Microsoft Identity Manager
AD Connect Start-ConnectivityValidation - GetDomain failing error while running adding directories

We have some 40 countries, i.e. 40 local forests in our environment separated by firewalls. We are trying to onboard all our local forests on AD Connect and decommission MIM. We have this issue where the Start-ConnectivityValidation command of the ADConnectivityTool PS module fails with the error "GetDomain failed. The specified domain does not exist or cannot be contacted". The AD Connect servers are in a different forest than the country forests. Here are the configuration details:

ADC Architecture: Multi-forest, single tenant.
Country Forests Network Architecture: All forests have a DMZ that contains an additional DC with which AD Connect has connectivity. The local forest network doesn't have direct network connectivity with the ADC forest.
Firewall Settings: ADC Staging & Prod server IP ranges are allowed in the country forest's firewall. The ADC forest firewall allows all traffic to & from all forest networks.
Ports: 53, 88, 389 & 3268 are open for both TCP & UDP protocols.
DNS Request Routing: AD Connect uses Conditional Forwarders; MIM uses a Hosts file or Fwd Zones.
SRV Records: Configured for both LDAP & Kerberos on the country forest's local DNS for the DMZ ADC.
Test-NetConnectivity: Successful for the above mentioned ports.
NSLookup/Ping: Successfully resolves the DCs; the DMZ ADC is also listed in the output.
Confirm-DnsConnectivity: Successful.
Connectivity Validation: Start-ConnectivityValidation -Forest "contoso.com" -AutoCreateConnectorAccount $False -Username "contoso.com\username" fails with the above mentioned error. Even tried the NetBIOS name format, but still no success.

MS Premier Support Directory Services, Network (DNS) & Identity support guys have all tried but can't resolve this issue. Any help will be highly appreciated.

No password, phone sign in for Microsoft accounts!

Forgot your password? No problem. Now you can sign in without needing to remember a complicated string of characters, just using your phone! Phone sign-in for Microsoft accounts is now generally available. Add your account to our Authenticator app, enter your username and receive a notification on your phone. Once you approve the notification, you're in! No password needed, and much more secure. Read more about it in the Enterprise Mobility and Security Blog.

Authentication from multiple, but certain, tenants to OAuth apps

Got an SPA app and API; I'm using MSAL for authentication. The end users come from a limited set of tenants, but not a single one. Since for the application authentication I can only select a single tenant, or all tenants, I'm looking for solutions here. One is tenant collaboration / multitenant organization, but it seems like overkill for this need. Another is multiple authorities, but isn't it then tricky to wrangle multiple client IDs, selecting the right authority, etc.? Is there a way of doing this I'm missing?

New Blog | Microsoft Entra ID Governance licensing for business guests

Thousands of customers have tested or deployed Microsoft Entra ID Governance since it launched on July 1, 2023, seeing the value in governing the identities of their workforce. Many of those customers have asked about extending this governance to the identities of their business guests (contractors, partners, and external collaborators) to more fully follow least privilege access principles while still enabling seamless collaboration. We are pleased to announce that we're helping organizations to more easily manage this situation by creating a new ID Governance license for business guests. This license will operate on a monthly active usage (MAU) model. Customers will be able to acquire licenses matching their anticipated business guest MAU. Read the full blog here: Microsoft Entra ID Governance licensing for business guests - Microsoft Community Hub

New Blog | Microsoft Entra Expands into Security Service Edge with Two New Offerings

Flexible work arrangements and accelerating digital transformation changed the way we secure access. Traditional network security approaches just don't scale to modern demands. They not only hurt end user experience but also grant each user excessive access to the entire corporate network. All it takes is one compromised user account, infected device, or open port for an attacker to access and laterally move anywhere inside your network, exposing your most critical assets. Read the full blog here: Microsoft Entra Expands into Security Service Edge with Two New Offerings - Microsoft Community Hub

Administrative Units (MDE, MDI, MDCA, Purview, Endpoint mgmt)

Hello, the Microsoft documentation on Administrative Units (AUs) is not clear enough. I would like to know if I can use AUs in the following portals:

security.microsoft.com: For example, can I create Defender for Office 365 policies for the users and groups within my AUs?
compliance.microsoft.com: For example, can I create an Information Protection sensitivity label for the groups included in my AU?
portal.azure.com: I know that I can create, delete, and modify users, as well as manage licenses within my AU.
endpoint.microsoft.com: Can I create configuration profiles for devices within my dynamic device group in an AU?

Or is the term "AUs" restricted only to the Azure Portal and MS Teams Devices? Please let me know if there are any specific limitations or restrictions regarding the use of AUs in these portals. Regards, Farhad

New Blog Post | Act now: Turn on or customize Microsoft-managed Conditional Access policies

As part of our Secure Future Initiative, we announced Microsoft-managed Conditional Access policies in November 2023. These policies are designed to help you secure your organization's resources and data based on your usage patterns, risk factors, and existing policy configuration, all while minimizing your effort. Our top recommendation for improving your identity secure posture is enabling multifactor authentication (MFA), which reduces the risk of compromise by 99.2%. This is why our first three policies are all related to MFA for different scenarios.

Since we announced Microsoft-managed Conditional Access policies, we've rolled out these policies to more than 500,000 tenants in report-only mode. In this mode, the policies don't impact access but log the results of policy evaluation. This allows administrators to assess the impact before enforcing these policies. Thanks to proactive actions taken by administrators to enable or customize these policies, over 900,000 users are now protected with MFA.

We've been actively listening to your feedback. Customers shared that Microsoft-managed policies impact the number of Conditional Access policies that organizations can create. We've addressed this by making a significant change: Microsoft-managed policies will no longer count towards the Conditional Access policy limit. Another adjustment relates to existing Conditional Access policies. If you already have a policy in the "On" state that meets or exceeds the requirements set by the Microsoft-managed policy, the latter will not be automatically enforced in your tenant. Initially, we communicated that these policies would be automatically enabled 90 days after creation. However, based on customer feedback, we recognize that some customers need additional time to prepare for these policies to be enforced. As a result, we have extended the time frame before enforcing the policies for this initial set of policies.

For these three policies, you will have more than 90 days to review and customize (or disable) your Microsoft-managed Conditional Access policies before they are automatically enforced. Rest assured, you'll receive an email and a Message Center notification providing a 28-day advance notification before the policies are enforced in your tenant.

Call to action: Review these policies in the Conditional Access policies blade. Add customizations such as excluding emergency accounts and service accounts. Read the full story here: Act now: Turn on or customize Microsoft-managed Conditional Access policies - Microsoft Tech Community

Optimize PowerShell script when it is executed on a tenant with x thousands of users

Hello, I'm facing a problem of latency when I execute the script, and there are also some limitations of Azure AD: sign-in and audit logs are available for 30 days only, so I am getting blank cells in the CSV reports. The main problem is when I execute the script to audit 3000 guest users (audit guest users); it takes a lot of time without results, and gives errors like "error reading JToken". What can I do to increase the speed of execution? Thank you 🙏

New blog post | Entra Identity Governance with Entra Verified ID

I'm excited to announce the integration of Entra Identity Governance Entitlement Management with a very cool technology we recently introduced, Microsoft Entra Verified ID! If you think about what you need to onboard new users, including employees, contractors, partners, or other business guests, it often includes verifying identity information and credentials. This process can be tedious and time-consuming, requiring users to fill out redundant online forms or paperwork, ultimately delaying hiring timelines and ramp-up periods. Entra Identity Governance with Entra Verified ID – Higher Fidelity Access Rights + Faster Onboarding - Microsoft Community Hub