Recent Discussions
Automating MFA Token Invalidation Upon User Account Disablement
We are looking for a way to automatically invalidate a user's MFA token as soon as their account is disabled. Currently, the leaver process flows from our IAM solution to on-prem AD, which then syncs to Entra ID. However, this process does not explicitly trigger MFA revocation. We’re exploring whether there’s a way to automate this, using any built-in mechanism within EntraID rather than external scripts. Let us know if there are any recommendations.
23 Views, 0 likes, 2 Comments

GSA - Web content filtering - Custom blocked page
Hello everyone, I have a quick question. I just tested the 'Web Content Filtering' of Global Secure Access. However, in Microsoft's documentation, two processes are mentioned for displaying blocked sites (related to HTTP and HTTPS). I wanted to know if it is possible to create a custom page (for example, adding the company logo, indicating the reason for blocking such as the associated web category, etc.). I tried to search, but no documentation related to this is available (or at least I couldn't find it). Thanks in advance for the help!
522 Views, 2 likes, 1 Comment

Entra Connect AutoUpdate Issues
Hi, We're using the latest version of Entra Connect. Is it common for it to do an Auto Update check every night? Lately we have got an alert that the sync service is down and then it recovers. The emails are 30 mins apart which I think is the default check time? It seems to do an AutoUpdate check and then the sync service will briefly stop, we get these errors and then it recovers.
Azure AD Connect Upgrade - 904
Password Reset Services - 31034
It does seem to fix itself so more of an annoyance, but still curious if it is meant to check every night?
Solved, 55 Views, 0 likes, 2 Comments

Audit users to view who are guests in other tenants
We know that there are instances where personnel from our organization have been added as Guest users in an external organization's tenant. Is there anywhere in Entra, or another admin portal, where we can identify our users who are also guest users in a different tenant? Our Security IG team wants to block the ability for our users to be invited / added to other tenants, but first we'd like to run an audit to figure out who this is going to affect. We'd also like to figure out if there is any way to make exceptions in the case these users have a valid business justification for being Guest users in external tenants.
46 Views, 0 likes, 2 Comments

non-admin help desk manage user mfa settings
I have a requirement to grant the ability to provide our Help Desk staff the ability to enable or disable a user's MFA settings in Entra Admin Centre -> Users -> User and MFA. Definitely we do not want to grant the user Global Administrators membership. We added some members to the following roles but still they cannot change the setting -> User Administrator, Password Administrator, and Authentication Administrator. Any help is appreciated here. I am also open to custom roles that will work to accomplish this action.
66 Views, 0 likes, 2 Comments

Security Info blocked by conditional access
Hello, We have a conditional access policy in place where a specific group can only access Microsoft 365 (deny all apps, except Office 365). The moment a user clicks on Security Info in My Account, the user is blocked by this policy. I can't find a way to exclude the app "My Signins" (AppId 19db86c3-b2b9-44cc-b339-36da233a3be2). Since MFA is forced for this group, they can't change their authenticator app registration. Is there a solution for this? Initial MFA setup works by the way.
UPDATE Jan 23, 2025: I contacted Microsoft support and this was their answer (in short): "MySignin is a very sensitive resource that is not available in the picker and cannot be excluded in the conditional access policy. Also, the application is calling Microsoft Graph. I understand that this is not the information you are looking to hear at this time, I would have loved to help but the application cannot be excluded from the policy."
4.8K Views, 2 likes, 14 Comments

GSA client exclamation mark, Forwarding policy doesn't exist in registry
Good day, Have a difficult time getting Entra Private Access working.
Entra portal
---------------
GSA > Dashboard > Device Status says: 0 have the Global Secure Access Client installed: 0.0%
The client PC is Entra joined and is compliant, the client user has Entra ID Suite Trial license assigned.
Traffic forwarding > Private access is enabled, have Quick Access application configured for SMB access. User and group assignments is set to a group where the user resides.
Microsoft traffic profile and Internet access profile = disabled (as for now I just want to make the Private access profile working)
Enterprise applications = 1 active
Connectors are online with status active.
Client PC
------
Event log of client PC says the understated:
Error occurred while requesting a new forwarding profile: The SSL connection could not be established, see inner exception.. Request Parameters: Microsoft Entra Device ID: 61ma02-9453-1277-98gz-hkdhksa3d0, Correlation vector: kdfhkshfkashdJ.0, APS URL: https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0. The client will continue working with the existing forwarding profile.
GSA Advanced diagnostics:
Username : empty
Tenant ID : empty
Forwarding profile ID: empty
Client version 2.8.45.0
Health check = is green till Policy server is reachable, after that exclamation mark.
https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0
If I try the above URL in the browser then I get invalid request, this means that the client is able to reach the server, which means network or DNS issues are unlikely and the SSL handshake is successful, and the certificate is valid. Need guidance as to understand why the client is not able to retrieve profiles, I am using Windows 11. Tried with disabling firewall too. Thanks!
203 Views, 1 like, 5 Comments

Disabling Directory Sync for Hybrid - Overthinking?
Hi all, I am at the finish line for decommissioning On-Prem AD and moving from our Hybrid environment to managing our identities in Entra. About to cut off the Directory Sync. Weirdly couldn't find a concrete answer on this question online, but I might just be overthinking this. **Devices are Entra enrolled + Intune Managed, NOT Domain Joined.** User profiles that originate from On-Prem AD on the endpoints still show as DOMAIN\username. User profiles that originate from Cloud on the endpoints show as AzureAD\email address removed for privacy reasons. What happens to these On-Prem User Profiles when we disable Directory Sync? Do they change over auto-magically to "AzureAD\email address removed for privacy reasons" on the endpoints? Am I missing something here? Thanks in advance.
38 Views, 0 likes, 2 Comments

Unable to verify phone on MS 365 or Azure
Hey, I am trying to sign up for credits I receive, but I keep getting this message "Oops, we're unable to verify your phone number" while I do so. I've tried a different mobile number, I've tried contacting support; apparently the support contact numbers provided for business aren't valid. Kudos. With that being said, I'd like to set up MS 365, if not then probably need to switch a provider fast coz I cancelled Zoho and now I am stuck with this.
67 Views, 0 likes, 2 Comments

How to map a user custom security attribute to OIDC id and access token ?
We are integrating Keycloak with Azure Entra via OIDC. We have created custom security attributes to map some extension fields for the user. We tried to map these as tokens, but the custom security attributes don't show up in the dropdown under the token > add optional claims. We then tried to define them under the Enterprise App > Single SignOn > Attributes & Claims, but are unable to find these custom security attributes in the drop down there either! Any help for this problem is deeply appreciated. Thanks, Raghav
20 Views, 0 likes, 0 Comments

Entra ID expressions for attribute mapping
Hi All, we have the following requirement. If [StatusEndEmploymentDate] is null or if it's greater than today's date and city value is present, the user should move to the respective OU. If [StatusEndEmploymentDate] is less than today's date then the user should move to the staging OU. We have tried the following query but there is no luck. Need your help to achieve the requirement.
Switch([StatusEndEmploymentDate],Switch([City],"OU=Users,DC=abc,DC=com", "Amsterdam", "OU=Users,OU=Amsterdam,DC=abc,DC=com", "Antwerp", "OU=Users,OU=Antwerp,DC=abc,DC=com", "Bengaluru", "OU=Users,OU=Bengaluru,DC=abc,DC=com", "Copenhagen", "OU=Users,OU=Copenhagen,DC=abc,DC=com"),IIF(DateDiff("d", Now(), [StatusEndEmploymentDate])>"-1",Switch([City],"OU=Users,OU=IAM,DC=abc,DC=com","Amsterdam","OU=Users,OU=Amsterdam,DC=abc,DC=com","Antwerp","OU=Users,OU=Antwerp,DC=abc,DC=com","Bengaluru","OU=Users,OU=Bengaluru,DC=abc,DC=com","Copenhagen"))
24 Views, 0 likes, 1 Comment

Lighthouse - viewing CA configuration at-a-glance
Hi, first off - apologies if I'm in the wrong space. I really do not understand the community hub structure, and there doesn't seem to be one for Lighthouse. Recently came across our 2nd tenant this year that did not have any CA policies set. Assuming this was just overlooked during P1 purchasing or something. Is there a way to view CA status within Lighthouse for all tenants? We do not have the full granular admin setup - our customers are sub-tenants but only just. We have domain admins for each, but our personal accounts do not have Security Admin roles on them. Saying this because it locks me out of some Lighthouse features. But trying to find a way to check this easily. Thanks
28 Views, 0 likes, 2 Comments

What is your SOP for old risky users?
Recently have been tasked with leveraging Entra ID to its full potential. We've a suite of different tools we use for alerting, so the Risky Users component was essentially ignored for a couple years, and there's a buildup of alerts for sign-in attempts I can't even pull logs for. These users would've been required to change their password since the date on most of these, and we have some hybrid environments I plan on enabling self-clearing for. But wondering what other MSPs have done in this scenario?
75 Views, 0 likes, 6 Comments

Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.
62 Views, 0 likes, 1 Comment

Open Port Issue Exists after implementing Entra Id containers
Hi All, We are currently in PeopleSoft 8.61.07 (FSCM) and recently implemented Entra ID containers for SSO. We see ports sometimes remain open between Entra ID container and Weblogic. Are there any recommendations to fix the open port issue? Currently, we are bouncing the container when the open port count is going high (when TCP count goes more than 1000). Looking for recommendations to fix the open port issue as it creates more manual work to monitor the count and bounce it periodically. Please do let me know if you need any further information. Thank you! Ramya Sivasubramanian
103 Views, 1 like, 5 Comments

Generating proxyaddresses during user provisioning
Hi All, we have a requirement to generate alias email addresses during user provisioning. We tried to use the selectunique function in the proxyaddresses generation and mapping to AD proxyaddresses but we are not able to achieve it. Can you please help? Thanks, shashidhar joliholi
71 Views, 1 like, 3 Comments

Entra hybrid join issue caused maybe by 2 M365 accounts
Hello to everyone, one of my colleagues has 2 Microsoft 365 accounts on his notebook when we tried to do the procedure to hybrid join his device; I suppose the other account gives us problems in the procedure; now, there is only one account even if I can see in event log, in AAD log, that there is an error and 2 warnings bound to the old account. However, I tried to repeat the procedure but without any luck; what I see that is different from the other devices, if I give the cmd dsregcmd /status, is in these 2 lines:
DisplayNameUpdated : YES
OsVersionUpdated : YES
while on other devices I see:
DisplayNameUpdated : Managed by MDM
OsVersionUpdated : Managed by MDM
We all have a Microsoft 365 Business subscription and the configuration and steps for the other devices were:
- We have all devices with Entra registered user, we started with this when we had only the Microsoft 365 Basic subscription
- We enrolled all devices, with group policy, in MDE when we upgraded to the business
- Installed the Azure AD Connect
- Users sync
- Devices sync
So, in the Entra portal we have first only the entry for registered, then when we synced the devices we have a second entry with hybrid registered and finally only one entry with Owner, MDM and Settings field filled with correct data; for example, when I make a hybrid join device, initially in the row I see MDE as MDM, then when the hybrid and registered compose one row I see Intune in that field. For the device that gives us problems, I see a row like this in Entra portal while in Intune Any help is greatly appreciated.

Trying to create a dynamic group of users
Good afternoon. I am trying to create a dynamic group in Entra ID of users who have the Microsoft Office Business Premium license. I have tried in the Groups area of Entra ID using the rule creation interface (assignedPlans.serviceID) and in Powershell using commands in the Microsoft Graph library. Nothing works, I get errors saying properties aren't supported or I get way too many results for a single user and single sku. Has anyone successfully done this? I have the SKU and the SKU ID. Thanks
122 Views, 0 likes, 3 Comments
Events
Recent Blogs
- Improvements to monitoring systems in Microsoft Entra will help enhance tenant health and observability. Mar 11, 2025, 1.5K Views, 0 likes, 0 Comments
- Turn your expertise into impact—and $25—by sharing your review of Microsoft Entra ID, Microsoft Entra ID Governance, or Microsoft Entra Verified ID on Gartner Peer Insights. Mar 10, 2025, 360 Views, 0 likes, 0 Comments