Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub
The salt sizes required for signing with RSAPSS do not match those used by TPM.
Good evening everyone. I'm getting this error when I try to perform the first sync on my Windows Server 2022. I'm trying to sync the entire directory to manage my employees' licenses. I already have a tenant with users who can stay there without any problems. I had already synced the tenant with my old server in the past. For business reasons, the infrastructure has changed, and so has the server. In Entra ID, I don't see any old syncs, but in Admin Center, I do. Could this be the problem? Any advice is invaluable, as I'm at my wits' end.
User Identities in EntraID - how to remove?
I have a user that shows up with multiple identities. No other users are like this and we believe its stopping him from logging in with his alias email address. When i run get-entrauser it returns the following under Identities: {@{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} Every other account just has this @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} How would i go about removing those identies from that user? Struggling to find any info online.
Cross-tenant synchronization and resource access
Hello My company is investigating options pertaining to the separation of a splitting a set of users into a separate Entra ID tenant. This is being driven from a political and governance perspective whereby a portion of the organisation is looking to split away from the conglomerate for their cloud identifies only (not the on-premises AD). They effectively want their users and Entra ID identities to be moved to a new Entra ID tenant however still want to maintain access to the source tenant resources and applications for a period of time (potentially ongoing). For the purpose of my questions, assume that: existing on-premises domain is orga.internal existing EntraID tenant is OrgA.onmicrosoft.com new EntraID tenant is OrgB.onmicrosoft.com Ultimately the goal is to migrate user identities, their M365 license and mailbox to OrgB.onmicrosoft.com whilst still enabling them to access the cloud resources attached to OrgA.onmicrosoft.com. Looking at the capabilities of the cross-tenant synchronisation service to sync users from OrgA.onmicrosoft.com to OrgB.onmicrosoft.com, I'm not sure if this will meet my requirements as it will effectively sync the users from OrgA.onmicrosoft.com to OrgB.onmicrosoft.com as B2B guests. Is that correct? If my understanding is correct what we really need to do is: Migrate EntraId identities and mailboxes to OrgB.onmicrosoft.com, removing the OrgA.onmicrosoft.com account in the process Use cross-tenant synchronisation to sync the new OrgB.onmicrosoft.com identities back to OrgA.onmicrosoft.com as B2B guests whereby access to resources is provided to the guest account. If this is correct then is it technically supported to have multiple instances of Entra ID Cloud Sync synchronsing a subset of the orga.internal users to Entra ID OrgB.onmicrosoft.com whilst another instance of the Cloud Sync continues to sync orga.internal users to the existing OrgA.onmicrosoft.com EntraID tenant? I can't seem to find any reference to this architecture in the MS doco. I can see this scenario references in the legacy Cloud Connect doco but not the newer Cloud Sync agent doco. Any advise is appreciated.
Azure AD DS custom attributes sync
Hello everyone, I make this post to ask if you know if there is the possibility to synchronize Azure AD custom attributes over to Azure AD Domain Services. I could not find any documentation about this, plus I see inside Azure AD DS an OU named ADDSSyncCustomAttributes. Could it may be a reference for the question I am asking? Thanks everyone!Entra ID Connect Sync - Issue Updating the SQL 2019 Local DB
Hello, Does anyone know how to patch/update the SQL Server 2019 LocalDB utilised by Microsoft AD Connect / Entra Connect? We have identified vulnerabilities on the version of SQL 2019 LocalDB used by Microsoft Entra Connect. The trace file in C:\ProgramData\AADConnect shows the following version: Package=Microsoft SQL Server 2019 LocalDB , version=15.0.4138.2 (CU11) We are attempting to update this local database to version 15.0.4415.2 (CU30), using the following package: https://www.microsoft.com/en-us/download/details.aspx?id=100809 However, when we run the package it cannot identify the SQL Server 2019 LocalDB server instance. There is a message stating: "The version of SQL Server instance Shared Component does not match the version expected by the SQL Server update. The installed SQL Server product version is 11.4.7001.0, and the expected SQL Server version is 15.0.2000.5" The version it references is SQL Server 2012, however the logs show the database as SQL 2019 and the database instance name within the Entra Connect / AD Connect agent includes 2019. I have attempted leaving the service running, manually starting the database instance, running as admin, and running the package via command prompt targeting the instance. Any insight would be greatly appreciated. Many thanks.
Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.
Cloud only Entra ID Domain Services and Seamless SSO from Entra ID Joined machines
Hello I am currently implementing Entra ID Domain Services with one customer (he has no on-premises active directory). We now face the issue that an Entra ID joined client is not able to access ressources on machines that are joined to Entra ID Domain Services without entering his username and password. The authentication fails with incorrect username and password (event id 200) message and the Security-Kerberos eventlog reports that it was not able to contact a domain controller for the AzureAd Domain (so he is not using the Domain name of the target domain). However has someone already tried this and is there something I am overlooking or is that something that simply can not work. Thank you very much in advance for any ideas.
User and Permissions Management Issues in Microsoft Entra ID (Assigned Roles)
Hello everyone, I’m encountering some challenges with user and permission management in Microsoft Entra ID. Here are the main issues I'm facing: Revoking Local Administrator Permissions: After removing a user from the Local Device Administrator group in Microsoft Entra, the device continues to recognize the user as an administrator, even after multiple synchronization attempts. What’s the recommended procedure to force a permissions update on the associated devices? Device Join Issue via PowerShell: I'm trying to join a device to Microsoft Entra ID using PowerShell with the command dsregcmd /join to force a policy update, but I'm encountering the following error: Error 0x80041326: "Failed to schedule Join Task. Error: 0x80041326." Does anyone know how to resolve this issue or have suggestions for an alternative approach to join the device or enforce the policy? I’ve checked permissions and task scheduling services, but the problem persists. Has anyone experienced similar issues or have suggestions on how to address these challenges? Any advice would be greatly appreciated! Thanks so much in advance!No Application acces policy found fpr graph API in MS Teams Virtual Integration
Hello , I’ve encountered an issue while integrating Microsoft Teams Virtual Events using Microsoft Graph API and would appreciate any guidance on how to resolve it. Here’s the setup: I have registered an application in Microsoft Entra ID. The app is granted application-level permissions: 1. VirtualEvent.Read.All 2. VirtualEventRegistration-Anon.ReadWrite.All I’ve set up an OAuth flow for users to authenticate with their Microsoft accounts and approve these permissions. After authentication, the user is redirected back to our app, where we fetch an application access token. The issue: We receive an access token successfully. The Entra ID dashboard shows that the app has the required permissions. However, when using the Graph API to access virtual events (Teams webinars), I receive the following error: GET: https://graph.microsoft.com/beta/solutions/virtualEvents/webinars/:id Response: { "error": { "code": "General", "message": "No application access policy found for the app (707b5896-7828-4010-834e-74d3201a3137) on the user (7f27a9fb-af1a-4d36-a102-3a9591e6aaf9).", "innerError": { "request-id": "00af9b4e-043c-4f93-8a02-a5ee14e7d29c", "date": "2024-10-02T09:10:26", "client-request-id": "00af9b4e-043c-4f93-8a02-a5ee14e7d29c" } } } My question: What does this error mean? Could this issue be related to any additional application access policies that need to be set up for Microsoft Teams or Exchange? How should I go about troubleshooting or resolving this issue? Any help or pointers would be much appreciated! Thank you!
