Join Merill Fernando and other guests for our Identity and Network Practitioner Webinar Series!
This October, we’re hosting a three-part webinar series led by expert Merill Fernando for Identity and Network Access practitioners. Join us as we journey from high-level strategy to hands-on implementation, unifying identity and network access every step of the way. Each session builds on the last, helping you move from understanding why a unified approach matters to what are the foundations to get started, and finally to how to configure in practice. The goal is to equip you with actionable skills, expert insights, and resources to secure your organization in a unified, Zero Trust way. Register below: Identity and Network Security Practitioner Webinar Series | Microsoft Community Hub
Conditional Access - Block all M365 apps private Mobile Device
Hello, Ive try to block all private mobile phone from accessing all apps from m365, but it wont work. Im testing it at the moment with one test.user@ I create a CA rule: Cloud Apps Include: All Cloud Apps Exclude: Microsoft Intune Enrollment Exclude: Microsoft Intune Conditions Device Platforms: Include: Android Include: iOS Include: Windows Phone Filter for Devices: Devices matching the rule: Exclude filtered devices from Policy device.deviceOwnership -eq "Company" Client Apps Include: All 4 points Access Controls Block Access ----------------------- I take a fresh "private" installed mobile android phone. Download the Outlook App and log in with the test.user@ in the outlook app and everything work fine. What im doing wrong? Pls help. Peter
User Identities in EntraID - how to remove?
I have a user that shows up with multiple identities. No other users are like this and we believe its stopping him from logging in with his alias email address. When i run get-entrauser it returns the following under Identities: {@{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} Every other account just has this @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} How would i go about removing those identies from that user? Struggling to find any info online.
Problems configuring federation to SAML IdP
Hi. I'm trying to configure our Entra domain to federate to our existing IdP, following the guidance found https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-saml-idp#supported-bindings and am having real problems when it comes to using the Microsoft Graph API in PowerShell. After eventually working out what permissions I needed to request (more than what is stated in the doc), I ran the New-MgDomainFederationConfiguration cmdlet, and received the following error: "FederatedIdpMfaBehavior cannot be empty" This parameter is not mentioned in the doc either. So, then I added that parameter, and got the following: "Domain already has Federation Configuration set." But when I run Get-MgDomainFederationConfiguration, I get: "Resource 'federationConfiguration' does not exist or one of its queried reference-property objects are not present." When I run Get-MgDomain, AuthenticationType shows as "Federated", but I still see a managed login when I check. So I seem to be stuck with it seemingly half-configured, with no way to view or remove the configuration. Any ideas? Thanks, NickUsers is AD synced, but not able to sync passsword
Hi, we use Entra ID Sync from on premises AD to Entra. In Entra users are shown as synced For some reason it is not possible, that the password that is set up in AD is synced to entra. Furthermore I am able to reset password in admin center On the other hand in Entra itself I cannot change the password How do I fix this. Problem is, that user must change passwords 2x times, first in AD and second in Admincenter. Last is needed so he can use Teams etc. I cheched the Entra ID Sync, but that works fine from what I can judge. Password write back is disabled
Force Domain takeover
Hello, Trying to add a custom domain to a new tenant gives me the error "We have confirmed that you own ***, but we cannot add it to this tenant at this time. The domain is already added to a different Office 365 tenant: **** We no longer have access to the different tenant, how can I remove or takeover the domain to use in the new tenant. Tried https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover to no avail. Also used the PowerShell command for takeover force without success. How can I speedily resolve this? ThanksEntra ID Dynamic User security group - Syntax rule
Attempting to create a Dynamic user group for Microsoft consumer accounts in my B2B tenant. This should be very simple. Background data: Collection or array object - User.identities (Collection or array) - User.identities.issuer (Collection or array only when B2B guest/member) - User.identities.issuer (string when internal member) - User.identities.IssuerassignedID (Collection or array only when B2B guest/member) - User.identities.IssuerassignedID (string when internal member) - User.identities.SignInType (Collection or array only when B2B guest/member) - User.identities.SignInType (String when internal member) There seems to be ongoing issuers querying or filtering for user.identities.issuer, along with use of various filter combinations. Again, this should be very simple. I've tried multiple combinations of the below syntax rule. Does anyone have something that has worked for you? (user.identities -any (objectIdentity.issuer -eq "MicrosoftAccount")) -and (user.identities -any (objectIdentity.issuerAssignedId -eq null)) (user.identities -any (objectIdentity.issuer -any (_ -eq "MicrosoftAccount")) -and (user.identities -any (objectIdentity.issuerAssignedId (_ -eq null))) (user.identities -any (issuer -any (_ -eq "MicrosoftAccount")) -and (user.identities -any (issuerAssignedId (_ -eq null)))How to exclude security group members using dynamic query
Hi, I'm trying to build a dynamic query for a security group and want to exclude members of a certain group in this. Example- Let's say there's a security group A and I'm building a new security group B and I want to exclude members of group A to be added to this group B. I'm struggling to find the right query for this. Any ideas?Entra Private Access: Location awareness- GSA Client
Hi there, I’ve recently started researching Entra Private Access, and it looks promising. However, one thing I have noticed in various online discussions is that the GSA client installed on end-user machines isn't location aware. That is, even when a user is working from the office, the client continues to tunnel traffic, which results in added latency. Technically speaking, if an end user is in the office, the client should automatically detect this and disable itself. Unfortunately, this doesn't seem to be the case with the current GSA client. So, does anyone—especially from the Entra Team—know if there are any plans to include a feature that mitigates this issue in the future? Thanks, Article: https://www.reddit.com/r/sysadmin/comments/1je18et/entra_private_access_disable_when_onprem/
