Azure AD

Entra ID to Disable Service Principal-Less Authentication
Microsoft will disable service principal-less authentication in March 2026. This step closes a hole that doesn’t exist today but might in the future. The strange thing is that many Microsoft 365 applications seem to use service principal-less authentication. Microsoft will take care of first-party apps before March 2026, but there’s work to do for apps from other vendors. https://office365itpros.com/2025/04/15/service-principal-less-auth/

Microsoft Attempts to Fix Microsoft Graph PowerShell SDK Problem with Azure Automation
V2.26 and V2.26.1 of the Microsoft Graph PowerShell SDK were low-quality, buggy disasters. Microsoft aims to fix the problem in the next version to make it possible for the SDK to work with Azure Automation runbooks again and address many of the obvious problems that should never have appeared outside Microsoft. It will take time for customer confidence to be restored. https://office365itpros.com/2025/04/14/microsoft-graph-powershell-sdk-2261/

Recover a Domain from an Old Microsoft 365 Test Tenant
Hi everyone, I’m trying to register my domain abc.com in a new Microsoft 365 tenant, but I’ve discovered that it was previously associated with a test tenant set up by a former colleague. I no longer have access to that old tenant and would like to reclaim the domain so I can use it in my current M365 environment. Has anyone tried any alternatives in addition to Microsoft support? Can Microsoft release the domain if I can prove ownership (via DNS or registrar)? Has anyone dealt with a similar situation, and how long does the process usually take? Appreciate any guidance or shared experiences! Thanks in advance.

CA policy for corporate devices
I would like to create a conditional access policy to block all non-corporate devices from accessing Office 365 resources. I created a policy:
Applies to -> User Group
Applies to -> all resources
Applies to -> Win 10
Filter for devices exception -> Ownership: company & trust type: Entra Hybrid joined.
Action: block
The above works fine for Office desktop login, i.e. it blocks non-corporate devices and allows corporate devices. However, a side effect is that sign-ins from a browser on a corporate device are still blocked.

Bringing Artificial Intelligence to Entra ID Conditional Access
The Conditional Access Optimization Agent is one of 6 Security Copilot agents unveiled by Microsoft on March 24, 2025. The idea is that the agent can optimize CA policies by observing the connectivity behavior within a tenant. The agent can suggest how to fill gaps in CA coverage, detect new users and apps, and generally be helpful. Is it worth it? Experience will tell… https://office365itpros.com/2025/04/04/conditional-access-optimization/

Duplicate Mail User Objects Created for Guest Accounts
The February 2025 EX1015484 incident explains why mail user objects with duplicate SMTP addresses are created for guest accounts. That’s a problem because Exchange Online can’t route messages to objects with duplicate email addresses. Fortunately, you can find out if any duplicates exist in your tenant with some PowerShell. It's a good opportunity to remind ourselves of the relationship between Entra ID guest accounts and Exchange Online mail user objects. https://office365itpros.com/2025/03/28/ex1015484-problem/

User with hundreds of Interactive Sign-In log entries that are "Interrupted"
I have one user in our organization who has hundreds of Interactive Sign-in logs in Entra ID that are marked as "Interrupted". I don't even know where to start with the user. Does anyone have a recommendation for isolating the cause of these logs? Recent entries are 95% related to the Office Online Core SSO application.

Entra ID Privileged Identity Management for Groups
We have used PIM for groups to assign certain Azure Security groups to eligible users. For example, a group which provides the Contributor role to a certain subscription. This group is added in PIM for groups, and eligible users have been assigned to the group, in which they can provide themselves with the privileges if required to do so for a maximum of 8 hours. However, when we assign a user to a PIM-protected group, there is no way to tell from the user's properties that the user has been assigned (eligible) to a PIM-protected group. Therefore, wouldn't it be better to create PIM groups and add the assigned user as a member of a PIM group, and assign the PIM group as eligible to the PIM-protected group? Then you would be able to see from the Groups list if the user is eligible for any PIM groups.

Create SharePoint Files from Azure Automation Runbooks
In this Practical Graph article, we describe how to create SharePoint files using an Azure Automation runbook. The code uses the Microsoft Graph PowerShell SDK whenever possible, but we had to resort to Graph API requests at times. We also look at how to update document metadata for the newly uploaded files. https://practical365.com/create-sharepoint-files-azure-automation/

Practical Graph: Nag Users to Upgrade to a Strong Authentication Method
Convincing people to use MFA is one challenge. Convincing them to use a stronger authentication method than SMS is another. This article explains how to use PowerShell to find people still using SMS for MFA and send email to ask them to upgrade their authentication method. https://practical365.com/upgrade-stronger-authentication-method-mfa/