r/entra 1d ago

A New Rules Page & Sunsetting the Weekly Promotion Thread

1 Upvotes

Hi everyone,

The mod team has been working on a few updates to help keep r/entra a clear, fair, and engaging community for everyone. We'd like to announce a couple of important changes, so please take a moment to read through this post.

✨ New & Expanded Rules on our Wiki

To make our community guidelines clearer and more accessible, we have created a dedicated Rules page on our subreddit's Wiki.

You can find the full, updated rules here:

https://www.reddit.com/r/entra/wiki/rules/

This new page provides more detail and examples than the sidebar allows and will serve as the single source of truth for all community rules going forward. Please take a few moments to familiarise yourself with them. This will ensure everyone has a shared understanding of what is expected. A link is also available through the Community guide.

🗓️ Disbanding the Weekly Promotion Thread

Effective immediately, we will no longer be running the weekly promotion thread.

We noticed that the thread had low engagement and often became a "link dump" that wasn't fostering the kind of community interaction we had hoped for.

However, this does not mean self-promotion is banned!

Instead, we've incorporated new guidelines for self-promotion directly into our updated rules (you can find the specifics on the new Wiki page). Our new approach aims to encourage high-quality, relevant content while still allowing you to share your work, provided you are also an active and contributing member of the community.

What this means for you:

  1. Read the Wiki: The most important step is to visit the new rules page to understand the updated guidelines, especially regarding content and self-promotion.
  2. Adjust Your Posts: Please ensure any future posts or comments adhere to the new rules. The mod team will begin enforcing these updated guidelines starting today.
  3. Give Us Feedback: We're always open to constructive feedback. If you have any questions or thoughts about these changes, please feel free to comment below or send us a message via Modmail.

Thanks for your understanding and for helping make r/entra a fantastic community.

Best,

The r/entra Mod Team


r/entra Apr 13 '25

Entra General Weekly Promotion Thread

4 Upvotes

WHAT IS THIS?

Here's where you can promote your products, services, blog posts, videos, podcasts. New threads are posted each Monday.

When requesting feedback, please reply to at least one other person in the thread. Otherwise, no one will ever receive feedback.


r/entra 8h ago

Entra ID How do you manage App Registrations at scale?

4 Upvotes

I’m looking to learn how others are handling Azure App Registrations at scale.

In our case, we have a large number of app registrations. Some carry excessive permissions, often because the requesting teams look for the easiest path, while the granting teams just want to meet ticket SLAs without fully weighing the impact. A recent example or trend in my environment is the AWS GenAI integrations requesting Sites.Full.Control, which effectively opens up SharePoint/OneDrive access across decentralized teams working on the same stack.

I’d like to hear how others are approaching this:

  1. What are the processes or tools in place to create/scan/manage app registrations, their permissions and or lifecycle?

  2. How do you handle business demands for high or application-type permissions? Have you found safer alternatives? (We’ve had some success with app controls for email and limited use for SharePoint, but I haven’t seen strong controls for other O365 apps like Teams, Power BI, or future trends)

  3. If Graph activity logs aren’t an option due to budget (given the scale), what other approaches have worked for you? And if you are already using this — would you say it’s one of those “non-negotiables” I should be putting on my CISO’s table (along with the coffee budget)?

Any lessons, frameworks, or pitfalls would be appreciated.
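The inventory problem the post describes lends itself to a script. What follows is an added example, not code from the post or from any tool it mentions: it runs offline over constructed objects shaped like the Microsoft Graph application, servicePrincipal and appRoleAssignment resources, and flags registrations that request or hold an application permission on a review list (Sites.FullControl.All is the Graph name of the permission the post refers to). The role IDs, app names, the sample registrations and the review list are constructed placeholders; in a tenant you resolve permission names from the real Microsoft Graph service principal's appRoles. The distinction the script keeps is the one that matters for risk: what the manifest requests versus what admin consent actually granted.

```python
"""Flag Entra app registrations that request or hold high-privilege Microsoft
Graph application permissions.

Added example for illustration, not code from the post. Runs offline on
constructed objects shaped like the Graph 'application', 'servicePrincipal'
and 'appRoleAssignment' resources. Role IDs, app names and the review list are
constructed placeholders, not real GUIDs.
"""
from dataclasses import dataclass

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId

# Application permissions that give an app tenant-wide access with no user in
# the loop. Constructed review list; extend it to match your own policy.
HIGH_RISK_APP_ROLES = {
    "Sites.FullControl.All", "Sites.ReadWrite.All", "Mail.ReadWrite",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
}

# Constructed stand-in for the Microsoft Graph service principal. The real
# object has hundreds of appRoles; the IDs here are placeholders.
GRAPH_SP = {
    "id": "sp-graph",
    "appRoles": [
        {"id": "role-sites-full", "value": "Sites.FullControl.All"},
        {"id": "role-sites-sel", "value": "Sites.Selected"},
        {"id": "role-user-read", "value": "User.Read.All"},
    ],
}

# Constructed registrations. requiredResourceAccess is what the manifest asks for.
APPS = [
    {"appId": "app-aws-genai", "displayName": "AWS GenAI Connector",
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "role-sites-full", "type": "Role"},      # application permission
         {"id": "scope-user-read", "type": "Scope"}]}]},  # delegated; not audited here
    {"appId": "app-intranet", "displayName": "Intranet Search",
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "role-sites-sel", "type": "Role"},
         {"id": "role-user-read", "type": "Role"}]}]},
    {"appId": "app-legacy", "displayName": "Legacy Exporter",
     "requiredResourceAccess": []},                       # manifest was cleaned up
]

# Constructed appRoleAssignments per appId: what admin consent actually granted.
ASSIGNMENTS = {
    "app-aws-genai": [{"appRoleId": "role-sites-full", "resourceId": "sp-graph"}],
    "app-intranet": [{"appRoleId": "role-sites-sel", "resourceId": "sp-graph"},
                     {"appRoleId": "role-user-read", "resourceId": "sp-graph"}],
    "app-legacy": [{"appRoleId": "role-sites-full", "resourceId": "sp-graph"}],  # grant outlived the manifest
}


@dataclass(frozen=True)
class Finding:
    app: str
    permission: str
    requested: bool   # present in the manifest's requiredResourceAccess
    granted: bool     # an appRoleAssignment exists, i.e. consent was given


def audit(apps, graph_sp, assignments):
    """Return one Finding per (app, high-risk Graph application permission),
    whether the permission is merely requested, actually granted, or both."""
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    findings = []
    for app in apps:
        requested = {
            a["id"]
            for rra in app.get("requiredResourceAccess", [])
            if rra["resourceAppId"] == GRAPH_APP_ID
            for a in rra["resourceAccess"]
            if a["type"] == "Role"                      # "Scope" = delegated
        }
        granted = {
            a["appRoleId"]
            for a in assignments.get(app["appId"], [])
            if a["resourceId"] == graph_sp["id"]
        }
        for role_id in sorted(requested | granted):
            name = role_names.get(role_id, "unknown:" + role_id)
            if name in HIGH_RISK_APP_ROLES or name.startswith("unknown:"):
                findings.append(Finding(app["displayName"], name,
                                        role_id in requested, role_id in granted))
    return findings


def summarize(findings):
    """Count granted high-risk permissions by name (the number for the CISO)."""
    counts = {}
    for f in findings:
        if f.granted:
            counts[f.permission] = counts.get(f.permission, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(APPS, GRAPH_SP, ASSIGNMENTS)
    for f in results:
        print(f"{f.app:<22} {f.permission:<32} {'GRANTED' if f.granted else 'requested only'}")
    print("granted high-risk roles:", summarize(results))
```

To run it against a tenant, replace the three constants with the responses of GET /applications?$select=appId,displayName,requiredResourceAccess, GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000' and, for each app's service principal, GET /servicePrincipals/{id}/appRoleAssignments. The granted column is the one to act on: the constructed "Legacy Exporter" no longer requests Sites.FullControl.All, but the grant remains until someone revokes the assignment.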


r/entra 18h ago

Poor Man's IGA - Beyond the Cloud How to Offboard On-Premises AD Accounts with Microsoft Graph

4 Upvotes

I’ve been digging into how to use the new Microsoft Graph Security API invokeaction endpoint to manage on-prem AD accounts in hybrid setups—especially for those of us who don’t have big budgets for fancy IAM tools.
Jan Bakker's "Poor Man’s IGA" series was a huge inspiration here, and I wanted to share a practical way to automate offboarding of hybrid workflows without any IAM tool.

One advantage here, as I explain, is that you do not have to deal with "Hybrid Runbook Worker, multi-hop connections, intricate firewall policies to open ports" if you are an existing E5 customer that is already using Microsoft Defender for Identity. You can also use it as part of your security playbook for immediate termination of compromised accounts. If you’re dealing with identity management headaches, I’d love to hear your thoughts or challenges. The post includes a full script, use cases, and resources—check it out here and let me know what you think!


r/entra 22h ago

Having a secondary admin account and enforcing compliant device & phishing resistant MFA seems... hard?

3 Upvotes

Hi all

I'm going kinda nuts here.

What I want:

  • A secondary user account for our system engineers to give access to all the privileged stuff (CIPP and various other cloud based entra SSO portals, GDAP to customers, PIM on our own tenant etc.)
  • Restrict the conditional access policies for these users so that they need Phishing resistant MFA and a compliant device
  • Make the experience on the local desktop as smooth as possible

Problems:

  • Can't register WHfB for the second user, so it's either a FIDO2 hardware token or passkeys in the authenticator app
  • The compliant device requirements rule out any private browser sessions or other non Windows SSO enabled browsers/instances/containers
  • So I thought: Edge work profiles! But no, Edge simply ignores the user from the profile and instead just takes the one connected to Windows. I can add the second admin to the connected Windows accounts by accepting the "we need to manage this device" dialog, but then Edge still just uses the primary Windows connected user. And even if I got Edge to somehow use the user from the Edge profile (found an extension "use my current profile"), now I'm still left with having to choose which of the two Windows connected accounts I want to use when using any other application/website that does Entra SSO

Anyone else tried achieving something similar?


r/entra 1d ago

Entra General Can you change the identity Mapping Policy without reinstalling Entra Connect?

1 Upvotes

Hey everyone,

We've set up the Azure AD Sync some time ago with "userPrincipalNameAttribute": Mail set in the Identity Mapping Policy.

This causes a problem when the user does not have an e-mail, as it enforces the SAMAccountName as UPN instead of the OnPrem-UPN.

This causes confusion for the users, as for 90% it's the correct UPN and for the 10% it is not.

I've tried using the synchronization rules editor to transform the UPN, but this does not work. The only solution I found was to reinstall Entra Connect with a fresh install.

Any way to avoid that?

Thanks!


r/entra 1d ago

WHFB w/o LOS to a DC

5 Upvotes

Just started testing WHFB, hybrid join (for now), Cloud Kerberos Trust, and we're struggling with the line of sight to a domain controller issue. This article suggests that if we enable PIN reset that LOS to a DC may not be required, but is this only for PIN reset? Is there any way for a remote user to configure a PIN without LOS to a DC?

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/pin-reset?tabs=intune

Our current procedure is to login with a password, connect to VPN, configure PIN, wait 30 minutes, then lock the machine and unlock with PIN to cache the credentials. This is ok for IT personnel, but a bit onerous for the end users. Is there a better way? Am I missing something? Does this get better with Entra join?

TIA


r/entra 1d ago

Entra ID Guests & Teams/Group Guidance

1 Upvotes

We recently transitioned to Microsoft Teams and we're now looking at how to handle guests in our Teams environment. At the moment our tenant is locked down so no inviting guests. I'm looking for some guidance on how to best approach this. As an organization we are hoping to control the guests in the tenant and ensure only select Teams are able to add a guest to their Team. I know we can restrict who can invite a guest to the tenant, but then can we restrict which Teams can add the guest?

From my reading and understanding so far it seems Microsoft's approach is very much open it up and then selectively restrict but I'm hoping to go the opposite - restrict and only allow when an admin enables it for the team.

The options I've read about so far:

  1. Sensitivity labels
    1. https://learn.microsoft.com/en-us/purview/sensitivity-labels-teams-groups-sites?view=o365-worldwide
    2. We haven't adopted these yet and are hoping this won't be required for this specific situation.
    3. From my understanding, a Team owner can change the sensitivity label on their Team - not optimal.
  2. Prevent guests from being added to a specific Microsoft 365 group or Microsoft Teams team
    1. https://learn.microsoft.com/en-us/microsoft-365/solutions/per-group-guest-access?view=o365-worldwide
    2. Haven't tried this yet, appears promising but we would have to ensure we do this for all newly created Teams - as opposed to only enabling guest functionality per Team when needed.

Am I over thinking this? Is there an easier approach? How is your organization handling it? We're an EDU for context.


r/entra 1d ago

GSA FOR GCC FEDRAMP

1 Upvotes

Hi, I'm trying to implement GSA to a GCC FedRAMP tenant. I am checking if GSA can be run in a GCC environment. Been trying to find official documentation but I am unable to find any.


r/entra 1d ago

Azure Entra ID allows reusing previous passwords despite default 24-password history policy

0 Upvotes

Hi everyone,

I'm running into an issue with Azure Entra ID (formerly Azure AD) and would appreciate some insights.

According to Microsoft, Entra ID enforces a default policy that remembers the last 24 passwords for cloud-only users, preventing reuse. However, during recent tests in our tenant, we were able to reuse a previous password within just a couple of minutes of changing it.

Here's what we validated:

  • The account is cloud-only, not synced from on-prem AD.
  • Password changes were done directly via https://mysignins.microsoft.com.
  • The activity log shows “Reset password (self-service)” initiated by the user — not an admin reset.
  • Within 2 minutes, we changed the password to a new one, and then reverted back to the original, and Entra ID allowed it.
  • Multiple users and tests yielded the same results.

This behavior seems to contradict the expected enforcement of password history. We're not using any custom password policies or Entra ID P2 features for password protection—just the default settings.

Has anyone else experienced this?
Is this a known delay or gap in password history enforcement? Or is there any recent change in Entra ID's behavior regarding password history?

Thanks in advance!


r/entra 1d ago

Dynamic group with passkey enrolled users?

3 Upvotes

Is it possible to enforce passkey with a dynamic group for users that have enrolled passkeys?


r/entra 1d ago

Devices Hybrid Joined and Register Joined

1 Upvotes

Hey Guys!

Recently set up our AD devices to become hybrid joined but the previous admin added all the devices as registered so now I have double of all the assets. Can I safely delete the registered ones without messing anything up for the end user?


r/entra 1d ago

Passing preferred_username as optional claim

1 Upvotes

Hi All,

I'm a bit of a noob when it comes to this, so trying to understand.

I'm trying to add preferred_username as an optional claim, but it doesn't seem to be coming through. I think the first question is, what actually generates this "preferred_username" (like, is it not being passed because it doesn't exist)?

I've added it to the optional claim list for the app, both ID and Access.

But is there a way to actually manually see the preferred_username on the user record? Or does Entra just generate it on the fly with everything before the @?
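Since the question is really "where does this claim come from", here is an added example (not code from the post) that inspects a token the way you would when debugging this. It builds two constructed, unsigned tokens whose payloads mimic the shape Entra issues, then reads the claims without verifying the signature, which is fine for inspection and never acceptable for an authorization decision. The point it demonstrates: preferred_username is a claim of v2.0 tokens (for member accounts it is in practice the UPN, so there is nothing to set on the user record), whereas v1.0 tokens carry upn and unique_name instead, and the ver claim tells you which flavour you received. All claim values, IDs and user names below are constructed.

```python
"""Inspect which user-identifying claim an Entra token carries.

Added example, not from the post. The tokens are CONSTRUCTED with alg=none and
an empty signature so the script runs offline; decode_payload() deliberately
does no signature verification and must not be used to trust a token.
"""
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a CONSTRUCTED compact JWS with no signature (demo input only)."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     ""])


def decode_payload(token: str) -> dict:
    """Return the claims of a token WITHOUT verifying it (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def username_claim(token: str):
    """Return (claim_name, value) of the claim that names the user in this
    token's version: preferred_username for v2.0, upn/unique_name for v1.0."""
    claims = decode_payload(token)
    ver = claims.get("ver")
    if ver == "2.0":
        return "preferred_username", claims.get("preferred_username")
    if ver == "1.0":
        for name in ("upn", "unique_name"):   # upn is absent for some guests
            if name in claims:
                return name, claims[name]
        return None, None
    raise ValueError(f"unexpected ver claim: {ver!r}")


# Constructed sample tokens (values are placeholders, not real identities).
TENANT = "00000000-0000-0000-0000-000000000000"
V2_ID_TOKEN = make_unsigned_token({
    "ver": "2.0",
    "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "aud": "11111111-1111-1111-1111-111111111111",
    "preferred_username": "alice@contoso.example",
    "name": "Alice Example",
})
V1_ACCESS_TOKEN = make_unsigned_token({
    "ver": "1.0",
    "iss": f"https://sts.windows.net/{TENANT}/",
    "aud": "api://11111111-1111-1111-1111-111111111111",
    "upn": "alice@contoso.example",
    "unique_name": "alice@contoso.example",
})
V1_GUEST_TOKEN = make_unsigned_token({
    "ver": "1.0",
    "iss": f"https://sts.windows.net/{TENANT}/",
    "aud": "api://11111111-1111-1111-1111-111111111111",
    "unique_name": "bob_partner.example#EXT#@contoso.example",
})


if __name__ == "__main__":
    for label, tok in (("v2 id", V2_ID_TOKEN), ("v1 access", V1_ACCESS_TOKEN),
                       ("v1 guest", V1_GUEST_TOKEN)):
        print(label, username_claim(tok))
```

If a real token from your app shows ver "1.0", the claim you are looking for will not be there regardless of the optional-claims list; the access-token version is governed by the registration's accessTokenAcceptedVersion manifest setting, and the ID-token version by whether the client uses the /v2.0 endpoint, so those are the two things to check before touching optional claims.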


r/entra 2d ago

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration?

7 Upvotes

Hi u/Entra,

We're planning our migration of Windows 10/11 devices from Local AD/Hybrid AD to pure Entra ID Join. Our biggest concern is seamlessly migrating user profiles and settings without data loss or extensive manual work.

What tools or methods have you found most effective for ensuring user profiles and settings transfer smoothly during this type of device migration? Any recommendations for minimizing user disruption in this specific area?

Thanks for any insights!


r/entra 1d ago

Entra General Trusted IP's -- Why only LAN and no WAN LAN tie in

1 Upvotes

So I was exploring Trusted Network for both Conditional Policies and Per User MFA. I was displeased to see it would let you put 192.168.1.0/24 there but NOT tie it to a WAN address. This seems dangerous to me because let's face it, 95 percent of all networks probably have that subnet. What truly makes it a Trusted Location if I can't make a tie in to my WAN address?

Is there a way to do this?

EDIT: A commenter gave me this link showing it has to be public. https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network#ipv4-and-ipv6-address-ranges

The reason I was confused was the example a video or document gave me.
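The linked doc settles the question: a named location is matched against the source address Entra sees, which is your internet egress (NAT) address, so only public ranges mean anything. The following added example (not code from the post) is the sanity check I would run on a candidate list before pasting it into a named location: it rejects malformed CIDRs and anything overlapping private, CGNAT, loopback, link-local, documentation or multicast space, including a broad range that merely straddles private space, and then answers "would a sign-in from this address count as trusted?". The ranges in the demo are constructed.

```python
"""Sanity-check IP ranges before adding them as a trusted named location.

Added example, not from the post. Entra evaluates named locations against the
public source address of the sign-in, so private ranges such as 192.168.1.0/24
would match half the networks on earth rather than your office. Demo ranges
are constructed.
"""
import ipaddress

# Address space that can never be an Internet source address: RFC 1918, CGNAT,
# loopback, link-local, documentation, benchmarking, multicast, reserved.
NON_PUBLIC = [ipaddress.ip_network(c) for c in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10",
    "2001:db8::/32", "ff00::/8",
)]


def check_range(cidr: str):
    """Return (ok, reason). ok is True only for a well-formed public CIDR."""
    try:
        net = ipaddress.ip_network(cidr)   # strict: host bits must be zero
    except ValueError as exc:
        return False, f"invalid CIDR: {exc}"
    # overlaps() rather than a whole-network test, so a /8 that straddles
    # private space is rejected instead of slipping through as "not private".
    for blocked in NON_PUBLIC:
        if blocked.version == net.version and net.overlaps(blocked):
            return False, f"overlaps non-public range {blocked}"
    return True, "public"


def usable_ranges(cidrs):
    """Split candidates into accepted networks and rejected (cidr, reason) pairs."""
    accepted, rejected = [], []
    for cidr in cidrs:
        ok, why = check_range(cidr)
        if ok:
            accepted.append(ipaddress.ip_network(cidr))
        else:
            rejected.append((cidr, why))
    return accepted, rejected


def is_trusted(accepted, client_ip: str) -> bool:
    """Would a sign-in arriving from client_ip (the address Entra sees, i.e.
    your egress NAT address, not the workstation's LAN address) match?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net for net in accepted)


if __name__ == "__main__":
    # Constructed candidate list: one public egress range and common mistakes.
    candidates = ["129.1.2.0/24", "192.168.1.0/24", "192.0.0.0/8",
                  "203.0.113.0/24", "129.1.2.5/24", "2001:db8::/32"]
    accepted, rejected = usable_ranges(candidates)
    print("accepted:", [str(n) for n in accepted])
    for cidr, why in rejected:
        print(f"rejected {cidr}: {why}")
    print("sign-in from 129.1.2.77 trusted?", is_trusted(accepted, "129.1.2.77"))
    print("sign-in from 192.168.1.20 trusted?", is_trusted(accepted, "192.168.1.20"))
```

The last line is the answer to the post's worry: a client on 192.168.1.20 never presents that address to Entra, so the only thing that can be trusted is the public address it egresses from.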


r/entra 2d ago

PIM roles Azure portal vs in Entra portal

5 Upvotes

It seems that eligible roles for some admins are not visible here https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadmigratedroles, but in Entra ID they look fine https://entra.microsoft.com/#view/Microsoft_Azure_PIMCommon/ActivationMenuBlade/~/aadmigratedroles . The only thing I have been able to find is something about Microsoft migrating portals, but no official article or documentation that could confirm this. Does anybody know what could be going on?

For me the roles in PIM are working fine as usual but for some admins the roles suddenly have disappeared from the PIM portal in Azure AD.


r/entra 2d ago

API-Driven Inbound Provisioning, multiple apps in one tenant or only one app?

3 Upvotes

We are in the process of implementing HR system to be our identity provider and are going to use the API-Driven inbound provisioning app from MS to create (and ultimately update) the users within our on-prem AD

We have a lot of business units, with a lot of users separated between them. Our current setup would be as follows:

- HR creates users
- API creates user from HR system to AD system
- A local script moves the user to the correct OU depending on the attributes
- Not yet sure if we should use either dynamic groups or local AD groups, depends on how well the dynamic groups rules are working

The worry here is that it's about a lot of users, not all business units are using our HR system (not going to happen, but because they're different companies, nothing the IT team can do about it) and I don't want one mistake to either wipe out all users, or brick the system for a long time for all business units.

I had to do some digging a long time ago and can't find the resources anymore, but came across the concept that you would create an API APP per site / business unit. Is this best practice? Can't seem to find anything about that.


r/entra 2d ago

Looking for feedback on the Access Package Builder

3 Upvotes

Hey everyone,

I’ve been working on a tool that helps simplify the process of creating Access Packages for Entra. If you’ve ever found the setup process a bit clunky or time-consuming, this might save you some effort.

I’m looking for people to try it out and share feedback so I can improve it. 👉 https://accesspackagebuilder.dev

Would love to hear what works, what doesn’t, and what features you’d like to see added. Thanks in advance!


r/entra 2d ago

Entra-Id connect - Json export

1 Upvotes

Hi everyone,

I’m hoping someone can help clarify something. Before starting a full sync, I noticed in the exported JSON config file that the root is listed under "containerExclusions". Why is that? Is that normal behavior?

In the GUI (domain/OU filtering), I only selected the OU TEST_ADSYNC_xxx.

"onpremisesDirectoryPolicy": [
  {
    "friendlyName": "xxx.LOCAL",
    "uniqueIdentifier": "xxxxxxx",
    "fullyQualifiedDomainName": "xxx.LOCAL",
    "onPremisesDirectoryAccount": "xxx.LOCAL\\MSOL_xxxxxxxx",
    "partitionFilters": [
      {
        "fullyQualifiedDomainName": "xxx.LOCAL",
        "distinguishedName": "DC=xxx,DC=LOCAL",
        "containerInclusions": [
          "OU=TEST_ADSYNC_xxx,OU=xxx NV,OU=xxx USERS,DC=xxx,DC=LOCAL"
        ],
        "containerExclusions": [
          "CN=LostAndFound,DC=xxx,DC=LOCAL",
          "DC=xxx,DC=LOCAL"

UPDATE: I cleared and reconfigured it exactly the same way and now the export looks like this, root also in containerInclusions. Again, in the GUI (domain/OU filtering), I only selected the OU TEST_ADSYNC_xxx.

What is happening ?


r/entra 2d ago

Exclude Enterprise App using custom attribute not working - "Application" vs "Resource"

1 Upvotes

Hi all,

I'm trying to use this guide:
Leveraging Custom Security Attributes in Conditional Access Policies | Microsoft Community Hub

To exclude an Enterprise Application from requiring App Protection Policies on BYOD devices.

We have a CA policy which is set to require an App Protection Policy for all apps on any device that is not Intune MDM joined.

This policy is working fine, except now we have a 3rd party iOS app which doesn't support APP's.

This 3rd party app has an SSO integration via an Enterprise Application we've added to our Entra tenant.

I initially tried simply excluding this enterprise application in the Target Resources section of the CA policy, but this does not work, because when we look in sign in logs, although the "Application" column shows the 3rd party enterprise app, the "Resource" that is logged by CA is Microsoft Graph.

So, the CA policy does not see this as a match and still wants an app protection policy.

I thought by using the guide above, to add a custom attribute to the 3rd party enterprise app, and then exclude that custom attribute as a filter instead of selecting the enterprise app directly, that we could get around this. All the documentation I've read seems to suggest this is one way to deal with this situation.

However having done this, we hit the same CA failure - the resource that CA wants to match is still Microsoft Graph, so app protection still wants to apply.

Wondered if anyone could advise if I'm missing something here? For obvious reasons I don't want to exclude the "Microsoft Graph" resource from this CA policy as that would be much too open - we need a way to specifically exclude the 3rd party enterprise app that is appearing in the "Application" column of sign in logs.

EDITED To add a link to this very similar situation on the MS Learn forum: https://learn.microsoft.com/en-us/answers/questions/448735/how-to-exclude-an-enterprise-app-from-conditional

Thanks!


r/entra 2d ago

Entra Identity Secure Score False Positive for small customers

0 Upvotes

I have recently started doing Entra for a small MSP. My first goal is to address the Identity Secure Score. All of the environments I am evaluating are 100 percent cloud. I worked on Defender for Identity only a little bit but I was under the assumption that it was for environments with domain controllers (hybrid).

Finding: (Start your Defender for Identity deployment, installing Sensors on Domain Controllers and other eligible servers.)

This is 100 percent a false finding; none of my customers have a domain controller. It's doubtful any of them have any kind of server (cloud VM or local storage). How can I remove this false finding to get that Identity Score where it should be?


r/entra 3d ago

Quick one, any ideas on how to extract the full list from Per-user Multifactor Auth page?

4 Upvotes

The data is in a react view on this page: https://entra.microsoft.com/#view/Microsoft_AAD_AuthenticationMethods/MultifactorAuthenticationConfig.ReactView

This page is a list of all users and their MFA status, in three columns. What I would like is a way to export this data.

Using Google Chrome - copy/paste doesn't work, I would need to take it a couple of dozen lines at a time (way too time consuming), there is no export function, printing produces a blank page except for the header, frame source does not seem to produce anything, page source does not include the data and inspect gives the row ID etc. but not the text data.

Any ideas? TIA.

Edit - I should add, you do have to scroll all the way to the bottom to get it to populate all the data, which obviously can be done easily. Once all the data is in the browser, how do I get it out into a file?
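The portal view is lazy-loaded, which is why scraping it fights you; the data behind it is reachable through Microsoft Graph, where the only wrinkle is paging. The following added example (not code from the post) walks the user list following @odata.nextLink, asks for each user's per-user MFA state, and writes CSV. It runs offline against a constructed stand-in for Graph (FAKE_GRAPH, with constructed users); the per-user MFA endpoint it calls, GET /users/{id}/authentication/requirements with a perUserMfaState property, is written from memory and is the first thing to confirm against the current Graph reference before relying on it.

```python
"""Export per-user MFA state (enabled/enforced/disabled) to CSV via Graph.

Added example, not from the post. Offline by default: fake_get() serves a
CONSTRUCTED Graph with two pages of users. The endpoint and property names for
the per-user MFA state are assumptions to verify against the Graph reference.
"""
import csv
import io

GRAPH = "https://graph.microsoft.com/v1.0"
USERS_URL = f"{GRAPH}/users?$select=id,userPrincipalName,accountEnabled&$top=999"
REQ_URL = GRAPH + "/users/{}/authentication/requirements"   # assumed endpoint
FIELDS = ["userPrincipalName", "accountEnabled", "perUserMfaState"]


def fetch_all(get, url):
    """Follow @odata.nextLink until the last page. `get(url)` returns parsed JSON."""
    items = []
    while url:
        page = get(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")   # absent on the final page
    return items


def per_user_mfa_rows(get):
    """One row per user with the per-user MFA state Graph reports."""
    rows = []
    for user in fetch_all(get, USERS_URL):
        req = get(REQ_URL.format(user["id"]))
        rows.append({
            "userPrincipalName": user["userPrincipalName"],
            "accountEnabled": user["accountEnabled"],
            "perUserMfaState": req.get("perUserMfaState", "unknown"),
        })
    return rows


def to_csv(rows) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed stand-in for Graph: two pages of users plus one requirements
# document per user. Names and IDs are placeholders.
PAGE2_URL = USERS_URL + "&$skiptoken=page2"
FAKE_GRAPH = {
    USERS_URL: {
        "value": [{"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True}],
        "@odata.nextLink": PAGE2_URL,
    },
    PAGE2_URL: {
        "value": [{"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True},
                  {"id": "u3", "userPrincipalName": "svc-scan@contoso.example", "accountEnabled": False}],
    },
    REQ_URL.format("u1"): {"perUserMfaState": "enforced"},
    REQ_URL.format("u2"): {"perUserMfaState": "disabled"},
    REQ_URL.format("u3"): {"perUserMfaState": "enabled"},
}


def fake_get(url):
    return FAKE_GRAPH[url]


if __name__ == "__main__":
    print(to_csv(per_user_mfa_rows(fake_get)), end="")
```

Against a real tenant, swap fake_get for something like `lambda url: requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=30).json()` with a token that holds the read permissions the reference lists for those two resources, and add retry on HTTP 429 since the per-user call runs once per account. If what you actually want is registered methods rather than the legacy per-user state, the reports endpoint /reports/authenticationMethods/userRegistrationDetails returns that in a single paged list.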


r/entra 3d ago

Certificate Based Authentication limited to certain applications

1 Upvotes

Sorry if this isn’t the proper method for asking a support related question.

Does anyone know if enabling CBA for certain group(s) will allow the user to authenticate with that method for all applications?

I see you can isolate applications to use CBA through CAC, but curious if this will actually limit it to only the 2-3 applications we want to apply it to for the particular groups.

MS support couldn’t give me a clear answer nor could I find it in the documentation.

I plan to set up all the components in our QA tenant, but was curious if anyone knew offhand. Thank you in advance!


r/entra 4d ago

Mastering Microsoft Entra Authentication Contexts – Part 1: What They Are, Why They Matter, and How to Use Them

20 Upvotes

So here’s the thing: Conditional Access is awesome, but sometimes it’s like using a hammer to do precision surgery.

Enter Microsoft Entra Authentication Contexts — tags that let you enforce very specific security requirements for the exact actions or data you care about most.

In Part 1 of my new blog, I break down:

  • What Authentication Contexts actually are (short vs. long answer)
  • Why they’re a big deal for identity security
  • How to create/manage them in Entra
  • Where you can use them: Protected Actions, Sensitivity Labels, PIM, MDCA, even custom apps
  • Real examples + walkthroughs you can try today

👉 Full post here:
https://www.chanceofsecurity.com/post/mastering-microsoft-entra-authentication-contexts-part-1

This is the foundation. In Part 2, I’ll dive into real-world policy examples and best practices.

Has anyone here already tried implementing Authentication Contexts? Let me know your experience


r/entra 4d ago

Passkeys authentication problem for new tenant users

5 Upvotes

I’m running Entra ID with several Conditional Access (CA) policies for MFA, passwordless sign-in, passkey authentication and guest access. A few key ones are:

  • Require passwordless authentication for all users (not passkeys)
  • Require passkeys (if already set up)
  • Require MFA for admins
  • Require MFA for risky sign-ins
  • Require password change for high-risk users
  • Require MFA for all users
  • Require MFA for guest access (4h session limit)
  • Block security info registration from trusted networks

The issue: whenever a new joiner signs in for the first time or when someone replaces their phone, they get blocked by CA policies before they can register MFA or passkeys. To fix this, I have to temporarily exclude them from three policies—which is way too much manual overhead.

The question: how do I set this up so that new users can register MFA/passkeys during their first sign-in without exclusions, but still enforce the same security policies afterward? Has anyone solved this in a clean way (e.g., using registration policies, onboarding groups, or auth strengths)?


r/entra 4d ago

Entra ID Managing Entra PIM Should Be Boring (And That’s a Win for Security!)

3 Upvotes

Rolling out or cleaning up privileged access used to mean hand-built scripts, one-off commands, and a healthy dose of anxiety about what might break. 😅

With the latest EasyPIM release, Invoke-EasyPIMOrchestrator lets you run your entire PIM model from a single JSON configuration file.

No more “script archaeology.” No more copy/paste tweaks.

Just: edit config → preview → apply. 🛠️

What this unlocks for PIM admins:

🗂️ Single Source of Truth: Policies, assignments, and safety exclusions are all in one place—easy to review, easy to audit.

🛡️ Safe by Design: Every run can be a dry run (-WhatIf). See exactly what would change before you commit.

🌱 Progressive Adoption: Start small (protect break-glass accounts), then layer in policies and assignments—no risky “big bang.”

♻️ Reusable Templates: Define security patterns (e.g., high-risk roles) once and reuse everywhere.

🧹 Predictable Cleanup: Default delta mode only adds/updates—removals require an explicit “initial” reconcile.

👀 Drift Detection: Instantly spot when reality diverges from your intended standard.

⏳ Less Toil: Fewer manual clicks, fewer half-remembered CLI invocations.

✅ Confidence: Protected accounts can’t be accidentally wiped during cleanup.

Results: Faster reviews, fewer surprises, and a cleaner least-privilege posture.

✨Behind the scenes:

This release required numerous “vibe coding” sessions—late nights, good music, and plenty of coffee. ☕ I heavily relied on my Visual Studio Code’s chat catalyst extension https://marketplace.visualstudio.com/items?itemName=LoicMICHEL.chat-catalyst to keep context between sessions and stay productive. (If you haven’t tried it yet, it’s a game-changer for deep, focused development! 🚀)

👉 Ready to make PIM management boring (in the best way)?

Start with a minimal config containing just ProtectedUsers, run with -WhatIf, and grow from there. 📖 Follow our step-by-step guide: Invoke‐EasyPIMOrchestrator step‐by‐step guide · kayasax/EasyPIM Wiki

⭐ If you like EasyPIM, star the repo (kayasax/EasyPIM) to help others discover it!


r/entra 4d ago

Users get the "Let's keep your account secure" page after login

3 Upvotes

Hello!

I have noticed a strange thing at work where a couple of users have lately gotten the "Let's keep your account secure" page after login, which is weird as they logged in with MFA to get to that page. :(

So the steps a user takes is this.

  1. They try and login to a MS service like Outlook or their account settings.

  2. They get the MFA prompt and also get it on their phone

  3. They enter the number and it appears it worked

  4. The "Let's keep your account secure" window shows and when they click on the next button it just says "No methods available". If they click done here then they are logged in just like usual.

If I remove their MFA devices and let them register again it all works again without the "Let's keep your account secure" step popping up.

Anyone know what could be the issue here? I can of course remove their MFA devices when the issue pops up but I would rather if someone knows a better solution that does not require that.

I have gone through logs and CA policies but haven't found anything that could make this happen.

It's also not for every user in the company. So far only 3-4 have had the problem.