Microsoft Identity Manager
14 Topics

General Question About Federation
Hello, we have a federated domain and, to my knowledge, this means that all authentication for this domain will be sent to ADFS and will not be handled directly in Azure Entra ID. Is the following statement correct: when I register an app in Entra ID, the authentication will still be handed off to ADFS? (When my user types in email address removed for privacy reasons, I will first go to Microsoft, which will then hand it off to ADFS.) Will there be any additional config required on the ADFS server for the registered application? If I would like to bypass this federated authentication, is the only way to do this to change it to a managed domain, removing the federation, or to do a staged rollout as described below? Microsoft Entra Connect: Cloud authentication via Staged Rollout - Microsoft Entra ID | Microsoft Learn

Can we use On-Behalf-Of-User flow and Client Credential Flow for same API
I have developed a few APIs, and they use the on-behalf-of user flow. We get delegated access for the respective users to perform actions. But we have several background jobs, so can I switch to the client credential flow for just these background jobs? By doing this, the same API would have both the "on behalf of user flow" and the "client credential flow"!

Client approval of PIM requests for Partner GDAP users
Hi, I have a client who would like to manage PIM eligibility and approval for role elevation for GDAP partner service techs. Essentially, even though GDAP gives the Exchange Administrator role, the client still wants the tech to request elevation and for the approval to go to the client. I see there is a way to manage this at the partner level, where the partner would have PIM and manage approvals, but this seems to be global across all clients and not for a single client. To answer the client: is there a way the client can manage PIM from their side for partner GDAP users?

Improving Secure Score
Increasing Secure Score: "Ensure multifactor authentication is enabled for all users." I wanted to enable this feature in my organization but faced this issue. Posting it in case it helps someone. The issue faced: when trying to deploy this feature in the organization, I saw a low-security option enabled by default. Solution: sign in to the Azure portal with your admin credentials. Navigate to entra.microsoft.com → Security → Conditional Access. Enable or disable based on your organization's needs. entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade

New Blog Post | Act now: Turn on or customize Microsoft-managed Conditional Access policies
As part of our Secure Future Initiative, we announced Microsoft-managed Conditional Access policies in November 2023. These policies are designed to help you secure your organization's resources and data based on your usage patterns, risk factors, and existing policy configuration, all while minimizing your effort. Our top recommendation for improving your identity secure posture is enabling multifactor authentication (MFA), which reduces the risk of compromise by 99.2%. This is why our first three policies are all related to MFA for different scenarios. Since we announced Microsoft-managed Conditional Access policies, we've rolled out these policies to more than 500,000 tenants in report-only mode. In this mode, the policies don't impact access but log the results of policy evaluation. This allows administrators to assess the impact before enforcing these policies. Thanks to proactive actions taken by administrators to enable or customize these policies, over 900,000 users are now protected with MFA. We've been actively listening to your feedback. Customers shared that Microsoft-managed policies impact the number of Conditional Access policies that organizations can create. We've addressed this by making a significant change: Microsoft-managed policies will no longer count towards the Conditional Access policy limit. Another adjustment relates to existing Conditional Access policies. If you already have a policy in the "On" state that meets or exceeds the requirements set by the Microsoft-managed policy, the latter will not be automatically enforced in your tenant. Initially, we communicated that these policies would be automatically enabled 90 days after creation. However, based on customer feedback, we recognize that some customers need additional time to prepare for these policies to be enforced. As a result, we have extended the time frame before enforcing the policies for this initial set of policies.
For these three policies, you will have more than 90 days to review and customize (or disable) your Microsoft-managed Conditional Access policies before they are automatically enforced. Rest assured, you'll receive an email and a Message Center notification providing a 28-day advance notification before the policies are enforced in your tenant. Call to action: review these policies in the Conditional Access policies blade. Add customizations such as excluding emergency accounts and service accounts. Read the full story here: Act now: Turn on or customize Microsoft-managed Conditional Access policies - Microsoft Tech Community

Authentication from multiple, but certain, tenants to OAuth apps
I've got an SPA app and an API, and I'm using MSAL for authentication. The end users come from a limited set of tenants, but not a single one. Since for the application authentication I can only select a single tenant or all tenants, I'm looking for solutions here. One is tenant collaboration / multitenant organization, but it seems like overkill for this need. Another is multiple authorities, but isn't it then tricky to wrangle multiple client IDs, selecting the right authority, etc.? Is there a way of doing this I'm missing?
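The two API threads above (the on-behalf-of plus client-credentials question, and restricting a multi-tenant SPA/API to a fixed set of tenants) share one server-side answer, shown here as an added example that is not code from either poster: register the app as multi-tenant (the MSAL `organizations` authority, one client ID) and let the API decide per token. In Entra ID access tokens a delegated token carries its permissions in `scp`, an app-only token carries them in `roles`, the optional `idtyp` claim marks app-only tokens when configured, the tenant is `tid`, and the issuer must match it. `ALLOWED_TENANTS`, `API_AUDIENCE`, the claim sets and the permission names are constructed placeholders, and signature and expiry validation are assumed to have been done already by your JWT library.

```python
# Added example (not from either thread): authorising an API that accepts both
# delegated tokens (on-behalf-of, "scp" claim) and application tokens
# (client credentials, "roles" claim) from a fixed allow-list of tenants.
# Assumptions: Entra ID v2.0 access tokens whose signature and expiry were
# already checked; ALLOWED_TENANTS and API_AUDIENCE are placeholder values.
from dataclasses import dataclass
from typing import Any, Mapping, Optional

ALLOWED_TENANTS = frozenset({            # constructed placeholder tenant IDs
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
})
API_AUDIENCE = "api://jobs-api"          # assumed App ID URI of the API


class AuthError(Exception):
    """Raised for any token that must not reach business logic."""


@dataclass(frozen=True)
class Caller:
    kind: str               # "delegated" (user present) or "application"
    tenant: str             # tid claim
    subject: str            # oid: user object ID, or service principal object ID
    permissions: frozenset  # scp values (delegated) or roles values (application)


def _expected_issuers(tid: str) -> set:
    # v2.0 issuer; the v1.0 form is included in case the API still receives v1 tokens
    return {f"https://login.microsoftonline.com/{tid}/v2.0",
            f"https://sts.windows.net/{tid}/"}


def classify(claims: Mapping[str, Any]) -> Caller:
    """Decide which flow produced the token and which permissions it carries."""
    if claims.get("aud") != API_AUDIENCE:
        raise AuthError("token was not issued for this API")
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        raise AuthError(f"tenant {tid!r} is not permitted")
    if claims.get("iss") not in _expected_issuers(tid):
        raise AuthError("issuer does not match tid")
    scp = claims.get("scp")                    # space-separated string in delegated tokens
    roles = claims.get("roles")                # list of app-role values in app-only tokens
    app_only = claims.get("idtyp") == "app"    # optional claim, only when configured
    if scp:
        if app_only:
            raise AuthError("idtyp=app token must not carry scp")
        # roles in a delegated token would be the user's own app roles; this
        # example authorises users on scp alone.
        return Caller("delegated", tid, claims.get("oid", ""), frozenset(scp.split()))
    if roles:
        # No scp: a client-credentials token. Its permissions are app roles.
        return Caller("application", tid, claims.get("oid", ""), frozenset(roles))
    # Neither claim: the client has no permission to this API at all (for
    # example an app-only token minted before any app role was assigned).
    raise AuthError("token carries neither scp nor roles")


def authorize(claims: Mapping[str, Any], scope: Optional[str] = None,
              role: Optional[str] = None) -> Caller:
    """scope: delegated permission a signed-in user needs; role: app role a
    background job needs. An endpoint states both so either flow can call it."""
    caller = classify(claims)
    needed = scope if caller.kind == "delegated" else role
    if needed is None or needed not in caller.permissions:
        raise AuthError(f"{caller.kind} caller lacks {needed!r}")
    return caller


def is_rejected(claims: Mapping[str, Any], scope: Optional[str] = None,
                role: Optional[str] = None) -> bool:
    """True when authorize() refuses the token (handy for tests and logging)."""
    try:
        authorize(claims, scope=scope, role=role)
        return False
    except AuthError:
        return True


# Constructed decoded payloads (not real tokens) for the two callers.
TENANT_A = "11111111-1111-1111-1111-111111111111"
ISSUER_A = f"https://login.microsoftonline.com/{TENANT_A}/v2.0"
USER_TOKEN = {"aud": API_AUDIENCE, "tid": TENANT_A, "iss": ISSUER_A,
              "oid": "user-object-id", "scp": "Jobs.Read Jobs.Submit"}
JOB_TOKEN = {"aud": API_AUDIENCE, "tid": TENANT_A, "iss": ISSUER_A,
             "oid": "sp-object-id", "idtyp": "app", "roles": ["Jobs.Run.All"]}
FOREIGN_TOKEN = {**USER_TOKEN, "tid": "33333333-3333-3333-3333-333333333333",
                 "iss": "https://login.microsoftonline.com/33333333-3333-3333-3333-333333333333/v2.0"}
EMPTY_TOKEN = {"aud": API_AUDIENCE, "tid": TENANT_A, "iss": ISSUER_A, "oid": "x"}
```

Each route names both the delegated scope and the app role it accepts, so a user session and a background job hit the same route with different tokens; a token that has neither claim is refused rather than treated as authorised because the audience happened to match.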
New Blog | Microsoft Entra ID Governance licensing for business guests

Thousands of customers have tested or deployed Microsoft Entra ID Governance since it launched on July 1, 2023, seeing the value in governing the identities of their workforce. Many of those customers have asked about extending this governance to the identities of their business guests (contractors, partners, and external collaborators) to more fully follow least privilege access principles while still enabling seamless collaboration. We are pleased to announce that we're helping organizations to more easily manage this situation by creating a new ID Governance license for business guests. This license will operate on a monthly active usage (MAU) model. Customers will be able to acquire licenses matching their anticipated business guest MAU. Read the full blog here: Microsoft Entra ID Governance licensing for business guests - Microsoft Community Hub

New Blog | Microsoft Entra Expands into Security Service Edge with Two New Offerings
Flexible work arrangements and accelerating digital transformation changed the way we secure access. Traditional network security approaches just don't scale to modern demands. They not only hurt the end user experience but also grant each user excessive access to the entire corporate network. All it takes is one compromised user account, infected device, or open port for an attacker to access and laterally move anywhere inside your network, exposing your most critical assets. Read the full blog here: Microsoft Entra Expands into Security Service Edge with Two New Offerings - Microsoft Community Hub

Administrative Units (MDE, MDI, MDCA, Purview, Endpoint mgmt)
Hello, the Microsoft documentation on Administrative Units (AUs) is not clear enough. I would like to know if I can use AUs in the following portals. security.microsoft.com: for example, can I create Defender for Office 365 policies for the users and groups within my AUs? compliance.microsoft.com: for example, can I create an Information Protection sensitivity label for the groups included in my AU? portal.azure.com: I know that I can create, delete, and modify users, as well as manage licenses, within my AU. endpoint.microsoft.com: can I create configuration profiles for devices within my dynamic device group in an AU? Or is the term "AUs" restricted only to the Azure portal and MS Teams devices? Please let me know if there are any specific limitations or restrictions regarding the use of AUs in these portals. Regards, Farhad

Optimize PowerShell script when it is executed on a tenant with x thousands of users
Hello, I'm facing a problem of latency when I execute the script, and there are also some limitations of Azure AD: sign-in and audit logs are available for 30 days only, so I get blank cells in the CSV reports. The main problem is when I execute the script to audit 3000 guest users (audit guest users): it takes a lot of time without results, and errors like "error reading JToken ..." appear. What can I do to increase the speed of execution? Thank you 🙏
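One way to take the per-user work out of a guest audit like the one above, as an added example rather than the poster's script: pull every guest in pages of up to 999 with a single `$filter`/`$select` query and read `signInActivity` from the user object, instead of issuing one sign-in log query per guest. The page-following logic is what matters, so `get_json` is injected (a function from URL to decoded JSON); here it is backed by constructed pages so the block runs offline, and in production it would wrap an HTTP GET with a bearer token. Assumed: the caller has `User.Read.All` and `AuditLog.Read.All`, and the guest IDs, names and timestamps below are made up.

```python
# Added example (not the poster's script): audit guest users with one paged
# Microsoft Graph query that selects each user's signInActivity, instead of
# one sign-in log query per user. Assumptions: the caller has User.Read.All
# and AuditLog.Read.All; get_json(url) -> dict is supplied by the caller
# (here a fake over constructed pages, in production an HTTP GET with a token).
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


def guest_query_url(page_size: int = 999) -> str:
    """One request per page of up to 999 guests, only the properties needed."""
    params = {
        "$filter": "userType eq 'Guest'",
        "$select": "id,displayName,mail,createdDateTime,signInActivity",
        "$top": str(page_size),
    }
    # Keep $ , and ' literal so the query reads as Graph documents it.
    query = urlencode(params, safe="$,'", quote_via=quote)
    return f"{GRAPH}/users?{query}"


def iter_pages(get_json, url):
    """Yield users from every page, following @odata.nextLink until it stops."""
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def _parse_graph_time(value: str) -> datetime:
    # Graph returns e.g. "2024-05-20T10:00:00Z"; fromisoformat needs +00:00 before 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_guests(users, now: datetime, max_idle_days: int = 90):
    """(id, displayName, reason) for guests with no recorded sign-in or none
    within max_idle_days. A missing signInActivity is normal for such users
    and is reported, not treated as an error (no blank cell)."""
    cutoff = now - timedelta(days=max_idle_days)
    report = []
    for u in users:
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if not last:
            report.append((u["id"], u.get("displayName", ""), "no recorded sign-in"))
        elif _parse_graph_time(last) < cutoff:
            report.append((u["id"], u.get("displayName", ""), f"last sign-in {last}"))
    return report


# Constructed Graph responses keyed by URL: two pages, three guests.
_NEXT = f"{GRAPH}/users?$skiptoken=constructed-page-2"
FAKE_PAGES = {
    guest_query_url(): {
        "value": [
            {"id": "g1", "displayName": "Active Guest",
             "signInActivity": {"lastSignInDateTime": "2024-05-20T10:00:00Z"}},
            {"id": "g2", "displayName": "Dormant Guest",
             "signInActivity": {"lastSignInDateTime": "2023-11-01T08:30:00Z"}},
        ],
        "@odata.nextLink": _NEXT,
    },
    _NEXT: {"value": [{"id": "g3", "displayName": "Never Signed In"}]},
}


def fake_get_json(url: str) -> dict:
    return FAKE_PAGES[url]


def run_audit(get_json=fake_get_json,
              now: datetime = datetime(2024, 6, 1, tzinfo=timezone.utc)):
    """Return (total guests seen, stale report) for the tenant behind get_json."""
    users = list(iter_pages(get_json, guest_query_url()))
    return len(users), stale_guests(users, now)


if __name__ == "__main__":
    total, stale = run_audit()
    print(f"{total} guests, {len(stale)} stale")
    for row in stale:
        print(*row, sep=",")
```

For 3000 guests this is four requests instead of thousands, and the report never has to wait on sign-in log queries; a guest whose `signInActivity` is absent is listed explicitly so the CSV column is filled with a reason rather than left blank.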