What’s the Best Way to Manage Guest Accounts?
Guest account management should be a part of every Microsoft 365 tenant administrator’s checklist, unless the tenant has no guests. That’s possible but given the way that workloads like Teams and SharePoint Online create new guest accounts, the average tenant is likely to have quite a few guests. The question is how to manage guests – with Microsoft’s tools or using tenant-designed PowerShell scripts? https://office365itpros.com/2025/09/18/guest-account-management/
SSPR for synced account failed — error: OnPremisesUserNotFound
Hello, I’m encountering the following error for all synchronized accounts when attempting to use Self-Service Password Reset (SSPR): Error: OnPremisesUserNotFound Details: Synchronization Engine returned an error hr=80230405, message: "The operation failed because the object cannot be found." Here are some details about the current setup: The Entra ID Connect agent is running without any errors. The service account used for synchronization has the necessary permissions. Password writeback is enabled. All synchronized accounts have a P1 license. SSPR is enabled for all users. Could you please assist me in resolving this issue? Thank you,
Profile photo component adds unwanted overlay
Component https://myaccount.microsoft.com Run command: ms-settings:yourinfo Environment Profile picture uploaded through https://myaccount.microsoft.com Profile picture uploaded through Run command (WIN+R): ms-settings:yourinfo Retrieved via Microsoft Graph SDK / Graph REST API endpoint /v1.0/me/photos/$value Steps to Reproduce Go to https://myaccount.microsoft.com. Upload a new profile picture (no presence, badge, or branding requested). Retrieve the profile picture using Microsoft Graph endpoint: GET https://graph.microsoft.com/v1.0/me/photos/$value Render the image in the client application. Expected Result The raw profile photo is shown exactly as stored—no overlays, rings, badges, or branding. Actual Result The component renders an overlay (e.g., presence badge/ring/branding) on top of the photo, altering the image. Impact Users see altered profile photos, leading to inconsistencies with expectations. Breaks brand/UX design guidelines that rely on unmodified profile images. Severity Medium–High (affects identity consistency across apps using Graph). Notes This happens even though no overlay option was requested in either the upload or retrieval flow. Alternative: Steps to Reproduce and working as expected Run command (WIN+R): ms-settings:yourinfo Upload a new profile picture (no presence, badge, or branding requested). Retrieve the profile picture using Microsoft Graph endpoint: GET https://graph.microsoft.com/v1.0/me/photos/$value Render the image in the client application. Expected Result The raw profile photo is shown exactly as stored—no overlays, rings, badges, or branding. Actual Result The raw profile photo is shown exactly as stored—no overlays, rings, badges, or branding.
My Azure login is stuck at MFA and cannot proceed
In August, I was still able to log in to Azure, and by logging in through GitHub I could bypass 2FA. But now, no matter how I try, logging in via GitHub always requires 2FA. I can’t access my Azure account anymore—nothing works. The system prompts me to use Microsoft Authenticator to confirm a two-digit code in real time. My Microsoft Authenticator on my iPhone is logged into the same Microsoft account, but I’m not receiving any verification requests for Azure login. No matter how much I refresh, nothing shows up. I’ve already updated the Microsoft Authenticator app to the latest version from the App Store. However, my personal Microsoft account works fine and can log in without any issues.Automating Microsoft 365 with PowerShell Second Edition
The Office 365 for IT Pros team are thrilled to announce the availability of Automating Microsoft 365 with PowerShell (2nd edition). This completely revised 350-page book delivers the most comprehensive coverage of how to use Microsoft Graph APIs and the Microsoft Graph PowerShell SDK with Microsoft 365 workloads (Entra ID, Exchange Online, SharePoint Online, Teams, Planner, and more). Existing subscribers can download the second edition now free of charge. https://office365itpros.com/2025/06/30/automating-microsoft-365-with-powershell2/TAP Question
Hi All I hope you are well. Anyway, I'm looking for some clarification over Temporary Access Passes (TAP) as our testing seems to reveal some different results from those listed in the MS documentation. Here's the scenario's. My understanding: Require MFA policy deployed via Conditional Access New user F3 user starts Issue TAP to user where they can then setup MFA themselves via My Security Info etc Testing results: Require MFA policy deployed via Conditional Access New user F3 user starts User can setup MFA themselves via MS Auth app on a mobile device or via My Security Info in a browser MS TAP Info page: "The most common use for a TAP is for a user to register authentication details during the first sign-in or device setup, without the need to complete extra security prompts." Ref: Configure a Temporary Access Pass in Microsoft Entra ID to register passwordless authentication methods - Microsoft Entra ID | Microsoft Learn Have I missed understood something here and if a new user can indeed still setup MFA is there any real need for a TAP for first time user? Info appreciated. SKReporting Authentication Method Usage Data via the Graph
Three new Graph API resources provide easy access to Entra ID authentication method summary usage data. The information is helpful to understand the type of sign-ins that happen, and the authentication methods used by user connections. The article includes a script based on the MFA sign-in summary to highlight non-MFA connections and the apps users connect to. https://office365itpros.com/2025/08/21/authentication-methods-graph/
Microsoft Places Analytics - Missing data
Hi! I'm looking to hear if anyone has succesfully configured Microsoft Places Analytics according to the guidelines here: https://learn.microsoft.com/en-us/microsoft-365/places/places-analytics I've reached out to Microsoft Support several months ago regarding this but the case has not progressed at all unfortunately when it comes to actually reaching a solution. I'm struggling to get enough data to show even though the following is OK: All buildings have analytics enabled The name of the building matches the attribute "Office Location" in Entra ID. A mail-enabled security group is used for assigning permissions to Places Analytics (as-per the requirements). All users of the above group have Teams Premium I'm mostly focusing on the building analytics here since that one is most interesting for us. Example of charts with missing or incomplete data: The above one shows nothing even though it should be fetched from the work location in conjuction with the leader's organisation data. In the above chart it's succesfully mapping the headcount of the number of people that have set their work plan with a chosen building, however it's completely ignoring the "remote" parts. Also ignoring the people that have no work plan set but do have the same Office location as the building name - which it should fetch from according to the "?" button: It's even more clear further down in the same "?": In my case it's ONLY showing the ones with a work plan set and with the actual building in question set. It's the same type of issue for most of the data but I believe that solving it on one end will solve the rest. So I'm really hoping there's someone else out there that has succesfully configured Places Analytics and might shed some light on what my configuration might be missing. Thanks!Issuing Custom Claims Using Directory Extension Attributes in Microsoft Entra ID
Overview In some scenarios, organizations may need to pass custom data about users like internal identifiers or sponsorship info to applications during SSO. Microsoft Entra ID supports this using directory extension attributes, which can be registered and referenced in claims. This blog outlines how to register and use custom directory extension attributes in an Enterprise Application and configure them to issue claims conditionally based on group membership. Step 1: Register Directory Extension Attributes Use Graph Explorer to register two custom attributes, for example sponsorid1 and sponsorid2, in the target application. Send a POST request to: POST https://graph.microsoft.com/v1.0/applications/{AppObjectId}/extensionProperties Request body example: { "name": "sponsorid1", "dataType": "String", "targetObjects": ["User"] } Repeat the process for sponsorid2. After registration, the system will return the full attribute names in this format: extension_<AppClientID>_sponsorid1 extension_<AppClientID>_sponsorid2 Note these exact names for future use. Step 2: Assign Extension Attributes to Users Use Graph Explorer again to PATCH user objects and assign values to these extension attributes. Request URL: PATCH https://graph.microsoft.com/v1.0/users/{UserObjectId} Request body: { "extension_<AppClientID>_sponsorid1": "ABC123" } Repeat this for each user, assigning the corresponding attribute (sponsorid1 or sponsorid2). Step 3: Create Claims in Enterprise Application Navigate to Entra ID > Enterprise Applications > [App Name] > Single Sign-On > Attributes & Claims. 1. Click Add new claim 2. Provide a name (e.g., sponsorClaim1) 3. Under Claim conditions, select Member and choose the group that should receive the claim 4. In the source attribute, use the directory extension attribute name (e.g., extension_<AppClientID>_sponsorid1) Repeat for the second group and attribute. Step 4: Handle Claim Mapping Error If you see the error "Application requires custom signing key to customize claims" You can temporarily bypass this by updating the app registration manifest: "acceptMappedClaims": true This allows claims customization without custom signing keys. Step 5: Test the Configuration Call the application using https://login.microsoftonline.com/(Tenant ID)/oauth2/v2.0/authorize?client_id=(Client ID) &response_type=id_token&redirect_uri=https://jwt.ms&scope=openid&state=12345&nonce=12345 and sign in with users who belong to the defined groups. You should see the expected custom claims (sponsorid1 or sponsorid2) issued in the SAML or OIDC token in https://jwt.ms. Users not in any of the groups will not receive any sponsor claim. Conclusion Directory extension attributes are a powerful way to issue dynamic claims in Microsoft Entra ID. By combining them with conditional claim issuance based on group membership, you can tailor your application's SSO experience to meet specific business logic.How Microsoft Graph PowerShell SDK Access Tokens Work
If you use the Microsoft Graph PowerShell SDK, you don’t need to worry about obtaining an access token because SDK cmdlets include automatic token management. Although you don’t need to know the details of the access token used in an SDK session, it’s possible to find and examine its contents, and even use the token with a Graph request. Knowing the details of the access token is something that you’ll probably never need in practice, but good to know none the same. https://office365itpros.com/2025/08/04/access-token-graph-sdk/
