Microsoft Identity Manager
16 Topics

Entra ID Connect Sync - Issue Updating the SQL 2019 Local DB

Hello, does anyone know how to patch/update the SQL Server 2019 LocalDB utilised by Microsoft AD Connect / Entra Connect? We have identified vulnerabilities in the version of SQL 2019 LocalDB used by Microsoft Entra Connect. The trace file in C:\ProgramData\AADConnect shows the following version:

Package=Microsoft SQL Server 2019 LocalDB , version=15.0.4138.2 (CU11)

We are attempting to update this local database to version 15.0.4415.2 (CU30), using the following package: https://www.microsoft.com/en-us/download/details.aspx?id=100809

However, when we run the package it cannot identify the SQL Server 2019 LocalDB server instance. There is a message stating:

"The version of SQL Server instance Shared Component does not match the version expected by the SQL Server update. The installed SQL Server product version is 11.4.7001.0, and the expected SQL Server version is 15.0.2000.5"

The version it references is SQL Server 2012; however, the logs show the database as SQL 2019, and the database instance name within the Entra Connect / AD Connect agent includes 2019. I have attempted leaving the service running, manually starting the database instance, running as admin, and running the package via command prompt targeting the instance. Any insight would be greatly appreciated. Many thanks.

64 views, 0 likes, 0 comments

SCIM and mapping to a 3rd party app

Hello, got a SCIM question: we have a 3rd party application we are hooking up to SCIM (call it AppXYZ). The group we want to put people into in AppXYZ is called 'Group1'. On the MS Entra side, the MS Entra group is called "Testing Users". When I set up SCIM, how do I map the MS Entra group "Testing Users" to the group inside of AppXYZ called Group1? Note: I cannot change the name of the group in AppXYZ; it must be called Group1, no exceptions, and the MS Entra user group must be called "Testing Users"; I cannot alter the name. Thanks everyone.

15 views, 0 likes, 0 comments

General Question About Federation

Hello, we have a federated domain, and to my knowledge this means that all authentication for this domain will be sent to ADFS and will not be directly handled in Azure Entra ID. Is the following statement correct: when I register an app in Entra ID, the authentication will still be handed off to ADFS? (When my user types in [email address removed for privacy reasons], I will first go to Microsoft, which will then hand it off to ADFS.) Will there be any additional config required on the ADFS server for the registered application? If I would like to bypass this federated authentication, is the only way to do this to change it to a managed domain, removing the federation, or to do a staged rollout as described below?

Microsoft Entra Connect: Cloud authentication via Staged Rollout - Microsoft Entra ID | Microsoft Learn

56 views, 0 likes, 1 comment

Can we use On-Behalf-Of-User flow and Client Credential Flow for same API

I have developed a few APIs and they use the on-behalf-of-user flow. We get delegated access for the respective users to perform actions. But we have several background jobs, so can I switch to the client credential flow for just these background jobs? By doing this, the same API has both the "on behalf of user flow" and the "client credential flow"!

191 views, 0 likes, 0 comments

Client approval of PIM requests for Partner GDAP users

Hi, I have a client who would like to manage PIM eligibility and approval for role elevation for GDAP partner service techs. Essentially, even though GDAP gives the Exchange administrator role, the client still wants the tech to request elevation and for the approval to go to the client. I see there is a way to manage this from a partner level, where the partner would have PIM and manage approvals, but this seems to be global across all clients and not a single client. To answer the client: is there a way the client can manage PIM from their side for partner GDAP users?

167 views, 0 likes, 0 comments

Improving Secure Score

Increasing Secure Score: Ensure multifactor authentication is enabled for all users. I wanted to enable this feature in my organization but faced this issue. Posting it in case it helps someone.

The issue faced: when trying to deploy this feature in the organization, I saw a low-security option enabled by default.

Solution:
Sign in to the Azure portal with your admin credentials.
Navigate to entra.microsoft.com -> Security -> Conditional Access.
Enable or disable based on your organization's needs.
entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade

466 views, 0 likes, 0 comments

New Blog Post | Act now: Turn on or customize Microsoft-managed Conditional Access policies

As part of our Secure Future Initiative, we announced Microsoft-managed Conditional Access policies in November 2023. These policies are designed to help you secure your organization's resources and data based on your usage patterns, risk factors, and existing policy configuration, all while minimizing your effort. Our top recommendation for improving your identity secure posture is enabling multifactor authentication (MFA), which reduces the risk of compromise by 99.2%. This is why our first three policies are all related to MFA for different scenarios.

Since we announced Microsoft-managed Conditional Access policies, we’ve rolled out these policies to more than 500,000 tenants in report-only mode. In this mode, the policies don’t impact access but log the results of policy evaluation. This allows administrators to assess the impact before enforcing these policies. Thanks to proactive actions taken by administrators to enable or customize these policies, over 900,000 users are now protected with MFA.

We’ve been actively listening to your feedback. Customers shared that Microsoft-managed policies impact the number of Conditional Access policies that organizations can create. We’ve addressed this by making a significant change: Microsoft-managed policies will no longer count towards the Conditional Access policy limit. Another adjustment relates to existing Conditional Access policies. If you already have a policy in the “On” state that meets or exceeds the requirements set by the Microsoft-managed policy, the latter will not be automatically enforced in your tenant.

Initially, we communicated that these policies would be automatically enabled 90 days after creation. However, based on customer feedback, we recognize that some customers need additional time to prepare for these policies to be enforced. As a result, we have extended the time frame before enforcing the policies for this initial set of policies.

For these three policies, you will have more than 90 days to review and customize (or disable) your Microsoft-managed Conditional Access policies before they are automatically enforced. Rest assured, you’ll receive an email and a Message Center notification providing a 28-day advance notification before the policies are enforced in your tenant.

Call to Action
Review these policies in the Conditional Access policies blade.
Add customizations such as excluding emergency accounts and service accounts.

Read the full story here: Act now: Turn on or customize Microsoft-managed Conditional Access policies - Microsoft Tech Community

746 views, 0 likes, 0 comments

Authentication from multiple, but certain, tenants to OAuth apps

Got an SPA app and API; I'm using MSAL for authentication. The end users come from a limited, but not singular, set of tenants. Since for the application authentication I can only select a single tenant, or all tenants, I'm looking for solutions here. One is tenant collaboration / multitenant organization, but it seems like overkill for this need. Another is multiple authorities, but isn't it then tricky to wrangle multiple client IDs, selecting the right authority, etc.? Is there a way of doing this I'm missing?

2K views, 0 likes, 2 comments

New Blog | Microsoft Entra ID Governance licensing for business guests

Thousands of customers have tested or deployed Microsoft Entra ID Governance since it launched on July 1, 2023, seeing the value in governing the identities of their workforce. Many of those customers have asked about extending this governance to the identities of their business guests—contractors, partners, and external collaborators—to more fully follow least privilege access principles while still enabling seamless collaboration. We are pleased to announce that we're helping organizations to more easily manage this situation by creating a new ID Governance license for business guests. This license will operate on a monthly active usage (MAU) model. Customers will be able to acquire licenses matching their anticipated business guest MAU.

Read the full blog here: Microsoft Entra ID Governance licensing for business guests - Microsoft Community Hub

1K views, 0 likes, 0 comments

New Blog | Microsoft Entra Expands into Security Service Edge with Two New Offerings

Flexible work arrangements and accelerating digital transformation changed the way we secure access. Traditional network security approaches just don’t scale to modern demands. They not only hurt end user experience but also grant each user excessive access to the entire corporate network. All it takes is one compromised user account, infected device, or open port for an attacker to access and laterally move anywhere inside your network, exposing your most critical assets.

Read the full blog here: Microsoft Entra Expands into Security Service Edge with Two New Offerings - Microsoft Community Hub

896 views, 0 likes, 0 comments