Does Rights Management Service currently support MFA claims from EAM?
We've been testing EAM (external authentication methods) for a few months now as we try to move our Duo configuration away from CA custom controls. I noticed today that when my Outlook (classic) client would not correctly authenticate to Rights Management Service to decrypt OME-protected emails from another org. It tries to open the message, fails to connect to RMS, and opens a copy of the email with the "click here to read the message" spiel. It then throws a "something is wrong with your account" warning in the Outlook client's top right corner. If I try to manually authenticate & let it redirect to Duo's EAM endpoint, it simply fails with an HTTP 400 error. When you close that error, it then presents another error of "No Network Connection. Please check your network settings and try again. [2603]". I can close/reopen Outlook and that warning message in the top right stays suppresses unless I attempt signing into RMS all over again. However.. If I do the same thing and instead use an alternate MFA method (MS Authenticator, for example), it signs in perfectly fine and will decrypt those OME-protected emails on the fly in the Outlook client, as expected. I verified that we excluded "aadrm.com" from SSL inspection and that we're not breaking certificate pinning. So all I can assume at the moment is that Rights Management Service isn't honoring MFA claims from EAM. Any experience/thoughts on this? Thanks in advance!
Disabling PIN-based login on Entra-joined PCs
Hi guys. Yesterday I took two machines off the domain and Entra joined them. The goal was 1) remove their access to domain resources 2) have tenant users login to the machine and get enriched tokens every time. this works as desired. The problem is every user gets prompted to set a pin. these are both shared secondary/tertiary PC's - there is no point to having a 6 digit PIN on them. I thought the new Authentication Methods tools had controls for this, but apparently not. A script was run to change certain related Reg Keys (by my onsite tech) but this had no change on reboot. textreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v Enabled /t REG_DWORD /d 0 /freg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork" /v DisablePostLogonProvisioning /t REG_DWORD /d 1 /f HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork Enabled key was set to 0, and DisablePostLogonProvisioning was set to 1. These are from various help threads I found here and other resources. Unfortunately, they do not work. Not sure what to do here. I've read there are InTune controls for this - but I don't really have the time to work out WindowsPC ennrollment profiles for 2 machines. The site has InTune, but only for iOS mobile management. Thoughts?
Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub
User Identities in EntraID - how to remove?
I have a user that shows up with multiple identities. No other users are like this and we believe its stopping him from logging in with his alias email address. When i run get-entrauser it returns the following under Identities: {@{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} Every other account just has this @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} How would i go about removing those identies from that user? Struggling to find any info online.
Problems configuring federation to SAML IdP
Hi. I'm trying to configure our Entra domain to federate to our existing IdP, following the guidance found https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-saml-idp#supported-bindings and am having real problems when it comes to using the Microsoft Graph API in PowerShell. After eventually working out what permissions I needed to request (more than what is stated in the doc), I ran the New-MgDomainFederationConfiguration cmdlet, and received the following error: "FederatedIdpMfaBehavior cannot be empty" This parameter is not mentioned in the doc either. So, then I added that parameter, and got the following: "Domain already has Federation Configuration set." But when I run Get-MgDomainFederationConfiguration, I get: "Resource 'federationConfiguration' does not exist or one of its queried reference-property objects are not present." When I run Get-MgDomain, AuthenticationType shows as "Federated", but I still see a managed login when I check. So I seem to be stuck with it seemingly half-configured, with no way to view or remove the configuration. Any ideas? Thanks, NickUsers is AD synced, but not able to sync passsword
Hi, we use Entra ID Sync from on premises AD to Entra. In Entra users are shown as synced For some reason it is not possible, that the password that is set up in AD is synced to entra. Furthermore I am able to reset password in admin center On the other hand in Entra itself I cannot change the password How do I fix this. Problem is, that user must change passwords 2x times, first in AD and second in Admincenter. Last is needed so he can use Teams etc. I cheched the Entra ID Sync, but that works fine from what I can judge. Password write back is disabled
Force Domain takeover
Hello, Trying to add a custom domain to a new tenant gives me the error "We have confirmed that you own ***, but we cannot add it to this tenant at this time. The domain is already added to a different Office 365 tenant: **** We no longer have access to the different tenant, how can I remove or takeover the domain to use in the new tenant. Tried https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover to no avail. Also used the PowerShell command for takeover force without success. How can I speedily resolve this? ThanksEntra ID Dynamic User security group - Syntax rule
Attempting to create a Dynamic user group for Microsoft consumer accounts in my B2B tenant. This should be very simple. Background data: Collection or array object - User.identities (Collection or array) - User.identities.issuer (Collection or array only when B2B guest/member) - User.identities.issuer (string when internal member) - User.identities.IssuerassignedID (Collection or array only when B2B guest/member) - User.identities.IssuerassignedID (string when internal member) - User.identities.SignInType (Collection or array only when B2B guest/member) - User.identities.SignInType (String when internal member) There seems to be ongoing issuers querying or filtering for user.identities.issuer, along with use of various filter combinations. Again, this should be very simple. I've tried multiple combinations of the below syntax rule. Does anyone have something that has worked for you? (user.identities -any (objectIdentity.issuer -eq "MicrosoftAccount")) -and (user.identities -any (objectIdentity.issuerAssignedId -eq null)) (user.identities -any (objectIdentity.issuer -any (_ -eq "MicrosoftAccount")) -and (user.identities -any (objectIdentity.issuerAssignedId (_ -eq null))) (user.identities -any (issuer -any (_ -eq "MicrosoftAccount")) -and (user.identities -any (issuerAssignedId (_ -eq null)))
