Apps
34 Topics

GSA client exclamation mark, Forwarding policy doesn't exist in registry
Good day,

Having a difficult time getting Entra Private Access working.

Entra portal
---------------
GSA > Dashboard > Device Status says: 0 have the Global Secure Access Client installed: 0.0%
The client PC is Entra joined and is compliant; the client user has an Entra ID Suite Trial license assigned.
Traffic forwarding > Private access is enabled; I have a Quick Access application configured for SMB access. User and group assignments are set to a group where the user resides.
Microsoft traffic profile and Internet access profile = disabled (for now I just want the Private access profile working).
Enterprise applications = 1 active. Connectors are online with status active.

Client PC
------
The event log of the client PC says the following:
Error occurred while requesting a new forwarding profile: The SSL connection could not be established, see inner exception.. Request Parameters: Microsoft Entra Device ID: 61ma02-9453-1277-98gz-hkdhksa3d0, Correlation vector: kdfhkshfkashdJ.0, APS URL: https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0. The client will continue working with the existing forwarding profile.

GSA Advanced diagnostics:
Username: empty
Tenant ID: empty
Forwarding profile ID: empty
Client version: 2.8.45.0
Health check = green until "Policy server is reachable", after that an exclamation mark.

https://aps.globalsecureaccess.microsoft.com/api/v3/AgentSettings?os=Windows%2010&clientVersion=2.8.45.0
If I try the above URL in the browser, I get "invalid request". This means the client is able to reach the server, so network or DNS issues are unlikely, the SSL handshake is successful, and the certificate is valid.

Need guidance to understand why the client is not able to retrieve profiles. I am using Windows 11. Tried disabling the firewall too.

Thanks!

204 Views, 1 like, 5 Comments

Entra ID expressions for attribute mapping
Hi All,

We have the following requirement: if [StatusEndEmploymentDate] is null, or if it's greater than today's date and a city value is present, the user should move to the respective OU; if [StatusEndEmploymentDate] is less than today's date, then the user should move to the staging OU.

We have tried the following expression but with no luck. Need your help to achieve the requirement.

Switch([StatusEndEmploymentDate],
    Switch([City], "OU=Users,DC=abc,DC=com",
        "Amsterdam", "OU=Users,OU=Amsterdam,DC=abc,DC=com",
        "Antwerp", "OU=Users,OU=Antwerp,DC=abc,DC=com",
        "Bengaluru", "OU=Users,OU=Bengaluru,DC=abc,DC=com",
        "Copenhagen", "OU=Users,OU=Copenhagen,DC=abc,DC=com"),
    IIF(DateDiff("d", Now(), [StatusEndEmploymentDate])>"-1",
        Switch([City], "OU=Users,OU=IAM,DC=abc,DC=com",
            "Amsterdam", "OU=Users,OU=Amsterdam,DC=abc,DC=com",
            "Antwerp", "OU=Users,OU=Antwerp,DC=abc,DC=com",
            "Bengaluru", "OU=Users,OU=Bengaluru,DC=abc,DC=com",
            "Copenhagen"))

24 Views, 0 likes, 1 Comment

Access Package Approval automation with our Servicedesk ticketing tool
Hi Team,

I am trying to automate all the access package approvals to be logged in our Service desk ticketing tool.

Example: When a user requests access, once an approval request triggers from Microsoft, it should also log a ticket in our ticketing tool. If the request gets approved, the ticket should log this information and automatically get closed.

Our ticketing tool dev team is working on it; however, they are stuck in the middle and looking to extract the necessary webhook information required for triggering actions from the Azure solution. Any input or guidance regarding webhook information supported by the Azure solution would be greatly appreciated and would assist us in progressing with the discussed requirements accordingly.

Looking forward to your help to achieve this.

Thanks,
Garima

28 Views, 0 likes, 1 Comment

Limitations on Modifying Enterprise Applications in Azure AD
Hi All,

I'm curious about the limitations on modifying Enterprise Applications in Azure AD. Specifically, are there any restrictions on how frequently we can make changes to attributes, ACS, or reply URLs? I understand that modifying these settings can impact user access, but I'm concerned about potential rate limits or other restrictions that might prevent frequent updates. Any insights or best practices for managing these changes would be greatly appreciated.

Post Script: We don't have a dedicated QA environment, so understanding these limitations will help us plan our changes carefully.

78 Views, 0 likes, 1 Comment

SCIM provisioning - custom app authentication
Hi, in the documentation for handling endpoint authentication, two methods are given:

1) A "long-lived token" (i.e. a secret key that has to be pasted in clear by the admin)
2) A "Microsoft Entra bearer token" - similar to other services (e.g. callbacks for MS Teams bots), Microsoft signs the outgoing calls, and the app being provisioned can validate them against Microsoft's public keys

To me, option (2) is by far the best - each message is signed individually, there is no manual handling of secrets, etc. As said in the documentation - "Apps that use Microsoft Entra ID as an identity provider can validate this Microsoft Entra ID-issued token." - great!

So why on earth does it then say "The token generated by the Microsoft Entra ID should only be used for testing. It shouldn't be used in production environments."? Why not? The whole system of Entra bearer tokens is only for test? And production should go back to secret keys, with all the problems they have? It doesn't seem right. What am I missing here?

107 Views, 7 likes, 0 Comments

No Application Access Policy Found for Graph API in MS Teams Virtual Events Integration
Hello Microsoft Community,

I've encountered an issue while integrating Microsoft Teams Virtual Events using Microsoft Graph API and would appreciate any guidance on how to resolve it.

Here's the setup:
- I have registered an application in Microsoft Entra ID.
- The app is set up with application-level permissions: VirtualEvent.Read.All, VirtualEventRegistration-Anon.ReadWrite.All
- I've configured an OAuth flow for users to authenticate with their Microsoft accounts and grant these permissions.
- After authentication, the user is redirected to our app, where we successfully fetch an application access token.
- The app is registered as a multi-tenant application.

The issue: We are using application permissions and receiving an access token correctly. The Entra ID dashboard shows that the app has been granted the required permissions. However, when using the Graph API to access virtual events (Teams webinars), I get the following error:

GET: https://graph.microsoft.com/beta/solutions/virtualEvents/webinars/:id

Response:
{
  "error": {
    "code": "General",
    "message": "No application access policy found for the app (707b5896-7828-4010-834e-74d3201a3137) on the user (7f27a9fb-af1a-4d36-a102-3a9591e6aaf9).",
    "innerError": {
      "request-id": "00af9b4e-043c-4f93-8a02-a5ee14e7d29c",
      "date": "2024-10-02T09:10:26",
      "client-request-id": "00af9b4e-043c-4f93-8a02-a5ee14e7d29c"
    }
  }
}

Additional Details:
- The app is meant to access data related to Microsoft 365 services (especially Teams).
- We are using application permissions and not delegated permissions.
- The app needs to work across multiple tenants.

My question:
- Do I need to configure additional application access policies for Microsoft Teams or Exchange Online to allow this app to access Teams-related data?
- Should I use Exchange PowerShell to create this policy, given the data is related to Microsoft 365 services (like Teams webinars)?
- Is there anything else I should verify for multi-tenant application permissions?

Any insights or troubleshooting guidance would be much appreciated! Thank you!

188 Views, 0 likes, 0 Comments

Idle Session Timeout policy for Entra ID - Enterprise applications
Hi All,

I would like to understand the limitations of having idle session timeout policies for Enterprise applications in Entra ID. Although we do have the session-based sign-in CAP option in the Entra ID configuration, that is not the customer's requirement; they want the idle session timeout option to be configured for their set of applications.

During research I got to know that we can configure idle session timeout through the admin.microsoft.com portal by visiting Org Settings >> Security & Privacy tab >> Idle session timeout, but that is only applicable to M365 apps such as Outlook web apps, OneDrive, SharePoint, Microsoft Fabric, the M365 Defender portal, the M365 Admin portal, etc. There is no such resource available which covers Entra ID Enterprise applications.

Thanks 🙂

664 Views, 0 likes, 1 Comment

Updated Multi-Tenant App permissions missing on new customer consent.
I have a multi-tenant application using Microsoft Entra ID. I have added additional permissions to the application. These additional permissions do not show up in the consent dialog for new customers. New customers are only asked to consent to the original permissions. Manually triggering the admin consent dialog (https://login.microsoftonline.com/<TenantId>/adminconsent?client_id=<ClientId>) retrieves the latest permissions for consent. Shouldn't new customers always consent to the latest permissions?

Environment Details: There are 2 Application Registrations, both multi-tenant applications. The first is an app registration for my web frontend client. The second is an app registration for my backend API; it has authorized the frontend client application in the "Expose an API" section.

552 Views, 0 likes, 2 Comments

Doubt about passwordless authentication
I have security keys enrolled for the users in my organization. Now I want them to sign in to an app with delegated access. They are able to open the app; it redirects to the Microsoft login page, where they choose to sign in with security keys, connect the key to the USB port, type the PIN of the security key, tap the key, and it logs in.

I would like a way to disable user verification, since it is slowing down the login process. The app is not a sensitive app. I would like the users to be able to just insert the security key into the USB port and touch the key to log in, instead of typing the PIN of the security key.

P.S. The users use YubiKey 5.

555 Views, 0 likes, 2 Comments

Grant user consent for the delegated Graph API permissions without the UI flow
There are two types of Graph API permissions we can grant for an AD application:
1. Application permissions
2. User delegated permissions

For the application permissions: the AAD portal provides a UI to grant admin consent.

For the user delegated permissions: to provide consent for the delegated permissions, the user needs to log in to the application that requires the access and grant the permissions using the UI flow. This is possible for an application which has a web UI, but for a backend without any UI this is not possible.

Questions:
1. Can we avoid the UI flow for granting consent for the user delegated permissions?
2. Is there a way we can grant consent for the user delegated permissions from the Azure AD portal like we do for admin consent?
3. If it is not supported from the AD portal, is there a Graph API to grant the permissions?
4. If it is supported by the Graph APIs, links to the documentation/examples would help.

4K Views, 0 likes, 3 Comments