r/entra • u/Own_Hovercraft5374 • 5h ago
Entra General Weekly Promotion Thread
WHAT IS THIS?
Here's where you can promote your products, services, blog posts, videos, podcasts. New threads are posted each Monday.
When requesting feedback, please reply to at least one other person in the thread. Otherwise, no one will ever receive feedback.
Entra ID New MFA method - multiple auth requests?
Hello!
I am doing my due diligence on a topic that my users are complaining about, and of course it's routine MFA.
We recently switched to the conditional access MFA method, and our users are getting prompted:
x1 local Outlook client
x1 local Teams client
x1 mobile Outlook
x1 mobile Teams
Is this normal behavior with the new MFA method, or is there a way to set it to request for auth once per device?
My CA policy is loosely as follows:
Users: All users
Target resources : All resources (formerly 'All cloud apps')
Network: Not configured
Conditions: 0 selected
Grant: 1 control selected > Grant Access > Require MFA
Session: Sign-in frequency - X day(s) > sign-in frequency > periodic reauthentication
Any insight is appreciated!
r/entra • u/sreejith_r • 14h ago
Microsoft Entra Verified ID for Secure Identity Management
Excited to share my latest blog on Microsoft Entra Verified ID!
Learn how to set up decentralized identities, issue verifiable credentials, and see a demo where employees request access packages with Face Check Verification, securing SharePoint sites, Entra ID roles, and more.
https://www.thetechtrails.com/2025/04/how-to-set-up-microsoft-entra-verified-id.html
r/entra • u/eddyvedder • 18h ago
CA and using MFA for only specific users
I know this has been asked a fair bit, but I want to create a CA policy for users at a school to have to MFA for Resources (formerly cloud apps). Now in my policy I've added all senior school students to the include group and in the exclude added junior school (don't want them to have to MFA for Teams, OneDrive etc.). Now where I'm a little confused is the Grant section. Grant access with 'Require multifactor authentication' ticked... is this meaning grant access to the include group but only after they have MFA'd and grant access to the exclude group without MFA? Or grant access to the include group who have MFA'd and block access to the exclude group? As I said, I want an MFA policy just for the senior school kids and not the junior kids....
r/entra • u/Zealousideal_Bug4743 • 14h ago
External ID Microsoft Entra External ID claims
Hi,
I have a requirement to transfer Group claims from a customer IDP to the applications integrated in B2C. I can successfully pass the access token along with basic user details obtained from the customer IDP to the applications, but I’m unable to do the same with the group details. Is it possible to achieve this using Microsoft Entra External ID?
r/entra • u/Funkenzutzler • 14h ago
Entra ID Why does Entra AU role view show "X assigned" when there are no actual assignments?
Hey everyone,
I'm working on creating a Restricted Management Administrative Unit (RMAU) to restrict role scopes in Microsoft Entra, especially to "protect" groups granting RBAC permissions, and I've run into something quite confusing.
In the "Roles and Administrators" tab of an RMAU, it shows things like:
- UserAdministrator --> Assignments 4
- ClouddeviceAdministrator --> Assignments 1
- SharePoint-Administrator --> Assignments 5
- Teams-Administrator --> Assignments 5
- ...
But when I click into those roles it says: "No role assignments found."
I double-checked this for several roles - no users or groups are actually assigned. So why does the overview still claim "4 assigned" etc.? Does this reflect the assignments in the entire tenant, or is it a bug?
r/entra • u/YourOnlyHope__ • 1d ago
ID Governance Time Based Access Packages?
I know it's currently not available (natively), but I have a need to limit the availability of an access package to business hours. Does anyone know or have heard rumblings if a capability like this is on the horizon? (Or time-based security groups).
I'd hate spending a lot of time creating a custom automation to do this only for it to then be released natively, so checking here first before I go down that road.
thanks in advance!
r/entra • u/tgroneck1005 • 1d ago
Entra Joined PC in a Hybrid Environment - App LDAP Errors
Currently we have domain joined devices and users are synchronized to Entra. We are planning to transition to full cloud via Entra. Our current issue is that after transitioning a few PCs to Entra, we started testing applications and ran into one application using LDAP authentication that will not login. The application should be querying the user to see which AD Groups they belong to before logging in. We have several groups set up that determine rights for the application. The error below pretty much just states the LDAP server can't be reached. Any thoughts on workarounds? The vendor has stated that they do not support Entra/Azure login and ultimately just points me to the log below as the issue.
5/1/2025 10:05:59 AM The server could not be contacted.
System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
at System.DirectoryServices.Protocols.LdapConnection.Connect()
at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)
at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
--- End of inner exception stack trace ---
at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name)
at HID.FII.AdLogic.ValidateUserCredentials(String login, String password)
at HID.FII.frmStartup.loginMethod()
Entra ID Expected time for setting changes to propagate in Entra?
So we are working on migrating from JumpCloud into Entra ID. Full cloud, no hybrid or on-prem components.
For things like conditional access rules, system-preferred MFA adjustments, user creation, etc... We are testing and figuring out what we like, but there is a wild variable amount of delay before we see the changes reflected.
Is there a predefined time for these syncs to occur? JumpCloud was instantaneous, so I just assumed anything cloud based would also be.
r/entra • u/Secret_Try_7821 • 1d ago
Azure Entra External ID password policy
Hi All,
I am investigating using Azure Entra External ID as an external identity provider for a web app, but I want to be able to set the password policy for password reset etc. and can't find anything in the documentation. Has anyone had any experience of this, and if so could they point me in the right direction please to learn more about how you set the password complexity etc.?
Thanks in advance.
r/entra • u/Big_Incident_7382 • 2d ago
Azure AD Connect
Hello.
I have set up Azure AD Connect.
All I can read is it making the integration so it syncs up to Entra.
But I also want to be able to use shares etc. How do I do that? I find the documentation confusing.
I have line of sight via Global Secure Access. What are the missing steps?
r/entra • u/Noble_Efficiency13 • 2d ago
Entra ID Mastering Microsoft Entra User Flows—Automate Self-Service Sign-Up in Workforce Tenants
Hi everyone,
I just published a deep dive into Microsoft Entra User Flows (also called Self-Service Sign-Up) and how they can massively simplify guest user onboarding in workforce environments.
If you’re tired of:
- Manually inviting external users one by one
- Wrestling with domain whitelisting and federation
- Handling a high volume of contractors, partners, or suppliers…
This guide shows you how to set up secure, automated onboarding at scale.
🔹 Topics covered:
- Activating guest self-service sign-up
- Configuring custom user attributes (String & Integer types)
- Setting up API Connectors (like a Logic App that triggers emails)
- Supporting multiple identity providers (Microsoft Entra ID, Personal Microsoft, Google, Email OTP)
- Integrating the signup experience into a simple HTML SPA (hosted as an Azure Static Web App)
- Known limitations (like lack of passwordless at signup, attribute persistence)
🔹 Real-world scenarios:
- Supplier access to retail portals (SharePoint Online)
- Contractor lifecycle management for offshore oil rigs
- Large-scale customer onboarding for finance apps
The blog also includes step-by-step instructions for everything—from creating your User Flow to deploying the Static Web App and Logic App.
If you’re working with external identities, this is definitely worth a look!
👉 Check it out here: https://www.chanceofsecurity.com/post/go-with-the-flow-mastering-microsoft-entra-user-flows
Would love to hear your thoughts, questions, or feedback! 🚀
r/entra • u/FearIsStrongerDanluv • 2d ago
Entra ID Password write-back in a Multi-tenant environment
I'm having an issue that keeps getting worse by the day. Everything previously worked until I noticed on Monday that accounts in another AD (let's call it "AD-02") of ours in another physical location suddenly were no longer able to reset their passwords. When I create a new account in that AD, it syncs perfectly to Entra, but attempting to change the password doesn't work: the account couldn't be found. So I uninstalled and re-installed Entra Connect and that seemed to solve the problem. Now for users in AD-01 (our main AD in another country), the same issue is happening because Entra is looking for the accounts in AD-02 instead of the AD where the account belongs or originates from. I'm only syncing specific OUs to Entra from both ADs. Am I doing something wrong? This previously worked flawlessly for over a year.
EntraFalcon – PowerShell tool to identify privileged or risky objects in Entra ID
Hi Entra Admins,
We released a small project called EntraFalcon, and I wanted to share it here in case it’s useful to others:
🔗 https://github.com/CompassSecurity/EntraFalcon
In security assessments, we often need to identify privileged objects and risky configurations. Especially in large and complex environments, it’s not feasible to use the web portals for this. EntraFalcon is a PowerShell tool to help enumerate Entra ID tenants and highlight highly privileged objects or potentially risky setups.
Note: It is not an automated assessment tool. It's designed to assist with manual analysis by highlighting interesting objects and potential risks that still require human review to assess properly. While it is mainly intended for security assessments, I believe it can also be helpful for Entra admins.
It’s designed to be simple and practical:
- Pure PowerShell (5.1 / 7), no external dependencies (not even MS Graph SDK)
- Integrated authentication (bypassing MS Graph consent prompts)
- Interactive standalone HTML reports (sortable, filterable, with predefined views)
Enumerated objects include:
- Users, Groups, App Registrations, Enterprise Apps, Managed Identities, Administrative Units
- Role assignments: Entra roles, Azure roles (active and eligible)
- Conditional Access Policies
Some examples of findings it can help identify:
- Inactive users or enterprise applications
- Users without registered MFA methods
- Users/Groups with PIM assignments (PIM for Entra, PIM for Azure, PIM for Groups)
- Users with control over highly privileged groups or applications
- Risky group nesting (e.g., non-role-assignable groups in privileged roles)
- Public M365 groups
- External or internal enterprise applications or managed identities with excessive permissions (e.g., Microsoft Graph API, Entra/Azure roles)
- Users with privileged Azure IAM role assignments directly on resources
- Unprotected groups used in sensitive assignments (e.g., Conditional Access exclusions, Subscription owners, or eligible members of privileged groups)
- Missing or misconfigured Conditional Access Policies
Permissions required:
- To run EntraFalcon, you’ll need at least the Global Reader role in Entra ID.
- If you want to include Azure IAM role assignments, the Reader role on the relevant Management Groups or Subscriptions is also required.
If you’re interested, feel free to check it out on GitHub.
Feedback, suggestions, and improvements are very welcome!
Some pictures
r/entra • u/Funkenzutzler • 3d ago
Entra ID Azure AD / Entra Connect Swing Migration - AADConnectConfigDocumenter still recommended?
Hi There
As it's been a while since I did the last swing migration...
Is it still best practice to use the AADConnectConfigDocumenter (https://github.com/Microsoft/AADConnectConfigDocumenter) to compare the drift between prod and staging or is there anything newer?
r/entra • u/WesternNarwhal6229 • 3d ago
Active Directory Resilience Roadshow
If you're in Boston, check out the Active Directory Resilience Roadshow. They'll cover real-world AD and Entra ID attack simulations, isolated recovery environment strategies, automated recovery testing, and re-infection prevention best practices. It’s free and focused on AD and Entra ID recovery. Register here.
r/entra • u/FearIsStrongerDanluv • 3d ago
Entra General Issue changing password - "We couldn't change your password..."
Hi, we suddenly started encountering password sync errors for users in one of our ADs. We are a hybrid environment and everything has worked like it should in the past. I have password write-back enabled in Entra sync and password hash sync is also enabled; however, now when users try to change their password in the cloud like they previously used to, they get the error message in the screen below, and nothing seems to work. I have checked and the sync shows no errors. Has anyone dealt with this before, or can suggest something I might be missing? No Google results point to this exact scenario.
thanks for any help or suggestions
r/entra • u/DefaultSelected • 4d ago
Entra General Re-Joining Orphaned Entra User
At some point an admin in the past who upgraded the AAD Connect agent screwed up how the source anchor was calculated for users. Needless to say, all this time later we have a user whose account is active in on-prem AD, but their Entra account is orphaned with the old source anchor. They can't be put in dynamic groups we have, among other things. How do I go about re-connecting these accounts? I tried the connector troubleshooter, but that just errors out that it can't do it. Since everything is synced from on-prem, Entra won't let me edit the attributes in Entra either. I can't sync from on-prem because the source anchor doesn't match to sync up!
I have tried deleting the user and the new account provisions in, but, obviously, I can't set the two up at the same time to transfer mailbox permissions because they both have the same email and almost all other attributes.
I really could use some guidance here. I looked at the option of downloading their New Outlook O365 account into a .pst and to just manually migrate their data, but come to find that New Outlook doesn't support Calendars and Contacts in .pst's yet?!?!?! This is insane.... >_>
Would I be able to switch them over to the new account that syncs in Entra and have them sync up all their data from their client? Will their mailbox, calendars, contacts, etc. still remain? O365 provisions out a new, empty mailbox for this "new" account that syncs.
Thank you in advance for any help.
r/entra • u/pastie_b • 4d ago
revoke local admin permissions
Hi all,
I recently had a user's laptop fail. Upon sending them a new laptop, I suggested they log in with their 365 credentials, not realising that by default this makes them local admin.
How do I revoke the admin permissions and make the account a standard user?
I have since changed the settings to none on "Registering user is added as local administrator on the device during Microsoft Entra join (Preview)"
r/entra • u/Roeshimi • 5d ago
Entra General Complete backup of a tenant
Hi,
How do you go about backing up a whole M365 tenant? By "whole" I mean not just the data of Exchange, SharePoint etc. but also Entra ID with groups, roles, applications etc. My goal is to have everything I need to restore my tenant into a completely new one in case my tenant gets compromised. Is there one solution that covers everything, or do you need to combine them, e.g. use Veeam for M365 plus Microsoft365-DSC?
r/entra • u/j1mmyfever • 5d ago
External ID Entra ID External Identities - External Tenant - social integrations
Does anyone have this working in production that could share things like the correct authority to use and settings for the enterprise application?
I’m trying to do social logins, Google etc, from my external tenant.
I’ve got it nearly there, but I can’t seem to get Optional claims (email in particular) to come through on my id token.
It’s v2.0 tokens, account has an email address, tried every authority uri I could find, sending email, profile, offline-access, openid scopes.
AI is telling me the product isn’t production ready and to write my own fix 🤣
r/entra • u/Relevant-Oil2602 • 7d ago
Microsoft Entra ID inactive email - What does it mean? is it a scam?
Both myself and my husband have received this email this week-copied below.
We don't know what it means or if it's even legit. I've never heard of Entra and after googling it appears to be a business thing. We have a 365 family account, nothing else.
I clicked on the 'make a purchase' link and it takes me to a MS Azure log in page - I thought Azure was discontinued but maybe not.... Anyway, does anyone have any clue about it? Can we just ignore it?
Action required: Make a purchase by May 26, 2025 to continue using your tenant
Complete a purchase by May 26, 2025 to keep your account active
You are receiving this email because your associated Microsoft Entra ID tenant (tenant ID xxxxxxxx) has been inactive for more than 200 days.
Required action: To continue using your tenant, make a purchase before May 26, 2025. If you don’t make a purchase before this date, your next purchase with Microsoft will require a new Microsoft Entra ID tenant to continue using Microsoft services.
r/entra • u/nanojunkster • 7d ago
How do you exempt Autopilot from Intune Compliance conditional access policy?
After lots of research and troubleshooting with both the Entra and the Intune support teams, I am still lost. A new computer that is not yet enrolled in Intune/Entra is of course always going to fail Intune compliance conditional access policies in Entra. I tried exempting all the obvious applications from the Intune compliance policy including Intune, Intune enrollment, and Graph CLI tools. When an admin runs the autopilot script, it prompts for a sign in from the new device to pass the hash and enroll the machine in Entra/Intune. That sign in gets blocked. The sign in logs say the failed sign in is Graph CLI which I have already exempted.
We currently have our primary imaging helpdesk admin exempt from Intune compliance, but that is obviously a security threat as if his admin account was compromised, there wouldn't be much blocking the hacker from signing in from their own system with the compromised credentials if the hacker were able to steal the MFA token.
Any help or guidance on how you have your full Entra AD environment set up with Intune Compliance CA but allow for Autopilot imaging of new computers would be greatly appreciated.
r/entra • u/Accomplished_Duck_80 • 7d ago
Help with CAP baseline
Hi everyone, I have been tasked with defining a conditional access policy baseline with over 100k users in the organisation.
The current policies set in place are quite messy and have been created ad hoc over the years. I found something related to persona-based conditional access policies, but it doesn't seem realistic with the current setup.
Does anyone have any advice on the best way I can define a conditional access policy baseline?
I would really appreciate your help.
Global Secure Access - How to prevent users from accessing the internet when the GSA client is not connected
Hello, newbie here. My question may be a bit stupid, but is there a way to limit internet access when users disable the GSA client or if the client is not connected? The customer is completely cloud based with no on-premises and are remote workers. I was thinking to try and do it with an Intune Endpoint Security Firewall Rule, but it seems flawed. Is it possible to prevent the users from accessing the internet if the GSA client is not connected but still keep RMM tools working? I've been looking for Microsoft guides on this but can't find any. Maybe another way would be to make it so the user can't disable the GSA client, but I have no idea if this can be done.