Entra Private Access - Private DNS
Hello Everyone We are using the trial period of Entra Private access and Entra Internet Access using Global Secure Access client. We recently got the Private DNS feature within Quick Access under Global Secure Access. The moment, we added our on-premise domain suffix to create a line of sight to the DC's, access to other private apps, some of which are actually cloud web apps stopped working. The cloud app web portals won't open, RDP to servers were not working. Intermittently, we could open the portal or RDP to the server, but everything had just died down. After leaving it for more than 8 hours, the issues were still not going away, so we removed the quick access app and disabled private DNS, issue was resolved after that. Any ideas why ? Also, is there a way we could allow our on-premise user accounts to change their passwords when it expires or get those password expired notifications as we did when we used Cisco VPN. We have Azure hybrid-joined machines with GSA running in them, but users don't get password expiry notifications, nor can they change the password on the local Laptop as it can't talk to the DC's. We created an app with Kerberos port 88, LDAP 389 and 464, still password change doesn't work. Users are logging in to the Laptops with cached passwords.
Authenticator not displaying numbers on MacOS
I'm have an issue with MFA on a Mac (all the latest versions). We have conditional access policies in place, so once a day I'm prompted for MFA (I work off-site) and the Office app (e.g. Outlook, Teams) will create the pop-up window that 'should' display a number that I then match on my phone. My phone see's the push notification, but the Mac never creates the numbers in the first place. The pop-up is there, just no number. The workaround is: Answer 'its not me' on the phone On the Mac, select 'I can't use Authenticator right now' Tell the Mac to send a new request This time it creates the number and I can authenticate on the phone. It only appears to happen for the installed Office applications i.e. if I'm accessing applications/admin-centre via the browser, then the pop-up is within the browser and everything works first time. Is this a known issue?Anomalies with Conditional Access Policy "Terms of Use" Failures
Hello Microsoft Community, I'm reaching out with a bit of a puzzle regarding our "Terms of Use" Conditional Access policy, and I'm eager to tap into the collective wisdom here for some insights. In our Entra ID User Sign-In logs, we've identified intermittent "failure" entries associated with the "Terms of Use" Conditional Access policy. Interestingly, even for users who had previously accepted the "Terms of Use". There appears to be no discernible impact, and they continue their tasks without interruption. This observation became apparent during the troubleshooting of unrelated Surface Hub and Edge Sync issues at some client sites. What adds to the complexity of the situation is that for the same users, both before and after these "failure" entries, the Conditional Access policy is marked as "success". Hence, it doesn't seem to be a straightforward case of the policy erroneously detecting non-acceptance of the "Terms of Use". The mystery lies in understanding why these intermittent "failure" entries occur for users who have already accepted the terms, especially when the policy consistently reports "success" for the same users. Furthermore, the Insights for the "Terms of Use" Conditional Access policy show around 1.48k successes and 1.43k failures in the last 90 days, yet there's no discernible impact on user functionality. Observations: "Failure" entries in Sign-In logs don't seem to disrupt users' day-to-day activities. The ratio of successes to failures is balanced, yet users experience no noticeable problems. The issue complicates troubleshooting efforts but doesn't significantly affect the user experience. I'm turning to the community for guidance on interpreting and resolving this discrepancy between "failure" entries in the Conditional Access policy logs and the seemingly unaffected user experience. Any insights into why these failures occur without user impact would be greatly appreciated. For additional context, I've attached screenshots of a user's Sign-In log entry and the insight chart from the Conditional Access policy. Sign-In log of a user (failure): Sign-In log of same user (success): Current Conditional Access insights: Thank you in advance for your time and assistance. I look forward to any guidance or solutions you can provide. Best regards, Leon TüpkerSecure Score - Enable conditional access policies to block legacy authentication.
Hi all, it reports me to block legacy authentications for all users, however I have already done so by configuring conditional access; does anyone else have the same report despite the fact that we have already implemented blocking?
Cloud Kerberos - Failed to read secrets from the domain
Hi all, Apologies if this is the wrong place to post this! I am looking at understanding Cloud Kerberos and the uses behind it, primarily for WHfB for now. Following the guide on the Microsoft page, I get an error when running on the DC Passwordless security key sign-in to on-premises resources - Microsoft Entra ID | Microsoft Learn Set-AzureADKerberosServer : Failed to read secrets from the domain DOMAIN.LOCAL. The lab environment has 2 DCs at different sites but replicate between each other without issue. The process creates an entry in AD but when I run the command below (GA details is an address, just changed for the forum post) Get-AzureADKerberosServer -Domain $domain -UserPrincipalName "GA details" -DomainCredential $domainCred I get the output below... Id : 16451 UserAccount : CN=krbtgt_AzureAD,CN=Users,DC=DOMAIN,DC=LOCAL ComputerAccount : CN=AzureADKerberos,OU=Domain Controllers,DC=DOMAIN,DC=LOCAL DisplayName : krbtgt_16451 DomainDnsName : DOMAIN.LOCAL KeyVersion : 1598799 KeyUpdatedOn : 27/07/2024 06:41:15 KeyUpdatedFrom : PDC.DOMAIN.LOCAL CloudDisplayName : CloudDomainDnsName : CloudId : CloudKeyVersion : CloudKeyUpdatedOn : CloudTrustDisplay : Can you advise why the secrets aren't being found and the cloud information not populated? This is a lab enviroment so if needed, we can get a bit rough with it. Any help would be welcomed. Kind regards Tom
Moving Microsoft 365 authentication to Entra ID Cloud Auth from On-Prem ADFS
Hi Identity Brain Trust, Assuming this would be the right place for my question as I couldn't find any other hub more relevant for this one. We have several applications configured to be authenticated via ADFS. We are looking to move these gradually to Entra ID Cloud auth and decommission ADFS, eventually. I would like to test out how Microsoft 365 can be moved to Cloud Auth from ADFS for a certain group of people. I have tried to use ADFS migration wizard in Entra but 365 app is not showing in the ADFS Application Migration section of Entra ID. I've read this official guide but still couldn't find how this can be manually done when App Migration section won't have the app appearing there. - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/migrate-ad-fs-application-overview Appreciate any of your inputs on this one! Kev
New Blog | Explore the key benefits of Microsoft Entra Private Access
By Ashish Jain The traditional network security models are becoming increasingly ineffective in a world where remote work and cloud services are the norm. Conventional technologies like VPNs, while popular, offer limited protection in a boundary-less landscape, typically granting users excessive network access and posing significant risks. If compromised, these can lead to unauthorized access and potentially lateral movement within corporate networks, exposing sensitive data and resources. Microsoft Entra Private Access is at the forefront of addressing these challenges by effectively integrating identity and network access controls. Read the full post here: Explore the key benefits of Microsoft Entra Private Access
Allow use of One Time Password
Hello, We have setup Passwordless authentication using Conditional Access Policies, which is working great. The question I have is how can I setup the option to allow the use of the one time password (6 digit code in the authenticator) to be used when the mobile device is offline and cannot receive the number matching. For example, the user is in a plane and has purchased the use of WiFi for the laptop, but the phone is offline and want to use the 6 digit code from the authenticator.
Whenever login into the office applications different OTP needs to be applied Outlook and teams
When signing into Office applications, a different OTP is required for both Outlook and Teams. To address this issue, there is any resolution this issue supports or a supporting document as proof to confirm that this is a standard procedure.
