App Connectors
11 Topics
Disable MFA for User with certain admin roles
Hello all, we have a user with the SharePoint Administrator role and a self-built application support manager role (the user is allowed to create apps in Azure). We are now at a point where this user has to register an app for our helpdesk tool, but we have to remove the MFA for the registration. We excluded the user from the "MFA is mandatory for all users" policy and the "MFA is mandatory for admins" policy and set his MFA in the per-user MFA setting to disabled. We have no other policy that enforces MFA for this user. When we try to log in with the user (under http://www.office.com), we still get the request to register the MFA Authenticator. I am aware that MS enforced MFA for admins when they try to log in to the admin portals. Does this also apply to SharePoint admins? Does anyone have an idea where the MFA request for this user could come from? Any help is appreciated. Cheers, Erik
80 Views, 0 likes, 2 Comments
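An added example, not part of the post or its replies, of how to enumerate the tenant-side sources that can still demand MFA from one account: enabled Conditional Access policies that include the user directly, through a group, or through a directory role (the case to check for a SharePoint Administrator), security defaults, and the legacy per-user MFA state. It uses the Microsoft.Graph PowerShell SDK; the UPN and the Graph scopes are assumptions, and the per-user MFA endpoint is taken from the beta Graph API.

```powershell
# Added example: list every tenant-side policy that can still prompt one user for MFA.
# Assumes the Microsoft.Graph PowerShell SDK and a caller holding Policy.Read.All,
# Directory.Read.All and UserAuthenticationMethod.Read.All; the UPN is a placeholder.
param([string]$Upn = 'appadmin@contoso.example')

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

$user     = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
$memberOf = Get-MgUserTransitiveMemberOf -UserId $user.Id -All
$groupIds = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
              ForEach-Object Id)
# Conditional Access scopes roles by directory role *template* ID, not by the role object ID
$roleTemplateIds = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
                     ForEach-Object { $_.AdditionalProperties['roleTemplateId'] })

function Test-PolicyTargetsUser {
    param([Parameter(Mandatory)]$Policy)
    $u = $Policy.Conditions.Users
    $included = ($u.IncludeUsers -contains 'All') -or ($u.IncludeUsers -contains $user.Id) -or
                (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0) -or
                (@($u.IncludeRoles  | Where-Object { $roleTemplateIds -contains $_ }).Count -gt 0)
    $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0) -or
                (@($u.ExcludeRoles  | Where-Object { $roleTemplateIds -contains $_ }).Count -gt 0)
    return ($included -and -not $excluded)
}

function Test-PolicyRequiresMfa {
    param([Parameter(Mandatory)]$Policy)
    # MFA can be demanded by the classic 'mfa' grant control or by an authentication strength
    return ($Policy.GrantControls.BuiltInControls -contains 'mfa') -or
           ($null -ne $Policy.GrantControls.AuthenticationStrength.Id)
}

"Enabled Conditional Access policies that require MFA and still include $($user.UserPrincipalName):"
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and (Test-PolicyRequiresMfa $_) -and (Test-PolicyTargetsUser $_) } |
    Select-Object DisplayName, Id

# Security defaults push every user into Authenticator registration regardless of Conditional Access
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# Legacy per-user MFA state; this endpoint lives in the beta Graph API (assumption, see lead-in)
$req = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/requirements"
"Per-user MFA state: $($req.perUserMfaState)"
```

Microsoft's own mandatory MFA for the Azure portal, Entra admin center and Intune admin center is enforced on the service side rather than by a tenant policy, so it will not appear in this output and cannot be switched off per user. The role check only sees active role assignments; a PIM-eligible role is not counted until it is activated.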
GSA client exclamation mark, Forwarding policy doesn't exist in registry
Good day, having a difficult time getting Entra Private Access working.

Entra portal
---------------
GSA > Dashboard > Device Status says: 0 have the Global Secure Access Client installed: 0.0%. The client PC is Entra joined and is compliant; the client user has an Entra ID Suite Trial license assigned. Traffic forwarding > Private access is enabled, with a Quick Access application configured for SMB access. User and group assignments are set to a group where the user resides. Microsoft traffic profile and Internet access profile = disabled (for now I just want to make the Private access profile work). Enterprise applications = 1 active. Connectors are online with status active.

Client PC
------
The event log of the client PC says the following: Error occurred while requesting a new forwarding profile: The SSL connection could not be established, see inner exception.. Request Parameters: Microsoft Entra Device ID: 61ma02-9453-1277-98gz-hkdhksa3d0, Correlation vector: kdfhkshfkashdJ.0, APS URL: https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0. The client will continue working with the existing forwarding profile.
GSA Advanced diagnostics: Username: empty; Tenant ID: empty; Forwarding profile ID: empty; Client version 2.8.45.0. Health check is green until "Policy server is reachable", after that an exclamation mark.
If I try the above URL (https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0) in the browser I get "invalid request"; this means that the client is able to reach the server, which means network or DNS issues are unlikely, the SSL handshake is successful, and the certificate is valid. Need guidance to understand why the client is not able to retrieve profiles; I am using Windows 11. Tried disabling the firewall too. Thanks!
446 Views, 1 like, 5 Comments
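An added example (not from the thread) that records the TLS view a process on the device actually gets: it completes a handshake with the APS host named in the event log entry, builds the certificate chain against the machine's trust store, and prints the issuer and any chain-building errors. A chain that ends at a corporate CA rather than a public one indicates TLS inspection in the path, and a service process does not use the browser's proxy settings or the user's certificate store, so run the script once in the user session and once under the account the client's services run as (check the Services console; psexec -s reproduces LocalSystem). The host name is the one from the post; everything else is generic.

```powershell
# Added example: inspect the TLS chain the APS endpoint presents to this device.
function Get-TlsChainReport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any server certificate here only so the handshake completes and the certificate can be
        # inspected; the chain is validated explicitly below. Never use an accept-all callback in production code.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)

        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $valid = $chain.Build($leaf)   # uses the trust store of the account running the script

        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol
            LeafSubject = $leaf.Subject
            LeafIssuer  = $leaf.Issuer
            NotAfter    = $leaf.NotAfter
            ChainValid  = $valid
            ChainStatus = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
            # The last chain element is the root: a public CA, or a corporate CA if traffic is being inspected
            RootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }
        $ssl.Dispose()
    }
    finally {
        $client.Dispose()
    }
}

Get-TlsChainReport -HostName 'aps.globalsecureaccess.microsoft.com' | Format-List

# Services use the WinHTTP proxy, not the browser's; show it so the two views can be compared
netsh winhttp show proxy
```

If RootSubject differs between the two runs, or ChainValid is false only under the service account, the failure is on the device (proxy or trust store) rather than on the network path the browser test exercised.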
Access Package Approval automation with our Servicedesk ticketing tool
Hi Team, I am trying to automate all the access package approvals to be logged in our Service desk ticketing tool. Example: when a user requests access, once an approval request triggers from Microsoft it should also log a ticket in our ticketing tool. If the request gets approved, the ticket should log this information and automatically get closed. Our ticketing tool dev team is working on it; however, they are stuck in the middle and looking to extract the necessary webhook information required for triggering actions from the Azure solution. Any input or guidance regarding the webhook information supported by the Azure solution would be greatly appreciated and would assist us in progressing with the discussed requirements accordingly. Looking forward to your help to achieve this. Thanks, Garima
75 Views, 0 likes, 1 Comment
Registered App > Grant Permission to OneDrive?
Hello everyone, I'm trying to connect an automation platform (N8N) to our OneDrive.
What I did:
- registered an app
- created a secret for it
- gave N8N the client ID and secret value
- gave the app various API permissions (i.e. Files.ReadWrite.All)
- created an app role (users & apps)
- added myself as an owner
Error I'm running into: "Forbidden - perhaps check your credentials? You do not have access to create this personal site or you do not have a valid license."
I know that I have all the needed permissions, because in another automation platform which is more hands-off (Make.com), everything works fine. Unfortunately, I need it in N8N, which requires more setup.
My question: What permissions do I need to give the registered app? Did I miss a step in the grand scheme of things? Thanks a lot in advance!! Tom
537 Views, 0 likes, 3 Comments
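An added example, not from the thread, showing how to check what a client-credentials (app-only) token actually carries before debugging the platform: application permissions appear in the token's roles claim only after admin consent (a delegated permission would show up under scp instead), and an app-only call has no signed-in user, so a drive must be addressed as /users/{upn}/drive rather than /me. Tenant ID, client ID, secret and the target user are placeholders read from environment variables.

```powershell
# Added example: acquire an app-only Graph token and verify the permission it carries before calling OneDrive.
# Assumptions: TENANT_ID, CLIENT_ID and CLIENT_SECRET environment variables hold the app registration values;
# $targetUser is a placeholder UPN whose OneDrive the app should read.
$tenantId     = $env:TENANT_ID
$clientId     = $env:CLIENT_ID
$clientSecret = $env:CLIENT_SECRET
$targetUser   = 'someone@contoso.example'

# Decode the JWT payload locally; do not paste production tokens into third-party decoders
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $segment = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }

$claims = ConvertFrom-JwtPayload $tokenResponse.access_token

# App-only tokens carry application permissions in 'roles'; an empty list means the permission was
# added as Delegated or was never admin-consented, and Graph will answer 403 regardless of the client.
"Application permissions in token: $($claims.roles -join ', ')"
if (-not ($claims.roles -contains 'Files.ReadWrite.All')) {
    throw 'Token lacks Files.ReadWrite.All as an application permission; add it as Application and grant admin consent'
}

# No signed-in user exists for this token, so /me is invalid; address the drive of a named user instead
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$drive = Invoke-RestMethod -Headers $headers -Uri "https://graph.microsoft.com/v1.0/users/$targetUser/drive"
"Drive id: $($drive.id)  owner: $($drive.owner.user.displayName)"
```

Files.ReadWrite.All as an application permission reaches every user's OneDrive in the tenant; if the automation only needs one drive or one folder, Sites.Selected-style scoping is the narrower option to evaluate before shipping this to a third-party platform.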
SCIM provisioning - custom app authentication
Hi, in the documentation for handling endpoint authentication, two methods are given: 1) a "long-lived token" (i.e. a secret key that has to be pasted in the clear by the admin); 2) "Microsoft Entra bearer token" - similar to other services (e.g. callbacks for MS Teams bots), Microsoft signs the outgoing calls, and the app being provisioned can validate them against Microsoft's public keys. To me, option (2) is by far the best - each message is signed individually, there is no manual handling of secrets, etc. As said in the documentation - "Apps that use Microsoft Entra ID as an identity provider can validate this Microsoft Entra ID-issued token." - great! So why on earth does it then say "The token generated by the Microsoft Entra ID should only be used for testing. It shouldn't be used in production environments."? Why not? The whole system of Entra bearer tokens is only for testing? And production should go back to secret keys, with all the problems they have? It doesn't seem right. What am I missing here?
127 Views, 7 likes, 0 Comments
Microsoft Entra Internet Access Location Awareness
Hi all, I'm currently evaluating Microsoft Entra Private and Internet Access (with good results until now). By default, the agent is started, meaning that all Internet traffic goes to MS Edge. Is it possible to disable (automatically) the agent based on the location of the computer? Example: if the device is connected to the corporate network, the service needs to be disabled... Another question: does it detect a captive portal in case the device is connected to a "kiosk" network? And finally (for Private Access), is it planned to support LDAP traffic over UDP and more generally UDP? Regards, HA
488 Views, 0 likes, 0 Comments
Create a new user in Power App through register/log-in function
Hi. I am trying to implement the log-in function in Power App. The user should be able to create their own account through Power App and log in again next time, since their log-in data will be saved in a database. In this case, I am using Microsoft Entra ID as my database. This is my code for the "Submit" button in my Power App: MicrosoftEntraID.CreateUser(EnableAccountToggle.Value;EMailTextInput.Text; PasswortTextInput.Text). I don't know what is wrong with my code, because when I try to create a new user account from Power App, the data of the new user does not show up in my Microsoft Entra ID. I have already connected my app to the Microsoft Entra ID connector. I have not changed anything at all in my Microsoft Entra ID since getting an account for it. Do I have to create a group or something in my Microsoft Entra ID? I really appreciate your advice! You can also recommend other data management tools to me or tell me about your experience with them.
807 Views, 0 likes, 0 Comments
New Blog | Microsoft Entra Private Access: An Identity-Centric Zero Trust Network Access Solution
On July 11, 2023, we introduced Microsoft's identity-centric security service edge (SSE) solution and two new services: Microsoft Entra Private Access and Microsoft Entra Internet Access, which are now in public preview. In this blog, we take a deeper look into Microsoft Entra Private Access. Read the full blog here: Microsoft Entra Private Access: An Identity-Centric Zero Trust Network Access Solution - Microsoft Community Hub
1.1K Views, 0 likes, 0 Comments
Trying to force credentials on a Power App through Azure AD, URL modifiers
Hello! Power Apps guy here. Tried posting this question on the Power Apps community with little response. I think I might do better here. What I'm trying to do: I'm trying to find a way to force credentials for a Power App (canvas, in browser) each time a user clicks the link to open it. In this world of everyone having work/personal accounts and Teams, it's anything but elegant to tell a user to open a private browsing session first to avoid account confusion. Not everyone is computer savvy and knows how to set up multiple browsing profiles, and unfortunately SSO, while trying to be helpful, doesn't always make it clear to the user what's happening and why they need different credentials. It feels like a clunky hand-off for apps that are made to be user friendly. Admittedly I'm much less experienced with Azure AD than Power Apps. So far I've been able to do some helpful things with the URL. However, they don't seem to work with the typical Power Apps web links (I could be doing it wrong). But I know there is a solution in here somewhere. I feel close. After much searching I've mashed together a bunch of links with varying results. I registered an app (let's call it Jumper) in Azure AD that I'm using as a redirect to the Power App. I can't seem to force credentials on the raw Power Apps link, but using the Jumper app's authentication endpoint, coupled with &login_hint, I'm able to give a personalized link that does prompt a user with the correct credential, only requesting their password. Then it redirects to the Power App. Unfortunately, from this point the redirect to the Power App seems to lose track of which account is using it. So if they are signed in with multiple accounts (even though they just signed into the login_hint account) it can default to another, causing the app to fail to load its data. I'm guessing the prompt for credentials is only valid for the registered app. I'm wondering if the solution requires the use of tokens and, if so, how I might want to set that up. Or if anyone just has a simple URL modifier up their sleeve, or PowerShell trick, that would allow me to force credentials with each launch of a web link Power App, you would be my hero. Many thanks for any insight provided. Cheers!
1.5K Views, 0 likes, 0 Comments
Consume Active Directory On-Premises from Azure Function
Hello everyone,
Introduction
I have to develop a functionality for a Power App; this Power App has to disable or enable user accounts in the on-premises Active Directory. For this I was thinking of creating an Azure Function that consumes it through a Hybrid Connection or VPN. I was researching, but I'm not clear which approach is the best. Can I connect my Azure Function to the AD and use PowerShell to take actions in the AD? What should I use, Hybrid Connections or should I use a VPN? Thanks in advance!
Solved. 1.2K Views, 0 likes, 1 Comment
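An added example, not the accepted answer from the thread, of what the Azure Function side of this can look like: an HTTP-triggered PowerShell function (run.ps1) that flips the disabled bit of an on-premises account over LDAP using the .NET System.DirectoryServices classes, which avoids needing the RSAT ActiveDirectory module on the function host. It works over either path the post considers, since it only needs TCP reachability to a domain controller. Assumptions: a Windows-hosted Function App with a network path to the DC (VNet integration/VPN, or a Hybrid Connection to the DC's LDAP port), a least-privileged service account whose credentials arrive through the app settings AD_BIND_USER and AD_BIND_PASSWORD (for example as Key Vault references), and AD_DC holding the DC host name; all names are placeholders.

```powershell
# Added example: HTTP-triggered PowerShell Azure Function that enables or disables an on-premises AD account.
# Assumes a Windows Function App that can reach the DC named in $env:AD_DC and binds with the service
# account in $env:AD_BIND_USER / $env:AD_BIND_PASSWORD (placeholders supplied via app settings).
using namespace System.Net
using namespace System.DirectoryServices

param($Request, $TriggerMetadata)

# RFC 4515 escaping so a caller-supplied account name cannot change the meaning of the LDAP filter
function ConvertTo-LdapFilterLiteral {
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ([string]$ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Set-OnPremAccountEnabled {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $ADS_UF_ACCOUNTDISABLE = 0x2   # bit in userAccountControl that marks a disabled account

    # Negotiated (SPNEGO) bind with signing and sealing, so neither the bind nor the change travels in clear on port 389
    $authType = [AuthenticationTypes]([AuthenticationTypes]::Secure -bor [AuthenticationTypes]::Signing -bor [AuthenticationTypes]::Sealing)
    $root = [DirectoryEntry]::new("LDAP://$($env:AD_DC)", $env:AD_BIND_USER, $env:AD_BIND_PASSWORD, $authType)

    $searcher = [DirectorySearcher]::new($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterLiteral $SamAccountName)))"
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found" }

    $entry  = $result.GetDirectoryEntry()
    $uac    = [int]$entry.Properties['userAccountControl'].Value
    $newUac = if ($Enabled) { $uac -band (-bnot $ADS_UF_ACCOUNTDISABLE) } else { $uac -bor $ADS_UF_ACCOUNTDISABLE }
    if ($newUac -ne $uac) {
        $entry.Properties['userAccountControl'].Value = $newUac
        $entry.CommitChanges()
    }
    [pscustomobject]@{ SamAccountName = $SamAccountName; Enabled = $Enabled; Changed = ($newUac -ne $uac) }
}

# Entry point: expects a JSON body such as { "samAccountName": "jdoe", "enabled": false }
try {
    $body = if ($Request.Body -is [string]) { $Request.Body | ConvertFrom-Json } else { $Request.Body }
    # Allow-list the account name before it goes anywhere near the directory
    if (-not $body.samAccountName -or $body.samAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        throw 'samAccountName missing or malformed'
    }
    $outcome = Set-OnPremAccountEnabled -SamAccountName $body.samAccountName -Enabled ([bool]$body.enabled)
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::OK
        Body       = ($outcome | ConvertTo-Json)
    })
}
catch {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::BadRequest
        Body       = (@{ error = $_.Exception.Message } | ConvertTo-Json)
    })
}
```

Two least-privilege points matter more than the transport choice: the bind account should be delegated only "Write userAccountControl" on the OU that holds the accounts the Power App is allowed to touch, and the function endpoint should require an Entra-authenticated caller (App Service authentication or a validated bearer token) rather than an anonymous function key, because this function turns an HTTP request into a directory change.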