"sign-in frequency" every time not working as expected and described.
We have several PIM managed groups in an Entra ID tenant. Members are added as eligible. For the activation of the memberships an Authentication Context is created which is linked to a conditional access policy. The conditional access policy requires MFA with phishing resistant authentication factors, and "sign in frequency" is set to "every time". When activating membership authentication is required. When activating membership to another group (>5min in between activations) one would expect to request an authentication prompt, as described in Microsoft documentation. In Firefox this works as expected, In Edge and Chrome there is no re-authentication required every time, and sometimes even not for the first activation, not even in an in-private session. The device is not joined to this tenant, and the account used to log on is different from the one used to logon to the Entra ID portal. This is a test tenant with only those CA rules configured, no other policies or rules are in place. Anyone experiencing the same, or knowing the cause?
Exclusion of Copilot App (for O365) from Conditional Access Policies does not work
Hi, we've built a Conditional Access Policy in EntraID that forces MFA for all Cloud Apps. We want to exclude "Microsoft 365 Copilot"/ "Copilot App" so no Reauthentication is necessary for Copilot in the frame of accessing O365 content. Exclusion has been made for a range of identified Copilot applications that are shown in Sign-in logs. However, reauthentication still pops up. No other conditional access policy is applied. It's this specific policy that requires reauthentication. What's the reason why the exclusion does not work? Is there something else necessary to be taken into consideration so the exclusion works fine? Many thanks in advance!
MFA breakglass account recommendations?
Hi folks. Looking at the new Authentication Methods settings, and trying to consider the scenario where someone disables all of these methods by accident. We require MFA on all accounts (using the 'require MFA' param of Conditional Access). If these are all disabled, there's no MFA method available... Trying to think of ways around this, for that situation. Things I've considered - cert based auth, telephone auth, etc - all require the corresponding auth method to be enabled. How should this be handled?Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, weβre hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community HubExclusion of Microsoft Edge Browser from Conditional Access Policies does not work
Hi, we've built a Conditional Access Policy in EntraID that forces MFA for all Cloud Apps. We want to exclude Microsoft Edge Browser so no Reauthentication is necessary for MS Edge Browser. Exclusion has been made for the "Microsoft Edge" application with the following App ID: ecd6b820-32c2-49b6-98a6-444530e5a77a However, reauthentication still pops up. No other conditional access policy is applied. It's this specific policy that requires reauthentication. What's the reason why the exclusion does not work? Is there something else necessary to be taken into consideration so the exclusion works fine? Many thanks in advance!Microsoft Entra Internet Access for iOS in Public Preview!
With the latest update to Microsoft Defender for Endpoint on iOS, Organisations licensed for Microsoft Entra Suite or Microsoft Entra Internet Access will have access to Microsoft's Secure Web Gateway (SWG) and traffic forwarding for HTTP/HTTPS traffic, with support for Web-Content Filtering. This has been a huge win for iOS Mobile Security. Previously, Defender for Endpoint on iOS has supported Phishing Protection, M365 Traffic, and Entra Private Access Traffic. Combined with Global Secure Access Threat Intelligence, which consumes indicators from Microsoft Intelligent Security Graph (ISG), Organisations can implement granular internet access controls on iOS devices with integrated, context aware protection against malicious threats. Excited to hear what you think! Release notes are available hereπ Microsoft Entra in Action: From Conditional Access to Identity Protection
One of the areas Iβm most passionate about is identity-driven security. Microsoft Entra makes it possible to apply Zero Trust principles directly at the identity layer. β‘ Conditional Access β the backbone of modern access policies. π€ Privileged Identity Management (PIM) β ensuring just-in-time, least privilege for admins. π‘οΈ Identity Protection β risk-based policies to stop compromised sign-ins in real time. In my labs, Iβve seen how these features transform security posture without adding friction for users. Coming soon: - Step-by-step breakdown of a risky user detection scenario. - A visual guide to Conditional Access controls for critical apps. Would love to exchange insights with others experimenting in this space β what Entra features are you finding most impactful? #MicrosoftEntra | #ConditionalAccess | #IdentityProtection | #MicrosoftLearn | #PerparimLabs
Unable to add Azure Virtual Desktop Client Enterprise App to Conditional Access
We currently use conditional access to allow certain contractors to sign into VMs, and from these VMs, access other MS Apps. Currently we block all applications from outside the VM ip range, but exclude the Virtual desktop applications to allow the users to do the initial signin to the VM. When contractors are using the Virtual Desktop app, it seems to work ok. However, recently when signing in via the browser only and launching from there, the conditional access rule is blocking them as the application ID isn't in the exclude list, and we are unable to add it: a85cf173-4192-42f8-81fa-777a763e6e2c The documentation: https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa?tabs=avd shows that web signins may originate from this application ID, but without the ability to add this to the exclusion apps, we cannot find another workaround that allows access via the browser. I also tried adding this app in to the policy via GraphAPI, but I get an error saying that this first party application isn't allowed. I need to know if there is another workaround or if Microsoft are planning to add this to the CA compatibility list? I'm not sure why some of the Virtual desktop apps are there but this one is not.
