conditional access
168 Topics

Private Network is currently disabled in my tenant
Hi All, I am interested in testing Entra ID Private Access, but when I go to the connectors, it shows "Private Network is currently disabled for your tenant.". Does anyone know what the reason for this is and how I should overcome it? Thanks in advance, Dilan

'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug
Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app cannot be excluded from Conditional Access (CA) policies and is caught by 'All cloud apps', which breaks secure zero-trust scenarios and CA policy configurations. The best way to demonstrate this is through examples...

----Example 1----
Environment:
CA Policy 1 - 'All cloud apps' requiring hybrid/compliant device, but excluding [App] (for all non-guest accounts)
CA Policy 2 - [App] requiring MFA only (for contractor accounts, etc.)
CA Policy 3 - [App] requiring hybrid/compliant device (for internal accounts, etc.)
SSPR registration enforcement (Password reset > Registration) - set to 'Yes'
MFA registration enforcement (Security > Authentication Methods > Registration campaign) - set to 'Enabled'

Scenario:
A new user requires access to web [App] on an unenrolled device and is assigned an account that falls under CA Policy 1 and 2; however, [App] is excluded from 1, so it shouldn't apply to this login. When accessing [App] for the first time, users must register SSPR/MFA. They see the below message, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/passwordreset/register.aspx:

Then they see this screen, which blocks the login and tries to get the user to download the Company Portal app:

Behind the scenes, the login to [App] is being blocked by 'Microsoft App Access Panel' because it is seemingly added to the login flow and caught in CA Policy 1 in Req 2/3:

CA Policy 1 shows as not applied on Req 1, CA Policy 2 shows as successful for Req 1/2/3 and CA Policy 3 shows as not applied for Req 1/2/3. Creating a CA policy for the 'Register security information' user action has no effect on this scenario and also shows as not applied on all the related sign-in logs.
----Example 2----
Environment:
Same as above, but SSPR registration enforcement - set to 'No'

Scenario:
Same as above, but when accessing [App] for the first time, they see the below message instead, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/proofup.aspx:

Then they are directed to the combined SSPR/MFA registration experience successfully:

The 'Microsoft App Access Panel' doesn't show in the sign-in logs and the sign-in is successful after registration. From the two examples, it seems to be a bug with the SSPR registration enforcement and the combined registration experience.

----Workarounds----
1 - Prevent using 'All cloud apps' with device-based CA policies (difficult, requires redesigning/rethinking/testing policies, could introduce new gaps, etc.)
2 - Turn off SSPR registration enforcement and turn on MFA registration enforcement as in Example 2 (easy, but only enforces MS MFA App registration, doesn't seem to re-trigger registration if the MS MFA App is removed, no other methods are supported for registration, and doesn't remind users to update)
3 - Disable SSPR entirely for affected users (medium, depending on available security groups, and doesn't allow affected users to use SSPR)

----Related links----
https://feedback.azure.com/d365community/idea/d5253b08-d076-ed11-a81b-000d3adb7ffd
https://feedback.azure.com/d365community/idea/1365df89-c625-ec11-b6e6-000d3a4f0789
Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal" - Microsoft Community Hub

MS, please either:
1 - Allow 'Microsoft App Access Panel' to be added to CA policies so it can be excluded
2 - Prevent 'Microsoft App Access Panel' from showing up in the CA login flow when SSPR registration enforcement is enabled

Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal"
Hello Identity Experts, We are expanding access to our M365 resources to Guests and as such we are modifying our existing CA policies to provide the appropriate restrictions and controls. We are using least-privilege best practices to BLOCK All Cloud Apps for Guests (with exceptions) and REQUIRE MFA for Guests. We've followed a number of blogs from well-known identity pros detailing the same essential set of policies: https://danielchronlund.com/2020/11/26/azure-ad-conditional-access-policy-design-baseline-with-automatic-deployment-support/ The idea is to allow guests to access Office 365 and My Apps (and AIP) but block all others, plus require MFA for guests. Seems pretty straightforward, and again we've seen this implemented and suggested by a number of experts. This doesn't work, however, and we've had a colleague test this in a separate tenant with just these two policies enabled. What is happening is that Guests, while redeeming their invitation, are triggering the BLOCK All Cloud Apps for Guests policy when they access the "Microsoft Invitation Acceptance Portal". This App is, unfortunately, one that cannot be excluded from CA policy (there is no target available for it). Guests receive the "You don't have access to this" error with AppName = Microsoft Invitation Acceptance Portal and error 53003 in the AAD sign-in logs (along with the fact that the BLOCK policy caused the failure). What is also odd is that if the Guest returns to the invitation link, they can then complete the registration. Something is off/wrong and we're curious if anyone else has encountered this using these policies. Thanks in advance!

Conditional Access Policy require domain joined device error
A lot of our customers are complaining about the Require Domain Joined device feature in Azure Active Directory. We've configured Hybrid Azure AD through AAD Connect. Devices are now Hybrid Azure AD joined, and dsregcmd /status also shows that the device is Hybrid Azure AD Joined. We've created some Conditional Access Policies where access is blocked when a device is not Hybrid Azure AD Joined. In our Azure AD Sign-in logs we see blocked attempts because the device is not Hybrid Azure AD Joined, even when users work on a corporate PC. What is the reason that sometimes connections are allowed and sometimes the connection is blocked?

Blocking of Outlook desktop using Conditional Access also affects Skype for Business and MS Teams
Hi All, I need to block users from using their Outlook desktop application using Azure Conditional Access (Office 365 Exchange Online, Mobile apps and desktop clients). The problem I am having is that blocking Outlook desktop also affects Skype for Business and MS Teams. Is there a way I can block Outlook desktop without affecting Skype for Business and MS Teams? Also, I need a list of what effects enabling Conditional Access will have on applications. For example, enabling Office 365 Exchange Online Conditional Access will affect Outlook, Skype for Business, and MS Teams. I hope you can help. Thanks. Colin

Excessive MFA prompts for a specific user
One specific user in my tenant is prompted for MFA multiple times a day. Our conditional access policies specify that a user must re-authenticate every 90 days with MFA. All other users do not get prompted daily without a new risk factor like a new device or an unknown IP address. I have tried the following:
- Re-registered authentication methods and revoked previous multifactor auth sessions.
- Enabled Multifactor Authentication in Security Defaults for this user (rather than conditional access).
- Exempted this user from the standard CA policy, and created a new one.
None of these steps have helped. Microsoft support was no help. Some other information:
- This user uses 1 to 2 IP addresses throughout the week (home and office).
- This user is using the same devices every day. We have replaced the devices and the issue persists.
- There are at least 1, up to 5 prompts daily.
- No other users are experiencing this issue, and MFA behaves as expected.
- Azure Identity Protection lists the risk for this user as none. Zero risk detections within the last 90 days.
Any suggestions are appreciated.

Block Access from private Devices to Microsoft Apps
Hello, I have a question: We are planning to buy Microsoft 365 Business Premium and Microsoft 365 Business Standard + Intune Device License. My problem is that our company doesn't want to have access to Mail/OneDrive/Microsoft applications ... on private devices. How can I block the access? The devices will be managed by Intune: Win10 Pro, iOS and maybe some Samsung Galaxy devices. Is there an option to only allow managed devices to access Microsoft data? And do I need some additional license? Best Regards, Phil

Conditional access policy & IPv6
Hi there, I created a conditional access policy to block all locations, excluding Australia and Singapore. This works great for users logging in using IPv4, however it blocks those using IPv6. I logged a call with MS and got confirmation that "at the moment by Design, the Countries tab in Conditional Access feature does not include IPV6 addresses option. It only covers IPV4.". One of the largest ISPs (if not the largest) here in Australia uses dynamic IPv6 by default! Location can't be mapped to Australia, so conditional access blocks the sign in! Why can't Conditional Access do an IPv6 lookup? That's what the team over at APNIC do? Any thoughts on the matter? Ta.

Domain Functional Level and AAD Hybrid Join
Good Afternoon! I apologize if this question has been asked before, but I have searched for the answer and just want to get some clarification. This article states, "The minimum required domain controller version for Windows 10 hybrid Azure AD join is Windows Server 2008 R2." https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan Does this mean the minimum domain functional level needs to be at or above 2008 R2, or just that we have to have servers at that level? I assume this means functional level, but wanted to confirm that. We are in the process of upgrading our functional level to 2016, but that will be about 3-5 months out. We want to roll out Conditional Access before that and are hoping this won't hold us up. I apologize if this seems like a low-level question. I have set up Hybrid Join in the past, but this is the first time I have run into an environment with this specific scenario. Thanks! Sean