App Connectors
10 Topics

GSA client exclamation mark, Forwarding policy doesn't exist in registry
Good day,

Having a difficult time getting Entra Private Access working.

Entra portal
GSA > Dashboard > Device Status says: 0 have the Global Secure Access Client installed: 0.0%. The client PC is Entra joined and is compliant, the client user has the Entra ID Suite Trial license assigned. Traffic forwarding > Private access is enabled, have Quick Access application configured for SMB access. User and group assignments are set to a group where the user resides. Microsoft traffic profile and Internet access profile = disabled (as for now I just want to make the Private access profile working). Enterprise applications = 1 active. Connectors are online with status active.

Client PC
Event log of client PC says the understated:
Error occurred while requesting a new forwarding profile: The SSL connection could not be established, see inner exception.. Request Parameters: Microsoft Entra Device ID: 61ma02-9453-1277-98gz-hkdhksa3d0, Correlation vector: kdfhkshfkashdJ.0, APS URL: https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0. The client will continue working with the existing forwarding profile.

GSA Advanced diagnostics: Username: empty, Tenant ID: empty, Forwarding profile ID: empty, Client version 2.8.45.0. Health check = is green till Policy server is reachable, after that exclamation mark.

https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0
If I try the above URL in the browser then I get invalid request, this means that the client is able to reach the server, which means network or DNS issues are unlikely and the SSL handshake is successful, and the certificate is valid.

Need guidance as to understand why the client is not able to retrieve profiles, I am using Windows 11. Tried with disabling firewall too.

Thanks!

Access Package Approval automation with our Servicedesk ticketing tool
Hi Team,

I am trying to automate all the access package approvals to be logged in our Service desk ticketing tool. Example: When a user requests access, once an approval request triggers from Microsoft it should also log a ticket in our ticketing tool. If the request gets approved, the ticket should log this information & automatically get closed. Our ticketing tool dev team is working on it; however, they are stuck in the middle & looking to extract the necessary webhook information required for triggering actions from the Azure solution. Any input or guidance regarding webhook information supported by the Azure solution would be greatly appreciated and would assist us in progressing with the discussed requirements accordingly. Looking forward to your help to achieve this.

Thanks,
Garima

Registered App > Grant Permission to OneDrive?
Hello everyone,

I'm trying to connect an automation platform (N8N) to our OneDrive.

What I did:
- registered an app
- created a secret for it
- gave n8n the client ID and secret value
- gave the app various API permissions (i.e. files.readwrite.all)
- created an app role (users & apps)
- added myself as an owner

Error I'm running into: "Forbidden - perhaps check your credentials? You do not have access to create this personal site or you do not have a valid license."

I know that I have all the needed permissions, because in another automation platform which is more hands-off (Make.com), everything works fine. Unfortunately, I need it in N8N, which requires more setup.

My question: What permissions do I need to give the registered app? Did I miss a step in the grand scheme of things?

Thanks a lot in advance!!
Tom

SCIM provisioning - custom app authentication
Hi, in the documentation for handling endpoint authentication, two methods are given:
1) a "long-lived token" (i.e. a secret key that has to be pasted in-clear by the admin)
2) "Microsoft Entra bearer token" - similar to other services (e.g. callbacks for MS Teams bots), Microsoft signs the outgoing calls, and the app being provisioned can validate them against Microsoft's public keys

To me, option (2) is by far the best - each message is signed individually, there is no manual handling of secrets etc. As said in the documentation - "Apps that use Microsoft Entra ID as an identity provider can validate this Microsoft Entra ID-issued token." - great! So why on earth does it then say "The token generated by the Microsoft Entra ID should only be used for testing. It shouldn't be used in production environments."? Why not? The whole system of Entra bearer tokens is only for test? And production should go back to secret keys, with all the problems they have? It doesn't seem right... What am I missing here?

Microsoft Entra Internet Access Location Awareness
Hi all,

I'm currently evaluating Microsoft Entra Private and Internet Access (with good results until now). By default, the agent is started, meaning that all Internet traffic goes to MS Edge. Is it possible to disable (automatically) the agent based on the location of the computer? Example, if the device is connected to the corporate network, the service needs to be disabled... Another question, does it detect captive portals in case the device is connected to a "kiosk" network? And finally (for Private Access), is it planned to support LDAP traffic over UDP and more generally UDP?

Regards,
HA

Create a new user in Power App through register/log-in function
Hi. I am trying to implement the log-in function in Power App. The user should be able to create their own account through Power App and log in again next time since their log-in data will be saved in a database. In this case, I am using Microsoft Entra ID as my database. This is my code of the "Submit" button in my Power App:

MicrosoftEntraID.CreateUser(EnableAccountToggle.Value;EMailTextInput.Text; PasswortTextInput.Text)

I don't know what is wrong with my code, because when I try to create a new user account from Power App, the data of the new user does not show in my Microsoft Entra ID. I have already connected my app to the Microsoft Entra ID connector. I have not changed anything at all in my Microsoft Entra ID since having an account for it. Do I have to create a group or something in my Microsoft Entra ID? I really appreciate your advice! You can also recommend other data management tools to me or tell me about your experience with them.

New Blog | Microsoft Entra Private Access: An Identity-Centric Zero Trust Network Access Solution
On July 11, 2023, we introduced Microsoft’s identity-centric security service edge (SSE) solution and two new services: Microsoft Entra Private Access and Microsoft Entra Internet Access, which are now in public preview. In this blog, we take a deeper look into Microsoft Entra Private Access.

Read the full blog here: Microsoft Entra Private Access: An Identity-Centric Zero Trust Network Access Solution - Microsoft Community Hub

Trying to force credentials on a powerapps through azure AD, URL modifiers
Hello! Powerapps guy here. Tried posting this question on the powerapps community with little response. I think I might do better here.

What I'm trying to do: I'm trying to find a way to force credentials for a powerapp (canvas in browser) each time a user clicks the link to open it. In this world of everyone having work/personal accounts and teams, it's anything but elegant to tell a user to open a private browsing session first to avoid account confusion. Not everyone is computer savvy and knows how to set up multiple browsing profiles, and unfortunately SSO, while trying to be helpful, doesn't always make it clear for the user what's happening and why they need different credentials. It feels like a clunky hand-off for apps that are made to be user friendly. Admittedly I'm much less experienced with Azure AD than powerapps.

So far I've been able to do some helpful things with the URL. However they don't seem to work with the typical powerapps weblinks (I could be doing it wrong). But I know there is a solution in here somewhere. I feel close. After much searching I've mashed together a bunch of links with varying results. I registered an app (let's call it Jumper) in Azure AD that I'm using as a redirect to the powerapp. I can't seem to force credentials on the raw powerapps link, but using the Jumper app authentication endpoint, coupled with &login_hint, I'm able to give a personalized link that does prompt a user with the correct credential, only requesting their password. Then it redirects to the powerapp. Unfortunately from this point the redirect to the powerapp seems to lose track of which account is using it. So if they are signed in with multiple accounts (even though they just signed into the login_hint account) it can default to another, causing the app to fail to load its data. I'm guessing the prompt for credentials is only valid for the registered app. I'm wondering if the solution requires the use of tokens and if so, how might I want to set that up.

Or if anyone just has a simple URL modifier up their sleeve, or PowerShell trick, that would allow me to force credentials with each launch of a weblink powerapp, you would be my hero. Many thanks for any insight provided.

Cheers!

Consume Active Directory On-Premises from Azure Function
Hello everyone,

Introduction: I have to develop a functionality for a Power App; this Power App has to disable or enable user accounts in the on-premises Active Directory. For it I was thinking to create an Azure Function that consumes this through a Hybrid Connection or VPN. I was researching but I'm not clear which approach is the best.

Can I connect my Azure Function to the AD and use PowerShell to take actions in the AD? What should I use, Hybrid Connections or VPN?

Thanks in advance!

Securely sync Partner AD Users and groups to Azure deployed App Database
Planning for the migration of one of our web applications being used by B2B customers. We have customers from small to large scale enterprises. At the moment the web app is deployed for each enterprise customer within their premises. Rolling out new versions and maintenance is just going very crazy on top of customization for some customers. For one business use case, the Web App syncs the AD Users and Groups into its own database from the customer's AD. Sync is not happening for the authentication or authorization scenario. For most of the migration things are sorted out including the identity federation, except for one scenario where there have been security concerns raised by customers:
- Sync the users and groups from the AD to the Web App database. PASSWORD / hash of PASSWORD is not synced. Only a few user identification attributes and group information are synced.

At the moment it is planned to write a new sync connector - similar to Azure AD Connect - to securely transfer the data between the on-premises AD and the Azure hosted application database. What would be the secure and best alternate options to fetch the users and groups information from the customer on-premise AD into the database of the Web App deployed in Azure?