Azure Identity
4 Topics

How to find "forbidden" messages for applications in Entra ID?
Hi, I thought to ask here: which different log methods does Entra ID offer for troubleshooting login issues? In my case, I have had an application running on the VMs in Entra and it has been working fine. They are using the client secrets from the application registration to access Entra. Last Monday was the latest day when that application was working, and since then the app logs on the VMs are full of forbidden messages when it is trying to access login.microsoftonline.com. The challenge I have is that I cannot find that forbidden message anywhere in the Entra logs. I can only see those "success" entries from before Monday, when the application was working. But I'm a bit lost as to where I should try to find that forbidden information. The client secrets are fine from the portal point of view. This has something to do with the token, as part of the forbidden error says: MSAL: Token Acquisition 1004 failed. But the question is, what log in Entra should I be using to find this issue? No, nothing has changed 😄 As usual 😄
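An added example, not part of the post above: client-credential token requests made with an app registration's secret are not user sign-ins, so they only show up in the service principal sign-in category of the Entra sign-in logs, which the default sign-in query excludes. The script below pulls that category for one app over the last week through Microsoft Graph and groups the failures by error code. It assumes the Microsoft.Graph.Beta.Reports module, an account with AuditLog.Read.All and Directory.Read.All, and a placeholder application (client) ID.

```powershell
# Added example (not the thread's code): list failed service-principal sign-ins for one
# app registration from the Entra sign-in logs via Microsoft Graph (beta module).
# Assumptions: Microsoft.Graph.Beta.Reports is installed; the connecting account holds
# AuditLog.Read.All and Directory.Read.All; $appId below is a placeholder value.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$appId = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID of the app registration
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# signInEventTypes/any(... 'servicePrincipal') selects client-credential (app-only) sign-ins,
# which a plain sign-in query without this clause does not return.
$filter  = "appId eq '$appId' and createdDateTime ge $since and signInEventTypes/any(t: t eq 'servicePrincipal')"
$signIns = @(Get-MgBetaAuditLogSignIn -Filter $filter -All)

# errorCode 0 is success; anything else is a rejected token request
$failed = @($signIns | Where-Object { $_.Status.ErrorCode -ne 0 })
'{0} service principal sign-ins in the last 7 days, {1} failed' -f $signIns.Count, $failed.Count

# Group by error code so a credential problem (wrong or expired secret) can be told apart
# from a policy block (for example Conditional Access for workload identities). KeyId is the
# keyId of the secret or certificate that was presented, so you can match it in the portal.
$failed |
    Group-Object { $_.Status.ErrorCode } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $latest = ($_.Group | Sort-Object CreatedDateTime -Descending)[0]
        [pscustomobject]@{
            ErrorCode = $_.Name
            Count     = $_.Count
            Reason    = $latest.Status.FailureReason
            LastSeen  = $latest.CreatedDateTime
            KeyId     = $latest.ServicePrincipalCredentialKeyId
        }
    } | Format-Table -AutoSize
```

One caveat worth checking before blaming the directory: Entra only logs requests that reach the token endpoint. If the "forbidden" response is produced in front of it (an egress proxy, firewall or TLS-inspection appliance answering 403 for login.microsoftonline.com), nothing will appear here at all, and the place to look is the VM's outbound path rather than the sign-in logs.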
Access Package Policy via script

I think I'm going crazy; wondering if anyone can help. I'm attempting to create a policy for an existing Access Package and set the duration time to 12 hours. The intention is that these packages will work a lot like a PIM group, but they are for certain testing profiles.

The script looks like:

```powershell
# Who may request the package: members of one group
$allowedRequestors = @(@{
    "@odata.type" = '#microsoft.graph.groupMembers'
    "id"          = 'GroupIDRedacted'
    "description" = 'GroupNameRedacted'
})

# Policy body passed to the cmdlet
$params = @{
    displayName        = "12 Hour Tester Policy"
    description        = "Provide access for 12 hours"
    allowedTargetScope = "notSpecified"
    expiration = @{
        duration = 'PT12H'
        type     = 'afterDuration'
    }
    requestorSettings = @{
        "scopeType"         = 'SpecificDirectorySubjects'
        "acceptRequests"    = $true
        "allowedRequestors" = $allowedRequestors
    }
    requestApprovalSettings = @{
        "isApprovalRequired"              = $false
        "isApprovalRequiredForExtension"  = $false
        "isRequestorJustificationRequired" = $false
        "approvalMode"                    = 'NoApproval'
        "approvalStages"                  = '[]'
    }
    accessPackage = @{
        id = $ap.id
    }
}
```

This sets the parameters. I then run the command:

```powershell
New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy -BodyParameter $params -Verbose
```

And it will create the policy, but the lifecycle expiration is still set to never, while all other settings have worked.

If I try the non-beta command, it prompts me for an AccessPackageID as though none is in the parameters. If I supply the same ID of the access package as in $ap.id, I get the error:

"New-MgEntitlementManagementAccessPackageAssignmentPolicy_Create: The request URI is not valid. Since the segment 'accessPackages' refers to a collection, this must be the last segment in the request URI or it must be followed by an function or action that can be bound to it otherwise all intermediate segments must refer to a single resource."

Has anyone successfully created an Azure access package policy via PowerShell with a duration lifecycle? Care to post an example of your parameters if so?
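An added example, not the poster's script: the beta assignment policy resource expresses lifecycle as durationInDays (whole days) and expirationDateTime, so an expiration block with an ISO 8601 duration has nothing to land on there; the v1.0 resource is the one that takes expiration with type afterDuration and a duration such as PT12H. The v1.0 cmdlet that posts to /identityGovernance/entitlementManagement/assignmentPolicies is New-MgEntitlementManagementAssignmentPolicy, not the AccessPackageAssignmentPolicy one, which targets the accessPackages/{id}/assignmentPolicies navigation named in the error above. The script below creates a 12-hour policy with the v1.0 schema and reads it back to confirm. It assumes the Microsoft.Graph.Identity.Governance (v1.0) module, an account with EntitlementManagement.ReadWrite.All, and placeholder access package and group values.

```powershell
# Added example (not the poster's script): 12-hour assignment policy via the v1.0 API,
# then a read-back to confirm the lifecycle was stored.
# Assumptions: Microsoft.Graph.Identity.Governance (v1.0) is installed; the caller holds
# EntitlementManagement.ReadWrite.All; the package name and group ID are placeholders.
Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All' -NoWelcome

$ap      = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq 'Tester Package'" | Select-Object -First 1
$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the requestor group

$params = @{
    displayName        = '12 Hour Tester Policy'
    description        = 'Provide access for 12 hours'
    # v1.0 scopes requestors with allowedTargetScope + specificAllowedTargets
    # (the beta requestorSettings.scopeType / allowedRequestors pair does not exist here)
    allowedTargetScope = 'specificDirectoryUsers'
    specificAllowedTargets = @(
        @{
            '@odata.type' = '#microsoft.graph.groupMembers'
            groupId       = $groupId
            description   = 'Tester requestors'
        }
    )
    # v1.0 expirationPattern: ISO 8601 duration; beta's durationInDays cannot express 12 hours
    expiration = @{
        type     = 'afterDuration'
        duration = 'PT12H'
    }
    requestorSettings = @{
        enableTargetsToSelfAddAccess    = $true
        enableTargetsToSelfUpdateAccess = $false
        enableTargetsToSelfRemoveAccess = $true
        allowCustomAssignmentSchedule   = $false
    }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd    = $false
        isApprovalRequiredForUpdate = $false
        stages                      = @()    # a real array, not the string '[]'
    }
    accessPackage = @{ id = $ap.Id }
}

# POST /identityGovernance/entitlementManagement/assignmentPolicies
$policy = New-MgEntitlementManagementAssignmentPolicy -BodyParameter $params

# Read the policy back: the expiration should report afterDuration / PT12H rather than noExpiration
$check = Get-MgEntitlementManagementAssignmentPolicy -AccessPackageAssignmentPolicyId $policy.Id
'{0}: expiration type={1}, duration={2}' -f $check.DisplayName, $check.Expiration.Type, $check.Expiration.Duration
```

The read-back is the part worth keeping in any provisioning script: a policy that silently defaults to "never expires" is the opposite of the PIM-like behaviour the poster is after, so assert on the stored expiration rather than on the cmdlet returning without error.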
When employee leave company

Hi, I went through our application registrations in Azure and noticed applications whose owners were people who have already left the company. How do you handle these cases? How do you query all of Azure to ensure that there are no orphaned services/applications, etc.? Application registrations are of course one story, but obviously not the only one.
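An added example, not part of the post above: one way to sweep the tenant for orphaned identities is to walk every app registration and every enterprise app (service principal) that was created from this tenant's own registrations, resolve each owner, and flag the objects where no owner is still a usable account. The script below does that through Microsoft Graph and prints the candidates. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Users modules and an account with Application.Read.All and User.Read.All; an owner that no longer resolves as a user is reported as gone.

```powershell
# Added example (not the thread's code): report app registrations and tenant-owned
# service principals whose owners are all disabled, no longer resolvable, or absent.
# Assumptions: Microsoft.Graph.Applications and Microsoft.Graph.Users are installed and
# the caller holds Application.Read.All and User.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All', 'User.Read.All' -NoWelcome
$tenantId = (Get-MgContext).TenantId

# Cache so each owner is looked up once; states: active, disabled, gone, nonUser
$ownerState = @{}
function Get-OwnerState {
    param([Parameter(Mandatory)] $Owner)
    # Owners may also be service principals; only user owners leave the company
    if ($Owner.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { return 'nonUser' }
    if (-not $ownerState.ContainsKey($Owner.Id)) {
        try {
            $u = Get-MgUser -UserId $Owner.Id -Property Id, AccountEnabled -ErrorAction Stop
            $ownerState[$Owner.Id] = if ($u.AccountEnabled) { 'active' } else { 'disabled' }
        } catch {
            # The owner reference no longer resolves to a user object: treat as gone
            $ownerState[$Owner.Id] = 'gone'
        }
    }
    $ownerState[$Owner.Id]
}

function New-OwnerRow {
    param($Type, $DisplayName, $AppId, $Owners)
    $states = @($Owners | ForEach-Object { Get-OwnerState $_ })
    $live   = @($states | Where-Object { $_ -in 'active', 'nonUser' }).Count
    [pscustomobject]@{
        Type        = $Type
        DisplayName = $DisplayName
        AppId       = $AppId
        Owners      = $states.Count
        LiveOwners  = $live
        OwnerStates = ($states -join ',')
        Orphaned    = ($live -eq 0)   # no owner at all, or none who can still act
    }
}

$rows = @()

# App registrations: the objects that carry client secrets and certificates
foreach ($app in Get-MgApplication -All -Property Id, AppId, DisplayName) {
    $owners = Get-MgApplicationOwner -ApplicationId $app.Id -All
    $rows  += New-OwnerRow 'AppRegistration' $app.DisplayName $app.AppId $owners
}

# Enterprise apps created from this tenant's registrations. Service principals for
# Microsoft first-party and gallery apps belong to another tenant and are skipped.
foreach ($sp in Get-MgServicePrincipal -All -Property Id, AppId, DisplayName, AppOwnerOrganizationId) {
    if ($sp.AppOwnerOrganizationId -ne $tenantId) { continue }
    $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All
    $rows  += New-OwnerRow 'ServicePrincipal' $sp.DisplayName $sp.AppId $owners
}

$rows | Where-Object Orphaned | Sort-Object Type, DisplayName | Format-Table -AutoSize
```

Run it on a schedule and diff the output: an app registration that turns orphaned is the one whose secret rotation nobody will notice, and the OwnerStates column tells you whether the fix is reassigning ownership (owner disabled) or deciding whether the registration should exist at all (no owner ever set).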
[Entitlement Management] Please provide the possibility to assign roles on Access Package level

It would be very beneficial if it were possible to assign fine-grained role permissions based on access package. Currently it is only available at catalog level. The approach of defining permissions based on catalog does not provide a way to assign permissions to business users that is both secure and flexible.