Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
What I'm trying to achieve I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (regular organizational tenant) for a hybrid CIAM/B2B setup where: Business users authenticate via their corporate accounts (OIDC or SAML) Individual customers use username/password or social providers (OIDC) Tenant details / Terminology: CIAM tenant: External ID tenant for customer-facing applications IdP tenant: Example Partner's organizational Entra ID tenant with business accounts Custom domain: mycustomdomain.com (example domain for the IdP tenant) Configuration steps taken Step 1: IdP Tenant (Entra ID) - Created SAML App Set up Enterprise App with SAML SSO Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/ Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf NameID: Persistent format Claim mapping: emailaddress → user.mail Step 2: CIAM Tenant (External ID) - Added SAML IdP (Initially imported from the SAML metadata URL from the above setup) Federating domain: mycustomdomain.com Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/ Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2 DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2 Step 3: Attached to User Flow Added SAML IdP to user flow under "Other identity providers" Saved configuration and waited for propagation The problem It doesn't work. When testing via "Run user flow": No SAML button appears (should display "Sign in with mycustomdomain") Entering email address removed for privacy reasons doesn't trigger federation The SAML provider appears configured but never shows up in the actual flow Also tried using the tenant GUID in the passive endpoint instead of the domain - same result My question Is SAML federation from External ID to regular Entra ID tenants actually possible? I know OIDC federation to Microsoft tenants is (currently, august 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works. Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant regardless of the protocol used?Add members to a dynamic sec-grp excluding users with a specific "serviceplanid" assigned license
Hello, I am trying to populate dynamically a security group that shoud contain all members with a specific attribut value and trying to filter the groupe membership based on a serviceplanId assigned to members (user.extensionAttribute9 -startsWith "83") -and (user.accountEnabled -eq True) -and (user.mail -ne null) -and (User.AssignedPlans -any (assignedPlan.servicePlanId -ne "818523f5-016b-4355-9be8-ed6944946ea7" -and assignedPlan.capabilityStatus -eq "Enabled")) How to exclude members with the ServicePlanId : "818523f5-016b-4355-9be8-ed6944946ea7" from the list of the groupe members ?How to move Active Directory Source of Authority to Microsoft Entra ID and why
This gives you seamless access for your teams, stronger authentication with MFA and passwordless options, and centralized visibility into risks across your environment. Simplify hybrid identity management by reducing dual overhead, prioritizing key groups, migrating users without disruption, and automating policies with Graph or PowerShell. Jeremy Chapman, Microsoft 365 Director, shows how to start minimizing your local directory and make Microsoft Entra your source of authority to protect access everywhere. Strengthen your identity security. Sync your on-prem AD with Microsoft Entra ID, adding MFA and Single Sign-on. Start here. Gain full visibility into risky sign-ins. Minimize dual management by moving the source of authority to Microsoft Entra. Check it out. Automate moving groups and users to the cloud. Streamline your identity management using Graph API or PowerShell. Take a look. QUICK LINKS: 00:00 — Minimize Active Directory with Microsoft Entra 00:34 — Build a Strong Identity Foundation 01:28 — Reduce Dual Management Overhead 02:06 — Begin with Groups 03:04 — Automate with Graph & Policy Controls 03:50 — Access packages 06:00 — Move user objects to be cloud-managed 07:03 — Automate using scripts or code 09:17 — Wrap up Link References Get started at https://aka.ms/CloudManagedIdentity Use SOA scenarios at https://aka.ms/usersoadocs Group SOA scenarios at https://aka.ms/groupsoadocs Guidance for IT Architects on benefits of SOA at https://aka.ms/SOAITArchitectsGuidance Unfamiliar with Microsoft Mechanics? As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft. Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast Keep getting this insider knowledge, join us on social: Follow us on Twitter: https://twitter.com/MSFTMechanics Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/ Enjoy us on Instagram: https://www.instagram.com/msftmechanics/ Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics Video Transcript: -Your identity system is your first and last line of defense against unauthorized access, data exfiltration, and lateral movement. And now with AI agents acting on behalf of users, identity is more critical than ever. Today we’re going to explain and demonstrate how moving more of your groups and users to centralized management in the cloud can increase your identity security posture without breaking access and authorization to the resources that you have running on premises so that your users don’t even notice anything changed. If we step back in an architectural level, if yours is like most organizations, you’re probably running hybrid identity, where core identity management tasks happen on your local infrastructure, and many of your user, group, app and device accounts are still created or exist on-prem. -And as you’ve started using cloud services, you’ve also set up identity synchronization between your local Active Directory and Microsoft Entra ID so that you can synchronize on-prem objects like usernames, passwords, and groups to the cloud. And if you’ve then gotten the extra step of a Cloud first approach, your new users, apps, and groups are managed in Microsoft Entra by default, and your new managed devices are Entra Joined. Now, you should have implemented multifactor authentication, ideally phish-resistant MFA with device compliance checks along with Single Sign-on for your apps. In both cases, these are really strong foundations. -That said, though, you’re dealing with dual management overhead, on-premises and in the cloud, which can result in less visibility and policy gaps. Moving the Source of Authority to Microsoft Entra to manage identity from the cloud across your digital estate, solves this. Here you’re minimizing your local directory services to only what’s necessary and bringing your existing groups, users and devices as well as your apps and cloud services wherever they live, into Microsoft Entra, which gives you holistic visibility and access control into user sign-ins, risky behaviors, and more across your environment. -In fact, as I’ll show you, this approach even improves controls as users access on-premises resources. The best path to making Microsoft Entra the source of authority is to start with your Active Directory Security Groups where you’ll prioritize the apps that you want to move to cloud-based authentication. Then after working through those, you’ll turn your attention to moving existing user accounts to the cloud. Let me show you how, starting with groups. So here you’re seeing a synced group in Microsoft Entra. The ExpenseAppUsers group has its source in Windows Server Active Directory, as you can see here. In fact, if I move over to the server itself and into Active Directory, you’ll see this group here on top. -Now I’m going to go open that up and you’ll take a look at the group membership tab here, and you’ll see that the group currently has two members, Dan and Sandy. And this is the expense app that we actually want to move. It’s a local on-premises line of business app. So let’s go back to Microsoft Entra and move this group. So we’re going to use Graph API to do this, and for that we’ll need the Object ID. So I’ve already copied the Object ID and I’ve pasted that value into this URI and the Graph Explorer. And of course this can be done using PowerShell or in code, too. And I’ve already run a GET command on this Object ID. And you can see that this new parameter IsCloudManaged equals False below. Now, to change this group to be cloud managed, I just need to patch this object with IsCloudManaged:true. Then I’ll run it. -Now if I select the GET command for that same object. Below, we’re going to see that it’s changed from False to True for IsCloudManaged. And if I go back to Microsoft Entra, we can confirm that it’s cloud managed as the group Source. So now we can add users to the group from Microsoft Entra using Access Packages. So from Access Packages, I’m going to open up the one for our app. Then under Policies, I can see the Initial Policy and edit it. Now moving to the Request tab, I’ll add our newly cloud managed group. There it is, ExpenseAppUsers, and confirm. Now I’ll just click through the tabs and finally update the policy. Of course, self-service access requests and reviews will work as well. And now we can actually try this out by adding users from the Microsoft Entra admin center to grant them access to our on-premises Expense App. -So back in our group for the Expense App, I’ll go ahead and navigate to members and there are the two that we saw before from Active Directory. Now let’s add another member. So I’m going to search here for Mike, there he is, and pick his account, then select to confirm. Now if I take a look at Mike’s account properties and scroll down, we’ll see that he’s an On-premises synced account account. So this account is managed in our local Active Directory, but now the group source of authority is actually in Microsoft Entra and I can grant the account access to on-premises resources as well from the cloud. In fact, let’s take a look at how this appears in our local AD. -So now if I open up our ExpenseAppUsers group and I go to the Members tab, you can see that Mike is there as a new member, synced down from the cloud. Under the covers, this is using a matching Group SID and assigning new members to our local group based on our configurations in Microsoft Entra. So, no changes are even necessary in the local directory or the app. And the point of doing this was to ensure that Mike could be granted access to our on-premises Expense App. So let’s see if that worked. So from Mike’s PC, this is his view of the Expense App and he now has access to that local resource even though I made all the configurations in the cloud. So that was how to get groups managed in the cloud and you’d work through other groups based on the priority of the apps and corresponding groups that you want to move to the cloud. -Now the next step is then to move your user objects to be cloud managed by Microsoft Entra. So here I’m in Microsoft Entra, and I’m looking at our Sandy Pass user account, and we saw her account before in Active Directory. And if I scroll down, you’ll see that her account is indeed managed on premises and synced up to Microsoft Entra. Now the goal here is to ensure that we maintain seamless access to on-premises resources like our app that we saw before, or also file shares, for example, with better security using passwordless authentication. So if I move over to the view from Sandy’s PC, you’ll see that she has a hybrid joined account, and I can access local file shares like this one, for example, for DanAppServer. -Now if I head over to the System Tray, you’ll see that this machine also has Global Secure Access running for on-premises resource access. And next, I’ll open up a command prompt and I’ll run klist to see the issued Kerberos Tickets to show domain authorization is indeed working. So now let’s move this account to be cloud managed like we did with our group before. And the process is pretty similar and equally automatable using scripts or code. Again, we’ll need the Object ID from Microsoft Entra. Remember this text string. Now if I move over to Graph Explorer again in the URI, you’ll see that the Object ID for Sandy’s account is already there and I’ve already run the GET command and IsCloudManaged as you would expect is currently False. So let’s change that property to True. And again, I’ll use the PATCH command like we do with the Group, and I’ll run it. So now if I go over to the dropdown and rerun the GET command, you’ll see that IsCloudManaged is now True. -So if I go back to the Entra portal, we can then head over to the account properties and scroll down and then we’ll see that On-premises sync enabled says No. So, Sandy is now managed in the cloud. In fact, let’s head back over to Sandy’s machine and I’m going to purge the klist just to ensure that there aren’t any residual tickets to grant access to on-premises resources. Now I’m going to run dsregcmd and a switch for refreshprt to refresh the primary refresh token. Then running the status switch, I can get all of the details for the device registration. Then if I scroll down, eventually I can see the OnPremTgt and CloudTgt are both YES, which means the Kerberos ticket, granting ticket is working. -So now if I sign out of this machine then sign back in, the meerkat on screen looks pretty optimistic. So I’ll go ahead and open the Start menu, then I’ll head over to our file share from before and no problems. And I still have write permissions, too. So I’ll go ahead and create a folder, now I’ll name it Employee Data, then drag a file into it just to make sure that my experience wasn’t compromised and everything works. So now if I open up Start and then the Command Prompt and then run klist, there are my two issued tickets for the login as well as the file share access respectively. Again, the account is cloud managed now and we moved from on-premises and we haven’t even affected access or authorization to our resources on the local network. We’re still getting Kerberos Tickets, and our user didn’t even notice the change. -Moving your on-premises groups and user objects to be cloud managed is one of the strongest ways to improve your security posture, add control and better visibility. Now to find out more and get started, check out aka.ms/CloudManagedIdentity and keep checking back to Microsoft Mechanics for the latest tech updates, and thanks so much for watching.
Cybersecurity Starts Here: Strong Passwords for Nonprofits
In the nonprofit world, trust is everything. Whether you're protecting donor data, safeguarding beneficiary information, or managing internal systems, your digital security matters. One of the simplest—and most powerful—ways to protect your organization is by using strong passwords. These tools form the first line of defense against cyber threats and help ensure your mission stays on track. Why Strong Passwords Matter Weak passwords are like unlocked doors—they invite trouble. Cybercriminals often exploit simple or reused passwords to gain unauthorized access, impersonate staff, steal sensitive data, or disrupt operations. A strong password acts as a digital lock: hard to guess, harder to crack. Characteristics of a strong password: At least 12 characters long A mix of uppercase, lowercase, numbers, and symbols Unique for every account Not based on personal info (no pet names, birthdays, or favorite sports teams!) Microsoft Tools That Help You Stay Secure Microsoft offers nonprofit-friendly tools to help enforce strong password policies and protect user identities: Microsoft Entra ID (formerly Azure Active Directory) Centralized identity and access management Multi-factor authentication (MFA) to prevent unauthorized logins Conditional access policies and role-based access control Microsoft 365 Security Center Monitor password-related alerts and suspicious sign-ins Enforce password expiration and complexity policies View security recommendations tailored to your organization Microsoft Defender for Endpoint Detects brute-force password attacks and credential theft Protects devices from malware and phishing attempts Integrates with Microsoft 365 for unified threat response Tips for Nonprofit Teams Building a culture of cybersecurity starts with small, consistent actions: Make it policy: Require strong passwords use across your organization Train your team: Host a lunch-and-learn or share a how-to guide on password safety Enable MFA: Add multi-factor authentication for all accounts Audit regularly: Review access and update credentials when staff roles change Clean up old accounts: Remove unused logins and shared credentials Your Mission Deserves Protection Cybersecurity isn’t just an IT issue—it’s a mission-critical priority. By adopting strong password practices, you’re taking a proactive step to protect your people, your data, and your impact. Microsoft’s ecosystem offers scalable, nonprofit-friendly tools to help you build a secure foundation—so you can focus on what matters most: serving your community.Cybersecurity 101: Protecting Your Nonprofit with Microsoft Tools
Cybersecurity isn’t just an IT concern—it’s a mission-critical priority. For nonprofits, safeguarding sensitive data, maintaining donor trust, and ensuring operational continuity are foundational to achieving impact. In an increasingly digital world, cyber threats are evolving rapidly, and nonprofits—often operating with limited resources—can be especially vulnerable. The good news? Microsoft offers a suite of powerful, easy-to-use tools designed to help nonprofits build a resilient security posture without needing a full-time IT department. What Is Cybersecurity? Cybersecurity is the practice of protecting systems, networks, and data from unauthorized access, attacks, or damage. For nonprofits, this means defending the integrity of: Donor and beneficiary information: Personal data that must be protected to maintain trust and comply with privacy laws. Financial records: From grant funding to payroll, financial data is a prime target for cybercriminals. Internal communications: Sensitive discussions around strategy, staffing, and partnerships. Program data and impact reports: Valuable insights that drive funding and stakeholder engagement. A breach in any of these areas can lead to reputational damage, legal consequences, and disruption of services—making cybersecurity a strategic imperative. Microsoft Tools That Help You Stay Secure Microsoft’s ecosystem is designed to meet nonprofits where they are—whether you're just starting your digital journey or managing complex operations across borders. Microsoft Defender Built-in protection against viruses, malware, ransomware, and phishing attacks Available across Windows devices and Microsoft 365 environments Real-time threat detection, automatic updates, and endpoint protection Microsoft Entra ID (formerly Azure Active Directory) Centralized identity and access management Multi-factor authentication (MFA) to prevent unauthorized logins Role-based access control to ensure staff and volunteers only access what they need Microsoft Purview Advanced data governance and compliance tools Helps classify, label, and protect sensitive information Supports regulatory compliance (e.g., HIPAA, GDPR) for nonprofits handling health or financial data Microsoft Outlook + Exchange Online Protection Filters out spam, phishing attempts, and malicious attachments Encryption options for secure email communication Safe Links and Safe Attachments features to prevent accidental clicks on harmful content Microsoft 365 Security Center Unified dashboard to monitor and manage security across your organization Actionable alerts and recommendations tailored to your environment Designed for ease-of-use, even for teams without dedicated IT staff Cybersecurity Best Practices for Nonprofits Technology alone isn’t enough—building a culture of security is key. Here are essential practices every nonprofit should adopt: Use strong, unique passwords and consider a password manager for staff Enable MFA on all accounts to add an extra layer of protection Educate your team on phishing, social engineering, and safe online behavior Keep software and systems updated to patch known vulnerabilities Limit access to sensitive data based on roles and responsibilities Back up data regularly using secure, encrypted methods Your Mission Deserves Protection Whether you're a small grassroots organization or a global NGO, your mission depends on trust, continuity, and resilience. Cybersecurity isn’t a luxury—it’s a necessity. Microsoft’s tools are designed to be scalable, affordable, and accessible, helping nonprofits protect what matters most: their people, their data, and their impact. By investing in cybersecurity today, you’re not just protecting your organization—you’re strengthening your ability to serve tomorrow.Introducing Microsoft Sentinel graph (Public Preview)
Security is being reengineered for the AI era—moving beyond static, rulebound controls and after-the-fact response toward platform-led, machine-speed defense. The challenge is clear: fragmented tools, sprawling signals, and legacy architectures that can’t match the velocity and scale of modern attacks. What’s needed is an AI-ready, data-first foundation—one that turns telemetry into a security graph, standardizes access for agents, and coordinates autonomous actions while keeping humans in command of strategy and high-impact investigations. Security teams already center operations on their SIEM for end-to-end visibility, and we’re advancing that foundation by evolving Microsoft Sentinel into both the SIEM and the platform for agentic defense—connecting analytics and context across ecosystems. And today, we announced the general availability of Sentinel data lake and introduced new preview platform capabilities that are built on Sentinel data lake (Figure 1), so protection accelerates to machine speed while analysts do their best work. We are excited to announce the public preview of Microsoft Sentinel graph, a deeply connected map of your digital estate across endpoints, cloud, email, identity, SaaS apps, and enriched with our threat intelligence. Sentinel graph, a core capability of the Sentinel platform, enables Defenders and Agentic AI to connect the dots and bring deep context quickly, enabling modern defense across pre-breach and post-breach. Starting today, we are delivering new graph-based analytics and interactive visualization capabilities across Microsoft Defender and Microsoft Purview. Attackers think in graphs. For a long time, defenders have been limited to querying and analyzing data in lists forcing them to think in silos. With Sentinel graph, Defenders and AI can quickly reveal relationships, traversable digital paths to understand blast radius, privilege escalation, and anomalies across large, cloud-scale data sets, deriving deep contextual insight across their digital estate, SOC teams and their AI Agents can stay proactive and resilient. With Sentinel graph-powered experiences in Defender and Purview, defenders can now reason over assets, identities, activities, and threat intelligence to accelerate detection, hunting, investigation, and response. Incident graph in Defender. The incident graph in the Microsoft Defender portal is now enriched with ability to analyze blast radius of the active attack. During an incident investigation, the blast radius analysis quickly evaluates and visualizes the vulnerable paths an attacker could take from a compromise entity to a critical asset. This allows SOC teams to effectively prioritize and focus their attack mitigation and response saving critical time and limiting impact. Hunting graph in Defender. Threat hunting often requires connecting disparate pieces of data to uncover hidden paths that attackers exploit to reach your crown jewels. With the new hunting graph, analysts can visually traverse the complex web of relationships between users, devices, and other entities to reveal privileged access paths to critical assets. This graph-powered exploration transforms threat hunting into a proactive mission, enabling SOC teams to surface vulnerabilities and intercept attacks before they gain momentum. This approach shifts security operations from reactive alert handling to proactive threat hunting, enabling teams to identify vulnerabilities and stop attacks before they escalate. Data risk graph in Purview Insider Risk Management (IRM). Investigating data leaks and insider risks is challenging when information is scattered across multiple sources. The data risk graph in IRM offers a unified view across SharePoint and OneDrive, connecting users, assets, and activities. Investigators can see not just what data was leaked, but also the full blast radius of risky user activity. This context helps data security teams triage alerts, understand the impact of incidents, and take targeted actions to prevent future leaks. Data risk graph in Purview Data Security Investigation (DSI). To truly understand a data breach, you need to follow the trail—tracking files and their activities across every tool and source. The data risk graph does this by automatically combining unified audit logs, Entra audit logs, and threat intelligence, providing an invaluable insight. With the power of the data risk graph, data security teams can pinpoint sensitive data access and movement, map potential exfiltration paths, and visualize the users and activities linked to risky files, all in one view. Getting started Microsoft Defender If you already have the Sentinel data lake, the required graph will be auto provisioned when you login into the Defender portal; hunting graph and incident graph experience will appear in the Defender portal. New to data lake? Use the Sentinel data lake onboarding flow to provision the data lake and graph. Microsoft Purview Follow the Sentinel data lake onboarding flow to provision the data lake and graph. In Purview Insider Risk Management (IRM), follow the instructions here. In Purview Data Security Investigation (DSI), follow the instructions here. Reference links Watch Microsoft Secure Microsoft Secure news blog Data lake blog MCP server blog ISV blog Security Store blog Copilot blog Microsoft Sentinel—AI-Powered Cloud SIEM | Microsoft Security
Windows Live Custom Domains causes Entra account lockout
Hi everyone, we have an on-prem AD connected with EntraConnect to EntraID since about 3 years. We only sync users and groups, no password hash or anything else. Since a few days 4 (out of about 250) users are constantly being locked out due to failed login attempts on an Application called "Windows Live Custom Domains". All 4 users are locked out not at the same time but within 30 min to an hour. This happens multiple times a day. As far as I was able to investigate Windows Live Custom Domains is a service no longer offered by MS or has been replaced with something else. How am I able to find out where this failed login attempts come from? If someone could point me in the right direction I would be very happy. Thanks DanielIntroducing Microsoft Security Store
Security is being reengineered for the AI era—moving beyond static, rulebound controls and after-the-fact response toward platform-led, machine-speed defense. We recognize that defending against modern threats requires the full strength of an ecosystem, combining our unique expertise and shared threat intelligence. But with so many options out there, it’s tough for security professionals to cut through the noise, and even tougher to navigate long procurement cycles and stitch together tools and data before seeing meaningful improvements. That’s why we built Microsoft Security Store - a storefront designed for security professionals to discover, buy, and deploy security SaaS solutions and AI agents from our ecosystem partners such as Darktrace, Illumio, and BlueVoyant. Security SaaS solutions and AI agents on Security Store integrate with Microsoft Security products, including Sentinel platform, to enhance end-to-end protection. These integrated solutions and agents collaborate intelligently, sharing insights and leveraging AI to enhance critical security tasks like triage, threat hunting, and access management. In Security Store, you can: Buy with confidence – Explore solutions and agents that are validated to integrate with Microsoft Security products, so you know they’ll work in your environment. Listings are organized to make it easy for security professionals to find what’s relevant to their needs. For example, you can filter solutions based on how they integrate with your existing Microsoft Security products. You can also browse listings based on their NIST Cybersecurity Framework functions, covering everything from network security to compliance automation — helping you quickly identify which solutions strengthen the areas that matter most to your security posture. Simplify purchasing – Buy solutions and agents with your existing Microsoft billing account without any additional payment setup. For Azure benefit-eligible offers, eligible purchases contribute to your cloud consumption commitments. You can also purchase negotiated deals through private offers. Accelerate time to value – Deploy agents and their dependencies in just a few steps and start getting value from AI in minutes. Partners offer ready-to-use AI agents that can triage alerts at scale, analyze and retrieve investigation insights in real time, and surface posture and detection gaps with actionable recommendations. A rich ecosystem of solutions and AI agents to elevate security posture In Security Store, you’ll find solutions covering every corner of cybersecurity—threat protection, data security and governance, identity and device management, and more. To give you a flavor of what is available, here are some of the exciting solutions on the store: Darktrace’s ActiveAI Security SaaS solution integrates with Microsoft Security to extend self-learning AI across a customer's entire digital estate, helping detect anomalies and stop novel attacks before they spread. The Darktrace Email Analysis Agent helps SOC teams triage and threat hunt suspicious emails by automating detection of risky attachments, links, and user behaviors using Darktrace Self-Learning AI, integrated with Microsoft Defender and Security Copilot. This unified approach highlights anomalous properties and indicators of compromise, enabling proactive threat hunting and faster, more accurate response. Illumio for Microsoft Sentinel combines Illumio Insights with Microsoft Sentinel data lake and Security Copilot to enhance detection and response to cyber threats. It fuses data from Illumio and all the other sources feeding into Sentinel to deliver a unified view of threats across millions of workloads. AI-driven breach containment from Illumio gives SOC analysts, incident responders, and threat hunters unified visibility into lateral traffic threats and attack paths across hybrid and multi-cloud environments, to reduce alert fatigue, prioritize threat investigation, and instantly isolate workloads. Netskope’s Security Service Edge (SSE) platform integrates with Microsoft M365, Defender, Sentinel, Entra and Purview for identity-driven, label-aware protection across cloud, web, and private apps. Netskope's inline controls (SWG, CASB, ZTNA) and advanced DLP, with Entra signals and Conditional Access, provide real-time, context-rich policies based on user, device, and risk. Telemetry and incidents flow into Defender and Sentinel for automated enrichment and response, ensuring unified visibility, faster investigations, and consistent Zero Trust protection for cloud, data, and AI everywhere. PERFORMANTA Email Analysis Agent automates deep investigations into email threats, analyzing metadata (headers, indicators, attachments) against threat intelligence to expose phishing attempts. Complementing this, the IAM Supervisor Agent triages identity risks by scrutinizing user activity for signs of credential theft, privilege misuse, or unusual behavior. These agents deliver unified, evidence-backed reports directly to you, providing instant clarity and slashing incident response time. Tanium Autonomous Endpoint Management (AEM) pairs realtime endpoint visibility with AI-driven automation to keep IT environments healthy and secure at scale. Tanium is integrated with the Microsoft Security suite—including Microsoft Sentinel, Defender for Endpoint, Entra ID, Intune, and Security Copilot. Tanium streams current state telemetry into Microsoft’s security and AI platforms and lets analysts pivot from investigation to remediation without tool switching. Tanium even executes remediation actions from the Sentinel console. The Tanium Security Triage Agent accelerates alert triage, enabling security teams to make swift, informed decisions using Tanium Threat Response alerts and real-time endpoint data. Walkthrough of Microsoft Security Store Now that you’ve seen the types of solutions available in Security Store, let’s walk through how to find the right one for your organization. You can get started by going to the Microsoft Security Store portal. From there, you can search and browse solutions that integrate with Microsoft Security products, including a dedicated section for AI agents—all in one place. If you are using Microsoft Security Copilot, you can also open the store from within Security Copilot to find AI agents - read more here. Solutions are grouped by how they align with industry frameworks like NIST CSF 2.0, making it easier to see which areas of security each one supports. You can also filter by integration type—e.g., Defender, Sentinel, Entra, or Purview—and by compliance certifications to narrow results to what fits your environment. To explore a solution, click into its detail page to view descriptions, screenshots, integration details, and pricing. For AI agents, you’ll also see the tasks they perform, the inputs they require, and the outputs they produce —so you know what to expect before you deploy. Every listing goes through a review process that includes partner verification, security scans on code packages stored in a secure registry to protect against malware, and validation that integrations with Microsoft Security products work as intended. Customers with the right permissions can purchase agents and SaaS solutions directly through Security Store. The process is simple: choose a partner solution or AI agent and complete the purchase in just a few clicks using your existing Microsoft billing account—no new payment setup required. Qualifying SaaS purchases also count toward your Microsoft Azure Consumption Commitment (MACC), helping accelerate budget approvals while adding the security capabilities your organization needs. Security and IT admins can deploy solutions directly from Security Store in just a few steps through a guided experience. The deployment process automatically provisions the resources each solution needs—such as Security Copilot agents and Microsoft Sentinel data lake notebook jobs—so you don’t have to do so manually. Agents are deployed into Security Copilot, which is built with security in mind, providing controls like granular agent permissions and audit trails, giving admins visibility and governance. Once deployment is complete, your agent is ready to configure and use so you can start applying AI to expand detection coverage, respond faster, and improve operational efficiency. Security and IT admins can view and manage all purchased solutions from the “My Solutions” page and easily navigate to Microsoft Cost Management tools to track spending and manage subscriptions. Partners: grow your business with Microsoft For security partners, Security Store opens a powerful new channel to reach customers, monetize differentiated solutions, and grow with Microsoft. We will showcase select solutions across relevant Microsoft Security experiences, starting with Security Copilot, so your offerings appear in the right context for the right audience. You can monetize both SaaS solutions and AI agents through built-in commerce capabilities, while tapping into Microsoft’s go-to-market incentives. For agent builders, it’s even simpler—we handle the entire commerce lifecycle, including billing and entitlement, so you don’t have to build any infrastructure. You focus on embedding your security expertise into the agent, and we take care of the rest to deliver a seamless purchase experience for customers. Security Store is built on top of Microsoft Marketplace, which means partners publish their solution or agent through the Microsoft Partner Center - the central hub for managing all marketplace offers. From there, create or update your offer with details about how your solution integrates with Microsoft Security so customers can easily discover it in Security Store. Next, upload your deployable package to the Security Store registry, which is encrypted for protection. Then define your license model, terms, and pricing so customers know exactly what to expect. Before your offer goes live, it goes through certification checks that include malware and virus scans, schema validation, and solution validation. These steps help give customers confidence that your solutions meet Microsoft’s integration standards. Get started today By creating a storefront optimized for security professionals, we are making it simple to find, buy, and deploy solutions and AI agents that work together. Microsoft Security Store helps you put the right AI‑powered tools in place so your team can focus on what matters most—defending against attackers with speed and confidence. Get started today by visiting Microsoft Security Store. If you’re a partner looking to grow your business with Microsoft, start by visiting Microsoft Security Store - Partner with Microsoft to become a partner. Partners can list their solution or agent if their solution has a qualifying integration with Microsoft Security products, such as a Sentinel connector or Security Copilot agent, or another qualifying MISA solution integration. You can learn more about qualifying integrations and the listing process in our documentation here.
External ID login page not showing identity providers
I am trying to create a login flow using an custom OIDC identity provider, but the login page is just showing a prompt for email and password without a way to log in using the external identity provider. I have configured the identity provider in Entra, and created a new user flow that should include the identity provider. Additionally, when an application is added to the user flow, any login using that application shows an error saying "We couldn't find an account with this email address" when trying to log in with a user that was working previously. I'm not sure if this is related to the missing identity provider or not. Is there a way to fix this? Any help is appreciated!
