Migration from Hosted Exchange (Hybrid) to M365 Classic Outlook Client Problems and Solutions
Hello Everyone, I'm a tech who started on a 8088 processor in the 80's. Not mentioning the Vic20 and C64 since that hardly seem relevant! I'm posting here to hopefully help the next person with the issues I've had over the last few weeks. My client had to port his email from a provider with an on-perm Exchange server in a Hybrid setup with M365 to his own M365 environment. I expected this was to be about 3 hours of work for me - setup M365 environment, plan the cut-over window, update the Outlook clients on each PC. It ended up being roughly 20 hours of my time and at least 10 hours of dedicated time for my client. For those wanting to jump directly to what mostly fixed it use this link, it should get you past the dreaded "an encrypted connection to your mail server is not available" when trying to add the mail account into a clean profile. Use https://support.microsoft.com/en-us/windows/classic-outlook-troubleshooters-086e3d66-5404-4034-9cc5-545909dcc166 and pick "Classic Outlook Profile Setup Troubleshooter" Most hits are going to tell you its an autodiscovery issue, but if you're reading this I'm going to assume you've already confirmed that. Our issue was some ghost configuration, only on the PCs previously setup for mail on the old server. A new PC could add the same account without issue. Some of the research suggested this would not happen if the proper Microsoft migration process is followed to move the account - but in our case the previous provider was unable to perform the migration. I'll skip over the research we tried along the way, such as New Outlook Profiles, Registry entry changes, MS Personal users with the same email as MS Business Users, Autodiscover problems (including concerns that the base website for the client was offering invalid data), and so on. After each hit where we applied a fix we again had to try adding the mail to the profile, and each time we sat watching the little circle for up to 5 minutes only to get the same error. Now, once we found the link above - which did not come up in most searches - things got better, but not 100%. We added the profile ok but then Outlook gave a permission error while starting. To fix that, the user signed in must have administrative access and you use File Explorer to navigate to the folder identified in the error. In our case it was in folders kept under \Windows\System32\. When prompted that we need to grant permanent access we said yes. In our case this is where Outlook was storing the ost files. That worked for most of the clients, but we had one additional issue where the error was pointing to a folder that didn't exist. Just creating the folder was not enough, the final fix was to hold CTRL-SHIFT down while opening Outlook to start in administrative mode to allow it to create the ost file in the newly created folder. Finally 3 weeks after our cut over window, while the client had to use OWA, we were able to get outlook running. This was critical for my client because they did not have access to the mail history since the migration didn't happen - they had to open a copy of their PST in Outlook and use mail in OWA and constantly bounce back and forth. I hope this helps someone avoid the pain we went though!
Sole Microsoft 365 Admin Locked Out After Phone Replacement / Lost MFA Device
I am the sole admin for a Microsoft 365 tenant and I am currently locked out after replacing my phone. The old phone was wiped before Microsoft Authenticator was fully re-registered on the new device. Authenticator was the only MFA method configured on the account. Current situation: password is known, Teams desktop sessions are still active, Authenticator cloud backup restored successfully, but all Microsoft security and admin pages still require approval from the old Authenticator registration. I cannot access Security Info, Entra Admin, or Microsoft 365 Admin Center because every path loops back to the dead MFA registration. I have already attempted Microsoft business support phone lines, Authenticator restore and recovery, and existing desktop sessions, but support queues are disconnecting and I cannot open business support tickets because the admin account itself is MFA locked. Tenant: lowepfg.onmicrosoft.com What is the fastest recovery or escalation path to force MFA reset or re-register Microsoft Authenticator for the tenant admin account?
Web-signin 3rd party IDP not working
We have a working Entra ID SAML federation to a third-party IdP that uses FIDO2/WebAuthn (IdP as Relying Party) for browser sign-in, and we are trying to use the same federation through Windows Web sign-in on an Entra-joined Windows 11 device — but the IdP page loads blank in the WebView and Microsoft-Windows-WebAuthN/Operational records zero events, while the same security key works fine for FIDO2 sign-in with login.microsoft.com as RP on the same device. Questions: - Is WebAuthn brokering to third-party Relying Parties inside the Web sign-in WebView supported? - If not, is it on the roadmap? - What is the supported architectural path for delivering passwordless Windows sign-in using a federated IdP's own FIDO2/WebAuthn credentials, given Graph API passkey provisioning is Beta-only?
How to target Azure VPN (Microsoft-Registered) app with Conditional Access Policies?
I have an Azure Point-to-Site VPN Gateway configured using the Microsoft-registered Azure VPN Client App ID (Audience value: c632b3df-fb67-4d84-bdcf-b95ad541b5c8). Everything is working correctly for our users. The issue I am having is that anyone with an Entra account can connect to the VPN and I want to restrict this with a blocking Conditional access policy. I do not want to create a custom app registration, because then I will have to change the 'audience' value on the app gateway and all user's will need to modify their VPN clients. The problem is I need to target the Microsoft-registered Azure VPN app in a Conditional Access policy but it does not appear in my Enterprise Applications list or in the CA app picker when searching. My questions: Why does the Microsoft-registered app not automatically create a service principal in my tenant the way other Microsoft apps do? Is there a supported way to make it appear in the CA app picker without creating a custom app registration or changing the gateway Audience value? Has anyone successfully targeted c632b3df-fb67-4d84-bdcf-b95ad541b5c8 in a CA policy while keeping it as the gateway Audience value? Thanks for the assistance hereHow Do I Target the Azure VPN Client in a Conditional Access Policy?
I am using the Azure VPN Client to connect users to an Azure VPN Gateway using their Entra ID credentials to authenticate. I want to target this application with a CA policy that requires MFA every time it connects. The problem is that I don't see the applications in my Enterprise Apps and all of my searching says that it won't appear because it was "pre-certified" by Microsoft. In the Gateway setup I used the Audience GUID of c632b3df-fb67-4d84-bdcf-b95ad541b5c8. And this is working as expected. The only solution that I have found for targeting the Azure VPN Client app is to create a Service Principal using that Audience GUID. This seems like a bit of a hack, so I am posting here to see if there are any other methods that I am missing to target this app when it doesn't appear in my Enterprise Apps list.MacOS platform SSO deployment issues
Hello, We tried to deploy MacOS platform SSO but the devices are having problems with their authentication. The devices are connected through company portal but keep asking for logins and authentication, especially on reboot. Some users are prompted to sign-in to their entra account several times per hour. To Deploy it we used the configuration setting template: Authentication > Extensible Single Sign On (SSO) Settings: Extension Identifier: com.microsoft.CompanyPortalMac.ssoextension Authentication Method: Password Token To User Mapping: Account Name: preferred_username Full Name: name Use Shared Device Keys: Disabled Team Identifier: UBXXXXXX Type: Redirect Has anyone here experienced similar issues or found a fix for these constant re-authentication prompts? Thanks!Broken Account Recovery (discontinued product)
Hello everyone, We have the MSFT Office Family plan which has the now discontinued custom domain support that used to be an option as a "Premium" feature. Back in August we upgraded the phone of one of the account members on the family plan and lost connection to their MS Office account with the only device that was accessing to the account (the phone with access was reset as part of the upgrade/trade in process). I have tried the account recovery form and it simply doesn't work. I have tried to explain to MSFT support that the tool is broken but can't get anywhere. For the account in question we have an Outlook email client (with non working password) that has a cache of all of the email until loss of access occurred. So when I do the account recovery form, I have name, DOB, region, past passwords and data for all fields including sent email Id's and send subjects, But every time the MSFT recovery mechanism says "Unfortunately, we have determined that the information provided was not sufficient...". WTF. Every time I contact MSFT support I get the same answer, an explanation of the point system used to reset the the account. Same steps to recover....based on this, the recovery should work...yet it doesn't. I have tried somewhere 50+ attempts now over the last 9 months. I even have a contact who is VP level at MSFT who sponsored a support ticket internally but that just ended up with the support person sending me a link to the account recovery form and closed the ticket without looking in the details of the ticket. I can't modify / add a new account as MSFT has as a discontinued product no longer allow members to add/change id's. So I'm locked at the current user set. I have created another email address by saving the cached data to OLM file and importing via the Outlook client but that doesn't restore use of the @mydomain.com for that person. I even retained a lawyer who send a demand to MSFT legal...but the email address didn't go anywhere so at the point of needing to do this on headed paper/send via snail mail. Does anyone have any idea how to get through to MSFT explain the recovery tool is broken? I assume there are so few accounts using custom domains pin family plans that they simply don't test this recovery path. At this point without some internal guidance is a) lawyer and force a demand for password reset b) give up, ditch all of the users using the custom domain, configure an alias for all of the accounts and then change my MX record to a company doing email forwarding and then forward to the new/old legacy accounts (i.e. the ones with the mailto:email address removed for privacy reasons).M365 only admin locked out MFA error 53003
I am learning this the hard way....so here it goes. Currently I am locked out of as the only admin on the tenant with error 53003. I was updating some Microsoft MFA default policy settings in Entra and mistakenly deleted the admin user from the exclusions list, and got locked out. Thankfully I have another tenant, not as big the one locked out. Initiated several support tickets for which everyone calls, and despite of subline mentioning the issue says that they have to assign this ticket to Entra. Then the ticket gets updated and noone has been assigned every since. I have initiated severity A support tickets from Azure portal but no one has called in last 24 hours to help. We area business with Business Premium licenses with over 20 users, and now completely locked out. I have looked almost everywhere online. There is no phone number that takes you to a support agent - PLEASE HELP........
Outlook 2016 blank MFA screen for some users
I have a Conditional Access rule so that when someone connects from outside a trusted IP it requires MFA, I have a few users that get the "Requires password" message come up, they get a window and type in their username and click next, then the window disappears without prompting for MFA and it's back to where they were. Same thing if they go to File->Accounts if they are signed out and try to sign in they get asked for Email and then it just closes and they are still signed out. It's not for all users and everyone is using the same Office 365/2016 installation, monthly channel 1903, we use ADFS
