Have an issue here I'm beating my head against the wall about. I'm standing up a greenfield 365 tenant and the org's requirement is to enforce that all users are VPN'd or on-site in order to access 365 resources.

I set up a simple CA block policy that excludes the IP range of the offices while including/blocking everyone else and it works fine when in the office. However testing opening Outlook over VPN and it would seem Entra flags the connection as blocked because it sees two different IPs somehow. The IP address: <Office WAN IP> and then IP address from app: <IP of my local network gateway>. I have tried rebooting the test machine etc but it continues to somehow pickup my network gateway IP as the "IP address (seen by resource)" when looking at it in the Entra Sign-in logs which is why it blocks it. In the allowed browser traffic, it doesn't show this information at all. I understand Outlook uses a different type of authentication than browsers(i.e. Modern Auth).

To be clear, there's NO split tunneling going on here. It's 100% all traffic going over the VPN. I ran wireshark and triple verified no traffic was leaking out over my WAN while VPN'd and running through the entire process. So how the heck does it keep pulling this IP address for an attempted Outlook client(classic btw) auth for Conditional Access? How is this factored by Entra?

edit: This also gets blocked when signing into the account via Word for OneDrive access etc so it's clearly an office client issue.

Does anyone have any insight on what's happening here? I even tried revoking all sessions thinking maybe that would reset someting. No change. TIA if anyone has somesuggetions here!

For the past week, I have received risky sign-ins from a 24 block, 216.79.19.0/24. It's an ATT mobile subnet and it's linked to a different state than mine. It's been across multiple users. At first, I was terrified it was a bad actor but I confirmed two users were using Outlook via mobile. The logs for the IP address don't show anything useful. Just curious if anyone else has seen risks on this subnet

Hello Guys,

I need a small clue what's gone wrong because I have no idea. I have the following setup

Server 2022 DC Server 2022 RD Broker + AD Connect Server 2022 RDS

I have enabled Kerberos Cloud Trust.

All of my clients are native AADJ Devices and local Kerberos Authentication is working perfectly fine. If I access a local SMB Share for example the Kerberos ticket will be delivered by the DC and I can see the ticket using klist.

If I enable Remote Credential Guard for seamless RDP Login to the RDS Server the login to the server via Kerberos is perfectly fine. I can see the ticket issued by the Host on the RDS Server using klist.

Now the story changes. As soon as the RDS Server needs a new ticket, by the design the client has to do the heavy lifting but nothing happens all Authentication attempts fail. I cant see any new Kerberos Ticket except the very first one for the login.

If i do a klist purge on the RDS host a fallback to NTLM will happen and everything is working fine expect of services who relays on Kerberos.

If I try the same thing from an AD Joined Device the Kerberos relaying is working fine.

Thank you for every clue 🧩

Hey there!
I hope someone can help me with this. it might not matter, but I'm looking for some input here.

I've installed GSA at a customer, which is working well, and they are happy with the solution.

However, I can see in the logs, it is still activated while they are within the company's internal network.

I can really seem to find any options that stops this behavior. in Fortinet ZTNA, the client pings the domain controllers for example, or an internal IP address. and the ZTNA is de-activated. But I can't find anywhere that GSA would do this.

Edit: I'll try to clarify that we've already discussed with the client that they cannot and shouldn't just hide activity logs. But we could maybe restrict the users that have access to that information. That's more the key question here I think.

Hi,

We're having a requirement to hide the activity of the audit/compliance team. That means that they want to hide the eDiscovery logs and logs displaying their activity in purview, also hiding the logs showing the activity related to exports they might do related to mails from Outlook, chats from Teams, activity in SharePoint and OneDrive.

So far what we've thought is drastically reducing the amount of users with privileged roles (admins and readers) because they can read on eDiscovery and several of those admins could grant the permissions in Purview to see the logs of activity.

The requirement is a little bit absurd, but we're trying to find a solution or a workaround for it.

Hey everyone,

So we are in the middle of starting the testing of migrating from g workspace to M365. We also currently use Okta and are contractually obligated with them through the end of 2026. During testing, we are using one of our other registered domains. I have inputed my okta/gworkspace email as another email in my profile. I am trying to pass that value through to okta, but cant seem to get the right attribute nor find the right syntax to setup a custom attribute in okta mappngs to push through. Anyone have any advice on how to get this to pass through?

I'm starting down the road of enabling PIM in our environment and my first goal is to use this to trim Global Admins, but the above option has left me with some questions. On the GA role, this is on by default. If I currently have two GA's that were assigned the role via the check box in M365 Users and I uncheck the box for this role in PIM, will it impact their previous assignment?

Thanks!

Just installed GSA to test and I'm finding all internal traffic to FQDNs is being blocked by Windows Firewall but accessing the same resource via IP is OK.

For instance, can't RDP to a server if I use its name - eventvwr Security log shows:

Application Name: \device\harddiskvolume4\windows\system32\mstsc.exe
Network Information:
Direction: Outbound
Source Address: [10.22.56.21]
Source Port: 50782
Destination Address: [192.168.2.2]
Destination Port: 3389
Protocol: 6

Application Name: \device\harddiskvolume4\windows\system32\mstsc.exe
Network Information:
Direction: Outbound
Source Address: [10.22.66.21]
Source Port: 50782
Destination Address: [6.6.1.209]
Destination Port: 3389
Protocol: 6

I can *RDP* using IP

Same for accessing web-based consoles on internal servers and also accessing file shares. All accessible via IP, but Defender Firewall blocks if I use FQDN.

When I disable the GSA Client I can access resources OK via FQDN also.

Wondering if anyone else has experienced the same?

I'm sure this is possible but wanted to sanity check.

We have a default policy to exclude all logins from outside the US. We want to add exceptions on a county by country and user by user basis by do so using Group Membership.

As an example: We want it so if the user logs in from Canada then by default they are blocked but if they are in the group "CA Bypass - Canada" they are allowed. We have approximately 15 countries we'd like to apply this for so creating individual policies for each country while having a default "block" policy doesn't seem feasible.

Any suggestions?

So, can anyone detail, explicitly, what privileges are provided via the Global Administrator role to administrators in the Entra/Azure/M365 portals that other privileged roles do NOT provide?

Currently going through a tug of war with the IT departments in my organization on who needs what. And, I have not seen this documented clearly in the Microsoft KB's (at least, the ones I have been able to find).

We are trying to access the Devolutions Remote Desktop Manager server via Global Secure Access. We have defined port 1433 and configured it on the server. However, access with RDM or with SQL Management Studio does not work.

In the diagnosis/test function of GSA, the traffic is recognized as a rule

Has anyone had any experience with this?

Is it possible to block specific apps from accessing the enterprise network through conditional access without the use of intune? Using NinjaOne as an mdm so was hoping to be able to figure something out using NinjaOne and conditional access

I'm working on building an email client that will use the Outlook mail API and I'm a bit lost with the verification process. I've done the process for the Gmail API, and would like to understand exactly what to expect from Microsoft’s process before getting started.

If anyone has experience with this or can guide me on what to expect, potential cost, etc, I'd greatly appreciate your insights!

One of our Conditional access policies it to block access to our tenant when accessing from a non corporate device (entra joined) this is working as expected, users cant sign in to their m365 account from a personal pc etc. but we have just noticed this also applies when attempting to login from an incognito tab in edge.

Does anyone have any workarounds for this ? i want to continue to not allow this, but we do require using incognito tabs from time to time and signing in with our 365 accounts.

export of Policy:

https://preview.redd.it/2unevdbftmxd1.png?width=331&format=png&auto=webp&s=acebd601a2db1aad088d217f79963a6ad93d7d85

https://preview.redd.it/bht7pcehtmxd1.png?width=1394&format=png&auto=webp&s=78483a0aae7dcb9ce117ba89ae8eb5142f383c5e

https://preview.redd.it/ah7hnfeitmxd1.png?width=1394&format=png&auto=webp&s=7f7ae94bb1e6a98652d83af7f40bd13aa6ab143e

https://preview.redd.it/l2cqcg8jtmxd1.png?width=1436&format=png&auto=webp&s=54f41a17ceb169cc8bb89e4be0ee4d9443bbb30c

https://preview.redd.it/yzeckh8ktmxd1.png?width=298&format=png&auto=webp&s=9d5cfd61f0aaacba50dcb1bbc21572140daaab92

I have a user who has two devices (iphone and laptop). Both are registered in Entra but show NO UPN/blank. So if I look up his user account in Entra and select devices on left, nothing shows up.

That said, both are registered in Intune to him properly.

Any way I can fix the UPN on the device registrations?

Hello,

We have a bunch of external users (as in, adresses on an external domain, but invited as members to our Entra) and I wanted to give them access to an MS Forms thing that streamlines a process (sendind an answer triggers a Power Automate that modifies a non-critical entry into Business Central) but discovered that a Form is either completely public and accessible to anyone anonymously or limited to internal users on our domain only, nothing in between.

So, we thought about having the users use one of the many shared email adresses on our domain that are related to the business operation they are in but I'm not sure on how to handle the credentials. I can log their workstations (it's a shop situation, no one needs remote access from a laptop) to the address for them to access the form but what if one of them decides to change the password ? Can I prevent them from doing that ?

Are there other way I can go about this that makes more sense ?

Thank you.

I'm trying to figure out who can create m365 groups. I know everybody from IT can, but I can't seem to see how they are able too... When I go to Group Settings in Entra, I can see that Microsoft 365 group creation as well as security group creation is turned off. This was all setup by a colleague who has now left he company...

I have found that you can give certain groups the right to create M365 groups with powershell. I've ran a powershell script to find if there are any groups in our tenant who can create M365 groups, but the script returns no results.

Is there any other way to find out which users can create M365 groups?

Script I used to look for groups that are allowed to create M365 groups

# Import only the necessary Microsoft Graph module for groups
Import-Module Microsoft.Graph.Groups

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Group.Read.All"

# Query all groups and filter for those with EnableGroupCreation set to true
$groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified') and securityEnabled eq false" -Property EnableGroupCreation,DisplayName

# Filter groups with EnableGroupCreation enabled (if that property exists for your tenant)
$enabledGroups = $groups | Where-Object { $_.EnableGroupCreation -eq $true }

# Display the groups
if ($enabledGroups) {
    Write-Output "Groups with EnableGroupCreation set to True:"
    foreach ($group in $enabledGroups) {
        Write-Output "Name: $($group.DisplayName)"
    }
} else {
    Write-Output "No groups with EnableGroupCreation set to True were found."
}

# Disconnect from Microsoft Graph
Disconnect-MgGraph

Hi r/entra!

I’ve just released a new blog post in my Conditional Access Series, this time diving into policies focusing on, insider risk, user & sign-in risk, as well as a few device based policies.

This post is the penultimate post in the series aiming to help navigate one of our strongest tools in the IAM toolkits, providing actionable, importable policies.

Highlights:

📋 Practical Conditional Access policies to enhance security

🌐 Real-world applications and examples

🔍 Insights into current cybersecurity threats and trends

I’d love to hear your feedback and any thoughts you might have.

Check it out here: The Conditional Access Games: Surviving the Risk-Based Policy Trials

I want to setup a fully cloud only Entra based environment for my home lab, mainly to get an understanding of what is required and what that this type of setup entails. I’m looking for any guides that might be useful, I want to build the “ideal” cloud only environment; fully ground up and I’ve got all the time I need, if there’s a one stop guide that’d be awesome. I’d also love to give the Zero Trust setup a try in this endeavor so if anyone has a guide that includes that, or any suggestions on where to add that step, that’s a plus.

If there are no one stop guides, then any help putting together a list of steps would be greatly appreciated even a checklist of everything that should be setup or looked at would be great. Heck if there’s anyone who does this for a living that has their own “ideal scenario” list I’d love to take a look at what you think would be the best way to build a tenant from the ground up with no timeline holding you back.

I’m gathering a list of Microsoft docs that involve all of this but as I mentioned above I want to try and do this in the most ideal way possible which to me would mean building this out in a way where I’m not building one thing only to realize I need something else working first.

Hope this all makes sense and any suggestions are much appreciated.

So i have a very weird issue right now with Entra ID connecting to my SAP - so the raw facts are - i have two domains - the first domain lets call it blob is AAD Connected and has Active sync with SSO - the second domain lets call it Rex is in the same domain forest and they have a trust. SAP is running on a server within the Rex domain - and up until now sap used the local ad accounts from Blob domain and accessing the fileshare where sap saved all the data worked fine. But after i switch to entra Id as authentication method sap is now not able to access the fileshare that is on the SAP server. im guessing it cannot authenticate because the server itself does not know the entra id user is actually the same as the ad user from blob domain. am i missing something and what options do i have from here - do i join the sap server from rex to entra? or is there any other way - Thanks!

On a lot of our company PCs, we have two identical Entra ID accounts which are causing a conflict and giving users lots of error messages related to "Verifying their account" or "Work or School Account Sign-In". Does anyone know how to remove just one of these without removing the other? Of course, doing it through the actual settings page would remove the Windows profile and require local sign-in. I'm looking for a more creative way like Powershell or Registry. Thanks!

Apologies for having to black out the emails for privacy concerns, you can trust me when I say they are all the same email address

https://preview.redd.it/gjz2k4vi3xwd1.png?width=1080&format=png&auto=webp&s=985ad6f68f1760db71239ce7b97338708790dd59

Recently I've come across a very weird issue within Intune and Entra ID. We use Enterprise Mobility + Security E3 for all users that will be enrolling devices to Intune. Our organizations devices setting within Entra is set to Allow all users to register devices, and have up to 50 devices per user.

During initial setup for their IOS profiles, I used a test account with Microsoft Business standard license and Enterprise Mobility + Security E3. I was able to enroll the iPhone to Intune, and register the device by logging into the company portal app with no issues.

However, now that testing is complete, I started working with some of the management team to get their devices setup. Our first test user has enrolled the phone successfully to Intune, but when they login to company portal, the device does not register to their Entra account. I have verified they have the Microsoft Business standard license and Enterprise Mobility + Security E3. I even had them test using a personal device, and this is not registering to their profile either.

I am at a complete loss. It is important we get device registration working as we are wishing to use Conditional access to restrict non-registered devices from accessing O365 applications. Any help or guidance is greatly appreciated.

Hi Guys,

I am having a play around with GSA/Entra Private Access as some recent Windows updates has started to randomly break Direct Access connectivity on a few of our laptops.

I have Entra setup, GSA installed on my laptop, appropriate permissions and licences etc and I don't seem to be able to reconnect my existing mapped drives when connected via GSA and a mobile hotspot. My drives get mapped via GP when connected to the Domain i.e. P: drive is mapped via \\server\data1 and M drive via \\server\data2. When connected via GSA I can manually browse to \\server.domain.local\data1 and \\server.domain.local\data2 fine (I can even map them as drives Y and Z and they reconnect fine on a reboot), but my existing mapped drives never reconnect, just give me the unable to be restored message when I click on them.

I followed/watched John Saville's Youtube Guide and Deep Dive, my config pretty much matches his, although I am unable to resolve internally via powershell when connected:. resolve-dnsname server returns an error but resolve-dnsname server.domain.local comes back with a 6.x.x.x IP adddress

Any tips are appreciated ;)

Hi,

I'm trying to work out how we can notify our support desk that Microsoft has detected a risky user and which user it is without assigning roles. Home -> Protection -> Risky Activities.

I've set up an email address so that they get the notification that there has been risky activity but if they click the link they are unable to view the page in Entra ID so have to rely on the Security team.

I did start looking at using Defender to capture the incidents but as the Support Desk don't have the necasary permission to risky users, they can't see the incidents.

We also use Crowdstrike so we want the team to investigate the incident initially using this.

Does anyone have any ideas how we can get round this?

Thanks for reading.

Rocket

Hello,

• I'd like to accomplish the following in my hybrid environment:
  • For PCs that are joined to my local AD (which is Entra AD syncing), I'd like to deploy a GPO that will auto-join them to Entra AD (hybrid style)
  • How I want it to look:
    • When a user logs into the PC which is only joined to the local AD, I want it to then auto-join the Entra AD (hybrid style) without the user being a local admin and also join the Intune MDM.
    • I want this to be the end result when opening Access Work or School:

https://preview.redd.it/cd4x5098frwd1.jpg?width=824&format=pjpg&auto=webp&s=c8fe20994dd93c59618e88ac17b4e4f206b65661

I need to move users who have more than 50gb of mailbox to business premium and will be assigning exchange online plan 2 for the mailbox space required, will they loose any data when I remove e3, assign business premium and exchange online?

Or what's the best way to approach this ?

If we wanted to leverage Conditional Access Policies to restrict logins from certain countries for instance, do all users need Business Premium or will one suffice? All users currently have Business Standard. Thank you!

Hi,

I'm syncing the AD security groups to EntraID for a while now.

The org I work now was managed by an MSP, and it changed names 3 times already.

I have in the system SG from every naming convention possible, and of course when I moved the file server to SP I recreated the permissions as cloud SG.

I wonder if there is a way to control the damage of deleting the old AD SG by running a PS script that would list for each AD SG where it's being used in the M365 tenant.

My Google skills were very poor today trying to get this info right, I'm sorry.

Thank you.

https://preview.redd.it/eamnhl443gwd1.png?width=576&format=png&auto=webp&s=7d2b9719dba1c41b5a965533cb4a1eb45e68438e

I've been wanting to experiment with a CA policy that limits users to sign in using a security key (yubikey in this case) only. I could swear that when I've previously configured Authentication strengths there was an option to select security keys as either passwordless or phishing resistant option (can't recall exactly what Entra classified it as at the time)

Has MS now fully replaced this option with their push for passkeys even though the support for it is currently still in preview, or have I failed to setup the necessary requirements to enable it?