entra-docs's Issues

When -IncludeAdminSdHolders parameter is set, it does not apply correct permissions to admin users

For businesses that are syncing the Domain Admins to Entra AD (I know this is not recommended), the scripts (and the Entra AD Connect Tool Troubleshooter) do not apply the correct permissions to the AdminSDHolder object.

It seems to just be applying the same permissions as the root directory (where all the normal user objects reside, with inheritance); however, the domain admin/protected accounts are using AdminSDHolder for their permission template. This is of course by design; however, when the permissions get applied to this object (and ultimately copied to the admins' ACLs) it is setting the "applies to" as Descendant User Objects.

It appears, though, that the admin accounts are NOT descendant objects of the AdminSDHolder object, so when the ACL is copied across to the admin user objects it copies it exactly as what AdminSDHolder has, and the permissions do not allow for write access as the ACL isn't applying to this object but rather to descendant objects.

When setting AdminSDHolder to read and write for this object only (for read and write attributes) and applying it to the accounts (by manually running SDProp via LDP), the correct permissions apply and I am able to sync.

Hope this makes sense for your team.

Thanks,
Seth


Document Details

Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

when is '12/8/2023'?

Docs say

https://learn.microsoft.com/en-us/entra/fundamentals/whats-new#public-preview---lastsuccessfulsignin-property-in-signinactivity-api

The data won't be backfilled for this property, so you should expect to be returned only successful signIn data starting on 12/8/2023.

is that 12 August 2023?
is that 8 December 2023?

The target is an international audience; different territories use different formats.

This ambiguous date format is unhelpful.

May I suggest 'long date' or ISO 8601 format (YYYY-MM-DD)?


Sync time and explanation too vague or missing important information

I am not seeing the promised 2-minute sync time from AD to Entra ID.
In fact, the audit and provisioning logs show about 10 minutes between each update.
And in tenants with around 20k objects in scope for sync, a full sync can take two hours, and the size of the agent machine does not seem to impact this in any way.
I NEED a deep dive article explaining how this service does its magic.

Secondly, it seems odd that a "delta sync" can only be kicked off from PowerShell or via the Graph API, when there is a button for full sync in the portal. Both options would help. And a CLEAR indication that a sync is currently running would also be nice on the front page of any given configuration.

A specifically odd thing I have noticed is that you can update attributes like the user's primary SMTP address on-prem for an entire OU, but it can take over an hour for those changes to get synced, even though it might only have been 100 users, and they will come into Entra ID and the provisioning logs in a slow drip, and then all of a sudden, like a ketchup bottle, they all appear.
Sure, there is a logical explanation, but having to provision them on demand, and beating the speed of the normal sync, just makes no sense to me at all.
Please add an on-demand OU sync feature instead so we can do an effective update during our M&A projects, where domain cutover etc. demands a quick attribute sync.

Please feel free to reach out for examples etc. I have many agents running in disjoint domains for M&A scenarios.


Clarification on FIDO2 support status

The page at https://learn.microsoft.com/en-us/entra/identity/authentication/fido2-compatibility details FIDO2 compatibility with iOS and Android; however, this page seems to have an outdated statement:

As of February 2021, FIDO2 is not currently supported for native iOS or Android apps, but it is in development.

Is there any newer guidance?


Wrong Listed Permission

From what I have seen and heard from support, you need to be a Privileged Role Administrator or Global Admin, not Cloud Device Administrator, to manage device administrators.


Missing error code

When a user reports fraud during an Azure sign-in, for example to portal.azure.com, an error code shows up on their page which looks like this:
Error Code: 500121
Request Id: 07hf610f-249-46sd-a1d7-3ccbdc5d6b00
Correlation Id: fde7a069-5cdf-4439-83a4-0899695ea5d2
Timestamp: 2023-12-01T01:01:11Z

This error code 500121 is not listed on this page.


poor wording

I think the sentence "Global Administrator and Global Reader can see all access reviews." should read "Global Administrator and Global Reader can see history reports for all access reviews."


Spell check

The word "verify" in the heading of the section at the anchor linked below is misspelled.

https://learn.microsoft.com/en-us/entra/identity/hybrid/verify-sync-tool-version#verfiy-connect-sync


Step 7.

Why do you have the user copy App Federation Metadata Url? The document never says to paste the App Federation Metadata Url.
7. On the Set up single sign-on with SAML page, In the SAML Signing Certificate section, click copy button to copy App Federation Metadata Url and save it on your computer.


Several issues

Hi team,

Shot in the dark maybe, but trying to reach help.

Outdated docs

Here: https://learn.microsoft.com/en-us/entra/external-id/microsoft-account you guys show outdated documentation.

It shows B2C images, while you advertise with External ID.

Invite external federated Microsoft account with MS Entra External ID

When I try to invite a federated Microsoft account (private [email protected] account), I can accept the invitation (got an email), awesome.
When I finish the user flow (accepted permissions and filled in personal stuff), I land at https://account.activedirectory.windowsazure.com/ ??

How to solve this, how to configure?
But in the users section of Entra ID, the user has been marked as "Accepted" invitation.

Then I try to log in to our own application with the invited user email address.
But I can NOT log in afterwards with the same email address.


Verify howto-vm-sign-in-azure-ad-windows.md

References to Azure Windows VM Sign-In appear to be outdated. Cloud App with appid of 372140e0-b3b7-4226-8ef9-d57986796201 now shows as Microsoft Azure Windows Virtual Machine Sign-In.


caballerodondinero

Add supporting text

The 'Enable with Conditional Access policy' section could use some additional wording given recent changes around sign-in frequency. Previously the conditions were 'Grant, Require MFA'; we have now added sign-in frequency as a session control recommendation with no context as to why.

This page has some additional useful wording to explain why which could be re-used: https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime#require-reauthentication-every-time

This line in particular would be good to highlight the consequences of selecting 'every time':
"When administrators select Every time, it will require full reauthentication when the session is evaluated."


Multiple Domains with different Entra ID Tenants in the same Forest

Hi

After looking through the documentation it doesn't appear as if the following scenario is documented:

  • Active Directory is a single Forest with 2 child domains
  • Each child domain currently has a dedicated AD Connect server pointing to a dedicated Entra ID tenant

If we wish to deploy Password Protection for 1 child domain only this seems simple enough and the current documentation is sufficient. What appears to be missing is what happens if we wish to enable the second child domain into its dedicated tenant.

We are unsure if this is a supported scenario, mainly due to the documentation highlighting that a lot of the configuration appears to be forest-wide when we would need 2 different configurations at the forest level.

If this is an unsupported scenario it would be useful to have this highlighted, possibly in the FAQ page? If it is supported it would be useful to point this out at the relevant steps to ensure that we are following accurate guidance and not overwriting the first configuration in the forest.


Ambiguous question regarding use of MIs

Question states "Which operations can I perform using managed identities?"

The answers in the subsequent paragraph deal with operations that can be performed "ON" the managed identity itself, not what operations can be performed "USING" the managed identity against other services.

Given the content of the answer, I would suggest the question be updated to the following:
"Which operations can I perform on managed identities?"


Where can I ask questions about the contents of documentation?

My question isn't so much about the documentation, more about the contents - is there somewhere Microsoft recommends we ask those?


Please update the page to indicate that the Windows VPN client doesn't support TOTP

We've been trying to implement MFA on our VPN (currently using RRAS and the integrated Windows VPN client). Using the registry key to disable TOTP and force out-of-band MFA (Approve/Deny via MS Authenticator push notification, or phone call for those without MS Authenticator) works fine, but Microsoft's own documentation indicates that TOTP is more secure, and we wanted the flexibility of being able to use TOTP codes and SMS auth, so we set up authentication via PAP to allow for TOTP.

This article gives detailed instructions on setting up NPS/MFA with an RRAS VPN server and Windows client, but doesn't seem to have been updated to reflect the fact that the NPS/MFA combination now supports TOTP when using PAP authentication... but the Windows VPN client doesn't.

Given that the page specifically discusses setting up RRAS to use NPS and Entra ID MFA, and how to configure the Windows 10 VPN client with it, can Microsoft please add something on this page to simply indicate that their own VPN client doesn't support the TOTP feature?

My ticket with Azure (the only way to get this actual answer) pointed me towards using OpenVPN, because apparently an open-source product can get updated to support Microsoft's RADIUS-based TOTP MFA implementation, but Microsoft makes it almost impossible to know that their own Windows VPN client does not support it.

It's OK to not support something, I suppose, but this one really should be mentioned explicitly by Microsoft, as one would expect their products to be at least a bit intercompatible.


Reference REST API for MS Identity Platform

I need reference documentation for the REST API of the MS Identity Platform. I could not find an exact specification about the details (request/response parameters, error codes). Thanks!


Missing Workload Identities Premium

Workload Identities Premium must be on the Microsoft online service products list.


What is CBA with federation?

It would be hugely beneficial to explain what CBA with federation is, how it differs from native CBA and what the authentication flow looks like. This article is raising a lot of confusion, because federation here can mean a lot of things:

  • Federated auth where password is validated in AD FS
  • certificate auth in AD FS
  • federation with any other IdPs

test issue

Test issue. Please assign to author.


Questions on Microsoft-managed Conditional Access Policies

Hi there, I would like to know a couple of things that are not documented about Microsoft-managed policies. Perhaps a FAQ page would be useful.

  1. If I as an admin set a Microsoft-managed policy to "Off" in the 90 day review period, will it be left off indefinitely or will Microsoft "nudge" me to enable it again sometime in the future?
  2. Will Microsoft run the analysis on my tenant for the same risk going forward? So if I duplicate the Microsoft-managed policy to mitigate the risk and then in say 18 months time, I delete that policy or another admin accidentally deletes the policy, will the Microsoft-managed policy return as a recommendation to the tenant?
  3. I guess this is somewhat related to 1 and 2 above. Will the Microsoft-managed policy, once in my tenant in whatever state it finds itself to be in after the 90 days remain tagged as "Microsoft Managed" even after I have either edited it or duplicated it?

Thanks for helping with some questions I think customers are going to be asking.


Provide more information about verified_primary_email and verified_secondary_email

Looking for more information around these optional claims and how consumers should rely on them.

https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference?source=docs#v10-and-v20-optional-claims-set


Error on step 4 ps command

In the Enable sensitivity label support in PowerShell section, when running the PowerShell command in step 4, it returns an error:

PS Command:

    $params = @{
        Values = @(
            @{
                Name = "EnableMIPLabels"
                Value = "True"
            }
        )
    }

    Update-MgBetaDirectorySetting -DirectorySettingId $grpUnifiedSetting.Id -BodyParameter $params

Error:

Update-MgBetaDirectorySetting: Cannot process argument transformation on parameter 'DirectorySettingId'. Cannot convert value to type System.String.


Cloud Sync Group Writeback with Devices Support

We are currently using Entra Connect Sync and would like to write back Entra ID groups that include Entra Joined Devices to AD as security groups using Group Writeback V2. The documentation stated at one time that this group writeback functionality was going to be removed from Connect Sync after public preview and built into Cloud Sync. The document still suggests using Cloud Sync for Group Writeback V2, but I don't see anything stating that Cloud Sync supports device writeback.

"The security group writeback functionality has been replaced by Microsoft Entra Cloud Sync. Going forward, you should use Microsoft Entra Cloud Sync for this functionality."

Reading further into the document it states that device writeback needs to be enabled:

"Devices that are members of writeback-enabled groups in Microsoft Entra ID will be written back as members of Active Directory. Microsoft Entra registered and Microsoft Entra joined devices require device writeback to be enabled for group membership to be written back."

So, in order to write back groups of devices, will Cloud Sync support device writeback in the future? Or will Group Writeback V2 still be supported with Connect Sync?

I need your advice

Hello,

I've read a number of articles, including this one, but have not yet found the answer to my question. There is an IIS-based application that is run as some Windows services. It can use an Azure SQL database, but currently as a computer account (DOMAIN_NAME\HOSTNAME$). We'd like it to be able to run as an Entra ID account and connect to the Azure SQL database as such. Is it possible to create a managed service account or managed identity in Microsoft Entra ID that a Windows service can run as on a computer that is a member of a Windows AD domain that is linked to Microsoft Entra ID? I know it can run as a managed service account (domain\username$), no problem here, but what about running it as a Microsoft Entra ID account; is it possible?

Regards,

Attila


Ask for clarification

Hello,

Thank you for this information.

Cameroon is an opt-in country and our organization has users there. Our head office is located in Switzerland where we do not require opt-in.

Could you please clarify and give us answers to the following questions:

  1. Is it riskier to call a user in Cameroon than a user in Switzerland?
  2. If the answer to 1 is yes, explain why.
  3. If the answer to 1 is yes, explain the risk?
  4. If one of the risks is financial, confirm that it is an unexpected/high phone bill.
  5. If the answer to 4 is yes, who will receive the unexpected/high phone bill? Microsoft or our organisation?

Thank you


Path for combining existing AAD B2C features and new features using Entra External ID

Can you, in https://learn.microsoft.com/en-us/entra/external-id/customers/overview-customers-ciam#about-azure-ad-b2c, include the scenario where we have an existing AAD B2C sign-in/sign-up custom policies solution but are considering adding new features (such as social sign-in)?
If we decide to wait until Entra External ID is GA, can the functionality co-exist, e.g. one application uses AAD B2C and another Entra External ID with a common existing B2C tenant?
Will an existing AAD B2C tenant be compatible with the new Entra External ID requirements https://learn.microsoft.com/en-us/entra/external-id/customers/overview-customers-ciam#create-a-dedicated-tenant-for-your-customer-scenarios?
Are you planning to have a document describing using AAD B2C and Entra External ID solutions in parallel, and also migration from AAD B2C to the Entra External ID solution?

"Entra External ID" documentation uses the "user flow" term; how is it similar to the B2C "user flow" vs "custom policy" concepts?


Doesn't work. Try it.

Typo in "Microsoft Entra Privilegd Identity Management"

"Privilegd" should of course be "Privileged". There are three instances of this typo, I'm sure you'll have no trouble ctrl+f-ing the offenders.


WDAC Integration - Tenant Restrictions V2

Hi

Is there further documentation around using WDAC with tenant restrictions? For example, there is no documentation stating what the app tag should be. Just: "Before enabling firewall protection, ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Windows - see the following link for more information.
For details about setting up WDAC with tenant restrictions, see https://go.microsoft.com/fwlink/?linkid=2155230"

That URL goes to a generic page about WDAC and not within context to using it with Tenant Restrictions.

Thank you


Can't find app Microsoft Azure Management

Hi
Microsoft recently changed how we find applications when creating a CAP policy. In the past the name was DisplayName; now it is Name.
So to add the Microsoft Azure Management app to a CAP policy we have to use the name "Windows Azure Service Management API". Can you change your articles?


Provisioning multi-valued attribute with API Driven Inbound Provisioning Bulk Upload fails

I have set up an API-driven inbound provisioning app and a client app. I added a custom attribute of type string with multi-valued ON.

The value for this multi-valued attribute is sent in Bulk Upload as below:

    "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User": {
        "HireDate": "2022-07-01",
        "SecondarySubjects": [
            {
                "subject": "Maths",
                "startDate": "2023-01-01",
                "endDate": "2024-12-31"
            },
            {
                "subject": "History",
                "startDate": "2023-01-01",
                "endDate": "2024-12-31"
            }
        ]
    }

The provisioning logs report the following error in Troubleshoot & Recommendations tab.

Export of the object with id = and joining property = to the Microsoft Online Directory Service failed. Reason: Content-Type: multipart/mixed; boundary=changesetresponse_b049bae6-8d90-4eca-b0d8-f582286addc3 --changesetresponse_b049bae6-8d90-4eca-b0d8-f582286addc3 Content-Type: application/http Content-Transfer-Encoding: binary HTTP/1.1 400 Bad Request Content-ID: 2 DataServiceVersion: 3.0; Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8 {"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"A value without a type name was found and no expected type is available. When the model is specified, each value in the payload must have a type which can be either specified in the payload, explicitly by the caller or implicitly inferred from the parent value."}}} --changesetresponse_b049bae6-8d90-4eca-b0d8-f582286addc3-- . This operation was retried 0 times. It will be retried again after this date: 2023-12-14T07:53:02.8100328Z UTC

Changing the payload to the following continues to throw the same error:

    "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User": {
        "HireDate": "2022-07-01",
        "SecondarySubjects": [
            "Maths", "History"
        ]
    }

The custom attributes are mapped correctly in Source and Target list.

Better Feedback on onboarding and offboarding license requirements

We have had a large discussion around what is the actual requirement for a company of 100 users that expect a turnover of 350 employees. It is not clear if I need 351 or 701 licenses to cover a turnover of an employee.

If someone leaves, we need to replace that person. Is that 1 license or 2?


Please add Support for group writeback on the chart

We recently added support for group writeback with the cloud sync agent:

https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory

This is not reflected in the chart on this page and needs to be added:

Add additional context for the "More information required" / "Is this info up to date" prompt.

Some users may already be registered; however, they still receive prompts such as

"is this info up to date"

Trying to understand the causes for this screen continued to lead me to this registration campaign article; however, I think it's not directly related, as the Authentication Context in the Entra ID logs states:

User authentication was blocked because they need to provide password reset information. Their next interactive sign in will ask them for this, which the app should trigger next.

Can you please describe this parallel feature in a note or link to the relevant documentation at the bottom of the article? If you decide to describe it here, please also explain how frequently these prompts are expected to happen. I have users who have already registered their Authenticator App, and continue to see this screen a few times a year.


[Issue] AADSSHLoginForLinux VM extension not supported on Debian [9/10/11]

Description

The VM extension AADSSHLoginForLinux seems not to be working on Azure Debian images.
Not exactly sure if it is an issue with the feature or with the documentation itself on the supported versions.

Current Behavior:

  • Using Azure Portal:
    • The Azure AD (Entra) Login is not supported on Debian images; the documentation indicates to check this box.
  • Using azure-cli:
    • Usage of the following command on an already created Debian 11 machine never succeeds:
      az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADSSHLoginForLinux --resource-group <RGName> --vm-name <MachineName>
    • The command is stuck with the message ( / Running .. )
    • This shows up on the Azure portal during the perpetual creation phase:

Expected Behavior:

VM Extension should be added to the machine and operate normally.

Environment:

  • Region: Azure Global (westeurope)
  • azure-cli: 2.53.0
  • Python (Linux): 3.10.10
  • Image VM: Debian 11 gen. 1/2 (x64)

Anything else:

The same config with Ubuntu 22.04 works normally
Too bad. This feature looks promising.
Let me know if you need any further information.


If a risk/detection is deprecated, provide more information on replacement or guidance on changes

https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated

Specifically at this link. It would be handy to understand if another or newer detection (like Malicious IP address for example) is replacing this detection.
Saying a detection is deprecated is fine, and that no more alerts will trigger is fine, but not providing more information to help identify if there will need to be some configuration change to make up for the deprecation makes this tricky.

Looking at the page, an educated guess would lead me to think Malicious IP address is taking over the detection capability of Malware Linked IP address as they seem to offer similar detections based on name alone.

Can this please be clarified? Thanks


Change Application Name

Customer is trying to implement the conditional access suggested in the article but cannot find the application "Microsoft Azure management".

The application mentioned above changed to "Windows Azure Service Management API" (appId: 797f4846-ba00-4fd7-ba43-dac1f8f63013).

Can you please update it so customers don't get confused.


Guest Inviter has undocumented limitations on GDAP.

Hello

About https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#guest-inviter
We had to open a support request as this role has some explicit denies or undocumented limitations.

As discussed elsewhere https://techcommunity.microsoft.com/t5/partner-led-tech-topics/getting-403-quot-insufficient-privileges-to-complete-the/m-p/4005729

If you assign the Guest Inviter role to a user who already has User Administrator, it breaks the User Administrator role.
You cannot access the user profile or edit the user profile data in Entra ID until you remove the Guest Inviter role.

Can you also write the restrictions this role has, in addition to its explicit rights, in the documentation?

It's mainly for GDAP, not tested from within the tenant itself.


Requesting more troubleshooting guidance for empty drop-down menu.

This note:

Note

If your AD domain is not visible in the Active Directory Domain dropdown list, reload the provisioning app in the browser. Click on View on-premises agents for your domain to ensure that your agent status is healthy.

seems aimed at people whose AD domain is not visible in the drop-down list. However, the troubleshooting advice in the second sentence is not helpful, since that "view on-premises agents" doesn't exist[0] if the domain isn't visible.

Furthermore, I have registered a server and I cannot get the domain to appear. Refreshing the page doesn't help. Additional troubleshooting tips, such as checking the event logs[1], or other areas would be helpful, as the current suggestion is confusing and inadequate.

[0] Screenshot 2023-12-07 144418
[1] Screenshot 2023-12-07 121215


Is this feature available in Azure Gov?

Are dynamic memberships available in Azure Gov/GCCH?

Are there any known limitations in Azure Gov/GCCH?

Spelling

Under "Back up your Microsoft Entra Connect configuration", it should be "rollback", not "role-back".



Typo in Mapping expression

Missing required extra comma in the mapping expression.

correct: FormatDateTime([StatusHireDate], ,"yyyy-MM-ddzzz", "yyyyMMddHHmmss.fZ" )

incorrect: FormatDateTime([StatusHireDate], "yyyy-MM-ddzzz", "yyyyMMddHHmmss.fZ" )



Sample code for "Register the connector using a token created offline" does not work

The sample code for "Register the connector using a token created offline" does not work.

I've created a .NET 6 console app using the code from the documentation, and instead of obtaining a token we get an error saying the redirect_uri is invalid:

Sign in
Sorry, but we’re having trouble with signing you in.

AADSTS50011: The redirect URI 'http://localhost:60108' specified in the request does not match the redirect URIs configured for the application '55747057-9b5d-4bd4-b387-abf52a8bd489'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
Troubleshooting details
If you contact your administrator, send this info to them.

Request Id: 64bee792-97ae-4a5a-a407-abf567545000
Correlation Id: 03dfcf9c-cbe8-43d4-9380-5d308a8173e1
Timestamp: 2023-12-06T13:09:06Z
Message: AADSTS50011: The redirect URI 'http://localhost:60108' specified in the request does not match the redirect URIs configured for the application '55747057-9b5d-4bd4-b387-abf52a8bd489'. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
Flag sign-in errors for review: [Enable flagging](https://login.microsoftonline.com/common/debugmode)
If you plan on getting help for this problem, enable flagging and try to reproduce the error within 20 minutes. Flagged events make diagnostics available and are raised to admin attention.

This is the same as 85855, where someone responded saying the redirect needs to be "https://login.microsoftonline.com/common/oauth2/nativeclient". If I update the code to force this URL as the redirect URL, we get a runtime exception saying the redirect URL must use the loopback address:

Microsoft.Identity.Client.MsalClientException: 'Only loopback redirect uri is supported, but https://login.microsoftonline.com/common/oauth2/nativeclient was found. Configure http://localhost or http://localhost:port both during app registration and when you create the PublicClientApplication object. 

This is using the latest version of Microsoft.Identity.Client, and I've also tried using v4.7.1 as specified in the documentation.
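For reference, the following C# snippet is an added example (not the documentation's sample and not the reporter's code) showing how MSAL's interactive flow is normally configured for a public client so that the loopback redirect matches what is registered: the app registration lists exactly `http://localhost` (no port) under "Mobile and desktop applications", and the code passes the same value to `WithRedirectUri`, letting MSAL choose a free port at run time. Entra ID accepts any port for a registered `http://localhost` loopback redirect, which avoids AADSTS50011, and because the value is a loopback address MSAL does not raise the "Only loopback redirect uri is supported" exception. The client ID, tenant and scope below are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: interactive public-client sign-in with a loopback redirect URI.
// Placeholders: replace the client ID, tenant and scope with your own values.
public static class LoopbackRedirectSample
{
    private const string ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder app (client) ID
    private const string TenantId = "common";                               // placeholder tenant
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" }; // placeholder scope

    public static async Task<string> AcquireTokenAsync()
    {
        // Register "http://localhost" (without a port) in the app registration.
        // Using the same value here lets MSAL bind to a free local port for the
        // browser callback while still matching the registered redirect URI.
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .WithRedirectUri("http://localhost")
            .Build();

        // Opens the system browser, receives the authorization code on the
        // loopback listener and redeems it for tokens.
        AuthenticationResult result = await app
            .AcquireTokenInteractive(Scopes)
            .ExecuteAsync();

        return result.AccessToken;
    }

    public static async Task Main()
    {
        string token = await AcquireTokenAsync();
        Console.WriteLine($"Access token length: {token.Length}");
    }
}
```

If the registration only lists a specific port (for example `http://localhost:60108`), the request will match only when MSAL happens to pick that exact port, so registering the port-less `http://localhost` is the configuration that reliably works with a runtime-chosen listener.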



How to remove an external guest account when it's not listed in the org tab

https://learn.microsoft.com/en-us/entra/external-id/leave-the-organization#why-cant-i-leave-an-organization
This section does not explain how to leave the external organization if it's not listed.
https://techcommunity.microsoft.com/t5/microsoft-teams/wish-to-remove-guest-account-from-ms-teams-desktop-app/m-p/862133



Microsoft Entra ID for customers vs Microsoft Entra External ID

Please clarify the difference between "Microsoft Entra ID for customers" and "Microsoft Entra External ID".
Are you using them interchangeably? Is one of them a temporary name and the other the official name? Which one is recommended?



Clarification Request - Refresh Token Expiry for non-SPA clients

I have read the 'Token Lifetime' section of this article and am wondering if the following is true:

If a client is not a single-page application (SPA), and a refresh of a refresh token is requested, the expiry date of the new refresh token will not be carried over from the previous refresh token. So it must be that the refresh token can be renewed indefinitely without requiring user interaction, unless timeouts or revocations occur (as mentioned in the 'Token Expiration' section of the same article).



Feedback - On PowerShell examples

When you are providing PowerShell examples in the MS Docs, please explain each parameter and value in the example.

"Add a resource to a catalog with PowerShell"

In the above documentation, I was unable to figure out the values in RED. If you provide a comprehensive explanation, it would be easier to understand.

Regards,
Mukesh



Reminder/Notification

Please provide some information about how we can get a reminder sent to notify us when a secret is going to expire.


