GSA - Web content filtering - Custom blocked page
Hello everyone, I have a quick question. I just tested the 'Web Content Filtering' of Global Secure Access. However, in Microsoft's documentation, two processes are mentioned for displaying blocked sites (related to HTTP and HTTPS). I wanted to know if it is possible to create a custom page (for example, adding the company logo, indicating the reason for blocking such as the associated web category, etc.). I tried to search, but no documentation related to this is available (or at least I couldn't find it). Thanks in advance for the help!
Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.
Access Package Approval automation with our Servicedesk ticketing tool
Hi Team, I am trying to automate all the access package approvals to be logged in our Service desk ticketing tool. Example: When a user requests access, once an approval request triggers from Microsoft it should also log a ticket in our ticketing tool. If the request got approved, the ticket should log this information & automatically gets closed. Our ticketing tool dev team is working on it however, they are stuck in the middle & looking to extract the necessary webhook information required for triggering actions from the Azure solution. Any input or guidance regarding webhook information supported by the Azure solution would be greatly appreciated and would assist us in progressing with the discussed requirements accordingly. Looking forward for your help to achieve this. Thanks, Garima
How to Recover a Global admin account without MFA
Hi Community I have created a Global admin account in a tenant, unfortunately I had to reset my mobile device, and the MFA codes / setup are gone. I know the password for the account though, without being able to access MFA, I'm not able to login anymore. I have no other admin accounts / Privileged accounts setup. Is there any way to recover from this situation?"sign-in frequency" every time not working as expected and described.
We have several PIM managed groups in an Entra ID tenant. Members are added as eligible. For the activation of the memberships an Authentication Context is created which is linked to a conditional access policy. The conditional access policy requires MFA with phishing resistant authentication factors, and "sign in frequency" is set to "every time". When activating membership authentication is required. When activating membership to another group (>5min in between activations) one would expect to request an authentication prompt, as described in Microsoft documentation. In Firefox this works as expected, In Edge and Chrome there is no re-authentication required every time, and sometimes even not for the first activation, not even in an in-private session. The device is not joined to this tenant, and the account used to log on is different from the one used to logon to the Entra ID portal. This is a test tenant with only those CA rules configured, no other policies or rules are in place. Anyone experiencing the same, or knowing the cause?Registered App > Grant Permission to OneDrive?
Hello everyone, I'm trying to connect an automation platform (N8N) to our OneDrive. What I did: registered an app create a secret for it gave n8n the client id and secret value gave the app various api permissions (i.e. files.readwrite.all) created an app role (users & apps) added myself as an owner Error I'm running into: "Forbidden - perhaps check your credentials? You do not have access to create this personal site or you do not have a valid license." I know that I have all the needed permissions, because in another automation platform which is more hands-off (Make.com), everything works fine. Unfortunately, I need it in N8N, which requires more setup. My question: What permissions do I need to give the registered app? Did I miss a step in the grand scheme of things? Thanks a lot in advance!! Tom
Q: Restricting access to Business Web Application/Non-Enterprise Application
Hi all, We are in the middle of moving our on-prem infrastructure to Intune and more specifically, building out conditional access policies. All but one of our business applications have been straightforward with the process to limit access unless certain conditions are met from an authentication, device, or location compliance perspective. The one business application we are needing to find a solution for is a web-based application that we do not control outside of user administration and limited-customization. Typically this would be fine if SSO was leveraged, but this web application, unfortunately and not without several conversations with the developers due to the sensitive nature of the data being stored, does not have SSO on their roadmap. Users can access this application from any web browser using their username and password credentials and an application specific 2FA process using SMS code. There is no connection between our MS tenant and this web application. Due to the sensitive nature of the information stored within this application and the availability of this application from any device with a web browser has raised my antenna with security concerns. Especially in the case of a user downloading information from this site on their BYOD mobile device as they would may need to do in the course of their duties, but if they left the organization, we have no way of wiping that data through the removal of the work profile like we do with all other work data through Intune device compliance measures. We can limit what devices are allowed to connect to work resources (Complaint) and access work applications (all but one, and they need to be compliant to do so), but is there a way to not allow the personal profile of any BYOD device that is compliant, from accessing or logging into this specific URL in any browser from the personal profile web browser?
Access Review on multiple Management Groups and Subscriptions
Hi everyone, We are facing the challenge of managing numerous Subscriptions and Management Groups in Azure. Our goal is to make Access Reviews more efficient by conducting them at a higher level, such as the Tenant Root or a central Management Group. Additionally, it would be ideal if roles like "Global Administrator" or "Owner" could be centrally configured for such structures (Tenant Root => All Management Groups => Subscriptions) to reduce administrative effort. Does anyone have experience or tips on how to optimize Access Reviews and role configurations for large and complex Azure environments? Thanks in advance for your help!Can I configure authentication to be application specific?
Hi Community, I've been searching but could not get an answer. Here's my scenario which I hope someone can point me in the right direction or documentation. The organisation's Microsoft Office 365 uses an external IdP (let's say Okta) for federated login. Now I have a separate application registered via Entra admin centre using App registration and the requirement is to have it use Microsoft passwordless authentication method for login. After I done all the necessary OIDC config for this new app, testing the application login led me to the external IdP for authentication. I guess that's because the Microsoft tenant is configured to use the external IdP as default. Is there any way I can configure application specific authentication? e.g. O365 uses external IdP for authentication while my custom app uses Microsoft passwordless login, and other apps may use some other login mechanisms. Users for all apps are company's employees. Any guidance is much appreciated. Thank you.
Conditional policies to access to SharePoint and Files (not Apps)
Hi Team!! I'm looking for a way to restrict SharePoint access from outside of my office network (typically using the static public IP address). My understanding is that to do so, I require configuring conditional access policies in Azure (which in turn requires Entra ID P1 license for each user). Is my understanding correct? If so, do I have to licenses each and every user to do so? And the other clarifications I'm looking for is; Does conditional access policy apply universally to all users when enabled? or only to those with Entra ID P1 license? Reason for this clarification is that I tried applying this using a trial license by setting up a policy to block SharePoint access outside our office network but it ended up applying to all users instead of the ones with trial license assigned. Further I noticed that, when setting this policy blocks the entire Microsoft Teams app as well, where as my objective is to limit access to the files in Teams as they are part of the SharePoint. Is there a way to control access to SharePoint files in Teams without blocking the whole Teams app? Do let me know if I'm doing something wrong here?
