Brian Reid – Microsoft MVP and Microsoft Certified Master
-
Certificate Auth for Microsoft Graph
There are a few articles online about this, but I have written this one to link to my previous article on securing Graph access to limited mailboxes. That article has a simple test where we can login using a secret and access specifically allowed mailboxes using RBAC for Applications in Exchange Online. To keep that…
-
Who Is Still Using Text Messaging For Multi-Factor Authentication
Hopefully not you, but that is not the point of this blog post. The point of this one is to query the sign-in logs in Microsoft Entra ID and report on other users in your tenant, and guest users from outside your tenant, who are still using SMS (text messages). Note that the user might…
-
Removing Cloud Service Providers (CSP) In Entra/M365
The time comes to change or remove a CSP. So you go about your directory removing configuration that allows the CSP to have remote admin access to your tenant. You might do this anyway, even if the CSP is still a current partner, because there is the inherent risk that the CSP is a backdoor…
-
Migrating Entra Password Protection Proxy
Entra Password Protection service is a component of Entra Plan 1, and allows you to have a custom password block list in Entra and have that list and Microsoft’s “secret” list downloaded to your domain controllers and influence your on-premises password changes. It works by installing an agent on each domain controller and one (or…
-
Entra External ID and SAML Authentication
A new feature to the Entra External ID product is SAML authentication. External ID is used for authenticating your customers to your apps, rather than the “workforce” product for staff and guests. SAML has been in the workforce Entra ID (previously Azure AD) product for years. This blog will walk through the steps to set…
-
Windows Updates – Am I Missing Something?
In an enterprise, lots of machines to manage, it is a common question (probably not common enough) to ask if my devices are patched, up to date and therefore more secure than if I just leave them to their own devices. The good news is that reports that show the state of all your machines…
-
Reducing the Number of Sign-In Prompts in GitHub Managed Identity Logins
When you set up Managed Identities in GitHub, using the OIDC app in Entra ID you will see that you are prompted to re-authenticate every hour. This prompt gets in the way and is annoying, as well as training your developers that any sign-in prompt should be completed (and thus making your developers easier to…
-
Protecting Actions in Entra ID
Conditional Access is well known in its ability to control logins, indeed that is exactly what the name says it does – it puts conditions on access, but now it is also possible to put conditions on actions as well – for example when you want to add an extra layer or protection. This is…
-
Blocking Screenshots in iOS Work Applications
Note – the functionality described on this page will change from April 2025. When your Intune tenant is updated to version 2504 then you will get new settings in the App Protection Policy to control the below and various iOS AI tools (Genmoji and Writing Tools). For more, see the end of this article. A…
-
Simple Digital Signage for Teams Rooms
In a recent update for Teams Room, pro licence, you have the ability to display relevant messages in your meeting rooms when there is no meeting taking place. Options include a default message for any room that has “digital signage” enabled, and specific messages per room or group of rooms. Though there are third party…
-
Adding Apple Well-Known RemoteManagement JSON to IIS Web Servers
To do Account driven BYOD device enrolment in Intune for iOS devices you need to publish to the website on your domain a JSON file that contains your tenant ID. The URL for this file is https://c7solutions.com/.well-known/com.apple.remotemanagement where the domain (c7solutions.com in this case) is the same as the domain of the username on the…
-
Why Is My Microsoft 365 Data In Multiple Regions?
When your Microsoft 365 service is first used data is provisioned in the location best suited to your organization postal address and provided in the M365 Admin Center. If you start other services at later times, those services might be in different locations. Here is an example: The above is found in the Microsoft 365…
-
Testing Entra ID SaaS OIDC Apps With JWT.ms
JWT.ms is an app that will show you the contents of any JSON Web Token (JWT) issued by Entra ID that you have access to and can paste into the top field in the browser. But you can also use it to test apps in Entra ID – you can publish a web app that…
-
Secure Access To Some Mailboxes Via Graph
When creating App Registrations in Entra to grant Graph based applications permission to resources, it is very easy to over permission. The default behaviour when you grant a permission is that the permission is for all of that particular object, for example read/write over all users or all groups etc. When the resource that you…
-
OneDrive Over Quota And You Cannot Work Out Why
I came across this problem with my own tenants OneDrive (business not consumer) service when the Academic licence I use (and was given by Microsoft about 15 years ago) dropped from 5TB to 100GB in line with all Academic/Education free licences. This was a problem as it was my photo library – I could not…
-
Authentication Methods – What Happens If I Click That Button
There are various buttons in the Entra ID portal that can be used in the event of an incident with a user account, but each have different effects and can be used in different circumstances. This blog post outlines the impact of each button on the user. To do these tests I performed a standard…
-
Intune App Protection Policies and “All Apps” Do Not Automatically Stay Up To Date
When you create an App Protection Policy and select “All Apps”, Microsoft points out in Intune that they will keep the policy up to date for you and add new apps as they are released (so it is always “All Apps”) and not “All Apps on the date I made the policy and no changes…
-
B2B Collaboration and Easy Multifactor Authentication in Microsoft 365/Entra ID
A couple of conversations this week, including this prompt by Daniel Glenn – https://x.com/DanielGlenn/status/1812952597759992149 have led me to write up this quick guide to making your cross-tenant, resource account, guest, B2B Collaboration users (note, these are all the same thing) multi-factor authentication easy. If you don’t do this, then the user needs to set up…
-
International Cross-Tenant Sync, Or Fun With Entra Sync Expressions!
I have a client with a parent company in Asia and a subsidiary in the USA and Europe. To provide cross-tenant access to the Intranet and other resources we have used Entra ID Cross-Tenant Sync to populate users from the Asian tenant into the USA based tenant. The issue with this is that the Asian…
-
Enforced MFA on the Azure Portal and Emergency Access (breakglass) Accounts
An emergency access (or break-glass) account is a key design consideration of your M365/Entra tenant. This would be an account that would bypass MFA and you would store the very long and unique credentials offline somewhere. This would be used in the case of configuration breakages that would lock out all your other admins or…
-
Microsoft Information Protection Broken in Gmail
Just a short note to help you fix this error: This message is protected with Microsoft Information Protection. You can open it using Microsoft Outlook, available for iOS, Android, Windows, and Mac OS. Get Outlook for your device here: https://aka.ms/protectedmessage. With Microsoft Information Protection, you can prevent your email messages from being copied or forwarded without…