Recent Discussions
Restrict access to Microsoft Entra admin center
Hi, I know that setting this to Yes isn't considered a security measure by Microsoft, but I really think that they need to rethink this and give a better warning. Entra > Users > User Settings > Restrict access to Microsoft Entra admin center. If this is left at No, which is the default, then any user (Admin or Standard User) is able to access Entra, and for certain things this may be required, but it leaves a huge door open as well for the egress of data. For example, a Standard user can access Entra, select Users and/or Devices from the left-hand side and export a .csv file with all devices listed and/or all Users in the estate listed, with a lot of other information included in the exported file as well. Is there another way to allow users access to the portal to manage Groups or Apps that they are an Owner of (which is one of the reasons that I see for allowing any user to access the portal) but also to dramatically reduce the risk to the business from users also being able to see a lot of other information in Entra that we would not wish users to be able to see or indeed interact with, such as downloading a file of all Devices and Users in the estate?
31 Views, 0 likes, 1 Comment

Global Secure Access Per App segmentation
Hi, We are running a POC with Global Secure Access and have the following situation. We have defined a traffic forwarding profile for Private Access and a Quick Access policy to allow access to certain applications. I have now created a separate enterprise application and assigned it a different group than the Quick Access policy, for example RDP/HTTP to a specific server. The following seems to be happening. When I check the Private Access rules on the GSA clients, they are receiving all rules (Quick Access + enterprise application rules) even if they don't have a group assignment in the application segment (default behaviour, I am guessing). When a user defined in Quick Access only attempts to access the enterprise application, he gets a prompt on his GSA client: "action required, please sign in". When he then signs in, he gets an access denied message as expected. However, he also gets denied to the other Quick Access segment. To resolve this again I have to disable/enable the client. Is this normal behaviour and is there a way around this? Can we, for example, not include the enterprise application in the Private Access rule if the group is not assigned? Any help would be appreciated.
17 Views, 0 likes, 1 Comment

Exchange Hybrid Configuration HCW8001 Unable to determine the Tenant Routing Domain
I'm stuck on this error in HCW. Here's some background:
- Added the public domain to 365 domains and made it an 'accepted' domain in Exchange Online. The onmicrosoft domain is also an 'accepted' domain.
- Ran IDFix to prep accounts for Cloud Sync by fixing blanks and changing UPNs to use the public domain.
- Installed/configured Entra Cloud Sync on two domain controllers without error, and they show the domain is healthy.
- Ran HCW on the Exchange 2016 server and got the error "HCW8001 Unable to determine the Tenant Routing Domain".
The error has a link to this article: https://learn.microsoft.com/en-us/troubleshoot/exchange/hybrid-configuration-wizard-errors/unable-to-determine-the-routing-domain-for-the-cloud-org Unfortunately, none of the commands in the article are recognized. Can anyone help me get past this error? Thank you in advance!
Solved. 98 Views, 1 like, 5 Comments

Entra Connect after a long time offline
I have a client where we used the old AD Connect to sync users to 365 for the purposes of migrating their old Exchange server to 365. That went VERY smoothly at the time. We then shut down the sync and haven't used it in a few years, through changes/upgrades of servers. Now we want to re-activate it to use Microsoft Authenticator with their Fortigate appliance to add 2FA to their VPN solution. Since the AD was originally synced there have been lots of new users added in local AD and then manually created in 365 - their UPNs should (or will) match, so that shouldn't be a problem? One branch of the firm has broken away with their own local network and their users/servers etc. have been deleted from the local AD - BUT they still have 365 accounts on the same tenant. Basically I'm scared of what happens if a previously matched/synced user still exists as a mailbox on 365 but has been deleted from the local AD - will this just leave it alone?? Is there a simulation mode for the first sync you can run to see what it's going to do on a sync before running it? I really don't want to find myself with a mess to clean up if this is relinked, but linking it now actually will provide benefits. Any tips/experiences greatly appreciated before I forge in, click the go button and see what happens.
Solved. 65 Views, 0 likes, 2 Comments

Invitation Redemption modifying DisplayName attribute
Hi All, Haven't found much on this, other than someone with the same issue ~6 years ago and no further details. I'm generating guest user invites through Graph and configure the display name in a particular way. I've noticed that when that guest logs in for the first time, the display name changes, removing my custom configuration. I can see this in the audit logs for the user account, corresponding to their first login to the tenant, where the account is moved from PendingAcceptance to Accepted.
Activity Type: Update User
Category: User Management
Type: Application
Display Name: Microsoft Invitation Acceptance Portal
Is there a setting or flag to block this? Ideally, they keep the same display name I set in the first place. Thanks!
601 Views, 0 likes, 2 Comments

Global Secure Access - Deleted Application still applies (and cannot be recreated)
Hello everyone, we currently face an issue with Global Secure Access - Private Access - Enterprise applications. An admin deleted and tried to recreate an enterprise application. When he tried adding the IP address and the port he got an error that this rule is already within another app. The link led to an "empty" app. It was found that under "App registrations" the previously deleted application was still there, and it was permanently deleted. However, the problem stays. If we try a connection to the IP address and port which was specified in the deleted policy, we can see an error in the GSA Event Log on the client:
Could not authenticate using a cached token... Error: 9, Message: IncorrectConfiguration {"Description":"V2Error: invalid_resource AADSTS500011: The resource principal named <id of the deleted application> was not found in the tenant named <ourTenant>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Unfortunately, since the application is now permanently deleted, it cannot be restored. We tried to completely disable and re-enable Private Access (in Entra!) but this did not fix the problem. For some reason the deleted policy is stuck in GSA and we have no idea how to get it out.
11 Views, 0 likes, 0 Comments

Not able to get app roles assigned to groups
Hi everyone, I'm trying to get the app roles assigned to a certain group, but I'm only able to get the ObjectId, ResourceDisplayName and PrincipalDisplayName and not the actual role assigned. I'm using the following command: 'Get-AzureADGroupAppRoleAssignment -ObjectId'. Does anyone know how I can get the actual roles assigned?
530 Views, 0 likes, 2 Comments

Block access to 365 Login page from overseas
Greetings, We are looking into options to prevent DoS attacks on our tenant. Is it possible to prevent a user from reaching the 365 login page from overseas? We currently have a CA policy enabled to prevent users from logging into 365 from overseas; however, the CA policy only takes effect after completing the first-factor authentication. We would like to prevent the user from reaching the actual login page if their IP is coming from overseas, and not have them input their credentials.
47 Views, 0 likes, 2 Comments

Entra External Authentication Method giving AADSTS900144 missing externalAuthenticationMethodId
Hi All, Has anyone else noticed in the last couple of days that if EAM (External Authentication Method) is configured for MFA, end users are getting: AADSTS900144: The request body must contain the following parameter: 'externalAuthenticationMethodId'. It's been working fine for us for months/years, but in the last couple of days we are seeing heaps of the error above. I have raised a support case but zero response so far. Regards, Daniel
115 Views, 1 like, 3 Comments

Conditional access, Persistent Browser sessions and Azure File shares in Storage Accounts
Hello, I am in the process of doing a POC for Azure File Sync from DFS to Azure file shares, with an end goal of using Azure file shares and getting rid of DFS. I want to use Entra for identity access. One of the changes I need to make is to set Persistent browser session in our MFA all-users policy to "Never" so that the storage enterprise app does not get targeted for MFA, otherwise it won't work. How do I go about doing this without affecting any other users, as it's a global policy? I know I need to do this because I get this error when I add the Storage Account enterprise app to the targeted resources (formerly cloud apps) exclusion list: "Message from server: The server could not process the request because it is malformed or incorrect. 1032: ConditionalActionPolicy validation failed due to InvalidConditionsForPersistentBrowserSessionMode." Any ideas of how to get around this without affecting anyone else and only target the storage account enterprise app? Cheers
61 Views, 0 likes, 1 Comment

Problems configuring federation to SAML IdP
Hi. I'm trying to configure our Entra domain to federate to our existing IdP, following the guidance found here, and am having real problems when it comes to using the Microsoft Graph API in PowerShell. After eventually working out what permissions I needed to request (more than what is stated in the doc), I ran the New-MgDomainFederationConfiguration cmdlet and received the following error: "FederatedIdpMfaBehavior cannot be empty". This parameter is not mentioned in the doc either. So, then I added that parameter, and got the following: "Domain already has Federation Configuration set." But when I run Get-MgDomainFederationConfiguration, I get: "Resource 'federationConfiguration' does not exist or one of its queried reference-property objects are not present." When I run Get-MgDomain, AuthenticationType shows as "Federated", but I still see a managed login when I check. So I seem to be stuck with it seemingly half-configured, with no way to view or remove the configuration. Any ideas? Thanks, Nick
4.5K Views, 0 likes, 7 Comments

Guest users in tenant enforcing phishing resistant MFA
If a tenant uses a third-party MFA, i.e. Okta or similar, and users are guests in another tenant via B2B trust, and the tenant accepting guest accounts is enforcing MS phishing-resistant MFA, will the tenant recognise "Okta" authenticated guests as phishing resistant? Or will guest accounts need a Conditional Access Policy applied to allow the guest users access to the tenant enforcing MS phishing-resistant MFA?
56 Views, 0 likes, 1 Comment

Users are AD synced, but not able to sync password
Hi, we use Entra ID Sync from on-premises AD to Entra. In Entra, users are shown as synced. For some reason it is not possible for the password that is set in AD to be synced to Entra. Furthermore, I am able to reset the password in the admin center. On the other hand, in Entra itself I cannot change the password. How do I fix this? The problem is that the user must change passwords 2x, first in AD and second in the admin center. The latter is needed so he can use Teams etc. I checked the Entra ID Sync, but that works fine from what I can judge. Password writeback is disabled.
105 Views, 0 likes, 3 Comments

Defining dynamic group member rules for including only external guests: which syntax is valid?
The syntax is really starting to confuse me, as I thought this should work. However, I tend to work with internal users so this may not work.
(user.userPrincipalName -contains "@guestdomain.co.uk")
My colleague reckons this is the answer:
(user.usermail -contains "@guestdomain.co.uk")
Or his latest suggestion:
(user.userType -eq "Guest") and (user.otherMails -contains "@guestdomain.co.uk")
Normally, I would inspect the AAD, but I don't have permissions to AD on the target tenant. Anyway, it would be great to stop us both arguing with a proven answer!
Solved. 12K Views, 0 likes, 4 Comments

Force Domain takeover
Hello, Trying to add a custom domain to a new tenant gives me the error "We have confirmed that you own ***, but we cannot add it to this tenant at this time. The domain is already added to a different Office 365 tenant: ****". We no longer have access to the other tenant; how can I remove or take over the domain to use it in the new tenant? Tried https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/domains-admin-takeover to no avail. Also used the PowerShell command for takeover force without success. How can I speedily resolve this? Thanks
84 Views, 0 likes, 1 Comment

Secure Linux Logins with Azure Entra ID: MFA, Hello, Device Compliance & SSO with Himmelblau
As organizations adopt Azure Entra ID and Intune to secure their fleets, Linux has often been left behind, especially for modern authentication requirements like MFA, Conditional Access, and device compliance. Traditional Linux frameworks (PAM, NSS) were never designed for cloud identity or Zero Trust. Himmelblau is an open-source project that bridges this gap by integrating Linux systems directly with Entra ID. With Himmelblau, you can:
- Join Linux machines to Azure Entra ID, creating a device object in Entra ID to establish device identity and enable Conditional Access checks tied to trusted devices.
- Enroll Linux systems into Microsoft Intune (currently in beta), so they participate fully in compliance policies alongside Windows.
- Enforce MFA at the Linux login prompt, using your existing Entra ID Conditional Access configurations.
- Offer secure Hello for Business PIN authentication on Linux, providing end users with a familiar, strong second factor that's backed by hardware-bound credentials.
- Integrate Linux with SSO in Firefox and Chrome, allowing seamless access to Entra-protected web apps once the user is logged in.
- Manage Linux users and groups via Entra ID, with robust caching for reliable offline operation.
- Leverage TPM-backed certificates and secure key storage, so device credentials remain protected even if the system is compromised.
For many IT teams, this means finally bringing Linux endpoints under the same Zero Trust umbrella as Windows, without compromising user experience or compliance. Get started:
https://himmelblau-idm.org
https://himmelblau-idm.org/landing.html
https://github.com/himmelblau-idm/himmelblau
We'd love your feedback, especially from organizations managing hybrid fleets. What other Entra scenarios would you like to see better supported on Linux?
258 Views, 0 likes, 0 Comments

Passwordless POC Blocked by CA BYOD Policy – Looking for Workarounds
We're currently running a POC for passwordless authentication in our environment. One challenge we've hit is that our CA BYOD policy blocks personal devices, which prevents users from enabling passwordless sign-in via the Microsoft Authenticator app. Since Authenticator is not a cloud app, we can't exclude it from the CA policy using the usual cloud app filters. This is causing issues when users try to register or use passwordless sign-in from their personal phones. Has anyone dealt with this scenario or found a workaround that allows passwordless sign-in while still enforcing BYOD restrictions? Any ideas, suggestions, or creative solutions would be much appreciated! Thanks in advance!
40 Views, 0 likes, 0 Comments

Moving small business from local domain to Entra
I'm planning on moving a company of about 50 users and around 75 computers from our local domain (2016 server) to 365/Entra. My biggest hurdle is that the company is heavy into Google Workspace (all our documents, email, etc.), and our owners/management are heavy users and very comfortable with it. My initial plan was to set up MS 365 Business Standard and move the whole company over a long weekend: cloud migration from Google to 365, computers all in Entra, etc. However, I now think this is a lot for even a long weekend, and I was hoping to maybe do this in stages. Perhaps get us going with Microsoft Entra ID P1, move our domain computers to it and get my feet wet with Entra management, etc. Stage two would likely be hiring a company with experience to migrate us over from Workspace. So basically I'm just looking for advice: would this work at all without also migrating users/email as well? Is it possible to just unhook our domain workstations and add them into Entra under a single admin account? Thanks for any help, Andy
66 Views, 0 likes, 2 Comments

External ID login page not showing identity providers
I am trying to create a login flow using a custom OIDC identity provider, but the login page is just showing a prompt for email and password without a way to log in using the external identity provider. I have configured the identity provider in Entra and created a new user flow that should include the identity provider. Additionally, when an application is added to the user flow, any login using that application shows an error saying "We couldn't find an account with this email address" when trying to log in with a user that was working previously. I'm not sure if this is related to the missing identity provider or not. Is there a way to fix this? Any help is appreciated!
151 Views, 2 likes, 4 Comments

Adding PIM enabled security group to an Access Package
Hi, Recently a new feature has gone into preview: it's now possible to add a PIM-enabled security group to an access package, explained here: Assign eligible group membership and ownership in access packages via Privileged Identity Management for Groups (Preview). I followed the instructions exactly on 2 different tenants; one tenant has the Entra ID Governance licence, the other has the Entra Suite licence. The result on both tenants was the same. When adding a PIM-enabled group to an access package, I am presented with only 2 roles (member or owner) and not with the expected 4 roles (member, owner, eligible member, eligible owner). The group I add was created for test purposes a couple of weeks ago, and really is PIM enabled (discovered). Is this a preview that has to be activated on a tenant? (It's not in the "Entra -> Identity -> Settings -> Preview features" list.) Am I missing something? Cheers!
28 Views, 0 likes, 0 Comments
Events
Recent Blogs
- Microsoft is releasing a new default background image for Microsoft Entra and consumer authentication flows. No action is required by end users or admins. (Jul 30, 2025; 2.7K Views, 3 likes, 0 Comments)
- Identity professionals from around the world gathered in June to discuss agent identity, governance, security, and agent-to-agent experiences. (Jul 30, 2025; 658 Views, 0 likes, 0 Comments)