Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub
How to resolve "AADST55203" error: Multi-factor authentication configuration blocked
{ "error": "access_denied", "error_description": "AADSTS55203: Configuring multi-factor authentication method is blocked. Trace ID: Correlation ID: Timestamp: 2025-09-17 20:48:30Z", "error_codes": [ 55203 ], "timestamp": "2025-09-17 20:48:30Z", "trace_id": "", "correlation_id": "", "suberror": "provider_blocked_by_rep" } SMS authentication method was previously configured in our B2C Entra and was functioning correctly until last week, when it suddenly stopped working. Currently, users can only authenticate via email. Conditional Access policy is also in place that requires Multi-Factor Authentication (MFA).
Passwordless POC Blocked by CA BYOD Policy – Looking for Workarounds
We’re currently running a POC for passwordless authentication in our environment. One challenge we’ve hit is that our CA BYOD policy blocks personal devices, which prevents users from enabling passwordless sign-in via the Microsoft Authenticator app. Since Authenticator is not a cloud app, we can’t exclude it from the CA policy using the usual cloud app filters. This is causing issues when users try to register or use passwordless sign-in from their personal phones. Has anyone dealt with this scenario or found a workaround that allows passwordless sign-in while still enforcing BYOD restrictions? Any ideas, suggestions, or creative solutions would be much appreciated! Thanks in advance!
Entra External Authentication Method giving AADSTS900144 missing externalAuthenticationMethodId
Hi All, Has anyone else noticed in the last couple of days if EAM (External Authentication Method) is configured for MFA end users are getting: AADSTS900144: The request body must contain the following parameter: 'externalAuthenticationMethodId' Its been working for us fine for months/years but the last couple of days we are seeing heaps of the error above. I have raised a support case but zero response so far Regards, DanielConditional access, Persistant Browser sessions and Azure File shares in Storage Accounts
Hello, I am in the process of doing a POC for Azure file sync from DFS to Azure file shares with a end goal of using Azure files shares and getting rid of DFS. I want to use Entra for identity access. One of the changes I need to make is set Persistant browser session in our MFA all user policy to "Never" so that the storage enterprise app does not get targeted for MFA, otherwise it wont work. How do I go about doing this without effecting any other users as it's a global policy. I know I need to do this because I get this error when I add the Storage Account ent app to the targeted resources (formerly cloud apps) exclusion list; "Message from server: The server could not process the request because it is malformed or incorrect. 1032: ConditionalActionPolicy validation failed due to InvalidConditionsForPersistentBrowserSessionMode." Any ideas of how to get around this without affecting anyone else and only target the storage account ent app. Cheers
MFA claim expired - Breaking web apps
Hi All, Testing: - Passwordless (Phone Sign-in baseline) - Sign in Frequency (Shorter than tenant setting) - Desktops are hybrid, receiving their PRT but no not use WH4B - Tenant still has Remember Trusted device for X Days enabled I'm seeing some strange behavior where Azure AD is showing the MFA claim has expired when trying to access web portals (Auth loops, webapp access issues (Outlook fine but not Teams), error messages). If I revoke the session completely and re-login to the native app pop-ups, things are fine again for a while. If the user closes the native auth window, the native apps limp along even with the MFA claim issue within the browser but the webapps are still broken. WebApps continue to SSO in with the token in this state. Research is pointing that it might be the tenant wide remember trusted device settings, although I am not in a position to disable this global setting until after the test deployment. Disabling the SIF, seems to resolve the MFA claim expiry immediately, i'll check in a few days to see if that is still the case as it'd be outside the trusted device setting interval too. I have a support request at the moment with the advice to enable persistent browser sessions which I'll test but don't think that is the core of the issue. Is their a way around this, have others had similar issues? Thanks!
Fido passkeys blocked by policy
Hi all I'm helping out a customer with deploying physical passkeys and I'm running into a weird error. I've activated the sign in method and selected the two AAGuids for the Authenticator app and I've added the right AAGuid for the brand and model of passkey we are using. We can select the authentication method and enroll the security correctly but when trying to sign in using it we get the error as displayed in the attached picture. When checking the sign in logs i get this error message FIDO sign-in is disabled via policy and the error code is: 135016 I've not been able to track down any policy that would be blocking passkeys. anyone got any ideas?
