TENANT LOCKOUT - FAULTY CONDITIONAL ACCESS POLICY
We have been locked out of our tenant for almost 3 weeks now due to a faulty Conditional Access policy. Over this time period, there have been countless conversations with a number of Microsoft support agents & technicians, none of which seemed to…
Intune PIM roles needed to view Log Analytics in Entra ID
What role(s) do I need to have activated in order to view Log Analytics within Entra ID? When I looked into it, I saw that you need Security Admin and Global Reader activated. I have both of these roles, although when I go to Entra ID -> Log…
I want to close my old Hotmail account but I cannot as there is a tenant using that account
I want to close my old (not in use anymore) Hotmail MS account. But while attempting to close it, the system tells me there is a tenant (I do have the Tenant ID) using that account. I do not remember why/when/how I ever set up such a tenant. But if I go…
sign out and sign in to another Azure directory
Hi, I was a freelancer for a client and needed to create an additional directory (with the same email address as my original one). Now I don't work for the client anymore, deleted the directory at myaccount.microsoft.com and still every time I want to…
NPS Extension for Azure MFA failing to generate MFA prompt
Hi, I am trying to set up a new NPS server with the NPS Extension for Azure MFA to control access to an RDS server on-prem. Authentication works fine when not using the NPS Extension. With the NPS Extension enabled, the user does not receive an MFA…
How to Authenticate Scan to email mailbox
Our organization is trying to have all mailboxes set up with MFA. The issue is that we have scan-to-email function set up through a UserMailbox, so if we convert this to a SharedMailbox, users will no longer be able to use it for Scan to Email function.…
Joining a VM to Microsoft Entra ID Tenant
Hello everyone, I recently set up an Entra ID tenant, which currently uses the default .onmicrosoft.com primary domain. For the purpose of this discussion, let’s refer to it as XYZ.onmicrosoft.com. Now, I’d like to join a virtual machine (VM) to this…
How do we find the orphaned managed identities which are not assigned to any Azure service?
From a list of managed identities present in an Azure subscription for my account, how can I identify the managed identities which are created but do not have any roles or resources attached to them? I want to find the list of all the managed identities…
Cannot access Intune and Entra ID portals on iOS device using Edge
Hello, I'm a global admin of my tenant, but I can't seem to access Intune and Entra ID portals using the Edge browser on my iOS device. I haven't encountered any policy or conditional access that could prevent me from accessing these portals. I've…
Why are EAC and On-Prem AD showing different information?
Hi All, We have an issue whereby a user's contact information, specifically their mobile number and job title, isn't syncing properly between On-Prem AD and Exchange Admin Centre. We have removed the user's personal mobile number from AD and…
Correct way to convert 365 tenant from AAD Connect Sync to cloud-only
Hi, about a year ago, one of my customers enabled AAD Connect Sync to synchronize all users and security groups from their existing on-premises Active Directory to a freshly set up Microsoft 365 tenant. This past year all applications and services have…
If you split security into tiers as per RBAC and the same human person needs multiple accounts, does each account consume an Azure licence?
Microsoft recommends splitting on-prem and hybrid assets into tiered access T0, T1 and T2 to facilitate RBAC (role based access control). The principle being that T0 logons are never mixed with T1 logons to minimise any breach. If, therefore, an admin…
I have ASP.NET MVC 5 integrated with Azure Single Sign-On but I'm facing a reply URL error (AADSTS500112)
{"error":"invalid_client","error_description":"AADSTS500112: The reply address 'http://test.edunet.bh/account/testredirect' does not match the reply address 'https://test.edunet.bh/account/testredirect' provided when…
My Sign-Ins: Can't remove old (or compromised) MFA method
So, being new to the Azure world, I tinkered around a bit with MFA, and it struck me that it seems that I can't delete a previously added authenticator app (there are now two registered). https://mysignins.microsoft.com/security-info What if, for…
Azure and Entra ID
Error Entra ID { "sessionId": "cbb209cb23dc4317b80b952cea59fa49", "errors": [ { "errorMessage": "interaction_required: AADSTS16000: User account '{EUII Hidden}' from identity…
Using Cloud Sync with an Exchange Hybrid environment, changes after writeback are not visible.
According to the article about Exchange Writeback using cloud sync: "This scenario is now supported in cloud sync. Cloud sync detects the Exchange on-premises schema attributes and then "writes back" the exchange on-line attributes to…
WHfB "I forgot my PIN" logon option not functional
Hey guys, Just deployed WHfB and have it working well. One thing I noticed is when a user clicks the I forgot my PIN link, nothing happens. Nothing happens after logon as well. Any idea what's going on with this? If it's presented to the end-user, I'd…
Azure Provisioning Log: Understanding "TargetObjectActionDisabled"
Hi there, I'm trying to find out what the following SkipReason means: TargetObjectActionDisabled. The log entry is as follows: Result: Skipped Description: User 'xxx' will be skipped. Skip Reason: The Add operation was not performed because the Add…
How do you use a conditional access policy to block end users' access to Admin Portals while allowing end users to download Office from portal.office.com?
Hi wonderful people, With portal.office.com now classed as an Admin Portal (from support): How do you use a conditional access policy to block end users' access to Admin Portals while allowing end users to download Office from portal.office.com? …
Azure B2C - custom policy ROPC - Set grant_type, scope and client_id as default
I could make an ROPC call to get an access token with username, password, grant_type, scope and client_id as parameters. Is it possible to configure default parameters for grant_type, scope, and client_id in XML when making an ROPC call to obtain an access…