Category: Entra

  • Device Code Flow and Authentication Transfer in Conditional Access Rules – One or two rules required?

    I cannot find the answer to this online. Microsoft allow Entra ID admins to block two authentication protocols that are misused by phishers, one more prevalent in the wild than the other – but do I need two rules to block the two authentication flows, or just one? The screenshot above shows a Conditional Access…

  • Tenant Switching From Bookmarks

    When you are an Entra ID admin of more than one tenant you can use the “Switch Directory” link under your profile picture. But if you are doing this often, you might find that an entry in your browser favourites (or bookmarks) is better. To do this, craft a URL in the following format: https://entra.microsoft.com/auth/login/@tenantdomain.onmicrosoft.com…

  • Windows 365 and Enrolment Restrictions in Intune

    Windows 365 is one of Microsoft’s cloud hosted virtual machine offerings and is generally very simple to set up, especially in a tenant that has not ever been customised! Take on these licences in a tenant that has been around a number of years, or has introduced some improved security or compliance settings and you…

  • Simple Security for Microsoft 365

    There are many, many security settings in Microsoft 365, including Entra ID, SharePoint, Exchange Online etc. But knowing where to look and what to change has been complex, even for people skilled in this range of products. Well, this is about to change with Microsoft 365 Baseline Security Mode. This is reachable via the M365…

  • Understanding “IsCloudManaged” and “IsExchangeCloudManaged”

    A recent addition to all licenced versions of Entra ID is the ability to manage synchronized users and groups from on-premises Active Directory fully in Entra ID. Before this feature was enabled, an Active Directory synced object was mostly modified in Active Directory and you waited for sync to complete for the changes to appear…

  • Broken Multi-Tenant Organization Sync Settings – How To Fix

    I saw this issue in July 2025 for the first time and worked around it but did not document it here. By November I had the pleasure of staffing the Microsoft Entra stand at the massive Microsoft Ignite conference in San Francisco answering any and all questions passed my way (that is good fun, and…

  • Easy Sign-In to Entra ID Applications for Frontline Workers With QR Codes

    I had the pleasure of staffing the Microsoft Entra stand at the 2025 Microsoft Ignite conference. 17,000 people and the ability for anyone to come and ask their Entra questions and we got lots. It was fun. One of the questions asked was by a gentleman who had users on a factory floor and who…

  • Switching SharePoint To Use Entra Guest Sharing With EnableAzureADB2BIntegration $true

    Updated 4th March 2026. Microsoft announced today in MC1243549 that the old SharePoint feature is being turned off in July 2026 and from that time you will have to manually reshare items to users without guest accounts. Also that the EnableAzureADB2BIntegration setting will be turned off in May 2026. So the below, which lets you…

  • Onboarding New Users In an Entra ID Passkey World

    This blog covers the scenario of onboarding new users (or users who have their MFA methods reset) when a passkey is the only required option for authenticating. You might wonder why a passkey only world environment might be set up in Entra ID, and though at the time of writing most administrators and organizations will…

  • Deleting Custom Extensions in Entra External ID

    In Entra External ID (the replacement product to Azure B2C) for authenticating external users into dedicated applications (that is, not your workforce tenant) you can create custom extensions to add external functionality to the authentication or sign-up or sign-in process. If you need to delete these extensions though you might get stuck. Here is an…

  • Certificate Auth for Microsoft Graph

    There are a few articles online about this, but I have written this one to link to my previous article on securing Graph access to limited mailboxes. That article has a simple test where we can login using a secret and access specifically allowed mailboxes using RBAC for Applications in Exchange Online. To keep that…

  • Who Is Still Using Text Messaging For Multi-Factor Authentication

    Hopefully not you, but that is not the point of this blog post. The point of this one is to query the sign-in logs in Microsoft Entra ID and report on other users in your tenant, and guest users from outside your tenant, who are still using SMS (text messages). Note that the user might…

  • Removing Cloud Service Providers (CSP) In Entra/M365

    The time comes to change or remove a CSP. So you go about your directory removing configuration that allows the CSP to have remote admin access to your tenant. You might do this anyway, even if the CSP is still a current partner, because there is the inherent risk that the CSP is a backdoor…

  • Migrating Entra Password Protection Proxy

    Entra Password Protection service is a component of Entra Plan 1, and allows you to have a custom password block list in Entra and have that list and Microsoft’s “secret” list downloaded to your domain controllers and influence your on-premises password changes. It works by installing an agent on each domain controller and one (or…

  • Entra External ID and SAML Authentication

    A new feature to the Entra External ID product is SAML authentication. External ID is used for authenticating your customers to your apps, rather than the “workforce” product for staff and guests. SAML has been in the workforce Entra ID (previously Azure AD) product for years. This blog will walk through the steps to set…

  • Reducing the Number of Sign-In Prompts in GitHub Managed Identity Logins

    When you set up Managed Identities in GitHub, using the OIDC app in Entra ID you will see that you are prompted to re-authenticate every hour. This prompt gets in the way and is annoying, as well as training your developers that any sign-in prompt should be completed (and thus making your developers easier to…

  • Protecting Actions in Entra ID

    Conditional Access is well known in its ability to control logins, indeed that is exactly what the name says it does – it puts conditions on access, but now it is also possible to put conditions on actions as well – for example when you want to add an extra layer of protection. This is…

  • Testing Entra ID SaaS OIDC Apps With JWT.ms

    JWT.ms is an app that will show you the contents of any JSON Web Token (JWT) issued by Entra ID that you have access to and can paste into the top field in the browser. But you can also use it to test apps in Entra ID – you can publish a web app that…

  • Authentication Methods – What Happens If I Click That Button

    There are various buttons in the Entra ID portal that can be used in the event of an incident with a user account, but each has different effects and can be used in different circumstances. This blog post outlines the impact of each button on the user. To do these tests I performed a standard…

  • Intune App Protection Policies and “All Apps” Do Not Automatically Stay Up To Date

    When you create an App Protection Policy and select “All Apps”, Microsoft points out in Intune that they will keep the policy up to date for you and add new apps as they are released (so it is always “All Apps”) and not “All Apps on the date I made the policy and no changes…

  • B2B Collaboration and Easy Multifactor Authentication in Microsoft 365/Entra ID

    A couple of conversations this week, including this prompt by Daniel Glenn – https://x.com/DanielGlenn/status/1812952597759992149 have led me to write up this quick guide to making your cross-tenant, resource account, guest, B2B Collaboration users (note, these are all the same thing) multi-factor authentication easy. If you don’t do this, then the user needs to set up…