Does Rights Management Service currently support MFA claims from EAM?
We've been testing EAM (external authentication methods) for a few months now as we try to move our Duo configuration away from CA custom controls. I noticed today that when my Outlook (classic) client would not correctly authenticate to Rights Management Service to decrypt OME-protected emails from another org. It tries to open the message, fails to connect to RMS, and opens a copy of the email with the "click here to read the message" spiel. It then throws a "something is wrong with your account" warning in the Outlook client's top right corner. If I try to manually authenticate & let it redirect to Duo's EAM endpoint, it simply fails with an HTTP 400 error. When you close that error, it then presents another error of "No Network Connection. Please check your network settings and try again. [2603]". I can close/reopen Outlook and that warning message in the top right stays suppresses unless I attempt signing into RMS all over again. However.. If I do the same thing and instead use an alternate MFA method (MS Authenticator, for example), it signs in perfectly fine and will decrypt those OME-protected emails on the fly in the Outlook client, as expected. I verified that we excluded "aadrm.com" from SSL inspection and that we're not breaking certificate pinning. So all I can assume at the moment is that Rights Management Service isn't honoring MFA claims from EAM. Any experience/thoughts on this? Thanks in advance!Add members to a dynamic sec-grp excluding users with a specific "serviceplanid" assigned license
Hello, I am trying to populate dynamically a security group that shoud contain all members with a specific attribut value and trying to filter the groupe membership based on a serviceplanId assigned to members (user.extensionAttribute9 -startsWith "83") -and (user.accountEnabled -eq True) -and (user.mail -ne null) -and (User.AssignedPlans -any (assignedPlan.servicePlanId -ne "818523f5-016b-4355-9be8-ed6944946ea7" -and assignedPlan.capabilityStatus -eq "Enabled")) How to exclude members with the ServicePlanId : "818523f5-016b-4355-9be8-ed6944946ea7" from the list of the groupe members ?Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub
Disable MFA for User with certain admin roles
Hello all, we have a user with sharepoint administrator role and a self build application support manager role (the suer is allowed to create apps in Azure). We are now at a point where this user has to register an app for our helpdesk tool, but we have to remove the MFA for the registration. We excluded the user from the "MFA is mandatory for all users"-policy, the "MFA is mandatory for admins"-policy and set his MFA in the MFA-per-user setting on disabled. We have no other policy that enforces MFA for this user. Wenn we try to log in with the user (under http://www.office.com), we still get the request to register MFA Authenticator. I am aware that MS enforced MFA for admins, when they try to log in into the admin portals. Does this also apply for sharepoint admins? Does anyone have an idea, where the MFA request for this user could come from. Any help is appreciated. Cheers, Erik
GSA - Web content filtering - Custom blocked page
Hello everyone, I have a quick question. I just tested the 'Web Content Filtering' of Global Secure Access. However, in Microsoft's documentation, two processes are mentioned for displaying blocked sites (related to HTTP and HTTPS). I wanted to know if it is possible to create a custom page (for example, adding the company logo, indicating the reason for blocking such as the associated web category, etc.). I tried to search, but no documentation related to this is available (or at least I couldn't find it). Thanks in advance for the help!
What is your SOP for old risky users?
Recently have been tasked with leveraging Entra ID to it's full potential. We've a suite of different tools we use for alerting, so the Risky Users component was essentially ignored for a couple years, and there's a buildup of alerts for sign-in attempts I can't even pull logs for. These users would've been required to change their password since the date on most of these, and we have some hybrid environments I plan on enabling self-clearing for. But wondering what other MSPs have done in this scenario?How to Recover a Global admin account without MFA
Hi Community I have created a Global admin account in a tenant, unfortunately I had to reset my mobile device, and the MFA codes / setup are gone. I know the password for the account though, without being able to access MFA, I'm not able to login anymore. I have no other admin accounts / Privileged accounts setup. Is there any way to recover from this situation?
Limitations on Modifying Enterprise Applications in Azure AD
Hi All, I'm curious about the limitations on modifying Enterprise Applications in Azure AD. Specifically, are there any restrictions on how frequently we can make changes to attributes, ACS, or reply URLs? I understand that modifying these settings can impact user access, but I'm concerned about potential rate limits or other restrictions that might prevent frequent updates. Any insights or best practices for managing these changes would be greatly appreciated. Post Script We don't have a dedicated QA environment, so understanding these limitations will help us plan our changes carefully.
New role recommendation: Read Only Exchange Admin
To fully leverage PIM, we are transitioning to Entra roles wherever possible. We wish we could get off of customized Exchange RBAC roles, but the Exchange Recipient Admin role, lacks access to information like mail flow rules, which is essential for troubleshooting mail delivery issues. We would appreciate the introduction of a read-only role that allows viewing all information in Exchange without the ability to make changes.
Enterprise Application AWS IAM Identity Centre
Hi Can someone please help... I have configured AWS IAM Identity Centre Enterprise Application, this works fine for internal users but I can not get external users working correctly as the username keeps looking at UPN rather e mail In the Enterprise Application i have set claim conditional But when I look into AWS under users I still see the guest users have there username set as the UPN in Entra not there E Mail address. Any ideas as to what i can do to sort this out?
