azure active directory (aad)
1561 Topics

How to exclude security group members using dynamic query
Hi, I'm trying to build a dynamic query for a security group and want to exclude members of a certain group in this. Example: Let's say there's a security group A and I'm building a new security group B and I want to exclude members of group A from being added to this group B. I'm struggling to find the right query for this. Any ideas?

13 Views, 0 likes, 1 Comment

Reset guest redemption status not possible after creating Multitenant Organization (MTO)
Hi all, we're on the path to creating a Multitenant Organization (MTO) for our global organization. We already have a relationship with one partner tenant which has B2B Collaboration and B2B Direct Connect set up and is working well. We took the step of creating a Multitenant Organization in our 365 admin center and started testing with a sandbox tenant, which has since been removed.

The issue we are having now is that guest users which are not part of B2B Collaboration or an MTO cannot have their redemption status reset. I first found this wasn't possible from the error in a Power Automate workflow using Microsoft Graph, then confirmed I got the same error in Entra ID. The documentation for MTO was updated a few days ago and includes this, saying that as part of a multitenant organization, reset redemption for an already redeemed B2B user is currently disabled. But should this be the case for guest users not part of B2B Collaboration or Multitenant? Is this an error or expected behaviour, I wonder? Thanks!

1.4K Views, 2 likes, 3 Comments

Dynamic groups filter based on custom extension not working
Hi, I'm having some issues with Azure-AD dynamic Groups. Our AAD is synced with our local AD. When I query a user in the Graph API I can see the following attribute listed:

"extension_6d7943a8c26d4ce980cef807cd2aefc1_title": "Consultant",
"extension_6d7943a8c26d4ce980cef807cd2aefc1_afdelingMV": "#Collection(String)",
"extension_6d7943a8c26d4ce980cef807cd2aefc1_afdelingMV": [ "Department_a" ]

My goal is to create a dynamic group with users from "Department_a" but not with the _title "Consultant". So to start, I created this Dynamic rule:

(user.extension_6d7943a8c26d4ce980cef807cd2aefc1_afdelingMV -contains "Department_a") and (user.extension_6d7943a8c26d4ce980cef807cd2aefc1_title -ne "Consultant")

I used the -contains operator because the data type is a collection (string) according to the Graph API. Using the query listed, the group remains empty, so that's not working. I tried removing the title filter, so only add all Department_a members, still no members, so the issue appears to be caused by the afdelingMV filter. I tried a lot of variations, using the (_ in "Department_a") and -equals "Department_a", all without luck. It would be great if someone can help me and tell me what I'm doing wrong!

Solved
2.8K Views, 0 likes, 3 Comments

Entra ID Connect Sync - Issue Updating the SQL 2019 Local DB
Hello, Does anyone know how to patch/update the SQL Server 2019 LocalDB utilised by Microsoft AD Connect / Entra Connect? We have identified vulnerabilities on the version of SQL 2019 LocalDB used by Microsoft Entra Connect. The trace file in C:\ProgramData\AADConnect shows the following version:

Package=Microsoft SQL Server 2019 LocalDB , version=15.0.4138.2 (CU11)

We are attempting to update this local database to version 15.0.4415.2 (CU30), using the following package: https://www.microsoft.com/en-us/download/details.aspx?id=100809

However, when we run the package it cannot identify the SQL Server 2019 LocalDB server instance. There is a message stating:

"The version of SQL Server instance Shared Component does not match the version expected by the SQL Server update. The installed SQL Server product version is 11.4.7001.0, and the expected SQL Server version is 15.0.2000.5"

The version it references is SQL Server 2012, however the logs show the database as SQL 2019 and the database instance name within the Entra Connect / AD Connect agent includes 2019. I have attempted leaving the service running, manually starting the database instance, running as admin, and running the package via command prompt targeting the instance. Any insight would be greatly appreciated. Many thanks.

107 Views, 0 likes, 1 Comment

Security Info blocked by conditional access
Hello, We have a conditional access policy in place where a specific group can only access Microsoft 365 (deny all apps, except Office 365). The moment a user clicks on Security Info in My Account, the user is blocked by this policy. I can't find a way to exclude the app "My Signins" (AppId 19db86c3-b2b9-44cc-b339-36da233a3be2). Since MFA is forced for this group, they can't change their authenticator app registration. Is there a solution for this? Initial MFA setup works by the way.

UPDATE Jan 23, 2025: I contacted Microsoft support and this was their answer (in short):

"MySignin is a very sensitive resource that is not available in the picker and cannot be excluded in the conditional access policy. Also, the application is calling Microsoft Graph. I understand that this is not the information you are looking to hear at this time, I would have loved to help but the application cannot be excluded from the policy."

4.9K Views, 2 likes, 14 Comments

Disabling Directory Sync for Hybrid - Overthinking?
Hi all, I am at the finish line for decommissioning On-Prem AD and moving from our Hybrid environment to managing our identities in Entra. About to cut off the Directory Sync. Weirdly couldn't find a concrete answer on this question online, but I might just be overthinking this.

**Devices are Entra enrolled + Intune Managed, NOT Domain Joined.**

User profiles that originate from On-Prem AD on the endpoints still show as DOMAIN\username. User profiles that originate from Cloud on the endpoints show as AzureAD\email address removed for privacy reasons.

What happens to these On-Prem User Profiles when we disable Directory Sync? Do they change over auto-magically to "AzureAD\email address removed for privacy reasons" on the endpoints? Am I missing something here? Thanks in advance.

44 Views, 0 likes, 2 Comments

Entra ID expressions for attribute mapping
Hi All, we have the following requirement. If [StatusEndEmploymentDate] is null, or if it's greater than today's date and the city value is present, the user should move to the respective OU. If [StatusEndEmploymentDate] is less than today's date, then the user should move to the staging OU. We have tried the following query but there is no luck. Need your help to achieve the requirement.

Switch([StatusEndEmploymentDate],Switch([City],"OU=Users,DC=abc,DC=com", "Amsterdam", "OU=Users,OU=Amsterdam,DC=abc,DC=com", "Antwerp", "OU=Users,OU=Antwerp,DC=abc,DC=com", "Bengaluru", "OU=Users,OU=Bengaluru,DC=abc,DC=com", "Copenhagen", "OU=Users,OU=Copenhagen,DC=abc,DC=com"),IIF(DateDiff("d", Now(), [StatusEndEmploymentDate])>"-1",Switch([City],"OU=Users,OU=IAM,DC=abc,DC=com","Amsterdam","OU=Users,OU=Amsterdam,DC=abc,DC=com","Antwerp","OU=Users,OU=Antwerp,DC=abc,DC=com","Bengaluru","OU=Users,OU=Bengaluru,DC=abc,DC=com","Copenhagen"))

38 Views, 0 likes, 1 Comment

Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users.

Desired authentication method:

The current method is as follows:

Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.

69 Views, 0 likes, 1 Comment

Generating proxyaddresses during user provisioning
Hi All, we have a requirement to generate alias email addresses during user provisioning. We tried to use the selectunique function in the proxyaddresses generation and mapping to AD proxyaddresses, but we are not able to achieve it. Can you please help? Thanks, shashidhar joliholi

76 Views, 1 like, 3 Comments

Entra hybrid join issue caused maybe by 2 M365 accounts
Hello to everyone, one of my colleagues had 2 Microsoft 365 accounts on his notebook when we tried to do the procedure to hybrid join his device; I suppose the other account gave us problems in the procedure. Now there is only one account, even if I can see in the event log, in the AAD log, that there is an error and 2 warnings bound to the old account. However, I tried to repeat the procedure but without any luck. What I see that is different from the other devices, if I run the command dsregcmd /status, is in these 2 lines:

DisplayNameUpdated : YES
OsVersionUpdated : YES

while on other devices I see:

DisplayNameUpdated : Managed by MDM
OsVersionUpdated : Managed by MDM

We all have a Microsoft 365 Business subscription, and the configuration and steps for the other devices were:

- We have all devices with Entra registered user; we started with this when we had only the Microsoft 365 Basic subscription
- We enrolled all devices, with group policy, in MDE when we upgraded to the Business
- Installed the Azure AD Connect
- Users sync
- Devices sync

So, in the Entra portal we first have only the entry for registered, then when we synced the devices we have a second entry with hybrid registered, and finally only one entry with the Owner, MDM and Settings fields filled with correct data. For example, when I hybrid join a device, initially in the row I see MDE as MDM, then when the hybrid and registered entries compose one row I see Intune in that field. For the device that gives us problems, I see a row like this in Entra portal while in Intune

Any help is greatly appreciated.

91 Views, 0 likes, 1 Comment