identity
130 TopicsDevice Bound Session Credentials Edge
Hi everyone, For a customer i did some research about token protection within M365. I did find a lot information what to configure within M365 to get a multi layer protection (CA, Identity Protection, device compliance, etc). What i didn't found was a solution for token/cookie protection from the browser, until i found this article: https://en.ittrip.xyz/windows/edge/edge-147-device-bound#index_id0 This article states that edge 147 supports Device Bound Session Credentials which makes it much harder to do a off-device replay of a cookie. It also is saying: If you buy rather than build, ask your identity provider or SaaS vendor a direct question: do you have a roadmap for Device Bound Session Credentials or an equivalent browser-session binding model? So my question is: Does M365 (via the browser) supports Device Bound Session Credentials or will it be supported any time soon? Hope you have a nice day! Regards, MJSolved53Views0likes2CommentsAAD multiple accounts from same realm is not supported by clients.
I've signed out of Excel for iPadOS 2.101.25100311. I've closed (not forced shutdown) and reopened the app. I'm trying to sign in with a different Microsoft account. However, it shows the error: "Another account from your organization is already signed in on this device". How can I completely sign out of that other account? The troubleshooting details are below. Correlation Id: 5520852a-4877-ec4c-97be-f3de2c079058 Timestamp: 2026-06-21T22:49:29.000Z DPTI: FAF41146-8AF4-425C-95EE-1654DD13C47C Message: AAD multiple accounts from same realm is not supported by clients. Tag: 5pzx9Solved122Views0likes1CommentData and identity controls for the browser and network
Sensitive data doesn't stay still. It moves through browsers, SaaS apps, generative AI tools, and prompts; often beyond the visibility of traditional controls. In this session, see how Microsoft Entra and Purview bring real-time visibility and control to sensitive data in motion across the network. You’ll learn how integrated data security and secure access controls can help reduce leakage risk, support responsible AI adoption, and enable modern work without slowing the business down. How do I participate? Select Add to Calendar to save the date, then click the Attend button to save your spot, receive event reminders, and participate in the Q&A. Not able to attend live? This session will be recorded and available on demand shortly after airing. Don't see Attend or Add to Calendar? Sign in to the Tech Community to join the conversation. This session is part of Securing data and access in the era of AI with Microsoft Entra and Microsoft Purview. View the full agenda for more insights to help you move from experimenting with AI to deploying it at scale, securing sensitive data, access, and AI usage.242Views0likes0CommentsWeb-signin 3rd party IDP not working
We have a working Entra ID SAML federation to a third-party IdP that uses FIDO2/WebAuthn (IdP as Relying Party) for browser sign-in, and we are trying to use the same federation through Windows Web sign-in on an Entra-joined Windows 11 device — but the IdP page loads blank in the WebView and Microsoft-Windows-WebAuthN/Operational records zero events, while the same security key works fine for FIDO2 sign-in with login.microsoft.com as RP on the same device. Questions: - Is WebAuthn brokering to third-party Relying Parties inside the Web sign-in WebView supported? - If not, is it on the roadmap? - What is the supported architectural path for delivering passwordless Windows sign-in using a federated IdP's own FIDO2/WebAuthn credentials, given Graph API passkey provisioning is Beta-only?83Views0likes1CommentHow to target Azure VPN (Microsoft-Registered) app with Conditional Access Policies?
I have an Azure Point-to-Site VPN Gateway configured using the Microsoft-registered Azure VPN Client App ID (Audience value: c632b3df-fb67-4d84-bdcf-b95ad541b5c8). Everything is working correctly for our users. The issue I am having is that anyone with an Entra account can connect to the VPN and I want to restrict this with a blocking Conditional access policy. I do not want to create a custom app registration, because then I will have to change the 'audience' value on the app gateway and all user's will need to modify their VPN clients. The problem is I need to target the Microsoft-registered Azure VPN app in a Conditional Access policy but it does not appear in my Enterprise Applications list or in the CA app picker when searching. My questions: Why does the Microsoft-registered app not automatically create a service principal in my tenant the way other Microsoft apps do? Is there a supported way to make it appear in the CA app picker without creating a custom app registration or changing the gateway Audience value? Has anyone successfully targeted c632b3df-fb67-4d84-bdcf-b95ad541b5c8 in a CA policy while keeping it as the gateway Audience value? Thanks for the assistance here97Views0likes1CommentProtect and govern every tenant with Microsoft Entra Tenant Governance
This event will no longer take place on July 1. Please follow this page to be notified of the new date and time once scheduled. As organizations scale, tenant sprawl becomes inevitable. Legacy test tenants, employee‑created environments, and forgotten tenants create blind spots for security and identity teams. Get to know Microsoft Entra Tenant Governance, a new Entra capability that provides centralized visibility and control across multi‑tenant environments. We'll cover how Tenant Governance enables tenant discovery, secure governance relationships, configuration monitoring, and governed tenant creation from day one. You'll see how organizations can apply consistent security baselines, detect configuration drift, and reduce operational overhead all while maintaining autonomy across teams. Walk away with a clear framework for bringing order, visibility, and governance to your multi‑tenant identity landscape. How do I participate? Registration is not required. Add this event to your calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.793Views2likes0CommentsStop identity attacks in real time with Microsoft Entra ID Protection
Modern identity security means stopping attacks before they escalate and extending protection beyond human users to apps and agentic identities across your identity fabric. Learn how Microsoft Entra ID Protection delivers premium, real-time identity protection with adaptive risk remediation, comprehensive detections, and expanded coverage for human and non-human identities. Powered by trillions of Microsoft Security signals and natively integrated with Microsoft Defender and Security Copilot workflows, Entra ID Protection enables faster and more accurate Conditional Access decisions that stop threats like lateral movement and privilege escalation before they spread. We'll show you how identity and security operations teams scale risk remediation with Entra ID, and how these capabilities extend across your broader identity security portfolio to strengthen protection in both cloud and hybrid environments. To learn more, read the Microsoft Entra ID Protection report. How do I participate? Registration is not required. Add this event to your calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.2KViews0likes1CommentStrengthen your security posture with Microsoft Entra Conditional Access
Learn how Microsoft Entra Conditional Access, our Microsoft Zero Trust policy engine, protects access for your workforce and for agents by enforcing real‑time adaptive access policies that continuously assess risk signals and use AI‑driven automation to dynamically allow, challenge, or block access for every identity. Join Microsoft experts as they walk through real‑world scenarios and share practical guidance to help your identity team address policy sprawl, enforce consistent Conditional Access policies, and strengthen security posture across your environment. How do I participate? Registration is not required. Add this event to your calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast. Note: This session was originally scheduled for June 8, 2026 and will now take place on June 24, 2026.3.3KViews0likes8CommentsBroken Account Recovery (discontinued product)
Hello everyone, We have the MSFT Office Family plan which has the now discontinued custom domain support that used to be an option as a "Premium" feature. Back in August we upgraded the phone of one of the account members on the family plan and lost connection to their MS Office account with the only device that was accessing to the account (the phone with access was reset as part of the upgrade/trade in process). I have tried the account recovery form and it simply doesn't work. I have tried to explain to MSFT support that the tool is broken but can't get anywhere. For the account in question we have an Outlook email client (with non working password) that has a cache of all of the email until loss of access occurred. So when I do the account recovery form, I have name, DOB, region, past passwords and data for all fields including sent email Id's and send subjects, But every time the MSFT recovery mechanism says "Unfortunately, we have determined that the information provided was not sufficient...". WTF. Every time I contact MSFT support I get the same answer, an explanation of the point system used to reset the the account. Same steps to recover....based on this, the recovery should work...yet it doesn't. I have tried somewhere 50+ attempts now over the last 9 months. I even have a contact who is VP level at MSFT who sponsored a support ticket internally but that just ended up with the support person sending me a link to the account recovery form and closed the ticket without looking in the details of the ticket. I can't modify / add a new account as MSFT has as a discontinued product no longer allow members to add/change id's. So I'm locked at the current user set. I have created another email address by saving the cached data to OLM file and importing via the Outlook client but that doesn't restore use of the @mydomain.com for that person. I even retained a lawyer who send a demand to MSFT legal...but the email address didn't go anywhere so at the point of needing to do this on headed paper/send via snail mail. Does anyone have any idea how to get through to MSFT explain the recovery tool is broken? I assume there are so few accounts using custom domains pin family plans that they simply don't test this recovery path. At this point without some internal guidance is a) lawyer and force a demand for password reset b) give up, ditch all of the users using the custom domain, configure an alias for all of the accounts and then change my MX record to a company doing email forwarding and then forward to the new/old legacy accounts (i.e. the ones with the mailto:email address removed for privacy reasons).93Views0likes1CommentLogin Catch-22: locked out of Work account due to MFA mismatch.
"I am the owner of the domain mydomain.be, registered at one.com. I have a Microsoft 365 Business Premium subscription. I am locked out of my work/school tenant admin account (mailto:email address removed for privacy reasons) due to an MFA issue — the Microsoft Authenticator is configured but not delivering push notifications, and the TOTP code length does not match what the login screen expects. I cannot access the admin center. I need to recover Global Admin access to my flavo.be tenant so I can manage users and licenses. I can prove domain ownership via DNS if required.98Views0likes1Comment