Access Management
416 Topics

Access Package Approval automation with our Servicedesk ticketing tool
Hi Team, I am trying to automate all the access package approvals to be logged in our Service desk ticketing tool. Example: When a user requests access, once an approval request triggers from Microsoft it should also log a ticket in our ticketing tool. If the request gets approved, the ticket should log this information & automatically get closed. Our ticketing tool dev team is working on it; however, they are stuck in the middle & looking to extract the necessary webhook information required for triggering actions from the Azure solution. Any input or guidance regarding webhook information supported by the Azure solution would be greatly appreciated and would assist us in progressing with the discussed requirements accordingly. Looking forward to your help to achieve this. Thanks, Garima
9 Views, 0 likes, 0 Comments

"sign-in frequency" every time not working as expected and described.
We have several PIM managed groups in an Entra ID tenant. Members are added as eligible. For the activation of the memberships an Authentication Context is created which is linked to a conditional access policy. The conditional access policy requires MFA with phishing resistant authentication factors, and "sign in frequency" is set to "every time". When activating membership, authentication is required. When activating membership to another group (>5 min in between activations) one would expect an authentication prompt, as described in Microsoft documentation. In Firefox this works as expected. In Edge and Chrome, re-authentication is not required every time, and sometimes not even for the first activation, not even in an InPrivate session. The device is not joined to this tenant, and the account used to log on is different from the one used to log on to the Entra ID portal. This is a test tenant with only those CA rules configured; no other policies or rules are in place. Anyone experiencing the same, or knowing the cause?
91 Views, 0 likes, 1 Comment

How to Recover a Global admin account without MFA
Hi Community, I have created a Global admin account in a tenant; unfortunately I had to reset my mobile device, and the MFA codes / setup are gone. I know the password for the account; however, without being able to access MFA, I'm not able to log in anymore. I have no other admin accounts / Privileged accounts set up. Is there any way to recover from this situation?
22 Views, 0 likes, 0 Comments

Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to "any", either "passwordless" or "Push". It is possible to enable the following authentication method through a conditional access policy; currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.
36 Views, 0 likes, 0 Comments

Access Review on multiple Management Groups and Subscriptions
Hi everyone, We are facing the challenge of managing numerous Subscriptions and Management Groups in Azure. Our goal is to make Access Reviews more efficient by conducting them at a higher level, such as the Tenant Root or a central Management Group. Additionally, it would be ideal if roles like "Global Administrator" or "Owner" could be centrally configured for such structures (Tenant Root => All Management Groups => Subscriptions) to reduce administrative effort. Does anyone have experience or tips on how to optimize Access Reviews and role configurations for large and complex Azure environments? Thanks in advance for your help!
20 Views, 0 likes, 0 Comments

Can I configure authentication to be application specific?
Hi Community, I've been searching but could not get an answer. Here's my scenario, which I hope someone can point me in the right direction or documentation for. The organisation's Microsoft Office 365 uses an external IdP (let's say Okta) for federated login. Now I have a separate application registered via Entra admin centre using App registration, and the requirement is to have it use the Microsoft passwordless authentication method for login. After I had done all the necessary OIDC config for this new app, testing the application login led me to the external IdP for authentication. I guess that's because the Microsoft tenant is configured to use the external IdP as default. Is there any way I can configure application specific authentication? e.g. O365 uses the external IdP for authentication while my custom app uses Microsoft passwordless login, and other apps may use some other login mechanisms. Users for all apps are the company's employees. Any guidance is much appreciated. Thank you.
45 Views, 0 likes, 1 Comment

Conditional policies to access SharePoint and Files (not Apps)
Hi Team!! I'm looking for a way to restrict SharePoint access from outside of my office network (typically using the static public IP address). My understanding is that to do so, I need to configure conditional access policies in Azure (which in turn requires an Entra ID P1 license for each user). Is my understanding correct? If so, do I have to license each and every user to do so? The other clarification I'm looking for is: does a conditional access policy apply universally to all users when enabled, or only to those with an Entra ID P1 license? The reason for this clarification is that I tried applying this using a trial license by setting up a policy to block SharePoint access outside our office network, but it ended up applying to all users instead of the ones with the trial license assigned. Further, I noticed that setting this policy blocks the entire Microsoft Teams app as well, whereas my objective is to limit access to the files in Teams as they are part of SharePoint. Is there a way to control access to SharePoint files in Teams without blocking the whole Teams app? Do let me know if I'm doing something wrong here.
33 Views, 0 likes, 2 Comments

Business User to manage an Application's users in Entra External ID
Hi all, In my company we are using Microsoft Entra External ID as CIAM for one of our applications. Users are external to the company (i.e. 'consumers'). Users are initially created by IT, as the app is not open to the general public. Everything works fine so far and, in addition to the authentication, we are using Entra External ID for authorization as well. For that, we are using regular Entra groups that travel to the app using OIDC claims, so once the user has successfully authenticated, the app gets the group membership(s) as well. Here comes the question: We now want to have a non-IT, Business user manage authorizations (i.e. group memberships). The options we manage are:
1) Provide the business user access to the Entra External ID console, with a heavily restricted role that will only allow him to manage users of a certain app (in general, a limited collection of apps).
2) Create a (web) application that handles user authorization management. It would basically show the list of users and group membership for each, and allow making modifications to them.
For option 2) we would like to keep it "CIAM agnostic", meaning we don't want to have it solved via something like the MS Graph API, for instance. Instead, we would like (if possible) a solution based on standards such as OIDC. We are open to using any other standard protocol such as SAML. We don't know if any of the options are actually feasible, or if there is a better approach that should be considered. Ideas about how we can handle this? Thank you all in advance for your help.
305 Views, 0 likes, 2 Comments

employeeType attribute for Dynamic Group features
Dear Microsoft, I would like to suggest the feature of Dynamic Groups to support the employeeType attribute. As dynamic groups are used by features like Identity Governance Auto-Assignment policies and could be the base for Conditional Access Policies, this feature would be aligned with the Secure Future Initiative and the Conditional Access Policy Architecture implementation recommendation using various personas (Conditional Access architecture and personas - Azure Architecture Center | Microsoft Learn), as well as the Microsoft recommendation not to use extensionAttributes for purposes other than a Hybrid Exchange deployment, as well as having named attributes for such important security configurations and Entitlement Management. Thanks, B
226 Views, 1 like, 1 Comment