Authentication
Practical Graph: Nag Users to Upgrade to a Strong Authentication Method
Convincing people to use MFA is one challenge. Convincing them to use a stronger authentication method than SMS is another. This article explains how to use PowerShell to find people still using SMS for MFA and send email to ask them to upgrade their authentication method. https://practical365.com/upgrade-stronger-authentication-method-mfa/

Cannot reset password for user converted from Active Directory synced to cloud only
Hi everyone, checking the audit logs of a few involved users we noticed the same error: "Synchronization Engine returned an error hr=80230405 message=The operation failed because the object cannot be found OnPremisesAgent: AADConnect". This error sounds strange to us since we are talking about Cloud-Only resources with no entry in the AD DS system. Thanks.

Dynamic group based on custom security attribute
Can anyone answer this question? Can or should I be able to create a dynamic group filtering on a custom security attribute? Yes, I know you can filter based on extensionattribute1-15; however, I have noted that accounts created in Entra don't appear to have the option to view extension attributes, plus these come from an on-prem created account. So the questions are: Can I create a dynamic group using a custom security attribute, and if so how, because the custom attributes don't show up in the Property options when creating the dynamic group query? How can I add to the extension attributes for non on-prem synced accounts (accounts created in Entra)?

Cannot sign into my M365 Account
I have an M365 Business Basic account. I am the only admin and only user in the system. I have MFA set up. I had to get a new phone about a month ago and unfortunately lost access to my only MFA device. I have my account in my authenticator app on my new phone, but the account needs to be refreshed and it's asking me to scan the QR code; in other words, MFA is not set up on my new device. Because I cannot sign into anything Microsoft, I am unable to reset my MFA, unable to open a support ticket, and pretty much unable to do anything. I called the MSFT support line and spoke to someone who transferred me to the Data Security team. I have been on hold for over 5 hours. Is there any alternative course of action I can take to open a support ticket or get help?

Is PIM any good?
I'm planning a PIM implementation and am trying to understand a few things about PIM and certain recommendations. I have an OnPrem\Entra hybrid environment. I have many servers hosted both on prem in the on prem AD and in Azure. In traditional on prem environments this segregation has typically been achieved using separate admin accounts. This gives you some segregation and protection in case an account was compromised. I'll accept it's not bulletproof, but a lot of things would have to work in the right order for a bad actor to compromise a separate admin account. I've read and heard MS guys (probably driving license sales) saying that's not the right way anymore and JIT is the right way. Which of course requires a license. I'm looking for opinions or observations from experience for the following: Why is doing one account (possibly the regular user account in a hybrid environment) with PIM better than having a regular and an admin account? Why not have a separate admin account with PIM implemented on the admin account in Entra? I can't see how this would be less secure than just one account with PIM. One argument I heard was you can require MFA to activate the access. Well, right now I just use CA policies to require MFA for any use of a role I have nominated (portal\cli\PowerShell etc). How is Entra JIT with one account better than still having an admin account and requiring MFA for them to log onto any of the admin portals to use their privileged access? Another concern I have is controlling who is assigned to the roles. Right now I can add them one by one to the role in PIM, but our MSP (who does the bulk of the management) wants to add a group to each role assignment and then they add people to the group to inherit the assignment of the role. For many reasons I can't go into, there are large numbers of people who are in the group admin role.
This basically means any of them could elevate their or someone else's access into an Entra role if I'm using groups to assign groups to roles. What if they start nesting groups into other groups and suddenly Domain Users has been nested and has Global Admin? How do I police this?

M365 Entra ID Guest cannot set up MFA
Hi there, for a week now, Entra ID guests from our M365 tenant have not been able to set up the Microsoft Authenticator app. Error message: "Unfortunately, an error occurred" after the number was confirmed in the app. We are sure that the problem is not in our tenant settings, but we also don't find information about a Microsoft issue. Microsoft ticket opened, but Microsoft has been silent for a few days. Any ideas?

Microsoft to Enforce Mandatory MFA Requirement for Microsoft 365 Admin Center
In February 2025, Microsoft will begin enforcing a mandatory MFA requirement for the Microsoft 365 admin center. All connections to the Microsoft 365 admin center must pass an MFA challenge. The move is to increase the percentage of Entra ID user accounts protected by MFA. This article explains what's happening and outlines how to gain insight into who might be affected by the change. https://office365itpros.com/2024/11/18/mandatory-mfa-for-microsoft-365/

Disabling certain MFA methods
Hi, I am new to M365. Some of our users have set up MFA already. One method they use is "email OTP". In the Entra Admin Center I see the Authentication methods. Trying to disable Email OTP is not possible, because the save button is greyed out. What is the reason for that? Could it be because some users are already using this method? What do I need to do to resolve this?

Clarification on Rate Limit for Message Trace API Integration
I am currently working on the integration of the Message Trace API and wanted to clarify some details regarding the rate limit. The REST API I am currently using for O365 Message Trace for my integration is: https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace[?ODATA options] As mentioned previously, the rate limits for the O365 Message Trace API are generally aligned with the Microsoft Graph API limits: Per-Minute Limit: Up to 60 requests per minute. However, during testing of the integration, I've noticed that my data is not being ingested within that specified timeframe and is not aligning with the specified rate limit. Can someone please confirm if there are any additional limitations or conditions that might cause the rate limit to vary? Are there any other factors, such as throttling or specific request patterns, that could affect the rate limit during data ingestion? Your guidance on this would be greatly appreciated as it would help me optimize the integration process.

Where Is The Microsoft 365 Password Complexity Requirements Documentation?
Hi, I have done some (what I believed to be) decent startpage searches to find this, but the closest thing I could find to a definition was an IBM document. Where is the Microsoft documentation (or Graph API endpoint to show this) which defines the Microsoft 365 password requirements?