identity
77 TopicsAzure AD SSPR Password write back issue
Hi all, A company I work for have issues with the reset password function with AD Connect. In the SSPR audit logs in Azure AD, we face on 'Reset password (self-service)' the status reason 'OnPremisesAdminActionRequired', with a follow up event log within the AD connect server: event ID: 33004 with error "hr=80230626, message=The password could not be updated because the management agent credentials were denied access" I face this issue before and this was causing because the AD DS connector account did not have the right permissions. In this case this is not. What I have done so far: - Updated AD Connect from 2.0.89.0 to 2.0.91.0 - enforced TLS 1.2: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement - Checked AD DS connecter account 'MSOL_xxxxxxxx' permissions: https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#verify-that-azure-ad-connect-has-the-required-permissions - the user do not have the options 'password never expires' or 'user cannot change password' configured - Let AD connect talk to another DC dc02 instead of dc01 - Checked connection to SSPR service from DC's : Test-NetConnection -ComputerName ssprdedicatedsbprodscu.servicebus.windows.net -Port 443 - The action 'Change password (self-service)' are successful (via my account portal) , only action 'Reset password (self-service)' face this issue (via passwordreset.microsoftonline.com) -- both use the same OnPremisesAgent ->> AADConnect Have anyone a idea what else I can try more? Regards, RicardoSolved26KViews0likes13CommentsHotmail to Outlook Migration Broke My Account
A year or two ago, I updated my Microsoft account to try and migrate from hotmail.com to @outlook.com. Since then, my Microsoft account is broken. I log in with my @outlook.com email, but account.microsoft.com displays my hotmail.com email everywhere. Mobile apps will not stay logged in properly and kick me out after a day. On my account info page my @outlook.com email isn't even listed and hotmail.com is listed as primary, but only logging in with @outlook works. I'm pretty sure when I originally tried to migrate my account some exception wasn't handled properly part way through the process and my account is in some sort of database limbo. Is there anyone at Microsoft here that can help with this? Also, sorry if this isn't the right place to post this, but a call with Microsoft support pointed me here and there doesn't seem to be a "Microsoft Account Support" hub or space on this platform. If anyone knows of a better location feel free to suggest that as well. Thanks!90Views0likes1CommentDevice Bound Session Credentials Edge
Hi everyone, For a customer i did some research about token protection within M365. I did find a lot information what to configure within M365 to get a multi layer protection (CA, Identity Protection, device compliance, etc). What i didn't found was a solution for token/cookie protection from the browser, until i found this article: https://en.ittrip.xyz/windows/edge/edge-147-device-bound#index_id0 This article states that edge 147 supports Device Bound Session Credentials which makes it much harder to do a off-device replay of a cookie. It also is saying: If you buy rather than build, ask your identity provider or SaaS vendor a direct question: do you have a roadmap for Device Bound Session Credentials or an equivalent browser-session binding model? So my question is: Does M365 (via the browser) supports Device Bound Session Credentials or will it be supported any time soon? Hope you have a nice day! Regards, MJSolved85Views0likes2CommentsAAD multiple accounts from same realm is not supported by clients.
I've signed out of Excel for iPadOS 2.101.25100311. I've closed (not forced shutdown) and reopened the app. I'm trying to sign in with a different Microsoft account. However, it shows the error: "Another account from your organization is already signed in on this device". How can I completely sign out of that other account? The troubleshooting details are below. Correlation Id: 5520852a-4877-ec4c-97be-f3de2c079058 Timestamp: 2026-06-21T22:49:29.000Z DPTI: FAF41146-8AF4-425C-95EE-1654DD13C47C Message: AAD multiple accounts from same realm is not supported by clients. Tag: 5pzx9Solved153Views0likes1CommentWeb-signin 3rd party IDP not working
We have a working Entra ID SAML federation to a third-party IdP that uses FIDO2/WebAuthn (IdP as Relying Party) for browser sign-in, and we are trying to use the same federation through Windows Web sign-in on an Entra-joined Windows 11 device — but the IdP page loads blank in the WebView and Microsoft-Windows-WebAuthN/Operational records zero events, while the same security key works fine for FIDO2 sign-in with login.microsoft.com as RP on the same device. Questions: - Is WebAuthn brokering to third-party Relying Parties inside the Web sign-in WebView supported? - If not, is it on the roadmap? - What is the supported architectural path for delivering passwordless Windows sign-in using a federated IdP's own FIDO2/WebAuthn credentials, given Graph API passkey provisioning is Beta-only?86Views0likes1CommentO365 Email Migration to Another Tenant while Deferring Migration of Sharepoint files
Hi, This is the context: ChildCompany has O365 and it has an Azure AD in hybrid mode synchronizing to a on-prem AD server. They have an internal domain ChildCompany.com, and an external domain ChildCompany.com where they also receive and send email using O365. ParentCompany is going absorb the ChildCompany some time in next year, and I was asked about the integration options. According to this https://download.microsoft.com/download/b/a/1/ba19dfe7-96e2-4983-8783-4dcff9cebe7b/microsoft-365-tenant-to-tenant-migration.pdf I could do a phased migration, where the end state is that they decomm their onprem AD and that they only use our ParentCompany systems. The business requirement is to start their integration with Email, and then in later phases do the Sharepoint integration as that requires way more analysis on their data sources, as they also have wikis and many other on prem legacy stuff. They are less than 50 users, so I can use Quest migration tools for the email part, but I wonder what needs to happen in what order. This is what I have in mind: Migrate their current O365 into our ParentCompany Office 365 subscription, so that they can continue logging in into their domain joined windows machines using childCompany.co, so they start using ParentCompany.com email addresses, but the problem then is how can they continue using their sharepoint and onedrive resources associated with the Azure and local domain at ChildCompany.com? This is more or less what I have in mind, for the intermediate step, the cutover: Child Company ParentCompany --------------------- ---------------- On-Prem | MS Cloud: | MS Cloud: ---------------|----------------------|-------------- Local AD (ADFS)| Azure Subscription | Azure Sub | Azure AD | Azure AD |--------------------- |--------------------- | O365 Sub -> | O365 Sub | Exchange mailboxes-> | Exchange mailboxes | Sharepoint? -> | ??? | -------------------- |--------------------- I wonder how could it be possible to defer the sharepoint and onedrive migration, so that the child company users can still work on their sharepoint files using their normal auth methods, while disabling childcompany.com as MX so they start using ParentCompany.com mailboxes.Is that even possible? Would make more sense to try to migrate everything at once? That is way more work, but I'm weighting my options.1.4KViews0likes7CommentsHow to target Azure VPN (Microsoft-Registered) app with Conditional Access Policies?
I have an Azure Point-to-Site VPN Gateway configured using the Microsoft-registered Azure VPN Client App ID (Audience value: c632b3df-fb67-4d84-bdcf-b95ad541b5c8). Everything is working correctly for our users. The issue I am having is that anyone with an Entra account can connect to the VPN and I want to restrict this with a blocking Conditional access policy. I do not want to create a custom app registration, because then I will have to change the 'audience' value on the app gateway and all user's will need to modify their VPN clients. The problem is I need to target the Microsoft-registered Azure VPN app in a Conditional Access policy but it does not appear in my Enterprise Applications list or in the CA app picker when searching. My questions: Why does the Microsoft-registered app not automatically create a service principal in my tenant the way other Microsoft apps do? Is there a supported way to make it appear in the CA app picker without creating a custom app registration or changing the gateway Audience value? Has anyone successfully targeted c632b3df-fb67-4d84-bdcf-b95ad541b5c8 in a CA policy while keeping it as the gateway Audience value? Thanks for the assistance here102Views0likes1CommentHow Do I Target the Azure VPN Client in a Conditional Access Policy?
I am using the Azure VPN Client to connect users to an Azure VPN Gateway using their Entra ID credentials to authenticate. I want to target this application with a CA policy that requires MFA every time it connects. The problem is that I don't see the applications in my Enterprise Apps and all of my searching says that it won't appear because it was "pre-certified" by Microsoft. In the Gateway setup I used the Audience GUID of c632b3df-fb67-4d84-bdcf-b95ad541b5c8. And this is working as expected. The only solution that I have found for targeting the Azure VPN Client app is to create a Service Principal using that Audience GUID. This seems like a bit of a hack, so I am posting here to see if there are any other methods that I am missing to target this app when it doesn't appear in my Enterprise Apps list.704Views1like4CommentsBroken Account Recovery (discontinued product)
Hello everyone, We have the MSFT Office Family plan which has the now discontinued custom domain support that used to be an option as a "Premium" feature. Back in August we upgraded the phone of one of the account members on the family plan and lost connection to their MS Office account with the only device that was accessing to the account (the phone with access was reset as part of the upgrade/trade in process). I have tried the account recovery form and it simply doesn't work. I have tried to explain to MSFT support that the tool is broken but can't get anywhere. For the account in question we have an Outlook email client (with non working password) that has a cache of all of the email until loss of access occurred. So when I do the account recovery form, I have name, DOB, region, past passwords and data for all fields including sent email Id's and send subjects, But every time the MSFT recovery mechanism says "Unfortunately, we have determined that the information provided was not sufficient...". WTF. Every time I contact MSFT support I get the same answer, an explanation of the point system used to reset the the account. Same steps to recover....based on this, the recovery should work...yet it doesn't. I have tried somewhere 50+ attempts now over the last 9 months. I even have a contact who is VP level at MSFT who sponsored a support ticket internally but that just ended up with the support person sending me a link to the account recovery form and closed the ticket without looking in the details of the ticket. I can't modify / add a new account as MSFT has as a discontinued product no longer allow members to add/change id's. So I'm locked at the current user set. I have created another email address by saving the cached data to OLM file and importing via the Outlook client but that doesn't restore use of the @mydomain.com for that person. I even retained a lawyer who send a demand to MSFT legal...but the email address didn't go anywhere so at the point of needing to do this on headed paper/send via snail mail. Does anyone have any idea how to get through to MSFT explain the recovery tool is broken? I assume there are so few accounts using custom domains pin family plans that they simply don't test this recovery path. At this point without some internal guidance is a) lawyer and force a demand for password reset b) give up, ditch all of the users using the custom domain, configure an alias for all of the accounts and then change my MX record to a company doing email forwarding and then forward to the new/old legacy accounts (i.e. the ones with the mailto:email address removed for privacy reasons).93Views0likes1CommentAlternative hostname for ADFS proxy possible?
Dear Community, I have setuped a ADFS server with "adfs.customer.com" and a ADFS proxy, who also externally listening on this URL. Here is my question: Can I configure an additional "external" URL like "adfs.bla.com" in the ADFS proxy so, that its listening to incoming requests and redirect it to adfs.customer.com? Thanks André797Views0likes1Comment