The My Sign-Ins Portal, Applications, and Conditional Access
A recent change has exposed the applications used by the My Sign-ins portal for use in conditional access policies. This article discusses the app-centric nature of Microsoft 365 and Entra ID and why it’s important that the newly-revealed set of applications are available for conditional access processing, just in case the Entra ID agents planned by Microsoft can’t optimize your policies. https://office365itpros.com/2025/10/15/my-sign-ins-portal/External people can't open files with Sensitivity Label encryption.
Question: What are the best practices for ensuring external users can open files encrypted with Sensitivity Labels? Hi all. I've been investigating proper setup of sensitivity labels in Purview, and the impact on user experience. The prerequisites are simple enough, creating and configuring the labels reasonably straightforward, and publishing them is a breeze. But using them appears to be a different matter! Everything is fine for labels that don't apply encryption (control access) or when used internally. However, the problems come when labels do apply encryption and information is sent externally. The result is that we apply a label to a document, attach that document to an email, and send it externally - and the recipient says they can't open it and they get an error that their email address is not in our directory. This is because due to the encryption, the external user needs to authenticate back to our tenant, and if they're not in our tenant they obviously can't do this so the files won't open. So, back to the question above. What's the easiest / most secure / best way to add any user we might share encrypted content with to our tenant. As I see it we have the following options: Users have to request Admins add the user as a Guest in our tenant before they send the content. Let's face it, they'll not do this and/or get frustrated. Users share encrypted content directly from SharePoint / OneDrive, rather than attaching it to emails (as that would automatically add the external person as a Guest in the tenant). This will be fine in some circumstances, but won't always be appropriate (when you want to send them a point-in-time version of a doc). With good SharePoint setup, site Owners would also have to approve the share before it gets sent which could delay things. Admins add all possible domains that encrypted content might be shared with to Entra B2B Direct Connect (so the external recipient doesn't have to be our tenant). This may not be practical as you often don't know who you'll need to share with and we work with hundreds of organisations. The bigger gotcha is that the external organisation would also have to configure Entra B2B Direct Connect. Admins default Entra B2B Direct Connect to 'Allow All'. This opens up a significant attack surface and also still requires any external organisation to configure Entra B2B Direct Connect as well. I really want to make this work, but it need to be as simple as possible for the end users sharing sensitive or confidential content. And all of the above options seem to have significant down-sides. I'm really hoping someone who uses Sensitivity Labels on a day-to-day basis can provide some help or advice to share their experiences. Thanks, Oz.Creating a Comprehensive Inactive Guest Account Report
Many examples of how to report inactive Entra ID guest accounts with PowerShell are available on the internet, but they're all flawed because they make decisions based on the last sign in. That's a shortsighted method because it doesn't take guest activity into account. This article explains how to combine audit data with sign-in data to create an enhanced view of guest account activity so that intelligent decisions can be made to keep or retain the accounts. https://practical365.com/inactive-guest-account-report/
Azure AD Health Failing
I am on the latest version of Azure AD Connect (2.5.79.0)... There are no network/DNS/connectivity issues at our site, it seems to me that Azure AD Health Service is having trouble because the endpoint is experiencing a service issue.. Is anyone else having the same problem with failure alerts/etc? I checked by running "Test-MicrosoftEntraConnectHealthConnectivity -Role SYNC" command, the stack trace throws an undocumented error number and complains of rate limiting issues... smells like the server is being overwhelmed or there are other issues slowing down the endpoint/service with the consequence that connections are piling up causing this error: Connectivity Test Step 1 of 2: Testing dependent service endpoints begins ... AAD CDN connectivity is skipped. Connecting to endpoint https://login.microsoftonline.com Endpoint validation for https://login.microsoftonline.com is Successful. Connecting to endpoint https://s1.adhybridhealth.azure.com/providers/Microsoft.ADHybridHealthService/diagnostics/version Endpoint validation for https://s1.adhybridhealth.azure.com/providers/Microsoft.ADHybridHealthService/diagnostics/version is Successful. Connectivity Test Step 1 of 2 - Testing dependent service endpoints completed successfully. Connectivity Test Step 2 of 2 - EventHub data upload procedure begins ... Tenant Id is successfully collected during agent registration. Server rejected Eventhub data upload, here is the exception: Microsoft.ServiceBus.Messaging.ServerBusyException: The request was terminated because the entity is being throttled. Error code : 50002. Sub error : 101. Please wait 4 seconds and try again. To know more visit https://aka.ms/sbResourceMgrExceptions and https://aka.ms/ServiceBusThrottlingS:N:ADHSPRODWUSEHSYNCIA:EVENTHUB:ADHSPRODWUSEHSYNCIA~22527,CL:30,CC:32,ACC:356250,LUR:WinEnd,LUT:2025-10-08T03:03:12.2035867Z,RC:1 TrackingId:<<< anonymized tracking ID>>> 0, SystemTracker:adhsprodwusehsyncia:eventhub:adhsprodwusehsyncia~22527, Timestamp:2025-10-08T03:03:13 at Microsoft.ServiceBus.Common.ExceptionExtensions.ThrowException(Exception exception) at Microsoft.ServiceBus.Common.AsyncResult.End[TAsyncResult](IAsyncResult result) at Microsoft.ServiceBus.Messaging.EventHubSender.Send(EventData data) at Microsoft.Identity.Health.AgentV1.ConfigurationPowerShell.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure() Azure AD Connect Health agent could not communicate to the Health Service using port 5671. As a result, agent communication will fall back to use port 443, but use of port 5671 is recommended. Please allow outbound communication using port 5671. Tenant Id is successfully collected during agent registration. Server rejected Eventhub data upload, here is the exception: Microsoft.ServiceBus.Messaging.ServerBusyException: The request was terminated because the entity is being throttled. Error code : 50002. Sub error : 101. Please wait 4 seconds and try again. To know more visit https://aka.ms/sbResourceMgrExceptions and https://aka.ms/ServiceBusThrottlingS:N:ADHSPRODWUSEHSYNCIA:EVENTHUB:ADHSPRODWUSEHSYNCIA~22527,CL:30,CC:32,ACC:356837,LUR:IncomingUsage_ADHSPRODWUSEHSYNCIA-5,LUT:2025-10-08T03:03:54.9448143Z,RC:1 TrackingId:<<< anonymized tracking ID>>>, SystemTracker:adhsprodwusehsyncia:eventhub:adhsprodwusehsyncia~22527, Timestamp:2025-10-08T03:04:00 at Microsoft.ServiceBus.Common.ExceptionExtensions.ThrowException(Exception exception) at Microsoft.ServiceBus.Common.AsyncResult.End[TAsyncResult](IAsyncResult result) at Microsoft.ServiceBus.Messaging.EventHubSender.Send(EventData data) at Microsoft.Identity.Health.AgentV1.ConfigurationPowerShell.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure() Azure AD Connect Health agent could not communicate to the Health Service using port 5671. As a result, agent communication will fall back to use port 443, but use of port 5671 is recommended. Please allow outbound communication using port 5671.Entra Agents are Promising but Could do More
Microsoft's Alex Simons came to the TEC 2025 conference to talk about the future of Entra ID, a lot of which hangs on the use of AI in components like the Entra agents that are now in preview. The idea of using agents to relieve hard-pressed human administrators is great, but only if those agents do more than a skilled human administrator can do, and that's not the case so far. https://practical365.com/entra-agents-could-do-more/
Inquiry Regarding Existing Microsoft Applications for End-to-End Operational Management
I would like to inquire whether Microsoft offers any pre-built, production-ready applications—preferably within the Dynamics 365 ecosystem—that are currently in use by customers and proven to be stable, which support the following functionalities: Work Order Management Operational Management Production Planning and Control Resource Management Asset Management Quality Management Inventory Management Barcode Scanning for real-time job tracking (start/finish) Profitability and Financial Reporting Hours Variation Analysis( Planned Vs Actual) Cost Variation Analysis( Planned Vs Actual) We are seeking a solution that integrates these capabilities into a unified platform, ideally with real-time data capture and reporting features. If such a solution exists, we would appreciate details regarding its availability, deployment options, licensing, and customer success stories. Looking forward to your guidanceMicrosoft Introduces Restore Capability for Conditional Access Policies
New Graph APIs allow Entra administrators to restore a conditional access policy with a Graph request. This article explains how to list, restore, and permanently remove soft-deleted conditional access policies using Graph API requests run in PowerShell. Being able to restore conditional access policies removed in error closes a big gap, especially if agents might begin working on policies. Who knows what errors might happen in future. https://office365itpros.com/2025/10/03/restore-a-conditional-access-policy/Updating the User Password and Authentication Report
A change to a Graph beta API meant that some data used to create the user password and authentication report was no longer available. An update was required for the PowerShell script. The experience underlines the truth that developers should not rely on the Graph beta APIs because the APIs are prone to change at any time as Microsoft moves them along to become production-ready. https://office365itpros.com/2025/09/23/password-and-authentication-report/Entra Group Source of Authority CONVERSION: Enabling Cloud-First Identity Management
As organizations modernize their identity infrastructure, Microsoft Entra’s Group Source of Authority (SOA) Conversion feature enables a granular migration of group management from on-premises AD to Microsoft Entra ID without disabling sync or rearchitecting the entire directory. What Is Group Source of Authority? Group SOA defines where a group object is mastered either in on-prem AD or in Entra ID. With SOA conversion, administrators can selectively convert AD-synced groups into cloud-native groups, making them editable and governable directly in Entra ID. Permissions Required To perform SOA conversion, the following Microsoft Entra roles and Graph API permissions are required: Hybrid Administrator: Required to call Microsoft Graph APIs to read and update SOA of groups. Application Administrator or Cloud Application Administrator: Required to grant user consent to the app or Graph Explorer. Graph API Permission Scope: Group-OnPremisesSyncBehavior.ReadWrite.All must be granted to the app calling the onPremisesSyncBehavior endpoint. Prerequisites Before initiating SOA conversion, ensure the following: Licensing Microsoft Entra Free or Basic license is sufficient. Sync Clients Microsoft Entra Connect Sync: Minimum version 2.5.76.0 Microsoft Entra Cloud Sync: Minimum version 1.1.1370.0 Group Eligibility Groups must not be mail-enabled or tied to Exchange on-premises (DLs or MESGs). If provisioning back to AD is planned, change group scope to Universal. How to Convert Group SOA from AD to Entra Here’s a simplified step-by-step guide: Identify Target Groups Use Entra Admin Center or Graph Explorer to list synced groups. Confirm they are not Exchange-dependent. Grant Permissions Use Graph Explorer or your app registration to grant Group-OnPremisesSyncBehavior.ReadWrite.All. Execute SOA Conversion If we see Group1, which is in scope of conversion is synchronized from on-prem. Execute the below from Graph Explorer to convert “Group1” to cloud managed PATCH https://graph.microsoft.com/beta/groups/{group-id}/OnPremisesSyncbehavior { "isCloudManaged": true } We can verify the change by executing below query on Graph API Explorer This marks the group as cloud-managed. AD sync will stop honoring changes to this group. Validate Conversion Confirm blockOnPremisesSync = true in the Entra Admin Center. Use audit logs to verify the change. Apply Governance Apply lifecycle policies, access reviews, and provisioning rules using Entra ID Governance. Use Cases: Migrating from On-Prem to Cloud Use Case 1: Retiring Legacy AD Groups Scenario: A customer has migrated all mailboxes to Exchange Online and no longer needs certain AD groups. Solution: Convert those groups to cloud-native Entra ID groups and delete them from AD, reducing footprint and simplifying governance. Use Case 2: Governing On-Prem Apps from the Cloud Scenario: A customer uses AD security groups to secure on-prem apps (e.g., Kerberos-based apps). Solution: Convert the group SOA to Entra ID, apply governance policies, and use Group Provision to AD to sync cloud-managed groups back to AD. Use Case 3: Migrating DLs and MESGs to Cloud Scenario: A customer wants to migrate all distribution lists and mail-enabled security groups to the cloud. Solution: Convert SOA to Entra ID, recreate mail-enabled groups in Exchange Online, and decommission AD-based mail groups. Use Case 4: Enabling Access Reviews Scenario: A federal customer wants to run access reviews on group memberships but the groups are AD-synced. Solution: Convert SOA to Entra ID, enabling full access review capabilities and lifecycle workflows. Use Case 5: Hybrid Identity Cleanup Scenario: A customer is migrating from Entra Connect Sync to Cloud Sync and wants to clean up group sprawl. Solution: Use SOA conversion to move group management to the cloud, then decommission legacy sync rules and OUs. Strategic Impact Group SOA Conversion is more than a technical enhancement, it’s a strategic enabler for identity modernization. It supports: AD DS minimization: Shrinking on-prem footprint. Cloud-first governance: Centralized access control and lifecycle management. Phased migration: Avoiding disruption while modernizing.Automating Microsoft 365 with PowerShell Second Edition
The Office 365 for IT Pros team are thrilled to announce the availability of Automating Microsoft 365 with PowerShell (2nd edition). This completely revised 350-page book delivers the most comprehensive coverage of how to use Microsoft Graph APIs and the Microsoft Graph PowerShell SDK with Microsoft 365 workloads (Entra ID, Exchange Online, SharePoint Online, Teams, Planner, and more). Existing subscribers can download the second edition now free of charge. https://office365itpros.com/2025/06/30/automating-microsoft-365-with-powershell2/
