π Microsoft Entra in Action: From Conditional Access to Identity Protection
One of the areas Iβm most passionate about is identity-driven security. Microsoft Entra makes it possible to apply Zero Trust principles directly at the identity layer. β‘ Conditional Access β the backbone of modern access policies. π€ Privileged Identity Management (PIM) β ensuring just-in-time, least privilege for admins. π‘οΈ Identity Protection β risk-based policies to stop compromised sign-ins in real time. In my labs, Iβve seen how these features transform security posture without adding friction for users. Coming soon: - Step-by-step breakdown of a risky user detection scenario. - A visual guide to Conditional Access controls for critical apps. Would love to exchange insights with others experimenting in this space β what Entra features are you finding most impactful? #MicrosoftEntra | #ConditionalAccess | #IdentityProtection | #MicrosoftLearn | #PerparimLabsShape the future of our communities! Take this survey to share your practitioner insights. π‘ βοΈ π
This brief survey explores your experiences and preferences in professional identity and network security communities. Your feedback will help shape our team's approach to future community resources and engagement opportunities. Take the survey here! For any questions about this survey, please contact dansantos@microsoft.com. Privacy Statement: https://go.microsoft.com/fwlink/?LinkId=521839
User Identities in EntraID - how to remove?
I have a user that shows up with multiple identities. No other users are like this and we believe its stopping him from logging in with his alias email address. When i run get-entrauser it returns the following under Identities: {@{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=federated; issuer=MicrosoftAccount; issuerAssignedId=}, @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} Every other account just has this @{signInType=userPrincipalName; issuer=OURPRIMARYDOMAIN.onmicrosoft.com; issuerAssignedId=UPN}} How would i go about removing those identies from that user? Struggling to find any info online.
employeeType attribute for Dynamic Group features
Dear Microsoft, I would like to suggest the feature of Dynamic Groups to support the employeeType attribute. As dynamic groups are used by features like Identity Governance Auto-Assignment policies and could be the base for Conditional Access Policies, this feature would be aligned with the Secure Futures Initiatives and the Conditional Access Policy Architecture implementation recommendation using various personas (Conditional Access architecture and personas - Azure Architecture Center | Microsoft Learn) as well as the Microsoft Recommendation not to use extensionAttributes for purposes other than a Hybrid Exchange deployment, as well as having Named Attributes for such important security configurations and Entitlement Management. Thanks, B
Lighthouse - viewing CA configuration at-a-glance
Hi, first off - apologies if I'm in the wrong space. I really do not understand the community hub structure, and there doesn't seem to be one for lighthouse. recently came across our 2nd tenant this year that did not have any CA policies set. Assuming this was just overlooked during P1 purchasing or something. Is there a way to view CA status within Lighthouse for all tenants? We do not have the full granular admin setup - our customers are sub-tenants but only just. We have domain admins for each, but our personal accounts do not have Security Admin roles on them. Saying this because it locks me out of some Lighthouse features. But trying to find a way to check this easily. ThanksWarning: PIM disconnects users from Teams Mobile
I have been working with Microsoft Support on this issue for three months. Hopefully I can save others the trouble. Sometime around April 2024, I and my colleagues started seeing regular alerts on our mobile devices saying "Open Teams to continue receiving notifications for <email address>", or "<email address> needs to sign in to see notifications". Just as promised, after this message appears, we do not get notified about messages and Teams calls do not ring on our mobile devices until we open Teams. We eventually determined that these alerts coincided with activating or deactivating PIM roles. Apparently, a change was made to Privileged Identity Management in Microsoft Entra ID around that time whereby users' tokens are invalidated when a role is activated or deactivated. Quoting the Microsoft Support rep: "When a user's role changes (either due to activation or expiration), Skype AAD[?] will revoke existing tokens of that users. Skype AAD will also notify PNH about that token revocation. This is expected behavior and is working as designed. These changes were rolled out in Skype AAD in April/May 2024 which is since when you are facing the issue as well." Anyway, as far as I can tell, this change was not announced or documented anywhere, so hopefully this message will show up in the search results of my fellow admins who are dealing with this.What is your SOP for old risky users?
Recently have been tasked with leveraging Entra ID to it's full potential. We've a suite of different tools we use for alerting, so the Risky Users component was essentially ignored for a couple years, and there's a buildup of alerts for sign-in attempts I can't even pull logs for. These users would've been required to change their password since the date on most of these, and we have some hybrid environments I plan on enabling self-clearing for. But wondering what other MSPs have done in this scenario?
Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to βanyβ. Either βpasswordlessβ or βPushβ. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.
Risky sign-ins not showing anything
Hi, For some time already, I am not sure why but I cannot see anything in risky sign-ins in Identity Protection (MS Entra). Even when I receive a summary email (Microsoft Entra ID Protection Weekly Digest) mentioning there were risky sinn-ings detected. When I click on the risky signings directly in the email to take me to the report, I see no data there at all... When I modify filters to include all, nothing shows up either. It has been like this for few months already. Before, I could see them with no issues. Has anything changed? Or why I can't see any records?
