The My Sign-Ins Portal, Applications, and Conditional Access
A recent change has exposed the applications used by the My Sign-ins portal for use in conditional access policies. This article discusses the app-centric nature of Microsoft 365 and Entra ID and why it’s important that the newly-revealed set of applications are available for conditional access processing, just in case the Entra ID agents planned by Microsoft can’t optimize your policies. https://office365itpros.com/2025/10/15/my-sign-ins-portal/External people can't open files with Sensitivity Label encryption.
Question: What are the best practices for ensuring external users can open files encrypted with Sensitivity Labels? Hi all. I've been investigating proper setup of sensitivity labels in Purview, and the impact on user experience. The prerequisites are simple enough, creating and configuring the labels reasonably straightforward, and publishing them is a breeze. But using them appears to be a different matter! Everything is fine for labels that don't apply encryption (control access) or when used internally. However, the problems come when labels do apply encryption and information is sent externally. The result is that we apply a label to a document, attach that document to an email, and send it externally - and the recipient says they can't open it and they get an error that their email address is not in our directory. This is because due to the encryption, the external user needs to authenticate back to our tenant, and if they're not in our tenant they obviously can't do this so the files won't open. So, back to the question above. What's the easiest / most secure / best way to add any user we might share encrypted content with to our tenant. As I see it we have the following options: Users have to request Admins add the user as a Guest in our tenant before they send the content. Let's face it, they'll not do this and/or get frustrated. Users share encrypted content directly from SharePoint / OneDrive, rather than attaching it to emails (as that would automatically add the external person as a Guest in the tenant). This will be fine in some circumstances, but won't always be appropriate (when you want to send them a point-in-time version of a doc). With good SharePoint setup, site Owners would also have to approve the share before it gets sent which could delay things. Admins add all possible domains that encrypted content might be shared with to Entra B2B Direct Connect (so the external recipient doesn't have to be our tenant). This may not be practical as you often don't know who you'll need to share with and we work with hundreds of organisations. The bigger gotcha is that the external organisation would also have to configure Entra B2B Direct Connect. Admins default Entra B2B Direct Connect to 'Allow All'. This opens up a significant attack surface and also still requires any external organisation to configure Entra B2B Direct Connect as well. I really want to make this work, but it need to be as simple as possible for the end users sharing sensitive or confidential content. And all of the above options seem to have significant down-sides. I'm really hoping someone who uses Sensitivity Labels on a day-to-day basis can provide some help or advice to share their experiences. Thanks, Oz.Creating a Comprehensive Inactive Guest Account Report
Many examples of how to report inactive Entra ID guest accounts with PowerShell are available on the internet, but they're all flawed because they make decisions based on the last sign in. That's a shortsighted method because it doesn't take guest activity into account. This article explains how to combine audit data with sign-in data to create an enhanced view of guest account activity so that intelligent decisions can be made to keep or retain the accounts. https://practical365.com/inactive-guest-account-report/
Azure AD Health Failing
I am on the latest version of Azure AD Connect (2.5.79.0)... There are no network/DNS/connectivity issues at our site, it seems to me that Azure AD Health Service is having trouble because the endpoint is experiencing a service issue.. Is anyone else having the same problem with failure alerts/etc? I checked by running "Test-MicrosoftEntraConnectHealthConnectivity -Role SYNC" command, the stack trace throws an undocumented error number and complains of rate limiting issues... smells like the server is being overwhelmed or there are other issues slowing down the endpoint/service with the consequence that connections are piling up causing this error: Connectivity Test Step 1 of 2: Testing dependent service endpoints begins ... AAD CDN connectivity is skipped. Connecting to endpoint https://login.microsoftonline.com Endpoint validation for https://login.microsoftonline.com is Successful. Connecting to endpoint https://s1.adhybridhealth.azure.com/providers/Microsoft.ADHybridHealthService/diagnostics/version Endpoint validation for https://s1.adhybridhealth.azure.com/providers/Microsoft.ADHybridHealthService/diagnostics/version is Successful. Connectivity Test Step 1 of 2 - Testing dependent service endpoints completed successfully. Connectivity Test Step 2 of 2 - EventHub data upload procedure begins ... Tenant Id is successfully collected during agent registration. Server rejected Eventhub data upload, here is the exception: Microsoft.ServiceBus.Messaging.ServerBusyException: The request was terminated because the entity is being throttled. Error code : 50002. Sub error : 101. Please wait 4 seconds and try again. To know more visit https://aka.ms/sbResourceMgrExceptions and https://aka.ms/ServiceBusThrottlingS:N:ADHSPRODWUSEHSYNCIA:EVENTHUB:ADHSPRODWUSEHSYNCIA~22527,CL:30,CC:32,ACC:356250,LUR:WinEnd,LUT:2025-10-08T03:03:12.2035867Z,RC:1 TrackingId:<<< anonymized tracking ID>>> 0, SystemTracker:adhsprodwusehsyncia:eventhub:adhsprodwusehsyncia~22527, Timestamp:2025-10-08T03:03:13 at Microsoft.ServiceBus.Common.ExceptionExtensions.ThrowException(Exception exception) at Microsoft.ServiceBus.Common.AsyncResult.End[TAsyncResult](IAsyncResult result) at Microsoft.ServiceBus.Messaging.EventHubSender.Send(EventData data) at Microsoft.Identity.Health.AgentV1.ConfigurationPowerShell.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure() Azure AD Connect Health agent could not communicate to the Health Service using port 5671. As a result, agent communication will fall back to use port 443, but use of port 5671 is recommended. Please allow outbound communication using port 5671. Tenant Id is successfully collected during agent registration. Server rejected Eventhub data upload, here is the exception: Microsoft.ServiceBus.Messaging.ServerBusyException: The request was terminated because the entity is being throttled. Error code : 50002. Sub error : 101. Please wait 4 seconds and try again. To know more visit https://aka.ms/sbResourceMgrExceptions and https://aka.ms/ServiceBusThrottlingS:N:ADHSPRODWUSEHSYNCIA:EVENTHUB:ADHSPRODWUSEHSYNCIA~22527,CL:30,CC:32,ACC:356837,LUR:IncomingUsage_ADHSPRODWUSEHSYNCIA-5,LUT:2025-10-08T03:03:54.9448143Z,RC:1 TrackingId:<<< anonymized tracking ID>>>, SystemTracker:adhsprodwusehsyncia:eventhub:adhsprodwusehsyncia~22527, Timestamp:2025-10-08T03:04:00 at Microsoft.ServiceBus.Common.ExceptionExtensions.ThrowException(Exception exception) at Microsoft.ServiceBus.Common.AsyncResult.End[TAsyncResult](IAsyncResult result) at Microsoft.ServiceBus.Messaging.EventHubSender.Send(EventData data) at Microsoft.Identity.Health.AgentV1.ConfigurationPowerShell.TestAzureADConnectHealthConnectivity.TestInsightServiceDataUploadProcedure() Azure AD Connect Health agent could not communicate to the Health Service using port 5671. As a result, agent communication will fall back to use port 443, but use of port 5671 is recommended. Please allow outbound communication using port 5671.Entra Agents are Promising but Could do More
Microsoft's Alex Simons came to the TEC 2025 conference to talk about the future of Entra ID, a lot of which hangs on the use of AI in components like the Entra agents that are now in preview. The idea of using agents to relieve hard-pressed human administrators is great, but only if those agents do more than a skilled human administrator can do, and that's not the case so far. https://practical365.com/entra-agents-could-do-more/Microsoft Introduces Restore Capability for Conditional Access Policies
New Graph APIs allow Entra administrators to restore a conditional access policy with a Graph request. This article explains how to list, restore, and permanently remove soft-deleted conditional access policies using Graph API requests run in PowerShell. Being able to restore conditional access policies removed in error closes a big gap, especially if agents might begin working on policies. Who knows what errors might happen in future. https://office365itpros.com/2025/10/03/restore-a-conditional-access-policy/Updating the User Password and Authentication Report
A change to a Graph beta API meant that some data used to create the user password and authentication report was no longer available. An update was required for the PowerShell script. The experience underlines the truth that developers should not rely on the Graph beta APIs because the APIs are prone to change at any time as Microsoft moves them along to become production-ready. https://office365itpros.com/2025/09/23/password-and-authentication-report/Automating Microsoft 365 with PowerShell Second Edition
The Office 365 for IT Pros team are thrilled to announce the availability of Automating Microsoft 365 with PowerShell (2nd edition). This completely revised 350-page book delivers the most comprehensive coverage of how to use Microsoft Graph APIs and the Microsoft Graph PowerShell SDK with Microsoft 365 workloads (Entra ID, Exchange Online, SharePoint Online, Teams, Planner, and more). Existing subscribers can download the second edition now free of charge. https://office365itpros.com/2025/06/30/automating-microsoft-365-with-powershell2/What’s the Best Way to Manage Guest Accounts?
Guest account management should be a part of every Microsoft 365 tenant administrator’s checklist, unless the tenant has no guests. That’s possible but given the way that workloads like Teams and SharePoint Online create new guest accounts, the average tenant is likely to have quite a few guests. The question is how to manage guests – with Microsoft’s tools or using tenant-designed PowerShell scripts? https://office365itpros.com/2025/09/18/guest-account-management/
SSPR for synced account failed — error: OnPremisesUserNotFound
Hello, I’m encountering the following error for all synchronized accounts when attempting to use Self-Service Password Reset (SSPR): Error: OnPremisesUserNotFound Details: Synchronization Engine returned an error hr=80230405, message: "The operation failed because the object cannot be found." Here are some details about the current setup: The Entra ID Connect agent is running without any errors. The service account used for synchronization has the necessary permissions. Password writeback is enabled. All synchronized accounts have a P1 license. SSPR is enabled for all users. Could you please assist me in resolving this issue? Thank you,
