Azure AD
434 Topics

Dynamic group based on custom security attribute
Can anyone answer this question? Can or should I be able to create a dynamic group filtering on a custom security attribute? Yes, I know you can filter based on extensionAttribute1-15; however, I have noted that accounts created in Entra don't appear to have the option to view extension attributes, plus these come from an on-prem created account. So the questions are: Can I create a dynamic group using a custom security attribute, and if so how, because the custom attributes don't show up in the Property options when creating the dynamic group query? How can I add to the extension attributes for non on-prem synced accounts (accounts created in Entra)?

Microsoft Authenticator Passkeys for Entra ID on unmanaged devices
Hello, has anyone successfully registered passkeys on an unmanaged phone in an organisation with device compliance policies? Use case is to provide a phishing-resistant MFA option via the Authenticator app for logging into apps on their desktop. Users already have the Authenticator app on their phone and do number matching MFA. https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-authenticator?tabs=iOS When I select "Create a passkey", I need to log into my account. However, I'm blocked from successful authentication because I have conditional access policies to require compliant devices. As my mobile phone is not enrolled into Intune, I never get to the step where the passkey is created and registered. Based on the constraints, it seems like passkeys cannot be used for unmanaged/BYOD devices for organisations that have device compliance policies. It can only be used for users who have enrolled their mobile phone. Looking to see if anyone has tips or a different experience using passkeys on unmanaged mobile phones to log into Entra?

Can't use a SPN in a PowerBi dashboard to access SharePoint lists
Hoping you can help with an ongoing issue I have. I have a PowerBi dashboard I built using a regular account to fetch some SharePoint lists and uploaded it to PowerBi for others to view. Now in the PowerBi portal I want to change the credential from my account to an SPN. I've read what feels like a thousand articles describing the process to create the SPN, 99% all the same. Yet when I go into the PowerBi portal, edit the semantic model for the dashboard, click edit credentials, select Service Principal, put in the tenant ID, the Service principal ID (yes, using the app ID; in fact I tried everything), the service principal key (the secret) and choose any privacy level, it fails 100% of the time. Error is: Failed to update data source credentials: The credentials provided for the SharePoint source are invalid. Same error regardless of what privacy level I choose. I'm sure the secret is correct also. Just for fun I tried the Secret ID and the Object ID in place of the Application ID for the Service principal ID field. All failed with the same error. I'm sure the secret is correct also. The SPN has Graph Sites.Read.All, Graph User.Read and SharePoint Sites.Read.All API permissions configured. All are consented. Everything seems right but gives me the error "failed to retrieve oauth token" 100% of the time. Am I missing something else? More API permissions maybe? Do I still need to actually add the SPN to the SharePoint site itself even though it has API permission SharePoint Sites.Read.All? I've done days of research and all I find is lots of people with the same or a similar issue but no resolution. Is this a bug? Help me, I'm desperate to get this fixed or I'm going to have to allow people to bypass MFA across my organization, which I can't have.

Practical Graph: Combining Sign In Activity and App Detail in a User Report
Often tenants create user sign-in reports based on the sign-in data held in user account properties. This article explains how to supplement that information with insights about the apps users sign into using sign-in audit logs. The combined information is more valuable than simply knowing when someone last successfully signed in. https://practical365.com/sign-in-audit-logs-app-report/

Is PIM any good?
I'm planning a PIM implementation and am trying to understand a few things about PIM and certain recommendations. I have an OnPrem\Entra hybrid environment. I have many servers hosted both on prem in the on-prem AD and in Azure. In traditional on-prem environments this segregation has typically been achieved using separate admin accounts. This gives you some segregation and protection in case an account was compromised. I'll accept it's not bullet proof, but a lot of things would have to work in the right order for a bad actor to compromise a separate admin account. I've read and heard MS guys (probably driving license sales) saying that's not the right way anymore and JIT is the right way. Which of course requires a license. I'm looking for opinions or observations from experience for the following: Why is doing one account (possibly the regular user account in a hybrid environment) with PIM better than having a regular and an admin account? Why not have a separate admin account with PIM implemented on the admin account in Entra? I can't see how this would be less secure than just one account with PIM. One argument I heard was you can require MFA to activate the access. Well, right now I just use CA policies to require MFA for any use of a role I have nominated (portal\cli\PowerShell etc). How is Entra JIT with one account better than still having an admin account and requiring MFA for them to log onto any of the admin portals to use their privileged access? Another concern I have is controlling who is assigned to the roles. Right now I can add them one by one to the role in PIM, but our MSP (who does the bulk of the management) wants to add a group to each role assignment and then they add people to the group to inherit the assignment of the role. For many reasons I can't go into, there are large numbers of people who are in the group admin role.
This basically means any of them could elevate their or someone else's access into an Entra role if I'm using groups to assign groups to roles. What if they start nesting groups into other groups and suddenly Domain Users has been nested and has Global Admin? How do I police this?

Microsoft O365 Auto Login
I want to set up auto-login for the O365 desktop application. When a user logs in to an on-premises AD-joined device, the O365 application should automatically log in with their AAD credentials. I have an AAD subscription, and user sign-in is configured with password hash synchronization. Additionally, I have enabled SSO on the Azure AD Connect application. Please note that the end-user devices are not Azure AD-joined.

Cannot reset password for user converted from Active Directory synched to cloud only
Hi everyone, checking the audit logs of a few involved users we noticed the same error: Synchronization Engine returned an error hr=80230405 message=The operation failed because the object cannot be found OnPremisesAgent: AADConnect This error sounds strange to us since we are talking about Cloud-Only resources with no entry in the AD-DS system. Thanks.

Find Unused Guest Accounts with PowerShell
Given the widespread use of guest accounts within Microsoft 365 to allow external sharing of resources, it's almost inevitable that some unused guest accounts exist in any Microsoft 365 tenant. Identifying unused guest accounts is a good management practice. If the accounts serve no purpose, why keep them? This article explores how to find unused guest accounts. What you do with them later is up to you. https://practical365.com/find-unused-guest-accounts/

Add EXTERNAL Teams account details to a contact in the GAL
We collaborate a lot with another company who have their own tenant. When we want to message an "external" user in Teams we have not messaged before, we must first search and type in the full email address, then select "(External)" to message them. We also have these same users as contacts in our GAL for email. The problem we have is that when you start searching for the user, the GAL contact comes up first, and users think that this is the correct Teams user account, so they select this instead of typing further to bring up the real external account. If they do make it as far as typing out the full email address, then two users show up, one from the GAL and one with "(external)" in it. This is not a great user experience. We'd like to know if there is a way in which we can import the external user to our GAL, or if we can populate the GAL contact with the Teams attributes of the external user. The end goal is to have a GAL contact which the user can click to message in Teams. Has anyone come across this before and has a solution?