Latest Discussions
'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug
Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app cannot be excluded from Conditional Access (CA) policies and is caught by 'All cloud apps', which breaks secure zero-trust scenarios and CA policy configurations. The best way to demonstrate this is through examples...

----Example 1----

Environment:
- CA Policy 1 - 'All cloud apps' requiring hybrid/compliant device, but excluding [App] (for all non-guest accounts)
- CA Policy 2 - [App] requiring MFA only (for contractor accounts, etc.)
- CA Policy 3 - [App] requiring hybrid/compliant device (for internal accounts, etc.)
- SSPR registration enforcement (Password reset > Registration) - set to 'Yes'
- MFA registration enforcement (Security > Authentication Methods > Registration campaign) - set to 'Enabled'

Scenario: A new user requires access to web [App] on an unenrolled device and is assigned an account that falls under CA Policy 1 and 2; however, [App] is excluded from 1, so it shouldn't apply to this login. When accessing [App] for the first time, users must register SSPR/MFA. They see the below message, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/passwordreset/register.aspx:

Then they see this screen, which will block the login and try to get the user to download the Company Portal app:

While behind the scenes, the login to [App] is being blocked by 'Microsoft App Access Panel' because it is seemingly added to the login flow and caught in CA Policy 1 in Req 2/3:

CA Policy 1 shows as not applied on Req 1, CA Policy 2 shows as successful for Req 1/2/3 and CA Policy 3 shows as not applied for Req 1/2/3. Creating a CA policy for the 'Register security information' user action has no effect on this scenario and also shows as not applied on all the related sign-in logs.
----Example 2----

Environment: Same as above, but SSPR registration enforcement - set to 'No'

Scenario: Same as above, but when accessing the [App] for the first time, they see the below message instead, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/proofup.aspx:

Then they are directed to the combined SSPR/MFA registration experience successfully:

The 'Microsoft App Access Panel' doesn't show in the sign-in logs and the sign-in is successful after registration. From the two examples, it seems to be a bug with the SSPR registration enforcement and the combined registration experience.

----Workarounds----
1 - Prevent using 'All cloud apps' with device-based CA policies (difficult, requires redesigning/thinking/testing policies, could introduce new gaps, etc.)
2 - Turn off SSPR registration enforcement and turn on MFA registration enforcement like in Example 2 (easy, but only enforces MS MFA App registration, doesn't seem to re-trigger registration if the MS MFA App is removed, no other methods are supported for registration, and doesn't remind users to update)
3 - Disable SSPR entirely for affected users (medium, depending on available security groups, and doesn't allow affected users to use SSPR)

----Related links----
- Be able to exclude Microsoft App Access Panel from Conditional Access · Community (azure.com)
- Support conditional access for MyApps.microsoft.com · Community (azure.com)
- Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal" - Microsoft Community Hub

MS, please either:
1 - Allow 'Microsoft App Access Panel' to be added to CA policies so it can be excluded
2 - Prevent 'Microsoft App Access Panel' from showing up in the CA login flow when SSPR registration enforcement is enabled

secure-logic, Jan 13, 2025, Copper Contributor

Introducing the Azure Roadmap
We launched the Azure Roadmap on Azure.com in June of this year and have received a tremendous response from our customers. For the first time in one place, customers can see what we are working on for future releases, see related feedback, and subscribe to updates. The Roadmap is also integrated with Azure Updates so that customers can see how we are delivering against our plans. We are excited to start working with the Microsoft Tech Community to further reach customers. You can now find the link to the Azure Roadmap under More Resources in the community. We are always looking to improve and would love to hear from you. Please e-mail azroadmapfeedback@microsoft.com with your comments and questions. Below are FAQs to help you get started exploring the roadmap!

What is the Azure Roadmap?
The Azure Roadmap provides a central place where Azure customers can see what’s new and what’s coming next for Azure.

Where is the public Azure Roadmap?
You can find it under More Resources in the community, or you can go directly to https://azure.microsoft.com/en-us/roadmap/ or http://aka.ms/azureroadmap

What kind of posts can I expect on the Azure Roadmap?
The posts you will see on the Azure Roadmap are the key features and services that have launched or are coming soon. For details on incremental updates and/or improvements to features and services, please visit Azure Updates - https://azure.microsoft.com/en-us/updates/

How do I find a specific post on the Azure Roadmap?
The Azure Roadmap page provides filters (by Product Category and/or Status), tags, and search functionality to help you quickly navigate to your area of interest.

What do the different Statuses (In development, In preview, Now available) mean?
- In development – updates that are currently in development and testing
- In preview – preview; updates in preview that may not be available broadly and to all customers
- Now available – generally available; fully released updates

How can I learn about changes in the Azure Roadmap?
You can subscribe to notifications so you’ll always be in the know.

Where can I find service availability by region?
On the right navigation menu under “Explore” there is a link to “Check product availability in your region.” You may also find this detail by visiting: https://azure.microsoft.com/en-us/regions/

How to Skip Country Code Selection Screen in Azure AD B2C for US Users?
Hi all, We’re using Azure AD B2C for user sign-in and sign-up, and we’ve customized the process with custom HTML templates. Currently, the sign-in flow involves three steps:
1. Users enter their phone number.
2. Users select their country and phone number.
3. Users enter the OTP sent via SMS.

Since our users are all based in the USA (with country code +1), we’ve set the country code to +1 by default using custom HTML templates. However, we’d like to skip the screen where users manually select the country code to further streamline the process. Is there a way to fully bypass this step and automatically use the default country code (+1) without requiring users to interact with that screen? Thanks for your help!

koximo8148, Jan 13, 2025, Copper Contributor

How to Automatically Pre-fill Phone Number in Azure AD B2C User Flow?
Hi all, We’re using Azure AD B2C for user sign-in and sign-up and have customized the process with custom HTML templates. The current sign-in flow involves three steps:
1. Users enter their phone number.
2. Users select their country and phone number.
3. Users enter the OTP sent via SMS.

We’d like to automatically pre-fill the phone number in the user flow, perhaps by passing it as a query parameter or using another method. Is this possible? If so, how can we achieve it? Thanks in advance!

koximo8148, Jan 13, 2025, Copper Contributor

Issue with Identity Governance Access Package Failing in Restricted Admin Unit
Good evening and happy New Year! We are experiencing difficulties integrating a restricted management administrative unit (AU) with an existing Microsoft Entra Identity Governance Access Package. Specifically, Access Package administrative assignments fail when a security group is added to the restricted management AU.

Context and Configuration:

Purpose of the Setup: We are configuring an Entra ID Administrative Unit (AU) as a Restricted Management Administrative Unit. The purpose of this AU is to:
- Provide a specific Cloud Operator ("Cloud Operator (May, Shawn)") with Groups Administrator access to manage a specific security group: "Cloud Operators for Role - Group Administrator."
- Restrict changes to the group membership of "Cloud Operators for Role - Group Administrator" to only the Access Package.

I have an Identity Governance Access Package that allows help desk personnel to administratively assign people to this group via the Entra ID Access Package web interface. This Access Package works perfectly (admin-assignment of the group) when not integrated with the restricted management AU.

Administrative Unit Configuration:
- Name: Cloud Operators for Role - Groups Administrator
- Type: Restricted Management Administrative Unit
- Scope: Cloud Operators for Role - Groups Administrator
- Role: Groups Administrator

Administrative Unit Role Assignments:
- Eligible Assignments:
  - Role: Groups Administrator
  - Principal: Cloud Operator (May, Shawn)
  - Scope: Cloud Operators for Role - Group Administrator
- Active Assignments:
  - Role: Groups Administrator
  - Principal: Service Principal ("Azure AD Identity Governance - User Management")
  - Scope: Cloud Operators for Role - Group Administrator

Directory Role Assignments:
- Active Assignments:
  - Role: Global Reader
  - Principal: Service Principal ("Azure AD Identity Governance - User Management")
  - Scope: Directory

Problem Description: When the security group "Cloud Operators for Role - Groups Administrator" is added to the restricted management AU, Access Package administrative assignments fail. Upon removing the group from the restricted management AU, the service principal is again able to successfully assign users to the Access Package.

Access Package Error Message:
{
  "error": {
    "code": "GroupOperationNotAllowed",
    "message": "Insufficient privileges to complete the operation. Target object is a member of a restricted management administrative unit and can only be modified by administrators scoped to that administrative unit. Check that you are assigned a role that has permission to perform the operation for this restricted management administrative unit. Learn more: https://go.microsoft.com/fwlink/?linkid=2197831",
    "details": []
  }
}

This issue seems to stem from the documented limitation that groups within a restricted management AU cannot be managed using Microsoft Entra Identity Governance features. This is detailed in the Microsoft documentation: Admin units with restricted management

Desired Outcome: I need guidance on how to:
1. Allow the Access Package service principal to manage the group "Cloud Operators for Role - Group Administrator" while retaining the restricted management AU.
2. Confirm if there are any workarounds or configurations to bypass this limitation.

The issue affects a critical administrative process. Any assistance in resolving this limitation or providing alternative approaches would be greatly appreciated.

ShawnMay, Jan 09, 2025, Copper Contributor

API-driven provisioning to on-premises Active Directory mapping of the manager not working anymore
Hello Guys, I have a problem with the provisioning service of the above enterprise application. The whole time it was working fine, until yesterday when I changed an attribute mapping (not the manager mapping), and now the manager is not synced because it can't look up the manager, for every user, even though they all worked before.

Error: UnableToResolveReferenceAttributeValue

Does someone have an idea or the same problem?

JCzichon, Jan 09, 2025, Copper Contributor

How to Recover a Global admin account without MFA
Hi Community, I have created a Global admin account in a tenant. Unfortunately I had to reset my mobile device, and the MFA codes / setup are gone. I know the password for the account, though without being able to access MFA, I'm not able to log in anymore. I have no other admin accounts / privileged accounts set up. Is there any way to recover from this situation?

ManishMoothedath, Jan 09, 2025, Copper Contributor

Block non-enrolled devices for users who have enrolled devices
First of all, thank you for everything. I have users who have their device enrolled with the company. I have others who don't yet. I need to block access from personal devices for those users who already have their device enrolled. I do NOT have a group that identifies which users have it and which don't; it's random. Thanks for the help!!!

joaquinmolina, Jan 08, 2025, Copper Contributor

SCIM and mapping to a 3rd party app
Hello, I've got a SCIM question: we have a 3rd party application we are hooking up to SCIM (call it AppXYZ). The group we want to put people into in AppXYZ is called 'Group1'. On the MS Entra side, the MS Entra group is called "Testing Users". When I set up SCIM, how do I map the MS Entra group "Testing Users" to the group inside of AppXYZ called Group1? Note: I cannot change the name of the group in AppXYZ - it must be called Group1, no exceptions - and the MS Entra user group must be called "Testing Users"; I cannot alter the name. Thanks everyone.

clay28, Jan 08, 2025, Copper Contributor