microsoft entra
Issues with Passkey Login Hanging on "Connecting to Your Device"
Hi everyone, I'm currently working on enabling passkey login for some users. I have a test account where I enabled the passkey and enrolled it in Microsoft Authenticator. However, when I try to log in and scan the key, it hangs on "connecting to your device." Has anyone encountered this issue before? How can I find the root cause, and which log would show what might be blocking me? Thanks in advance for your help!

Two Severity A Cases Ignored for Days
Hello, we are trying to understand the status of the Azure support department. We currently have two Severity A issues open; one has been pending for 6 days without a response, and the other for 11 hours without a reply. We are on the STANDARD support plan, which promises responses within a few hours at most, but this has not been the case. Any advice would be greatly appreciated.

Cross-tenant synchronization and resource access
Hello, my company is investigating options pertaining to splitting a set of users out into a separate Entra ID tenant. This is being driven from a political and governance perspective, whereby a portion of the organisation is looking to split away from the conglomerate for their cloud identities only (not the on-premises AD). They effectively want their users and Entra ID identities to be moved to a new Entra ID tenant, however they still want to maintain access to the source tenant resources and applications for a period of time (potentially ongoing).

For the purpose of my questions, assume that:
- the existing on-premises domain is orga.internal
- the existing Entra ID tenant is OrgA.onmicrosoft.com
- the new Entra ID tenant is OrgB.onmicrosoft.com

Ultimately the goal is to migrate user identities, their M365 license and mailbox to OrgB.onmicrosoft.com whilst still enabling them to access the cloud resources attached to OrgA.onmicrosoft.com.

Looking at the capabilities of the cross-tenant synchronisation service to sync users from OrgA.onmicrosoft.com to OrgB.onmicrosoft.com, I'm not sure if this will meet my requirements, as it will effectively sync the users from OrgA.onmicrosoft.com to OrgB.onmicrosoft.com as B2B guests. Is that correct?

If my understanding is correct, what we really need to do is:
1. Migrate Entra ID identities and mailboxes to OrgB.onmicrosoft.com, removing the OrgA.onmicrosoft.com account in the process.
2. Use cross-tenant synchronisation to sync the new OrgB.onmicrosoft.com identities back to OrgA.onmicrosoft.com as B2B guests, whereby access to resources is provided to the guest account.

If this is correct, then is it technically supported to have multiple instances of Entra ID Cloud Sync synchronising a subset of the orga.internal users to the Entra ID tenant OrgB.onmicrosoft.com whilst another instance of Cloud Sync continues to sync orga.internal users to the existing OrgA.onmicrosoft.com Entra ID tenant?
I can't seem to find any reference to this architecture in the MS doco. I can see this scenario referenced in the legacy Cloud Connect doco but not in the newer Cloud Sync agent doco. Any advice is appreciated.

Control "preferredLanguage" for local AD synced accounts
We have a single tenant for several branches around the world. There is a single forest, single domain, with Entra ID Connect in place. In AD, the properties of the user accounts that relate to user location are populated according to this standard:

branch        AD attribute c   AD attribute co   AD attribute countryCode   AD attribute msDS-preferredDataLocation
Switzerland   CH               Switzerland       756                        EUR
Germany       DE               Germany           276                        DEU
Italy         IT               Italy             380                        EUR
Netherlands   NL               Netherlands       528                        EUR
Poland        PL               Poland            616                        EUR
UK            GB               United Kingdom    826                        EUR
US            US               USA               840                        NAM

There is an Entra ID user attribute called "preferredLanguage". This is not set for most of our users. How could we solve this? Which attribute in local AD do we have to use? Do we need to change anything in Entra ID Connect? Hopefully someone could give advice and the information needed to be able to configure the Entra preferredLanguage for our synced users out of our local AD. Thanks in advance!

Global Secure Access - Private Access segmentation
We are just starting to evaluate Private Access and are already experiencing the first problems. We have our internal network range 10.0.0.0/8, local DNS, and some external partner DNS, which should be accessible for all users (Active Directory ports, HTTP/S and SMB). At the same time, the IT staff must also be able to access the range via SSH, RDP and much more. I cannot map something like this with Quick Access and one IT enterprise app, but only via two enterprise apps without using Quick Access, because of overlapping? Is that right?

Users are AD synced, but not able to sync password
Hi, we use Entra ID Sync from on-premises AD to Entra. In Entra, users are shown as synced. For some reason it is not possible for the password that is set in AD to be synced to Entra. Furthermore, I am able to reset the password in the admin center. On the other hand, in Entra itself I cannot change the password. How do I fix this? The problem is that the user must change passwords twice: first in AD and second in the admin center. The latter is needed so he can use Teams etc. I checked Entra ID Sync, but that works fine from what I can judge. Password writeback is disabled.

SCIM and Entra ID: remove Group from provisioning and member PATCH call
Problem: if a Group is removed from provisioning, MS sends a PATCH request UpdateGroup with "add member" instead of "remove member".

If I remove a group from provisioning, MS Entra ID sends this PATCH operation:

    "Operations": [
        {
            "op": "Add",
            "path": "members",
            "value": "user2"
        }
    ]

Actually I thought that a remove PATCH request should be sent like:

    "Operations": [
        {
            "op": "Remove",
            "path": "members",
            "value": "user2"
        }
    ]

If the user is only a member of one provisioning group, that's no problem, because afterwards the user is, in my case, deleted as well. But if we have the following scenario, with two groups configured in MS Entra ID for provisioning:
- Group A (with members user1 and user2)
- Group B (with member user2)

If now Group B is removed, the user object stays in my target system in both groups (A and B) because of the "member add" PATCH request.

Does anyone have the same problem with "add member" instead of "remove member", or a solution for this behavior?
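Added example, not code from the thread and not Microsoft's provisioning client: a minimal SCIM 2.0 PATCH handler for group membership (RFC 7644 section 3.5.2) running against an in-memory store that stands in for the target system. It replays the Group A / Group B scenario above with a request constructed from the body quoted in the post, then shows the two removal shapes SCIM defines (a value list on "members", and a filtered path "members[value eq ...]") that a server should accept, plus a helper that lists users no provisioned group references any more. Group names and user ids are placeholders.

```python
"""Minimal SCIM 2.0 PATCH handling for the 'members' attribute of a Group.

Added example; the group store and the requests are constructed for this
demonstration and are not taken from Entra ID or from the thread.
"""
import re
from typing import Dict, Set

# Filtered remove path defined by RFC 7644, e.g. members[value eq "user2"]
_MEMBER_FILTER = re.compile(r'^members\[value\s+eq\s+"([^"]+)"\]$', re.IGNORECASE)


class ScimError(Exception):
    """HTTP status and scimType the server should return for a bad PatchOp."""

    def __init__(self, status: int, scim_type: str, detail: str) -> None:
        super().__init__(detail)
        self.status = status
        self.scim_type = scim_type


def _member_ids(value) -> Set[str]:
    """Normalise a members 'value' to a set of ids.

    RFC 7644 uses a list of {"value": "<id>"} objects; the body quoted in the
    post carries a bare string, so both shapes are accepted here.
    """
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    if isinstance(value, dict):
        value = [value]
    ids: Set[str] = set()
    for item in value:
        if isinstance(item, dict) and "value" in item:
            ids.add(str(item["value"]))
        elif isinstance(item, str):
            ids.add(item)
        else:
            raise ScimError(400, "invalidValue", f"unusable member entry: {item!r}")
    return ids


def apply_group_patch(groups: Dict[str, Set[str]], group_id: str, patch: dict) -> Set[str]:
    """Apply a SCIM PatchOp body to groups[group_id]; return the new member set."""
    if group_id not in groups:
        raise ScimError(404, "", f"group {group_id!r} not found")
    members = set(groups[group_id])
    for entry in patch.get("Operations", []):
        op = str(entry.get("op", "")).lower()  # "Add"/"Remove": SCIM op names are case-insensitive
        path = entry.get("path") or ""
        filtered = _MEMBER_FILTER.match(path)
        if filtered:
            if op != "remove":
                raise ScimError(400, "invalidPath", "a filtered members path is only valid for remove")
            members.discard(filtered.group(1))
        elif path.lower() == "members":
            ids = _member_ids(entry.get("value"))
            if op == "add":
                members |= ids
            elif op == "remove":
                # No value means "remove all values" for a multi-valued attribute
                members = members - ids if ids else set()
            elif op == "replace":
                members = ids
            else:
                raise ScimError(400, "invalidValue", f"unsupported op {op!r}")
        else:
            raise ScimError(400, "invalidPath", f"unsupported path {path!r}")
    groups[group_id] = members
    return members


def users_without_groups(groups: Dict[str, Set[str]], known_users: Set[str]) -> Set[str]:
    """Users that no provisioned group references: candidates for deprovisioning."""
    return known_users - set().union(*groups.values())


def scenario_from_post():
    """Replay the post: Group A {user1, user2}, Group B {user2}; Group B is removed."""
    groups = {"A": {"user1", "user2"}, "B": {"user2"}}
    # The operation the post reports receiving: an Add, so user2 stays in B
    observed = {"Operations": [{"op": "Add", "path": "members", "value": "user2"}]}
    after_observed = set(apply_group_patch(groups, "B", observed))
    # Removal by value list, as RFC 7644 describes it
    by_value = {"Operations": [{"op": "Remove", "path": "members", "value": [{"value": "user2"}]}]}
    after_remove = set(apply_group_patch(groups, "B", by_value))
    groups["B"] = {"user2"}
    # Removal by filtered path
    by_filter = {"Operations": [{"op": "Remove", "path": 'members[value eq "user2"]'}]}
    after_filter = set(apply_group_patch(groups, "B", by_filter))
    return after_observed, after_remove, after_filter


if __name__ == "__main__":
    print(scenario_from_post())
```

Accepting the bare-string value, the capitalised op names and both removal shapes keeps the server tolerant of client variation; the `users_without_groups` check is the reconciliation step a target system needs in any case, since an Add sent where a Remove was expected leaves stale memberships that no later request will clean up.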
In Entra ID, is it possible to link accounts (ex: Google and Facebook)?

I couldn't find any reference in the documentation, which is why I'm asking here in the forum. Based on the sample https://woodgrovedemo.com/, if I perform a self-registration sign-up with email/password and then try to sign in via Google, it returns that an account already exists and requires me to log in using email and password. The same happens if I sign up with Google and later try to log in with Facebook: I am forced to sign in via Google. Is there no way to link accounts into a single user, allowing authentication with any of them? This is a feature that most CIAM solutions support. Maybe with the PATCH /user Graph API? Thank you.

How to map a user custom security attribute to OIDC id and access token?
We are integrating Keycloak with Azure Entra via OIDC. We have created custom security attributes to map some extension fields for the user. We tried to map these as token claims, but the custom security attributes don't show up in the dropdown under Token configuration > Add optional claim. We then tried to define them under Enterprise App > Single sign-on > Attributes & Claims, but were unable to find these custom security attributes in the dropdown there either! Any help with this problem is deeply appreciated. Thanks, Raghav

Assistance Required: MFA Options for User without Microsoft Authenticator
Hello! I am currently assisting a user who is using an older phone that does not support Microsoft Authenticator. I am seeking guidance on whether it is possible to implement email-based multi-factor authentication (MFA) for this user, considering they have an Exchange Online Plan 1 license and do not have access to Azure AD Premium P1 or P2. Despite my efforts, the user continues to receive a prompt to set up Authenticator upon login. Thank you for your assistance. Best regards, Marco