Identity and Access Management
152 Topics

Insider Builds
I have been an avid Microsoft user for many years with only a couple of small issues every now and again. The last 6 weeks have been unbelievably stressful and disheartening. I thought trying samples of new Insider builds and enlisting in Azure for some up-to-date training for myself would help with what I wanted to roll out for my business. This has been the worst experience I have ever been a part of. I now have multiple computers and hardware in disarray, but more importantly the loss of time and patience is paramount. I have come to realise the repetitive responses and requests for data collection on feedback or issues are one-sided. The amount of user data submissions is not the issue though. It is the assistance from Microsoft regarding issues via portals, help-desk etc. The inclusion of many backend functions for the purpose of a better user experience is heavily flawed. Unless the end-user inadvertently has or encounters issues in their OS, life is good. Heavily automated program triggers sit through all OS builds, for example OneDrive. Regardless of whether this is declined or removed it will always be running in the background. If your system had been compromised this is a perfect place for root-kits or other malware to spread. Xcopy: a Microsoft background function which has the ability to clone and copy 99% of drivers of the operating info structure. Can be controlled by ghost script directives or embedded DLLs to aid malware. Anti-virus or Defender find it difficult to identify or distinguish authentic and reproduced data. In time this type of incursion can mimic a vast amount of OS functionality. Microsoft OS validity: I have trialled numerous builds with all sharing this characteristic. Invalid or expired software and driver certificates & TPM flaws even after a full clean reset and TPM turned off in BIOS. Inevitably this can introduce compromised software without end-user knowledge.
The impact leads to unauthorised access in many elements of the OS platform, especially data access and embedded .dll files which can run inline or above elevated authorisation. A lot of this is undetectable. Once embedded in the OS and BIOS this is impossible to clean without expert assistance and can be very costly. For the most part the inclusion of new AI functionality across the OS platform is very welcome. Unfortunately there are a large amount of bugs to be ironed out, especially in the platform navigation. Advice provided via OS AI can be misleading or incorrect.

SMTP XOAuth authentication and Microsoft authentication libraries
Due to the upcoming deprecation of basic authentication our company is looking to move all our products to modern authentication protocols for sending emails, but we have some unusual usage scenarios that have me running in circles. I have been through all available documentation multiple times and I'm stuck. The problem is that we have on-premises web applications that are running on multiple client servers and not in a central location. This creates a problem when using standard OAuth flows since there is no fixed URL to use as a redirect URI. Because of this I have created a separate API on a fixed URL that will serve as the redirect URI for all clients and instances of our web applications. This breaks the standard usage of the MSAL library and I had to go around chasing my tail to even be able to implement something that could possibly work. I have been able to do it using the Microsoft.Identity.Client MSAL library, but I hit a problem since I need to use the ConfidentialClientApp.AcquireTokenByAuthorizationCode call to redeem the access code obtained after user login, but apparently SMTP does not allow confidential clients to log in. We need the application to be able to send emails from any account, any tenant or personal accounts. I have obtained the access token for a personal account but SMTP rejects it with this error: 535: 5.7.3 Authentication unsuccessful [AM8P251CA0016.EURP251.PROD.OUTLOOK.COM]. If I switch to PublicClientApplication then there is no AcquireTokenByAuthorizationCode method and I can't even use a client secret, so I'm not even sure how this works in redeeming a code. I am going by the instructions on this page: https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth and it mentions no requirement of a public client application. It states I can use the authorization code flow, and the documentation on the authorization code flow states it can be used by web apps and desktop apps.
Well, how am I supposed to use it when SMTP won't accept a confidential app and the PublicClientApplication does not have a method to redeem it? If I drop the authentication library and go for a pure REST API call implementation, which application credentials should I use so that the acquired tokens will be accepted by the SMTP server? Also I would like to know if Office 365 users still have to disable security defaults and enable SMTP Authentication to use SMTP with OAuth 2? This would defeat the whole purpose of migrating to OAuth 2, and the blog about the deprecation states that moving to OAuth 2 is the way to prepare your app for this deprecation, but I've seen instructions on SMTP OAuth that state SMTP Authentication still needs to be enabled.

New Blog | Upcoming design updates: Microsoft Purview Message Encryption Portal
By Samson Chan. The Microsoft Purview Message Encryption portal will undergo minor design updates to align with Purview branding. Microsoft will be updating fonts, colors, controls, and more to align with Purview branding. These changes are designed to enhance the user experience without causing any disruptions. Microsoft will begin rolling out changes mid-October 2024 and expects to complete by mid-December 2024. Users will see minor design changes within the user interface (UI) - fonts, colors, controls, and more are updated to align with Purview branding. Read the full post here: Upcoming design updates: Microsoft Purview Message Encryption Portal

Moving Microsoft 365 authentication to Entra ID Cloud Auth from On-Prem ADFS
Hi Identity Brain Trust, assuming this would be the right place for my question as I couldn't find any other hub more relevant for this one. We have several applications configured to be authenticated via ADFS. We are looking to move these gradually to Entra ID Cloud auth and decommission ADFS, eventually. I would like to test out how Microsoft 365 can be moved to Cloud Auth from ADFS for a certain group of people. I have tried to use the ADFS migration wizard in Entra but the 365 app is not showing in the ADFS Application Migration section of Entra ID. I've read this official guide but still couldn't find how this can be manually done when the App Migration section won't have the app appearing there. - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/migrate-ad-fs-application-overview Appreciate any of your inputs on this one! Kev

Enable Windows Hello in Hybrid Environment
Hi all, we are planning to enable Windows Hello for our hybrid AD joined devices. I have the below questions around it before proceeding with it. Appreciate anyone's help. Are certificate or Cloud Kerberos configurations a must? Can't we enable Windows Hello from Microsoft Intune like we do for Azure AD standalone devices? Do we need to consider anything important if we go forward with Cloud Kerberos configurations (it seems this is the only method where we don't need a certificate)? Because we have around 20+ domain controllers in our environment, including RODCs. Can I please have the pros and cons of enabling Windows Hello for a hybrid environment? Thanks in advance! Dilan

MFA Issue blocks Global Admin / Data Protection Team disconnects calls
Hi. I have just learned that the Microsoft Authenticator app allows you to create MFA for multiple Global Administrator accounts, but those accounts will not properly transfer when you move to a new smartphone. I have one tenant that has only one Global Admin account secured using MFA and the Microsoft Authenticator app. The MFA is no longer working. I have been told to work with the Microsoft Data Protection Team by calling them at 800-865-9408. The weird thing is they keep disconnecting the call before the issue gets addressed. It has happened multiple times. Calling them back results in hold times averaging over 2 hours. Does anyone have ideas how I can get my MFA issue solved, perhaps by reaching the proper group at Microsoft in another fashion? Is there some customer advocate resource at Microsoft I can contact?

Whenever logging into the Office applications a different OTP needs to be applied for Outlook and Teams
When signing into Office applications, a different OTP is required for both Outlook and Teams. To address this issue, is there any resolution or a supporting document as proof to confirm that this is a standard procedure?

Identity Governance > Opt-in Preview Features appears to be malfunctioning
We have two distinctly separate goals:
1. Prevent administrative assignments of DISABLED access package policy(ies). By default, appropriate Entra Roles, including built-in catalog roles, are able to administratively assign users to disabled access package policies.
2. Limit administrative assignment of access packages to catalog roles only - basically, prevent Entra roles from bypassing catalog roles (e.g., prevent GA or Identity Governance Administrator).
We have an access package policy that is used only by administrators to assign users to one resource (security) group: Users who can request access: None (administrator direct assignments only). Regardless of whether we elevate to GA, IG Admin, etc., hold an appropriate catalog RBAC role, or any combination thereof, enabling (checking) the following Opt-In Preview Feature disables EVERYONE from administratively being able to assign user(s) to an enabled/disabled access package. No required approval is configured. If unchecked (the following opt-in option), we're once again able to administratively assign users from any level and any policy regardless of whether that policy is enabled or disabled. Error: You don't meet policy requirements to request this entitlement. (Note: I'm unable to locate the log that has the associated Correlation ID.) Lastly, I've tested the following in multiple tenants and the behavior is 100% the same. I feel like we're missing something. I've also posted this issue to the MS tech community to see if we can flush out anything.

Identity Governance > Entitlement Management > Settings > Opt-in Features
Enforce policy scope setting for admin direct assignments
Enabling this feature will prevent global administrators from adding users to a package that are outside the scope of the selected policy. For example, an attempt to add an external user through a policy that is only configured for internal users will be blocked when this setting is enabled. Identify any workflows in which users require access to a package, but there is no policy that includes them within its scope. Create policies that will include these users.

ERP decommissioning
Hello, we have the problem of decommissioning unmaintained ERPs from the acquisition. We replaced them with the group's standards.
Details:
- IFS version 8.0 on WS 2008
- DB Server 2012 on AWS
Finance asks us to keep them accessible for the next 10 years on isolated servers. Guaranteeing access for the next 10 years to software that no one in IT knows anymore, with older technologies, seems impossible to me or at least very difficult. Do you have similar issues and if so how do you respond? Thank you for your return.