Azure AD
276 Topics

Why Are Per-User MFA Settings Available in the Entra Admin Center?
A reader asked why the Entra admin center includes an option to manage per-user MFA settings for accounts. I don’t know why Microsoft added this option, but it doesn’t take away from the strategy to enforce and manage multifactor authentication through conditional access policies. Microsoft has been very focused on CA policies for the last few years and per-user MFA will eventually be subsumed into the CA strategy. https://office365itpros.com/2024/10/30/per-user-mfa-entra-admin/

How to Force Users to Sign in Weekly
A recent question asked how to force users to reauthenticate at 7AM every Monday. The solution seems to revoke access for user accounts. This article describes how to create an Azure automation runbook (PowerShell script) to find target accounts and revoke their access. By linking the runbook to an automation schedule, we can make sure that revocation happens at the desired time. https://office365itpros.com/2024/10/23/revoke-access-for-user-accounts/

How to Set Directory Synchronization Features with the Graph
Directory synchronization features control how the Entra Connect tool works when synchronizing accounts from Active Directory to Entra ID. The current advice is to use a cmdlet from the deprecated MSOL module to update settings. This article explains how to do the job with the Graph APIs, including cmdlets from the Entra PowerShell module. https://office365itpros.com/2024/10/24/directory-synchronization-features/

Restrict access to a Form to include external users in our tenant?
Hello, I'm setting up an automation where a Form response triggers a Power Automate Flow that updates a non-critical value in Business Central records. It works well except that I want the form to be non-public but to still be usable for people that are from different tenants but added as guests or members in our Entra. I haven't found what kind of setup and changes I need to make for this to be possible; I feel like it's either people within my domain or public, nothing in between. Is there really no way to restrict access to exclude public and anonymous users but include users from external tenants invited into my domain? This is the current Entra setup for the kind of user I want to be able to access the form. I have tried with both user type Guest and Member but no change. Thank you

Per-User MFA State Added to Tenant Passwords and MFA Report
A Microsoft Graph update makes per-user MFA state available for user accounts. Being able to access the data means that we can include it in the User Passwords and Authentication report. You can now see if accounts are disabled, enabled, or enforced for per-user MFA along with all the other information captured about password changes, MFA authentication methods, and so on. https://office365itpros.com/2024/06/14/per-user-mfa-state/

Feature request - note field for AAGUID
Dear Microsoft Team, I am writing to request a feature enhancement for MS Entra. Specifically, it would be highly beneficial to have a note field associated with each enabled AAGUID. Currently, it is challenging to identify the device corresponding to each AAGUID. Adding this feature would greatly improve the usability and management of devices within MS Entra. Thank you for considering this request. I look forward to your response. Best regards, Martin

Unable to authenticate in Copilot Studio despite configuring in Azure AD & Copilot security settings
Hello guys, I intend to set up Copilot Studio to give answers from the connected SharePoint site using Generative AI. I followed the steps detailed in these two links for setting up manual authentication:
https://learn.microsoft.com/en-us/microsoft-copilot-studio/configuration-end-user-authentication#authenticate-manually
https://learn.microsoft.com/en-us/microsoft-copilot-studio/configuration-authentication-azure-ad
So as per the recommendations, I have done the following:
- Set up app registration
- Granted admin consent to the app
- Copied the client id and secret (to paste into the chatbot configuration)
- Published the chatbot after setting "manual authentication" (Requires sign in)
Now when I try to interact with the chatbot (in the chat window), it asks me to sign in. When I click "sign in", it asks me to copy a code. When I do that, it keeps showing the "please sign in" prompt over and over again, instead of letting me in.
1. I am already signed in to Copilot Studio using the intended user account.
2. Here are the settings in the "Security" section in Copilot Studio.
3. Here are the settings in AAD.
4. However, when I publish the bot and try to interact with it, it keeps prompting me with the below screen (to enter an access code to sign in). If I click "login" below, it asks me to copy a code. Then if I copy and put the code into the chat, it comes back to the below screen and keeps prompting me the same as below.
5. Also in Azure, I have ensured the admin has consented to the following. Here is the scope.
Can you please advise what it is that I am missing?

SSO issues in Word and Excel, but not Outlook
Hi, Strange issue started a month ago at a customer site. They use RDS with Office 365 installed. Historically this has been working fine, then it randomly stopped signing in properly for all users. We can't pin it down to anything specific however. Network / User / Settings all look good. What is strange is on first login to Outlook, it says it's done SSO but says unlicensed. A simple restart then would show it licensed. We have managed to work round that issue by saving the license folder \appdata\local\microsoft\office\ to the UPD. So for this, a month ago, new and existing users would just sign in and it worked. Then something changed and users were being asked to sign in every time. So we have made this change to include \appdata\local in the UPD - now users only see this problem once (a month). While not as good as it was a month ago, it is acceptable. However, and this is what I need help with, SSO is NOT working at all from Word / Excel:
- Open Word
- Blank Microsoft Sign In box pops up.
- You have to type username and hit enter
- You then have to type your password and hit Sign In
- That popup then goes away, but at the top right of Word, it still shows "Sign In". When you go to Account, it still has a Sign in box.
- BUT... if you now close and reopen Word, both of those show the signed in user.
The problem here is that this doesn't persist over the UPD, so it happens every time the users open Word or Excel. As this is used by a business app to open docs, it's actually breaking the process and we need to fix this. I have been having a look at SSO info, because it feels like something fairly low level has changed with how this works, but can't find anything helpful, hence posting here after about a month of searching and trying things.
It's not very helpful when you have MS links like: How to use Remote Connectivity Analyzer to troubleshoot single sign-on issues for Microsoft 365, Azure, or Intune https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/active-directory/single-sign-on-issues "How to run Remote Connectivity Analyzer to test SSO authentication. To run Remote Connectivity Analyzer to test SSO authentication, follow these steps: Open a web browser, and then browse to https://www.testconnectivity.microsoft.com/tests/SingleSignOn/input." However, that page just hangs with LOADING written on it. Then in the change notes for this page we see that it was removed in 2022! "Version 4.0.15 (October 2022): Removed the Single Sign-on Test now that basic authentication in Exchange Online is being disabled."
Quick note on the setup. AD is synced to Entra using Entra Connect (Password Hash Sync + SSO enabled), latest version. SSO URLs are added to Internet trusted sites as per setup instructions. Network has been tested and all URLs accessible and working for the user. User is on RDS on fully updated Server 2016 and is on the latest Office 365 app updates.
So I guess my first question is:
1) Does SSO still work for Word and Excel? Is it a realistic expectation that the user will sign in to the PC and then Word and Excel will automatically sign in for the user (proper seamless single sign on) like it was doing only a month or so ago?
2) What can I do to test and troubleshoot this if it should be working? I have been trying for a month, so I have already tried a lot of things. But maybe I am missing some tests?
Any info to help get this working again (or that it's no longer possible and we missed that instruction from MS) would be ideal. Thanks in advance

The New Entra ID Photo Update Settings Policy for User Profile Photos
A new Entra ID photo update settings policy aims to cure the mish-mash of existing settings controlling how user profile photos are updated in Microsoft 365. The new policy is based on a Microsoft Graph resource. Work is needed to update clients to respect the policy settings and take over from current controls, like the OWA mailbox policy. https://office365itpros.com/2024/09/16/photo-update-settings-policy/