/r/entra
This subreddit is for discussing all things Microsoft Entra including Microsoft Entra ID (formerly known as Azure AD).
We also have discord.entra.news for real-time chat.
Does Entra support delta certification for reviewing changes in access rights and entitlements since the last certification?
I'm trying to set up access reviews in Entra. The goal is to have managers regularly review a list of their employees and weed out those that are no longer with the company but still remain in the system.
I'm trying to achieve this by creating dynamic security groups in Entra, with the dynamic membership rule Direct reports for "object ID".
For some reason, this rule will include the manager themself.
Setting up an access review for that dynamic group, and setting 'Reviewers' to 'Managers of users', will result in the manager's manager receiving an email notification for the Access Review.
Unfortunately, the direct reports rule cannot be combined with any other membership rules – source.
I can get around the issue by simply setting 'Reviewers' to the specific manager instead of using 'Managers of users', so it's not a big issue at all.
I'm just curious about what the reason may be for this behavior. Why does the dynamic rule Dynamic Reports for "Amanda Manager" return all users who report to Amanda Manager and Amanda Manager herself?
Hello, we are doing a global push to get everyone on the Authenticator app. Some users are using the Outlook Authenticator Lite for MFA and we're trying to create a report with those users.
I'm having a heck of a time trying to filter the sign in logs in Entra to find this information. Per this link, https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-authenticator-lite#monitoring-authenticator-lite-usage, I'm seeing that authentication method should be "Microsoft Authenticator (in Outlook)" but not seeing where to filter this out.
Thanks in advance.
Hi there,
We have multiple tenants, and different individuals are administering them from various locations. Does anyone know of a way to generate a daily audit report? For example, a report that details who creates or deletes users and groups, who changes policies, etc.
Thank you!
Identity-based threats are becoming more sophisticated, while insecure passwords still account for a significant part of sign-ins. Add in MFA fatigue for users and admins alike, and you’ve got a dangerous cocktail. So, how do we handle this?
The answer lies in passkeys—phishing-resistant, seamless, and secure authentication methods. My latest blog post explores how Microsoft is leveraging FIDO-based passkeys in Entra to simplify passwordless authentication for organizations.
Read the full guide here: https://chanceofsecurity.com/post/passkeys-101-in-microsoft-authenticator
Highlights:
• Why we need passkeys, including statistical threat data
• How passkeys work and their phishing-resistant benefits
• Step-by-step configurations for Microsoft ecosystems
• The streamlined end-user experience and business benefits
Dive into the blog to learn how passkeys are transforming authentication. If you find it helpful, please share it with your network, leave a comment with your thoughts, or give it a like. Your engagement helps more people discover this content and join the conversation!
It's hard to supervise the mails with 2FA on. Is there a way to access mails without 2FA?
Hello everyone. So we already leverage PIM in our environment to temporarily activate the various admin roles we are eligible for. My boss is curious to dig more into Entitlement Management to assign Azure AD roles to accounts more securely and also utilize attestation and access reviews. How to really address this, and how different is this from PIM? Is this something we can adopt along with PIM and benefit from? I will really appreciate your input on this. Thanks
Hello, hope everyone is doing well. Not sure if my Google skills are not good or if it is not possible: I want to leverage Graph API or existing PowerShell modules to see how the Guest User Settings are configured,
as well as the External Collaboration Settings.
The closest Graph endpoint that I was able to find was the AuthorizationPolicy endpoint, but that doesn't quite show how the Guests and Collaboration Settings are configured, and per Stack Overflow it is mentioned that it leverages internal APIs: https://stackoverflow.com/questions/55625413/how-to-script-external-collaboration-settings-in-azure
So posting here in case anyone knows a way to get these, or whether it is not possible.
Thank you
Hey all,
We are in a closed beta for our product. This is the message I receive when I try to log in to Entra & Microsoft Partner Center - Microsoft says: Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.
We cannot log on to our entra account to reset the subscription method, it just says "This username may be incorrect. Make sure that you typed it correctly. Otherwise, contact your admin."
We need urgent help to fix this. I also was never sent an email stating payment issues or entra account deletion. Please help us!
In Entra ID (ex. Azure AD), as far as I know, there isn't a direct equivalent to the "Logon Hours" feature found in on-premises Active Directory (AD). However, we can achieve similar functionality by using Conditional Access policies.
Logon hours in Active Directory
Conditional Access policies in Entra allow you to define conditions under which users can or cannot access cloud apps. While these policies do not natively support time-based access restrictions, you can use them in combination with other controls to limit access based on various factors, including user risk level, device compliance, and location.
Organizations with an Entra Premium P2 license can also use Privileged Identity Management (PIM) to manage, control, and monitor access within Entra, Azure, and other Microsoft Online Services.
Are there any individuals or organizations that have implemented creative approaches or best practices for time-based access restrictions in Entra ID that they would recommend?
Hi,
We're in the process of implementing passwordless.
I have a custom Authentication Strength set up that has TAP, Phone Sign-in and WHFB. The TAP and Phone Sign-in work fine. However, I'm getting a bit stuck trying to test WHFB as an authentication method when logging into Edge, for example.
I have a test user that has WHFB set up on a device but no Authenticator and no TAP. I'm trying to log in to the Edge browser with the test user and make it ask for WHFB for sign-in; however, it only asks for a password.
Any suggestions if you think I'm missing something or set something up incorrectly that would be amazing.
Thanks!
When setting up SSO in Entra ID it’s possible to add extra claims to the jwt in the attribute mapping like country, city, phone number etc. however, for timezone this doesn’t seem to be possible. Am I missing something or is it really not possible to setup timezone in the attribute mapping?
Hello everyone,
We have been using Microsoft GSA Private Access for several months. Initially, everything worked perfectly until one day the connection dropped. In the Advanced Diagnostics, all points are green except for Tunneling Succeeded Private Access. Restarting the clients does not solve the issue. If the GSA Agent is uninstalled and reinstalled, everything works as expected until the next reboot.
Has anyone experienced this problem and possibly found a solution? Nothing has been changed on our systems. We have the latest versions installed, and licenses for Entra Private Access are also available and activated.
Thanks a lot for helping!
Tim
Hi All,
It's been a number of years since I've federated a domain with Entra; I'm flipping this back on in a home environment to complete some testing. Would appreciate some troubleshooting thoughts.
What from memory was a quick task, I've spent waaaaay too long on today. I've rebuilt the environment a number of times with the same outcome.
I can hit https://adfs.domain.com/adfs/ls/idpinitiatedsignon.aspx and authenticate with UPN internally/externally.
I can hit https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml internally/externally.
I also set up IAMShowcase to test (SAML 2.0 Test Service Provider) and published the app via the WAP; it worked fine for SP- and IdP-initiated flows.
Interestingly enough, I am thrown the following error from the ADFS redirection with M365 authentication:
Error details: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.
This raises an error on the ADFS server, event ID 364. I've rebuilt a few times and haven't been able to find much in troubleshooting. Would love to hear if someone else has seen something similar.
Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Get-MgFederatedDomainFederationConfiguration -Identity Domain.com
ActiveSignInUri : https://adfs.domain/adfs/services/trust/2005/usernamemixed
IssuerUri : http://domain/adfs/services/trust/
MetadataExchangeUri : https://adfs.domain/adfs/services/trust/mex
PassiveSignInUri : https://adfs.domain/adfs/ls/
PreferredAuthenticationProtocol : wsFed
SignOutUri : https://adfs.domain/adfs/ls/
Greetings, I come in peace. I was just wondering if it is possible to transform multivalued attributes, concatenated into a single value with e.g. a comma as delimiter? Any kind soul to enlighten me on how to approach this?
Current SAML response:
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<AttributeValue>Group1</AttributeValue>
<AttributeValue>Group2</AttributeValue>
<AttributeValue>Group3</AttributeValue>
</Attribute>
Desired SAML response:
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<AttributeValue>Group1,Group2,Group3</AttributeValue>
</Attribute>
Do I need to create a custom claim? Purpose is to provide my application a list of strings for user's group membership. Thanks in advance!
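An added example, not from the post: app-side parsing of the multi-valued SAML groups attribute shown above into a Python list, plus the comma-joined form the poster is asking for and its inverse. The sample XML is constructed from the post's "Current SAML response" and wrapped in the SAML 2.0 assertion namespace so it parses as a real AttributeStatement.

```python
"""Parse a multi-valued SAML Attribute into a list and show the
comma-joined form.  Added example; the XML below is constructed from
the post's snippet, not captured from a real tenant."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: the post's multi-valued groups attribute, wrapped
# in an AttributeStatement with the SAML 2.0 assertion namespace.
SAMPLE_ATTRIBUTE_STATEMENT = f"""
<AttributeStatement xmlns="{SAML_NS}">
  <Attribute Name="{GROUPS_CLAIM}">
    <AttributeValue>Group1</AttributeValue>
    <AttributeValue>Group2</AttributeValue>
    <AttributeValue>Group3</AttributeValue>
  </Attribute>
</AttributeStatement>
"""


def attribute_values(statement_xml: str, claim_name: str) -> list[str]:
    """Return every AttributeValue of the named attribute, in document order.
    A missing attribute yields an empty list rather than raising, so the
    caller can treat 'no groups' the same as an absent claim."""
    root = ET.fromstring(statement_xml)
    ns = {"saml": SAML_NS}
    values: list[str] = []
    for attr in root.findall("saml:Attribute", ns):
        if attr.get("Name") != claim_name:
            continue
        for val in attr.findall("saml:AttributeValue", ns):
            text = (val.text or "").strip()
            if text:
                values.append(text)
    return values


def join_values(values: list[str], delimiter: str = ",") -> str:
    """Build the single-valued form the post asks for.  Caveat: a group
    name containing the delimiter makes the joined string ambiguous;
    joining group object IDs (GUIDs) instead of display names avoids that."""
    return delimiter.join(values)


def split_values(joined: str, delimiter: str = ",") -> list[str]:
    """Inverse of join_values; tolerates stray whitespace and empty entries."""
    return [v.strip() for v in joined.split(delimiter) if v.strip()]


if __name__ == "__main__":
    groups = attribute_values(SAMPLE_ATTRIBUTE_STATEMENT, GROUPS_CLAIM)
    print(groups)               # ['Group1', 'Group2', 'Group3']
    print(join_values(groups))  # Group1,Group2,Group3
```

If the application can consume the multi-valued attribute directly, attribute_values already gives it the list of strings without any claim transformation on the Entra side.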
I have been tasked with setting up AWS Workspaces in non-persistent mode with EntraID. I know how to make workspace join to an on-prem ad, but I'm a little lost on getting it to join (and clean up) from entraid.
Any white papers you can point me to?
Hi Team, I am investigating if blocking overseas logons will be a severe impact on our users. I have created a conditional access policy in report only mode that blocks all overseas logons. I can view the report through the Insights and reporting tab.
I was wondering, is there a way to have a report of the number of failed logons due to this rule emailed through every 24 hours?
Thanks
I have my on premise AD DS, where I have all of my users. I had also created Office 365 accounts for each of them, meaning when I go to the Microsoft Entra admin panel, I see my available users there too.
In order to explore whether we could move to OneDrive and work there instead of this classic server-client model, I needed Conditional Access for security reasons, so I was about to sync my users from my on-premises AD to my Azure AD, which is now Microsoft Entra. I downloaded the agent, installed it on my server computer, then proceeded to make the necessary configuration in my Entra admin page.
First I tried to test it on a dummy user, and then I found out that a duplicate account of that dummy user was created in Entra(ultimately Office 365), instead of being synced to his already existing account in Entra(ultimately Office 365). So, it seems that if I proceed with all user, I would be making duplicate accounts for all users in Entra(ultimately Office 365). I don't want that.
Is there not a way to sync my on premise users with my already existing users in Entra(ultimately Office 365)??
How to resolve this issue?
Hi,
How do you use remote management tools on entra id joined devices? Do you even still use them or have other tools to manage these?
With our hybrid-joined devices we used remote mmc.exe a lot to check the registry, Computer Management, Event Viewer and other stuff like the admin share (\\computername\c$). We used them so that the user can work without interruption from IT. I know I could use Remote Desktop or our tools to see the screen of the user, but then the user would notice and be interrupted.
I could not find a solution to use Microsoft Entra authentication for the admin share or mmc.exe.
What ways are you guys using?
Hi Entra Admins/Engineers/Researchers...,
I’ve just released a side project—a PowerShell module called EntraTokenAid. While it’s primarily designed with pentesters in mind, I think it could also be useful for Entra admins and researchers working with Azure/ Entra.
https://github.com/zh54321/EntraTokenAid
What does it do?
Why I built it:
While there are tools like AzureCLI, they aren’t always feasible to install on customer systems or specific environments. EntraTokenAid is lightweight, pure PowerShell, and portable.
Feel free to use, give feedback or ignore :-)
Impressions:
Performing an authentication and showing the gathered tokens and other useful information:
Using the obtained tokens to get tokens for another API (e.g. ARM)
TLDR:
PowerShell tool to get access and refresh tokens of MS APIs like MS Graph / ARM.
Hi,
I am tasked to migrate Legacy MFA Trusted IPs to Conditional Access Location (Network) conditional policies.
Basically, I would like to know about a (temporary) coexistence when Trusted IPs and CA Network policies are both active.
Q: Can I 'just' copy the Legacy MFA Trusted IPs in a CA Network policy and delete the Legacy MFA Trusted IPs?
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#trusted-ips
- 'The trusted IPs feature requires Microsoft Entra ID P1 edition.'
Never knew this required P1 :)
- 'Note: If both per-user MFA and Conditional Access policies are configured in the tenant, you need to add trusted IPs to the Conditional Access policy and update the MFA service settings.'
Confused about this note: does this say to include the Trusted IPs as IP addresses, or like the below (list of locations) in the CA policy, and what to update in the MFA service settings?
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network#multifactor-authentication-trusted-ips
'If you have these trusted IPs configured, they show up as MFA Trusted IPs in the list of locations for the location condition.'
We have a user in active directory that is configured with a ".com" UPN. When this user is synced with 365 through Entra Connect, 365 is seeing ".onmicrosoft.com." We noticed in the Entra admin center that the user has on-premises sync disabled, but don't know how to enable it. Any help is very much appreciated!
Hello,
A customer recently went through a merger and there are 3 different tenants. I configured using multitenant collaboration in admin > Settings > Org settings.
The issue I am having is that users are needing to switch tenants to see messages and meetings from other tenants.
I believe there are different flavors of the collaboration, am I just using the wrong one?
Are you ready to level up your organization's access management while staying compliant with Zero Trust principles? 🌟
In today's rapidly evolving threat landscape, managing access permissions isn't just a task—it's a necessity. My latest blog post dives deep into the transformative capabilities of Microsoft Entra Access Reviews. This feature ensures users and roles have the exact access they need—no more, no less. Whether you're dealing with external collaborators, privileged roles, or dynamic access groups, Access Reviews provide an automated, data-driven solution.
From reducing risks and aligning with compliance requirements to helping implement "least privilege" access, Access Reviews are a must-know feature for any organization embracing modern identity governance.
🔗 Check out the blog post here: Microsoft Entra Identity Governance Feature Showcase: Access Reviews
Highlights from the blog post:
✨ Why use Access Reviews?
✨ Step-by-step configurations for:
✨ Features to love:
💡 Discover how Microsoft Entra Access Reviews can transform access management and reduce risks. If you find this helpful, give it a like and share your thoughts or questions below! 🔐
So I have a requirement for our external users invited to our Entra ID tenant to use only OTP for authentication to our enterprise application.
I have disabled all federation including Entra ID, leaving only email OTP as the only redemption option under Fallback domain. This is done on the Default Inbound Settings configuration page under Cross Tenant.
It works mostly, except I noticed there are some external users who are on Entra ID who fail to log in to our application with the AADSTS50020 error. The users who are not using Entra ID have no issues logging into our application.
There's a workaround by requesting them to use Incognito/Private mode on their browser and they will get the OTP prompt page instead of using their existing login cookie to login to our application.
So I'm wondering now how to avoid this issue for our external users who are on their own Entra ID tenant aside from using Incognito/Private mode on their browser.
We're using Single Tenant application in our entra id and inviting these users as Guests.
Does anyone here have any ideas that can be done in this situation?
So after weeks of troubleshooting a problem whereby when I logged into my office computer (w11 domain joined Desktop), whenever I was required to provide MFA it would ask for a USB device.
After considerable troubleshooting, I opened a case with MS support.
They did some testing and told me that in order to use Passkeys stored in my MS Authenticator app, the desktop requires Bluetooth. They can't tell me why.
I also can't understand why, when I login from my desktop at home, to my desktop at the office, via RDP, Passkey MFA works fine to my mobile phone, but logged in locally I am requested for a USB device.
Is there someone here who can explain to me the role of Bluetooth in passkey via MS Authenticator, when number matching doesn't require it? Is there a specific 'type' of bluetooth device that is required? Do I need to ensure the device is 'paired' to the desktop via Bluetooth first? How is this even a requirement and how do enterprises make this work? Surely they aren't all using notebooks now or adding Bluetooth to their desktops?
I am struggling to understand the role of Bluetooth in the transaction.
So, to resolve a different issue I ended up opening a case with MS.
48 hours ago we had per user MFA set to enforced for all our 'real' accounts and security defaults on.
We turned off security defaults, which installed 4 default Conditional Access Policies.
During that call, they migrated our authentication policies to the new version as it's required to be done at some point anyway.
After all of that, we had a user who needed to reset their MFA. They were asked to enroll a mobile number and an App Password. We have never been asked for an App Password when setting up MFA before; in fact, I don't even understand how MFA could be an App Password.
I reopened the case to query the new thing we had never seen before, but I was unable to get the tech to explain to me why the App Password was required.
He has told me that after migrating to the new policies, if per-user MFA is set to 'enforced' (which it was), an App Password is required.
App Passwords have never been one of our authentication methods. How/why did it become one, and given it's legacy, how can it still be an option?
I am not sure the best way to learn this stuff. I ended up in some trouble because of this unintended consequence. I am not sure how I am supposed to know this could happen?
TIA
Can anyone offer any suggestions on how I can get some additional information as to why I am receiving this error when attempting to configure an Enterprise Application to use on-premises Entra Application proxy?
I was initially having issues getting App Proxy to work at all, and I eventually found a link to an App Proxy FAQ that stated you need to use your original .onmicrosoft.com domain with App Proxy. It just so happens that I was using a different .onmicrosoft.com as my fallback from the one I initially set up with the tenant. So I changed it back to the original, but now I get this error whenever I try to create an App Proxy URL in an Enterprise app. And actually I get the error now regardless of the .onmicrosoft.com domain I'm using as my fallback.
I was just curious if there were some additional methods of debugging this. I'm not seeing anything obvious in the Event logs on the machines hosting the connectors, and there isn't anything revealing (to me) in the Entra audit logs.
I had enabled email archiving for a lot of users. One of the users came back with an issue: not being able to see his emails, and also asking why his mailbox size is smaller now. Is there a way to disable archiving for a particular user and restore all the emails back to how it was? I know we can access emails from the archive, but the user is adamant on reverting the changes. Any help is greatly appreciated.
Hello everyone,
Been working through an enterprise app config; everything in general is fine.
The app is KnowBe4, and I am using the Provisioning for it.
Since yesterday, it seems a 50/50 chance that when I go to review the Provisioning config, it shows the config vs. just showing as if nothing was ever configured.
Anyone else experiencing this issue currently?
I put a ticket into MS, but will probably take a week for them to get back to me and then spend another week re-explaining things I already have, and then another week for them to deflect and claim there is nothing wrong.
I can log out, back in, fresh 100 times, try on another system / browser, same results, so that tells me it is either an MS back-end issue of some sort, or could it be the KnowBe4 Enterprise App?
When it doesn't load:
When it does load -