Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.
Entra hybrid join issue caused maybe by 2 M365 accounts
Hello to everyone, one of my collegue has 2 Microsoft 365 accounts on its notebook when we tried to do the procedure to hybrid join his device; I suppose the other account give us problem in the procedure; now, there is only one account even if I can see in event log, in AAD log, that there is an error and 2 warnings bound to the old account. However, I tried to repeat the procedure but without any luck; what I see that it is different from the other devices, if I give the cmd dsregcmd /status is in these 2 lines: DisplayNameUpdated : YES OsVersionUpdated : YES while on other devices I see: DisplayNameUpdated : Managed by MDM OsVersionUpdated : Managed by MDM We have all a Microsoft 365 Business subscription and the configuration and steps for the other devices was: We have all devices with Entra registered user, we started with this when we have only the Microsoft 365 Basic subscription We enrolled all devices, with group policy, in MDE when we upgraded to the business Installed the Azure AD Connect Users sync Devices sync So, in the Entra portal we have first only the entry for registered, then when we synced the devices we have a second entry with hybrid registered and finally only one entry with Owner, MDM and Settings field filled with correct data; for example, when I make an hybrid join device, initially in the row I see MDE as MDM, then when the hybrid and registered compose one row I see Intune in that field. For the device that give us problems, I see a row like this in Entra portal while in Intune Any help is greatly appreciated.
Entra Private Access Licensing
I'm a bit stuck trying to figure out what licensing we need to get us working on BYOD devices such as iPads if we want to use the Private Access part of Global Secure Access. A few places on Microsoft's website mention that as long as we have an Entra ID P1 or P2 license and a Private Access license assigned to a user, we should be able to enrol mobile devices without any issues. However, when I try to sign into MS Defender on an iPad (tried 2 different ones), I get an error saying invalid license. One of the users I am currently testing has an Office 365 E3 license assigned as well. Where am I going wrong?Q: Restricting access to Business Web Application/Non-Enterprise Application
Hi all, We are in the middle of moving our on-prem infrastructure to Intune and more specifically, building out conditional access policies. All but one of our business applications have been straightforward with the process to limit access unless certain conditions are met from an authentication, device, or location compliance perspective. The one business application we are needing to find a solution for is a web-based application that we do not control outside of user administration and limited-customization. Typically this would be fine if SSO was leveraged, but this web application, unfortunately and not without several conversations with the developers due to the sensitive nature of the data being stored, does not have SSO on their roadmap. Users can access this application from any web browser using their username and password credentials and an application specific 2FA process using SMS code. There is no connection between our MS tenant and this web application. Due to the sensitive nature of the information stored within this application and the availability of this application from any device with a web browser has raised my antenna with security concerns. Especially in the case of a user downloading information from this site on their BYOD mobile device as they would may need to do in the course of their duties, but if they left the organization, we have no way of wiping that data through the removal of the work profile like we do with all other work data through Intune device compliance measures. We can limit what devices are allowed to connect to work resources (Complaint) and access work applications (all but one, and they need to be compliant to do so), but is there a way to not allow the personal profile of any BYOD device that is compliant, from accessing or logging into this specific URL in any browser from the personal profile web browser?
Device registration issue in Entra
Log Name: Microsoft-Windows-User Device Registration/Admin Source: Microsoft-Windows-User Device Registration Date: 2/4/2025 1:12:48 AM Event ID: 304 Task Category: None Level: Error Keywords: User: SYSTEM Computer: Servername.domain.com Description: Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x801c03f3 Server error: The device object by the given id (b1aa9a2c-e64c-4c8e-bfb9-1aaab093f9ff) is not found. Tenant type: Managed Registration type: sync Debug Output: joinMode: Join drsInstance: azure registrationType: sync tenantType: Managed tenantId: 5432c24e-7d1f-4efc-9410-01b73ea021e7 configLocation: undefined errorPhase: join adalCorrelationId: 043451f3-ad83-4b52-b48a-e9be735a446f adalLog: undefined adalResponseCode: 0x0 Log Name: Microsoft-Windows-User Device Registration/Admin Source: Microsoft-Windows-User Device Registration Date: 2/4/2025 1:12:48 AM Event ID: 204 Task Category: None Level: Error Keywords: User: SYSTEM Computer: Servername.domain.com Description: The get join response operation callback failed with exit code: Unknown HResult Error code: 0x801c03f3. Activity Id: 9d9f9396-134e-471e-8fc2-b16871520149 The server returned HTTP status: 400 Server response was: {"code":"invalid_request","subcode":"error_missing_device","message":"The device object by the given id (b1aa9a2c-e64c-4c8e-bfb9-1aaab093f9ff) is not found.","operation":"DeviceRenew","requestid":"9d9f9396-134e-471e-8fc2-b16871520149","time":"02-04-2025 6:12:52Z"}Conditional Access Policy - Only allow EntraID Joined devices to access SharePoint Online
Hi I have a cloud-only Microsoft 365 Tenant, 40 devices all EntraID joined and I want to only allow users to access SharePoint Online from the EntraID devices and not for example from their home computers. Is this achievable through Conditional Access policies? I see an option for hybrid joined but not EntraID joinedDouble entries in userCertificate avoids Hybrid Join
Hey guys, I have an interesting situation at a customer. He utilizes a third party MFA provider while being on a federation. That means new computers never will have a registered state. For users it is mandatory that theirs clients have fulfilled the Hybrid Join to use M365 apps, what can be a real pain. So the Automatic-Device-Join task has to create the userCertificate on the OnPremises computer object, before it can be synchronized to Entra. Here comes the issue. In some cases we see that some computers will create two userCertificate entries. This situation will lead to an inconstistent Hybrid Join. I already tried to remove one of the certificates, but for me it is impossible to recognize which is the right one. Only solution for me was to remove both entries under userCertificate and let the Automatic-Device-Join task create a new one. Afterwards the Hybrid Join will work. I want to understand, which process or scenario might create the double userCertificate entries?
No Application acces policy found fpr graph API in MS Teams Virtual Integration
Hello , I’ve encountered an issue while integrating Microsoft Teams Virtual Events using Microsoft Graph API and would appreciate any guidance on how to resolve it. Here’s the setup: I have registered an application in Microsoft Entra ID. The app is granted application-level permissions: 1. VirtualEvent.Read.All 2. VirtualEventRegistration-Anon.ReadWrite.All I’ve set up an OAuth flow for users to authenticate with their Microsoft accounts and approve these permissions. After authentication, the user is redirected back to our app, where we fetch an application access token. The issue: We receive an access token successfully. The Entra ID dashboard shows that the app has the required permissions. However, when using the Graph API to access virtual events (Teams webinars), I receive the following error: GET: https://graph.microsoft.com/beta/solutions/virtualEvents/webinars/:id Response: { "error": { "code": "General", "message": "No application access policy found for the app (707b5896-7828-4010-834e-74d3201a3137) on the user (7f27a9fb-af1a-4d36-a102-3a9591e6aaf9).", "innerError": { "request-id": "00af9b4e-043c-4f93-8a02-a5ee14e7d29c", "date": "2024-10-02T09:10:26", "client-request-id": "00af9b4e-043c-4f93-8a02-a5ee14e7d29c" } } } My question: What does this error mean? Could this issue be related to any additional application access policies that need to be set up for Microsoft Teams or Exchange? How should I go about troubleshooting or resolving this issue? Any help or pointers would be much appreciated! Thank you!
New Blog | Join us at the Microsoft Entra Suite Showcase!
By Kaitlin Murphy This fall, we are bringing the Microsoft Entra Suite Showcase to cities worldwide. Join us to explore how our latest advancements in secure identity and access management can help safeguard your organization's digital assets. Announced earlier this year, the Microsoft Entra Suite unifies identity and network access security—a novel and necessary approach for Zero Trust security. It provides everything you need to verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources. Read the full post here: Join us at the Microsoft Entra Suite Showcase!New Blog | Omdia’s perspective on Microsoft’s SSE solution
By Ngoyal n July, we announced the general availability of the Microsoft Entra Suite and Microsoft’s Security Service Edge (SSE) solution which includes Microsoft Entra Internet Access and Microsoft Entra Private Access. Microsoft’s vision for SSE Microsoft’s SSE solution aims to revolutionize the way organizations secure access to any cloud or on-premises applications. It unifies identity and network access through Conditional Access, the Zero Trust policy engine, helping to eliminate security loopholes and bolster your organization’s security stance against threats. Delivered from one of the largest global private networks, the solution ensures a fast and consistent hybrid work experience. With flexible deployment options across other SSE and networking solutions, you can choose to route specific traffic profiles through Microsoft’s SSE solution. Omdia's perspective According to Omdia, a leading research and consulting firm, Microsoft’s entry into the SASE/SSE space is poised to disrupt the market. Omdia highlights that Microsoft’s focus is on an identity-centric SASE framework, which helps consolidate technologies from different vendors by extending identity controls to your network and enhancing team collaboration. A key strength for Microsoft, according to Omdia, is its ability to introduce Microsoft Entra Internet Access and Microsoft Entra Private Access seamlessly into existing identity management conversations—a strength that could lead to broader adoption of network access services as part of the same platform. Read the full post here: Omdia’s perspective on Microsoft’s SSE solution
