Entra Risky Users Custom Role
My customer implemented unified RBAC (Defender Portal) and removed the Entra Security Operator role. They lost the ability to manage Risky Users in Entra. Two options explored by the customer - Protected Identity Administrator role (licensing unclear) or create a custom role with microsoft.directory/identityProtection/riskyUsers/update, which they couldn't find under custom role. Do you know if there are other options to manage Risky Users without using the Security Operator role?
Dynamic group membership rules stopped working
We've been using the following the following dynamic membership rule to check if a user is a member of another group: user.memberOf -any (group.objectId -in ['2b930be6-f46a-4a70-b1b5-3e4e0c483fbf']) The group is an Active Directory group that is represented in Entra with the stated Entra group object Id. The validation fails for every user and looks like this: It seems that all out dynamic groups are affected and stopped working. Have you seen this before? Thanks.
👉 Microsoft Entra in Action: From Conditional Access to Identity Protection
One of the areas I’m most passionate about is identity-driven security. Microsoft Entra makes it possible to apply Zero Trust principles directly at the identity layer. ⚡ Conditional Access – the backbone of modern access policies. 👤 Privileged Identity Management (PIM) – ensuring just-in-time, least privilege for admins. 🛡️ Identity Protection – risk-based policies to stop compromised sign-ins in real time. In my labs, I’ve seen how these features transform security posture without adding friction for users. Coming soon: - Step-by-step breakdown of a risky user detection scenario. - A visual guide to Conditional Access controls for critical apps. Would love to exchange insights with others experimenting in this space — what Entra features are you finding most impactful? #MicrosoftEntra | #ConditionalAccess | #IdentityProtection | #MicrosoftLearn | #PerparimLabsEntra App Gallery required for Excel AddIn
Hi, We have an Excel Addin published to Microsoft AppSource: https://appsource.microsoft.com/en-us/product/office/WA200009029?tab=Overview The Excel Addin uses Entra ID to obtain an OIDC token to securely / seamlessly access MS 365 SharePoint on behalf of the user. In order to achive this the Entra ID subscription needs the TR4E application registered as an Enterprise Application / App Registration. My question is whether I need to submit the TR4E application separately to the Entra App Gallery, so it can be installed by the Entra ID admin - or will the registration in Entra ID happen automatically when a new user first tries using TR4E? I note that MS has suspended new application submissions for Entra App Gallery, which means our customers would need to manually create the Entra ID Enterprise Application (which is not a great experience). Cheers, Andrew
Passwordless POC Blocked by CA BYOD Policy – Looking for Workarounds
We’re currently running a POC for passwordless authentication in our environment. One challenge we’ve hit is that our CA BYOD policy blocks personal devices, which prevents users from enabling passwordless sign-in via the Microsoft Authenticator app. Since Authenticator is not a cloud app, we can’t exclude it from the CA policy using the usual cloud app filters. This is causing issues when users try to register or use passwordless sign-in from their personal phones. Has anyone dealt with this scenario or found a workaround that allows passwordless sign-in while still enforcing BYOD restrictions? Any ideas, suggestions, or creative solutions would be much appreciated! Thanks in advance!
User Identities in EntraID - how to remove?
I have a user that shows up with multiple identities. No other users are like this and we believe its stopping him from logging in with his alias email address. When i run get-entrauser it returns the following under Identities: {@{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} Every other account just has this @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} How would i go about removing those identies from that user? Struggling to find any info online.
Problems configuring federation to SAML IdP
Hi. I'm trying to configure our Entra domain to federate to our existing IdP, following the guidance found https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-saml-idp#supported-bindings and am having real problems when it comes to using the Microsoft Graph API in PowerShell. After eventually working out what permissions I needed to request (more than what is stated in the doc), I ran the New-MgDomainFederationConfiguration cmdlet, and received the following error: "FederatedIdpMfaBehavior cannot be empty" This parameter is not mentioned in the doc either. So, then I added that parameter, and got the following: "Domain already has Federation Configuration set." But when I run Get-MgDomainFederationConfiguration, I get: "Resource 'federationConfiguration' does not exist or one of its queried reference-property objects are not present." When I run Get-MgDomain, AuthenticationType shows as "Federated", but I still see a managed login when I check. So I seem to be stuck with it seemingly half-configured, with no way to view or remove the configuration. Any ideas? Thanks, NickForce Domain takeover
Hello, Trying to add a custom domain to a new tenant gives me the error "We have confirmed that you own ***, but we cannot add it to this tenant at this time. The domain is already added to a different Office 365 tenant: **** We no longer have access to the different tenant, how can I remove or takeover the domain to use in the new tenant. Tried https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover to no avail. Also used the PowerShell command for takeover force without success. How can I speedily resolve this? Thanks
