employeeType attribute for Dynamic Group features
Dear Microsoft, I would like to suggest the feature of Dynamic Groups to support the employeeType attribute. As dynamic groups are used by features like Identity Governance Auto-Assignment policies and could be the base for Conditional Access Policies, this feature would be aligned with the Secure Futures Initiatives and the Conditional Access Policy Architecture implementation recommendation using various personas (Conditional Access architecture and personas - Azure Architecture Center | Microsoft Learn) as well as the Microsoft Recommendation not to use extensionAttributes for purposes other than a Hybrid Exchange deployment, as well as having Named Attributes for such important security configurations and Entitlement Management. Thanks, B
Lighthouse - viewing CA configuration at-a-glance
Hi, first off - apologies if I'm in the wrong space. I really do not understand the community hub structure, and there doesn't seem to be one for lighthouse. recently came across our 2nd tenant this year that did not have any CA policies set. Assuming this was just overlooked during P1 purchasing or something. Is there a way to view CA status within Lighthouse for all tenants? We do not have the full granular admin setup - our customers are sub-tenants but only just. We have domain admins for each, but our personal accounts do not have Security Admin roles on them. Saying this because it locks me out of some Lighthouse features. But trying to find a way to check this easily. ThanksWarning: PIM disconnects users from Teams Mobile
I have been working with Microsoft Support on this issue for three months. Hopefully I can save others the trouble. Sometime around April 2024, I and my colleagues started seeing regular alerts on our mobile devices saying "Open Teams to continue receiving notifications for <email address>", or "<email address> needs to sign in to see notifications". Just as promised, after this message appears, we do not get notified about messages and Teams calls do not ring on our mobile devices until we open Teams. We eventually determined that these alerts coincided with activating or deactivating PIM roles. Apparently, a change was made to Privileged Identity Management in Microsoft Entra ID around that time whereby users' tokens are invalidated when a role is activated or deactivated. Quoting the Microsoft Support rep: "When a user's role changes (either due to activation or expiration), Skype AAD[?] will revoke existing tokens of that users. Skype AAD will also notify PNH about that token revocation. This is expected behavior and is working as designed. These changes were rolled out in Skype AAD in April/May 2024 which is since when you are facing the issue as well." Anyway, as far as I can tell, this change was not announced or documented anywhere, so hopefully this message will show up in the search results of my fellow admins who are dealing with this.What is your SOP for old risky users?
Recently have been tasked with leveraging Entra ID to it's full potential. We've a suite of different tools we use for alerting, so the Risky Users component was essentially ignored for a couple years, and there's a buildup of alerts for sign-in attempts I can't even pull logs for. These users would've been required to change their password since the date on most of these, and we have some hybrid environments I plan on enabling self-clearing for. But wondering what other MSPs have done in this scenario?
Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.
Risky sign-ins not showing anything
Hi, For some time already, I am not sure why but I cannot see anything in risky sign-ins in Identity Protection (MS Entra). Even when I receive a summary email (Microsoft Entra ID Protection Weekly Digest) mentioning there were risky sinn-ings detected. When I click on the risky signings directly in the email to take me to the report, I see no data there at all... When I modify filters to include all, nothing shows up either. It has been like this for few months already. Before, I could see them with no issues. Has anything changed? Or why I can't see any records?Conditional Access falsely detects logins from Android as Linux (and blocks them)
Hi everyone, we're facing an issue which we can't solve correctly: Scenario: Users are accessing M365 Content from Windows, iOS and Android Devices. Conditional Access is configured to block Logins from "unknown platforms", so only Win, iOS and Android are allowed. Issue: Some users experience weird issues: They're using an app with m365 SSO. The App opens up the Edge Browser for handling the login-flow. Afterwards the login fails. As i can see in the Entra SIgn-in Logs the user-agent is linux. (Therefore it gets blocked correctly) A few minutes before the same user, with the same mobile phone, with the same app access isn't blocked, because the login was recognized correctly as android. Currently i don't have any ideas and i was hoping some of you have great ideas. 🙂 (Adjusting the Conditional Access Policy to allow linux isn't an option, of course.) Regards, Patrick
New Blog | Meet us at Identiverse: May 28-31 in Las Vegas
By Nichole Peterson (SHE/HER) The annual Identiverse conference is a great opportunity to meet with our community, immerse in the latest challenges and innovations, and hear from leaders in the identity industry. And it’s happening soon! Identiverse 2024 is taking place from May 28 to 31 in Las Vegas, Nevada at ARIA Resort & Casino. By attending, you’ll be among the first to hear about what’s new with Microsoft Entra, our work in identity standards, and how it will help you navigate the constantly evolving identity and network access threat landscape. Plus, you can request a 1:1 meeting with a Microsoft identity expert and drop by Booth #2423 in the expo hall to ask questions and see the latest demos of identity solutions and Microsoft Copilot for Security. Featured Microsoft sessions at Identiverse We’ve got a powerhouse lineup of topics showcasing our latest innovations to help you get the most from Microsoft Entra. During our session, Secure access for any trustworthy identity, anywhere, to anything, on Wednesday, May 29 at 2:00 PM, we'll update you on Microsoft’s progress to enabling the trust fabric, our vision for how organizations can secure every digital interaction from today into the future. Understanding that a Zero Trust approach to identity security is an ongoing journey, we’ll talk about four focus areas to consider and prioritize, including strengthening your identity foundation, securing access for your workforce and external identities, and securing access in multicloud. Read the full post here: Meet us at Identiverse: May 28-31 in Las VegasEnable MFA for external idetnities in MS Entra
Hi all, I am planning to enable MFA for guest accounts and external identities using Conditional Access in MS Entra. I am however wondering how I can select what Authentication methods can they use - or what would be the default behaviour. Currently, I am still using legacy MFA for internal users. I will migrate MFA to MS Entra later this year however, not sure how this is working when enabling MFA for external users. As I do use legacy MFA, my setting in " Authentication methods > Policies" have MS Authenticator set to NO. Now, do I need to switch MS Authenticator to YES if I want guests to use that app? And if I enable it, how do I assign it to External identities only? I do not see that kind of option there at all... I can assign it to all, for example, but I am not yet ready to migrate internal users as well... Would be happy to get some clarification on this. Thank you
