microsoft 365
Conditional policies to access SharePoint and Files (not Apps)

Hi Team!! I'm looking for a way to restrict SharePoint access from outside of my office network (typically using the static public IP address). My understanding is that to do so, I require configuring conditional access policies in Azure (which in turn requires an Entra ID P1 license for each user). Is my understanding correct? If so, do I have to license each and every user to do so? The other clarification I'm looking for is: does a conditional access policy apply universally to all users when enabled, or only to those with an Entra ID P1 license? The reason for this clarification is that I tried applying this using a trial license by setting up a policy to block SharePoint access outside our office network, but it ended up applying to all users instead of only the ones with the trial license assigned. Further, I noticed that setting this policy blocks the entire Microsoft Teams app as well, whereas my objective is to limit access to the files in Teams, as they are part of SharePoint. Is there a way to control access to SharePoint files in Teams without blocking the whole Teams app? Do let me know if I'm doing something wrong here.

Entra ID account on Windows 11 being started under a TEMP user profile

I have an Entra ID user on Windows 11 (Intune managed). The user is the "primary user". The user started experiencing login issues where "user name or password not recognized". The password was reset in Entra ID. The PC recognized the new password and allows the user to log in, BUT the account profile is mapped to C:\Users\TEMP and not to their normal C:\Users\<UserName> profile. How do I reconnect the user with their profile?

Double entries in userCertificate prevent Hybrid Join

Hey guys, I have an interesting situation at a customer. He utilizes a third-party MFA provider while being on a federation. That means new computers will never have a registered state. For users it is mandatory that their clients have completed the Hybrid Join to use M365 apps, which can be a real pain. So the Automatic-Device-Join task has to create the userCertificate on the on-premises computer object before it can be synchronized to Entra. Here comes the issue. In some cases we see that some computers create two userCertificate entries. This situation leads to an inconsistent Hybrid Join. I already tried to remove one of the certificates, but for me it is impossible to recognize which is the right one. The only solution for me was to remove both entries under userCertificate and let the Automatic-Device-Join task create a new one. Afterwards the Hybrid Join works. I want to understand which process or scenario might create the double userCertificate entries.

No Application Access Policy Found for Graph API in MS Teams Virtual Events Integration

Hello Microsoft Community, I've encountered an issue while integrating Microsoft Teams Virtual Events using the Microsoft Graph API and would appreciate any guidance on how to resolve it.

Here's the setup:
    I have registered an application in Microsoft Entra ID.
    The app is set up with application-level permissions:
        VirtualEvent.Read.All
        VirtualEventRegistration-Anon.ReadWrite.All
    I've configured an OAuth flow for users to authenticate with their Microsoft accounts and grant these permissions.
    After authentication, the user is redirected to our app, where we successfully fetch an application access token.
    The app is registered as a multi-tenant application.

The issue: We are using application permissions and receiving an access token correctly. The Entra ID dashboard shows that the app has been granted the required permissions. However, when using the Graph API to access virtual events (Teams webinars), I get the following error:

    GET: https://graph.microsoft.com/beta/solutions/virtualEvents/webinars/:id

    Response:
    {
      "error": {
        "code": "General",
        "message": "No application access policy found for the app (707b5896-7828-4010-834e-74d3201a3137) on the user (7f27a9fb-af1a-4d36-a102-3a9591e6aaf9).",
        "innerError": {
          "request-id": "00af9b4e-043c-4f93-8a02-a5ee14e7d29c",
          "date": "2024-10-02T09:10:26",
          "client-request-id": "00af9b4e-043c-4f93-8a02-a5ee14e7d29c"
        }
      }
    }

Additional details:
    The app is meant to access data related to Microsoft 365 services (especially Teams).
    We are using application permissions and not delegated permissions.
    The app needs to work across multiple tenants.

My questions:
    Do I need to configure additional application access policies for Microsoft Teams or Exchange Online to allow this app to access Teams-related data?
    Should I use Exchange PowerShell to create this policy, given the data is related to Microsoft 365 services (like Teams webinars)?
    Is there anything else I should verify for multi-tenant application permissions?

Any insights or troubleshooting guidance would be much appreciated! Thank you!

Conditional Access falsely detects logins from Android as Linux (and blocks them)

Hi everyone, we're facing an issue which we can't solve correctly.

Scenario: Users are accessing M365 content from Windows, iOS and Android devices. Conditional Access is configured to block logins from "unknown platforms", so only Windows, iOS and Android are allowed.

Issue: Some users experience weird issues: they're using an app with M365 SSO. The app opens the Edge browser for handling the login flow. Afterwards the login fails. As I can see in the Entra sign-in logs, the user agent is Linux (therefore it gets blocked correctly). A few minutes before, the same user, with the same mobile phone, with the same app, wasn't blocked, because the login was recognized correctly as Android. Currently I don't have any ideas and I was hoping some of you have great ideas. 🙂 (Adjusting the Conditional Access policy to allow Linux isn't an option, of course.) Regards, Patrick

Phishing-resistant MFA options for Entra ID Guest users

What are the phishing-resistant MFA options for Entra ID B2B guest users who authenticate from an IdP that is not configured for inbound cross-tenant trust? From our testing, there does not appear to be any way to use FIDO2/passwordless/certificate-based authentication with the guest account on the resource tenant. The following links appear to indicate that this is not supported:
    Overview of custom authentication strengths and advanced options for FIDO2 security keys and certificate-based authentication in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
    Microsoft Entra passwordless sign-in - Microsoft Entra ID | Microsoft Learn
When we enable MFA requirements in a conditional access policy for guest users, the only option that seems to work is MS Authenticator, which the user can enroll for on our tenant. Would switching the account from a B2B guest to an internal guest allow something like CBA to function, or is the only real option to enable cross-tenant trust and force the user to enable MFA on the account in their home IdP?

What's next for existing dynamic groups if there are not enough Entra P1 licenses and we still need this group

We've noticed that on Sep. 9, '24, Microsoft gave such a heavy update. This update asks all dynamic group members to be equipped with Entra P1 to stay in the group. We have many dynamic groups for group licensing, and don't want to buy this license for all internal users (we're using Business Basic mostly). We can fully automate this process by ourselves, but there is no option to remove an existing dynamic membership rule, and we can't predict how these old dynamic groups will act in the future. Does anyone know how to turn these "dynamic groups" into "assigned groups"? Sep. 9, what a horrible day: the PnPOnline cmdlet changed, the dynamic membership rule changed...... nearly all PowerShell scripts have to change. My WLB is broken. Boeingnization?

Azure AD Role assignments - Export to CSV

Hello, I am trying to export all the Azure role assignments but am unable to export. I have direct and group assignment types, eligible and active assignments. "Download assignments" in Roles and Administrators is not giving the member details if it's a group assignment. I tried a few scripts but they didn't work well, so I skipped sharing them here. Can anyone help me with a script to export the role assignment details? I need the role name and user details in the output file.