Azure AD Federation Services
17 Topics

Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”, either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy; currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.

General Question About Federation
Hello, We have a federated domain and to my knowledge this means that all authentication for this domain will be sent to ADFS and will not be directly handled in Azure Entra ID. Is the following statement correct: When I register an app in Entra ID the authentication will still be handed off to ADFS. (When my user types in [email address removed for privacy reasons], I will first go to Microsoft, which will then hand it off to ADFS.) Will there be any additional config required on the ADFS server for the registered application? If I would like to bypass this federated authentication, the only way to do this is to change it to a managed domain, removing the federation, or to do a staged rollout as described below: Microsoft Entra Connect: Cloud authentication via Staged Rollout - Microsoft Entra ID | Microsoft Learn

Federating multiple domains with Google Workspace (IdP)
We have 2 domains in our org, with these being added and verified in our Google Workspace and M365 tenants. We've set up federation between our Entra ID (SP) and Google Workspace (IdP) for one of our domains using the steps in this article. However, when repeating the same steps to add our other domain we run into the following error: New-MgDomainFederationConfiguration_CreateExpanded: Resource already exists. I've found this article, but it looks to be only applicable to on-prem AD and uses deprecated PowerShell modules (which don't work on Mac). Has anyone managed to federate multiple domains with Entra ID and Google Workspace?

Is it Possible to Create a Conditional Access Policy for Non-Interactive Sign-Ins Based on Location?
Hi everyone, I'm looking to create a Conditional Access policy in Azure AD that targets non-interactive sign-ins based on the user's location. Specifically, I want to restrict non-interactive logins if they originate from outside a specific geographic region. Is it possible to configure such a policy? If so, what are the necessary steps and considerations? Any guidance or documentation links would be greatly appreciated! Thanks!

Microsoft Entra Hybrid Join – Devices Stuck in "Pending" Status
Hello Team, We are facing an issue with our on-premises Active Directory (AD) integrated with Active Directory Federation Services (AD FS). We have correctly configured Microsoft Entra hybrid join using Microsoft Entra Connect, following the official documentation. However, we have observed that all our devices are showing up in Microsoft Entra devices with a status of "Pending", and this status remains unchanged indefinitely. To troubleshoot, we have already tried running the following command: dsregcmd /leave. After rebooting the PCs, the issue persists. Running the command below results in the following output:

C:\Users\abc> dsregcmd /debug /join
DsrCLI: logging initialized.
DsrCLI: logging initialized.
DsrCmdJoinHelper::Join: ClientRequestId: e58946ab-b851-1759-3658-69824b6857f
DsrCmdAccountMgr::IsDomainControllerAvailable: DsGetDcName success { domain:contoso.local forest:contoso.local domainController:\\dc1.contoso.local isDcAvailable:true }
PreJoinChecks Complete.
    preCheckResult: Join
    deviceKeysHealthy: undefined
    isJoined: undefined
    isDcAvailable: YES
    isSystem: YES
    keyProvider: undefined
    keyContainer: undefined
    dsrInstance: undefined
    elapsedSeconds: 1
    resultCode: 0x0
Automatic device join pre-check tasks completed.
TenantInfo::Discover: Call to DsrBeginDiscover failed before wait. 0x80070057
DsrCmdJoinHelper::Join: TenantInfo::Discover failed with error code 0x80070057.
DSREGCMD_END_STATUS
    AzureAdJoined : NO
    EnterpriseJoined : NO

We also ran the DSRegTool PowerShell script but did not encounter any significant errors. Given the error code 0x80070057 and the devices not registering with Azure AD, we suspect there could be an issue either with the tenant discovery process or with certain configuration steps that might have been overlooked. Has anyone encountered this error before or have any insights into further troubleshooting steps to resolve this issue? Any guidance would be greatly appreciated.
Thanks

Admin roles for external collaboration settings not working
We are attempting to grant access to the external collaboration settings in Entra to facilitate adding and removing domains. We've gone over all the documentation and tried every single role that supposedly grants this access, but none of them work. Those underlined below have some sort of domain-changing access according to Microsoft's documentation. Even with all these roles, the screen remains completely grayed out. Even on the Entra side of things, we can see all the respective roles assigned to the user, but it still doesn't work. Are we missing something here? Maybe some sort of dependency role for these other ones to work?

PIN authentication error after hybrid join
I have just rolled out hybrid join to several older devices in my company, which worked pretty well at first, and those devices also joined Intune right away. However, for some reason only today, the WHFB policy set in and required every user to set up a PIN. But authentication with the PIN does not work after the users reboot. We either get the errors 0xc00000BB or 0xc000005E. After several hours of googling, a pattern is starting to form that points to certificate errors. We currently don't have any Kerberos-KDC, SCPA, PKCS or PKI set up in our environment, and I'm honestly a little overwhelmed by the sheer documentation size revolving around this issue. Does hybrid Azure AD join only work with sophisticated certificate authentication in place? If so, is there an easy way to implement this?

AAD federated SSO downside?
We're looking to add our internal SSO as an AAD federated identity. If we do this, do we lose any of the AAD capabilities covered by P1 or P2? Conditional access, MFA, identity protection, risk event detection, PIM, etc. Does using AAD fully for IAM provide better IAM capabilities?

ADFS to AAD App Migration tool
Are you planning to migrate your applications from ADFS to Azure AD? The ADFS to AAD App Migration tool will help you in the planning phase and consists of three steps:

Collect: First, we collect the relying party applications from your ADFS server. This is done via a PowerShell module that must run on one of your ADFS servers, and it writes the configuration of each application to the file system as individual .XML files.

Analyze: Next, our PowerShell module will enumerate through the individual .XML files and check the configuration of various settings. This analysis can be done directly on your primary ADFS server or on a different ADFS server. However, it is necessary for ADFS to be installed to process the configuration.

Report: Finally, we produce an Excel report of your relying party applications that indicates which ones are eligible for migration to Azure AD and which ones are not, along with an explanation of why they cannot be migrated. To generate this report, Excel must be installed on the workstation or server being used.

Check it out: https://lnkd.in/engyW36s