GSA - Web content filtering - Custom blocked page
Hello everyone, I have a quick question. I just tested the 'Web Content Filtering' of Global Secure Access. However, in Microsoft's documentation, two processes are mentioned for displaying blocked sites (related to HTTP and HTTPS). I wanted to know if it is possible to create a custom page (for example, adding the company logo, indicating the reason for blocking such as the associated web category, etc.). I tried to search, but no documentation related to this is available (or at least I couldn't find it). Thanks in advance for the help!
Disabling Directory Sync for Hybrid - Overthinking?
Hi all, I am at the finish line for decommissioning On-Prem AD and moving from our Hybrid environment to managing our identities in Entra. About to cut off the Directory Sync. Weirdly couldn't find a concrete answer on this question online, but I might just be overthinking this. **Devices are Entra enrolled + Intune Managed, NOT Domain Joined.** User profiles that originate from On-Prem AD on the endpoints still show as DOMAIN\username. User profiles that originate from Cloud on the endpoints show as AzureAD\email address removed for privacy reasons. What happens to these On-Prem User Profiles when we disable Directory Sync? Do they change over auto-magically to "AzureAD\email address removed for privacy reasons" on the endpoints? Am I missing something here? Thanks in advance.
How to map a user custom security attribute to OIDC id and access token ?
We are integrating keycloak with azure entra via OIDC. We have created custom security attribute to map some extension fields for the user. We tried to map these as tokens, but the custom security attributes doesn't show up in the dropdown under the token > add optional claims We then tried to define them under the Enterprise App > Single SignOn > Attributes & Claims; but unable to find these custom security attributes in the drop down there either ! Any help for this problem is deeply appreciated. Thanks, Raghav
Entra ID expressions for attribute mapping
Hi All, we have the following requirement. if [StatusEndEmploymentDate] is null or if its grater than today's date and city value is present the user should move to repective OU if [StatusEndEmploymentDate] is less than today's date than user should move to the staging OU. we have tried following query but there is no luck. need your help to achieve the requirement. Switch([StatusEndEmploymentDate],Switch([City],"OU=Users,DC=abc,DC=com", "Amsterdam", "OU=Users,OU=Amsterdam,DC=abc,DC=com", "Antwerp", "OU=Users,OU=Antwerp,DC=abc,DC=com", "Bengaluru", "OU=Users,OU=Bengaluru,DC=abc,DC=com", "Copenhagen", "OU=Users,OU=Copenhagen,DC=abc,DC=com"),IIF(DateDiff("d", Now(), [StatusEndEmploymentDate])>"-1",Switch([City],"OU=Users,OU=IAM,DC=abc,DC=com","Amsterdam","OU=Users,OU=Amsterdam,DC=abc,DC=com","Antwerp","OU=Users,OU=Antwerp,DC=abc,DC=com","Bengaluru","OU=Users,OU=Bengaluru,DC=abc,DC=com","Copenhagen"))
Lighthouse - viewing CA configuration at-a-glance
Hi, first off - apologies if I'm in the wrong space. I really do not understand the community hub structure, and there doesn't seem to be one for lighthouse. recently came across our 2nd tenant this year that did not have any CA policies set. Assuming this was just overlooked during P1 purchasing or something. Is there a way to view CA status within Lighthouse for all tenants? We do not have the full granular admin setup - our customers are sub-tenants but only just. We have domain admins for each, but our personal accounts do not have Security Admin roles on them. Saying this because it locks me out of some Lighthouse features. But trying to find a way to check this easily. ThanksWhat is your SOP for old risky users?
Recently have been tasked with leveraging Entra ID to it's full potential. We've a suite of different tools we use for alerting, so the Risky Users component was essentially ignored for a couple years, and there's a buildup of alerts for sign-in attempts I can't even pull logs for. These users would've been required to change their password since the date on most of these, and we have some hybrid environments I plan on enabling self-clearing for. But wondering what other MSPs have done in this scenario?
Entra hybrid join issue caused maybe by 2 M365 accounts
Hello to everyone, one of my collegue has 2 Microsoft 365 accounts on its notebook when we tried to do the procedure to hybrid join his device; I suppose the other account give us problem in the procedure; now, there is only one account even if I can see in event log, in AAD log, that there is an error and 2 warnings bound to the old account. However, I tried to repeat the procedure but without any luck; what I see that it is different from the other devices, if I give the cmd dsregcmd /status is in these 2 lines: DisplayNameUpdated : YES OsVersionUpdated : YES while on other devices I see: DisplayNameUpdated : Managed by MDM OsVersionUpdated : Managed by MDM We have all a Microsoft 365 Business subscription and the configuration and steps for the other devices was: We have all devices with Entra registered user, we started with this when we have only the Microsoft 365 Basic subscription We enrolled all devices, with group policy, in MDE when we upgraded to the business Installed the Azure AD Connect Users sync Devices sync So, in the Entra portal we have first only the entry for registered, then when we synced the devices we have a second entry with hybrid registered and finally only one entry with Owner, MDM and Settings field filled with correct data; for example, when I make an hybrid join device, initially in the row I see MDE as MDM, then when the hybrid and registered compose one row I see Intune in that field. For the device that give us problems, I see a row like this in Entra portal while in Intune Any help is greatly appreciated.
Q: Restricting access to Business Web Application/Non-Enterprise Application
Hi all, We are in the middle of moving our on-prem infrastructure to Intune and more specifically, building out conditional access policies. All but one of our business applications have been straightforward with the process to limit access unless certain conditions are met from an authentication, device, or location compliance perspective. The one business application we are needing to find a solution for is a web-based application that we do not control outside of user administration and limited-customization. Typically this would be fine if SSO was leveraged, but this web application, unfortunately and not without several conversations with the developers due to the sensitive nature of the data being stored, does not have SSO on their roadmap. Users can access this application from any web browser using their username and password credentials and an application specific 2FA process using SMS code. There is no connection between our MS tenant and this web application. Due to the sensitive nature of the information stored within this application and the availability of this application from any device with a web browser has raised my antenna with security concerns. Especially in the case of a user downloading information from this site on their BYOD mobile device as they would may need to do in the course of their duties, but if they left the organization, we have no way of wiping that data through the removal of the work profile like we do with all other work data through Intune device compliance measures. We can limit what devices are allowed to connect to work resources (Complaint) and access work applications (all but one, and they need to be compliant to do so), but is there a way to not allow the personal profile of any BYOD device that is compliant, from accessing or logging into this specific URL in any browser from the personal profile web browser?
