azure ad
543 Topics

Using Graph Delta Queries with Entra ID Groups

Delta queries are a Microsoft Graph mechanism that allows applications to query resources to find objects that have changed since a baseline was established. The technique is most useful for applications that need to synchronize a local store with online content. It's not an appropriate method to use for reporting changes to Entra ID groups because knowing that an object changed doesn't mean much by itself.
https://office365itpros.com/2026/06/25/graph-delta-queries-entra-id-groups/

Moving Office 365 Mailboxes to IMAP Servers - What's the Best Approach

I've recently been looking into scenarios where organizations need to move mailboxes from Microsoft 365 to IMAP-based email servers, and I noticed this is still a common requirement in many migrations. In most cases, the challenge is not just moving emails, but making sure everything like folder structure, old emails, and user data stays intact without creating too much disruption for users. From what I've seen, doing this manually can get very complex, especially when there are multiple mailboxes or large data volumes involved. That's where migration tools usually come into the picture. Most tools simplify things by handling:
1. Secure connection to Microsoft 365 accounts
2. Bulk mailbox migration
3. Preserving folder hierarchy
4. Reducing downtime during the move
5. Avoiding duplicate data issues
One thing I've noticed is that running a small pilot migration first always helps. It gives a clear idea of how the actual migration will behave before moving all users. Has anyone here worked on Office 365 to IMAP migration at scale? Would be good to know what approaches or tools worked best in your case and what challenges you faced during the process.

Entra ID Tightens Conditional Access Processing for Baseline Scopes

Microsoft is closing a gap in conditional access policies where apps that only request baseline scopes with at least one exclusion are not processed. The rollout has already started and should be finished by mid-August. For most tenants, the change shouldn't be an issue, but it is possible that some apps are in use that fit the profile and cannot handle conditional access. If MC1223829 appeared in your tenant, it's time to check.
https://office365itpros.com/2026/06/19/baseline-scopes-ca/

Microsoft Tightens Security for Self-Service Password Reset

Microsoft plans to improve the security of the Self-Service Password Reset (SSPR) facility in September 2026 by requiring users to register at least one authentication method. SSPR will then use the registered authentication method to verify user accounts when changing passwords. The change aligns SSPR with user sign-ins and improves security by removing fallback on directory attributes, which might be altered by attackers.
https://office365itpros.com/2026/06/17/sspr-authentication-methods/

Microsoft Launches Container Management Support for Security Groups

A recent blog from Microsoft Digital (the Microsoft IT department) discusses the preview implementation of container management labels for security groups. The implementation is limited because it encompasses just one control: the ability to have guest accounts in the membership of security groups. However, just that limited control is sufficient to stop unintended access to sensitive information by guest accounts, and that's a very good thing.
https://office365itpros.com/2026/06/03/security-groups-labels/

Web-signin 3rd party IDP not working

We have a working Entra ID SAML federation to a third-party IdP that uses FIDO2/WebAuthn (IdP as Relying Party) for browser sign-in, and we are trying to use the same federation through Windows Web sign-in on an Entra-joined Windows 11 device, but the IdP page loads blank in the WebView and Microsoft-Windows-WebAuthN/Operational records zero events, while the same security key works fine for FIDO2 sign-in with login.microsoft.com as RP on the same device.
Questions:
- Is WebAuthn brokering to third-party Relying Parties inside the Web sign-in WebView supported?
- If not, is it on the roadmap?
- What is the supported architectural path for delivering passwordless Windows sign-in using a federated IdP's own FIDO2/WebAuthn credentials, given Graph API passkey provisioning is Beta-only?

How to target Azure VPN (Microsoft-Registered) app with Conditional Access Policies?

I have an Azure Point-to-Site VPN Gateway configured using the Microsoft-registered Azure VPN Client App ID (Audience value: c632b3df-fb67-4d84-bdcf-b95ad541b5c8). Everything is working correctly for our users. The issue I am having is that anyone with an Entra account can connect to the VPN and I want to restrict this with a blocking Conditional Access policy. I do not want to create a custom app registration, because then I will have to change the 'audience' value on the app gateway and all users will need to modify their VPN clients. The problem is I need to target the Microsoft-registered Azure VPN app in a Conditional Access policy but it does not appear in my Enterprise Applications list or in the CA app picker when searching.
My questions:
Why does the Microsoft-registered app not automatically create a service principal in my tenant the way other Microsoft apps do?
Is there a supported way to make it appear in the CA app picker without creating a custom app registration or changing the gateway Audience value?
Has anyone successfully targeted c632b3df-fb67-4d84-bdcf-b95ad541b5c8 in a CA policy while keeping it as the gateway Audience value?
Thanks for the assistance here

Non profit business standard users join PCs to Active directory

Hi, I have waded through masses of online stuff and can't get a clear answer to this. It is driving me insane! We have about 10 users on nonprofit Business Standard, all running Win 10 or Win 11 Pro. I need to allow different users to share a PC, but have user-restricted access to Microsoft 365 online data (SharePoint, web apps, etc.). Most older machines are domain-aware, as in you log in with the domain account; they work fine. Newer machines cannot, and all have only local accounts but have stored credentials for the main user for SharePoint etc. That is a problem when a PC is shared, as someone may have logged in locally but they have left credentials for SharePoint, allowing access to privileged info. If I upgrade one of the licenses to Business Premium, would that enable me (with admin privs) to join existing and yet-to-be-bought PCs to the domain, or would I need a Premium license for each user? We don't need the higher-up functionality such as Intune as far as I know, just the ability for fred_AT_ourcharity.com to share a PC sensibly with bill_AT_ourcharity.com

Entra and Microsoft 365 Could Improve License Reporting

License insights is a new feature in the Entra admin center. The Microsoft 365 admin center also shows some license insights in a dashboard card. The two views don't line up. This isn't very surprising because different teams generated the information, but it would sure be nice if Microsoft delivered comprehensive license reporting for Microsoft 365 tenants, including the Entra premium licenses.
https://office365itpros.com/2026/04/24/license-insights/

Writing PowerShell for the Eventually Consistent Entra ID Database

Entra ID uses an eventually consistent multi-region database architecture. PowerShell code that fetches and updates Entra ID objects needs to interact with the database in the most efficient manner. This article illustrates some guidance from Microsoft engineering with examples from the Microsoft Graph PowerShell SDK. I'm sure your scripts already use these techniques, but if not, we have some helpful pointers.
https://office365itpros.com/2026/04/13/eventually-consistent-entra-id/
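The delta-query mechanism described in the "Using Graph Delta Queries with Entra ID Groups" post above, as an added example that is not code from that post or from office365itpros.com. It walks the groups delta endpoint with Invoke-MgGraphRequest, follows nextLink pages, keeps the deltaLink for the next run, and normalises each page into "what changed" records. The live loop assumes the Microsoft Graph PowerShell SDK and an existing Connect-MgGraph session with Group.Read.All; the sample page at the bottom is constructed data (not a real tenant) so the parser can be exercised offline. Note what the records contain: group ids, member ids, and removed flags, but no actor and no timestamp, which is the limitation the post points at.

```powershell
# Added example: delta tracking for Entra ID groups via Microsoft Graph.
# Assumes: Microsoft.Graph SDK installed and Connect-MgGraph -Scopes Group.Read.All done.

function Read-GroupDeltaPage {
    # Turns one delta page into flat change records. A group that was deleted carries
    # "@removed"; membership changes arrive in "members@delta", removals flagged likewise.
    param([Parameter(Mandatory)] $Page)
    foreach ($g in $Page.value) {
        $memberDelta = @($g.'members@delta')
        [pscustomobject]@{
            Id             = $g.id
            Name           = $g.displayName
            Deleted        = [bool]$g.'@removed'
            MembersAdded   = @($memberDelta | Where-Object { -not $_.'@removed' } | ForEach-Object id)
            MembersRemoved = @($memberDelta | Where-Object { $_.'@removed' } | ForEach-Object id)
        }
    }
}

function Get-GroupDeltaChanges {
    # First run (no $DeltaLink): full baseline of all groups. Later runs: only changes since
    # the baseline. Persist the returned DeltaLink between runs (file, blob, secret store).
    param([string] $DeltaLink)
    $uri = if ($DeltaLink) { $DeltaLink } else {
        'https://graph.microsoft.com/v1.0/groups/delta?$select=displayName,members'
    }
    $changes = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $changes += Read-GroupDeltaPage -Page $page
        $uri = $page.'@odata.nextLink'      # more pages of the same round
    } while ($uri)
    [pscustomobject]@{
        Changes   = $changes
        DeltaLink = $page.'@odata.deltaLink' # replay point for the next round
    }
}

# Constructed sample page (not tenant data) in the shape Graph returns, so the parser
# can be tried without a connection.
$samplePage = @'
{
  "value": [
    { "id": "00000000-0000-0000-0000-000000000001", "displayName": "Sales",
      "members@delta": [
        { "id": "00000000-0000-0000-0000-00000000aaaa" },
        { "id": "00000000-0000-0000-0000-00000000bbbb", "@removed": { "reason": "deleted" } }
      ] },
    { "id": "00000000-0000-0000-0000-000000000002", "@removed": { "reason": "deleted" } }
  ],
  "@odata.deltaLink": "https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=EXAMPLE"
}
'@ | ConvertFrom-Json

Read-GroupDeltaPage -Page $samplePage | Format-List

# Live usage (requires a Graph session):
# $round1 = Get-GroupDeltaChanges                         # baseline
# $round2 = Get-GroupDeltaChanges -DeltaLink $round1.DeltaLink   # only changes since baseline
```

If you need who made a change and when, the delta payload cannot tell you; that has to come from the Entra ID audit log, which is a separate source from this synchronization mechanism.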
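For the "How to target Azure VPN (Microsoft-Registered) app with Conditional Access Policies?" question above, an added example that is not part of that thread. It shows the generic Entra ID mechanism for making a multi-tenant (including Microsoft first-party) application selectable in the tenant: look up its service principal by appId and, if none exists, instantiate one with New-MgServicePrincipal, which does not change the app registration or the gateway audience value. It assumes the Microsoft Graph PowerShell SDK and a session with Application.ReadWrite.All; whether this particular first-party app ID can be instantiated this way, and whether the resulting service principal then appears in the Conditional Access picker, is an assumption to confirm in a test tenant rather than something the thread establishes.

```powershell
# Added example: ensure a service principal exists for a first-party app so that it
# can be referenced by Conditional Access. Assumes Connect-MgGraph -Scopes Application.ReadWrite.All.

function Ensure-ServicePrincipal {
    param([Parameter(Mandatory)][string] $AppId)
    # Service principals are the tenant-local instance of an app; the picker and
    # policy evaluation work against this object, not against the global app registration.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) {
        # Instantiates the (multi-tenant) application in this tenant. The app ID and the
        # audience value used by the gateway and the VPN clients stay exactly as they are.
        $sp = New-MgServicePrincipal -AppId $AppId
    }
    return $sp
}

$vpnAppId = 'c632b3df-fb67-4d84-bdcf-b95ad541b5c8'   # app ID quoted in the question
$sp = Ensure-ServicePrincipal -AppId $vpnAppId
$sp | Select-Object Id, AppId, DisplayName

# Optional, independent of Conditional Access: require assignment so only users or
# groups assigned to the service principal can obtain a token for this audience at all.
# Assumption: the gateway's token request is subject to this setting like any other
# first-party app; verify with a non-assigned test account before relying on it.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
```

Once the service principal exists, a Conditional Access policy can target it as a cloud app; assignment-required is a useful second control because it fails closed even if a policy is later misconfigured or excluded.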
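The eventual-consistency guidance summarised in the "Writing PowerShell for the Eventually Consistent Entra ID Database" post above, as an added example that is not the article's own code. It shows two habits that matter against a replicated directory: push filtering to the server with an advanced query (ConsistencyLevel eventual plus a count), and never assume a write is immediately visible to the next read, so a read-after-write is done with bounded backoff and the script degrades explicitly when the replica is still behind. It assumes the Microsoft Graph PowerShell SDK, a Connect-MgGraph session with User.ReadWrite.All, and that the user principal name in $targetUpn (an assumption) exists.

```powershell
# Added example: reading and writing Entra ID objects with replication lag in mind.
# Assumes Connect-MgGraph -Scopes User.ReadWrite.All has been run.

function Find-UsersByDepartment {
    # Advanced query: server-side filter with $count. Graph requires the
    # ConsistencyLevel=eventual header for this, which the SDK sets via -ConsistencyLevel.
    # Doing the filter client-side would pull every user across the tenant instead.
    param([Parameter(Mandatory)][string] $Department)
    Get-MgUser -Filter "department eq '$Department'" `
               -ConsistencyLevel eventual -CountVariable total -All `
               -Property Id, UserPrincipalName, Department
}

function Wait-ForPropertyValue {
    # Read-after-write with exponential backoff. The replica serving the read may not
    # have applied the update yet; retrying a handful of times with growing delays is
    # cheaper and more reliable than a tight loop or a fixed long sleep.
    param(
        [Parameter(Mandatory)][string] $UserId,
        [Parameter(Mandatory)][string] $Property,
        [Parameter(Mandatory)][string] $Expected,
        [int] $MaxAttempts = 6
    )
    for ($attempt = 0; $attempt -lt $MaxAttempts; $attempt++) {
        $u = Get-MgUser -UserId $UserId -Property $Property
        if ($u.$Property -eq $Expected) { return $true }
        Start-Sleep -Seconds ([math]::Pow(2, $attempt))   # 1, 2, 4, 8, 16, 32 seconds
    }
    return $false
}

$targetUpn = 'user@contoso.example'   # assumption: replace with a real UPN
$user = Get-MgUser -UserId $targetUpn -Property Id

Update-MgUser -UserId $user.Id -Department 'Security'

# Only read back if a later step actually depends on the new value; otherwise skip the read.
if (-not (Wait-ForPropertyValue -UserId $user.Id -Property Department -Expected 'Security')) {
    Write-Warning "Update to $targetUpn not yet visible after retries; re-check before acting on it"
}

Find-UsersByDepartment -Department 'Security' | Format-Table UserPrincipalName, Department
Write-Host "Matching users (server-side count): $total"
```

The same pattern applies to group membership changes and role assignments: write, then either do not read back at all, or read back with backoff and treat "not yet visible" as a normal outcome rather than an error.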