Version #: 3.10.0

Group email addresses for Teams sometimes contain “+” or “/” characters
We are using Microsoft Teams in our organization. When creating multiple Teams with exactly the same team name, using ASCII alphanumeric characters only, we occasionally see that the automatically generated group email address contains unexpected characters such as “+” or “/”. I would like to know whether this behavior is expected or if it is specific to our environment. This issue seems to have been occurring since around August 2025.

We manually create Teams using the Windows Teams client. For example, if we create several Teams with a simple name such as “example2026”, the corresponding group email addresses are generated in the following format: email address removed for privacy reasons

However, in some cases, the XXXXXX portion includes characters like “+” or “/”. When creating around 50 Teams, this issue appears in a few of them. This causes two problems for us:

- A “+” character interferes with plus-addressing behavior.
- When a “/” is included, we cannot create events inside the Team.

Has anyone else encountered this issue or know why this happens? Any insights would be appreciated.

Best External Access configuration
I’m looking for guidance on the best Microsoft Teams configuration for the following goal:

Objective

Prevent random external domains from:
- Looking up users in Teams
- Sending 1:1 chats
- Making direct audio/video calls

At the same time:
- External users invited to Teams meetings should not appear as Anonymous

Upcoming change: disabling Teams meeting recording expiration notification emails
Hello,

We wanted to share an important update regarding email notifications for expired Microsoft Teams meeting recordings. Based on valuable feedback from our community, we’ve decided to make a change to how notifications are handled.

What’s changing: Starting June 1st, we will stop sending email notifications for expired Microsoft Teams meeting recordings. We are making this change due to complaints we received from many customers about the high volume of notifications, which they deemed low value. This change allows us to respect your preferences while ensuring critical communications remain accessible. Recording expiration and deletion policies remain unchanged, and items that expire will be deleted even when notifications are not being sent.

How to keep receiving notifications: For those customers that would like to continue receiving email notifications, we will create a new setting and make it available before June 1st. This will be a per-tenant setting. We will send another message center post once this setting is available and update our documentation in this discussion and on our support page.

After June 1st: If you didn’t change notification settings before the deadline, you can still re-enable them at any time by running the PowerShell command.

Note: Our original message center post incorrectly asked recipients to fill out a survey and failed to include a link to the survey. We are committed to providing options that work for your organization, and we would like to hear from you. If you have questions or additional feedback about this change, please complete this survey and join the discussion: Teams Meeting Recording Notification Changes – Fill out form

Thank you for being part of our community.

Teams duplicates contacts until it maxes out at 15000
Hi, I have a weird issue with some users: Teams seems to be duplicating old Skype for Business contacts until it maxes out at 15000 contacts. I have been digging into it a bit and found the location of the folder through Exchange PowerShell, but I can't clear or delete it. Skype for Business has been phased out and disabled in my tenant for a long time now, so I couldn't do much there; I can't log in to it through PowerShell. We've had Teams since about 2017, so I suspect this is a niche legacy issue popping up recently somehow.

Manual deleting is possible through the browser environment, but that is such a hassle because it keeps glitching if you delete 100 at a time, skipping pages and so on, and you need to refresh constantly. Just a pain; it would take days. And no guarantee it's not coming back either. See screenshots.

Does anyone know why this is happening and how to fix this? Thanks for reading, cheers!

Allow only specific external domains
When External Access is set to “Allow only specific external domains”

Scenario 1: If Microsoft Teams External Access is set to “Allow only specific external domains”, and a user from a domain not on the allowed list joins a meeting while signed into their work Teams account, will they still appear with their actual name and organization, rather than as Anonymous? Is this correct?

Scenario 2: If a user from a non-allowed domain joins the meeting link through a browser and selects “Join as guest”, will they appear under the name they manually enter, instead of showing as Anonymous? Is this correct?

Scenario 3: If a user joins without authenticating and meeting policy allows anonymous access, will they appear as Anonymous only in that situation, and not because of the External Access restriction? Is this correct?