Identity Management
603 TopicsShape the future of our communities! Take this survey to share your practitioner insights. ๐ก โ๏ธ ๐
This brief survey explores your experiences and preferences in professional identity and network security communities. Your feedback will help shape our team's approach to future community resources and engagement opportunities. Take the survey here! For any questions about this survey, please contact dansantos@microsoft.com. Privacy Statement: https://go.microsoft.com/fwlink/?LinkId=52183918Views0likes0CommentsCloud-First Attribute Ownership for Synced Users in Entra ID Is Not Supported
๐ Description As an enterprise architect working to modernize identity provisioning, Iโve encountered a major limitation in Microsoft Entra IDโs hybrid identity model. While Microsoft promotes a cloud-first strategy, the current architecture forces reliance on on-premises Active Directory for attribute ownership when users are synced via Entra Connect. Key issues: Directory extension attributes, even when created in the cloud, are read-only for synced users. Custom security attributes are not queryable and cannot be used in dynamic groups or claims. There is no supported mechanism to allow cloud apps (e.g., Workday provisioning) to own or update specific attributes for synced users. Breaking sync to convert users to cloud-only is disruptive and not scalable for large enterprises. This creates a conflict between cloud-first provisioning goals and technical limitations, making it difficult to fully transition away from on-prem AD. โ Requested Improvements Attribute-Level Ownership Delegation Allow cloud apps to own and update specific attributes for synced users, even if the user is still managed by AD. Writable Directory Extensions for Synced Users Enable Graph API write access to cloud-created directory extensions for hybrid users. Dynamic Query Support for Custom Security Attributes Make custom security attributes usable in dynamic groups, claims, and app filtering. Clear Guidance and Tooling for Cloud-First Identity Models Provide supported patterns and tools for transitioning identity provisioning and attribute management to the cloud. ๐ Why This Matters Organizations are actively trying to reduce reliance on legacy infrastructure and embrace cloud-first identity. The current limitations in Entra ID make this transition unnecessarily complex and inconsistent with Microsoftโs cloud-first messaging. ---copiloted response for sure after many days of trying to work a solution that does not create more tech debt...54Views0likes1CommentEntra App Gallery required for Excel AddIn
Hi, We have an Excel Addin published to Microsoft AppSource: https://appsource.microsoft.com/en-us/product/office/WA200009029?tab=Overview The Excel Addin uses Entra ID to obtain an OIDC token to securely / seamlessly access MS 365 SharePoint on behalf of the user. In order to achive this the Entra ID subscription needs the TR4E application registered as an Enterprise Application / App Registration. My question is whether I need to submit the TR4E application separately to the Entra App Gallery, so it can be installed by the Entra ID admin - or will the registration in Entra ID happen automatically when a new user first tries using TR4E? I note that MS has suspended new application submissions for Entra App Gallery, which means our customers would need to manually create the Entra ID Enterprise Application (which is not a great experience). Cheers, Andrew56Views0likes1CommentCan External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
What I'm trying to achieve I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (regular organizational tenant) for a hybrid CIAM/B2B setup where: Business users authenticate via their corporate accounts (OIDC or SAML) Individual customers use username/password or social providers (OIDC) Tenant details / Terminology: CIAM tenant: External ID tenant for customer-facing applications IdP tenant: Example Partner's organizational Entra ID tenant with business accounts Custom domain: mycustomdomain.com (example domain for the IdP tenant) Configuration steps taken Step 1: IdP Tenant (Entra ID) - Created SAML App Set up Enterprise App with SAML SSO Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/ Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf NameID: Persistent format Claim mapping: emailaddress โ user.mail Step 2: CIAM Tenant (External ID) - Added SAML IdP (Initially imported from the SAML metadata URL from the above setup) Federating domain: mycustomdomain.com Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/ Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2 DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2 Step 3: Attached to User Flow Added SAML IdP to user flow under "Other identity providers" Saved configuration and waited for propagation The problem It doesn't work. When testing via "Run user flow": No SAML button appears (should display "Sign in with mycustomdomain") Entering email address removed for privacy reasons doesn't trigger federation The SAML provider appears configured but never shows up in the actual flow Also tried using the tenant GUID in the passive endpoint instead of the domain - same result My question Is SAML federation from External ID to regular Entra ID tenants actually possible? I know OIDC federation to Microsoft tenants is (currently, august 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works. Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant regardless of the protocol used?27Views0likes0CommentsUser Identities in EntraID - how to remove?
I have a user that shows up with multiple identities. No other users are like this and we believe its stopping him from logging in with his alias email address. When i run get-entrauser it returns the following under Identities: {@{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} Every other account just has this @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} How would i go about removing those identies from that user? Struggling to find any info online.54Views0likes1CommentUsers is AD synced, but not able to sync passsword
Hi, we use Entra ID Sync from on premises AD to Entra. In Entra users are shown as synced For some reason it is not possible, that the password that is set up in AD is synced to entra. Furthermore I am able to reset password in admin center On the other hand in Entra itself I cannot change the password How do I fix this. Problem is, that user must change passwords 2x times, first in AD and second in Admincenter. Last is needed so he can use Teams etc. I cheched the Entra ID Sync, but that works fine from what I can judge. Password write back is disabled136Views0likes3CommentsSecurity Best Practices for Bookings Page's Mailbox Objects in Entra ID
Hi, are there any recommendations / best practices for hardening the user objects that are created in Entra ID when I create a new Microsoft Bookings page? Unlike regular shared mailboxes, the sign-in is enabled by default, I can simply reset the password, sign in via Outlook Web and see the Microsoft Bookings calendar. Bad actors could brute force this sign-in, register the MFA authentication method of their choice and gather data of the customers that used my public bookings page. What is the recommeded way to handle these objects in Entra ID? Conditional Access settings? Azure Monitoring alerts for sign-ins? Defender alerts for when an inbox rule is created? Kind regards, YaseminSolved188Views0likes2CommentsConditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal"
Hello Identity Experts, We are expanding access to our M365 resources to Guests and as such we are modifying our existing CA policies to provide the appropriate restrictions and controls. We are using principles of least privilege best practices to BLOCK All Cloud Apps for Guests (With Exceptions) and REQUIRE MFA for Guests. We've followed a number of blogs detailing the same essential set of policies / well-known identity pros: https://danielchronlund.com/2020/11/26/azure-ad-conditional-access-policy-design-baseline-with-automatic-deployment-support/ The idea is to allow guests to access Office 365 and My Apps (and AIP) but block all others plus require MFA for guests. Seems pretty straightforward and again we've seen this implemented and suggested by a number of experts. This doesn't work however and we've had a colleague test this in a separate tenant with just these two policies enabled. What is happening is that Guests, while redeeming their invitation, are triggering the BLOCK All Cloud Apps for Guests policy when they access the "Microsoft Invitation Acceptance Portal". This App is, unfortunately, one that cannot be excluded from CA policy (there is no target available for it). Guests receive the "You don't have access to this" error with the AppName = Microsoft Invitation Acceptance Portal and error 53003 in the AAD sign-in logs (along with the fact that the BLOCK policy caused the failure). What is also odd is that if the Guest returns to the invitation link, they can then complete the registration. Something is off/wrong and we're curious if anyone else has encountered this using these policies. Thanks in advance!Solved18KViews0likes7Comments