Protecting your user identities
Explore Microsoft identity security features. From password attacks to token replay, we will guide you through the technologies we have in place to help defenders like yourselves mitigate, investigate and use up to date best practice to protect your users and business. This session is part of the Microsoft Secure Tech Accelerator. RSVP for event reminders, add it to your calendar, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
How to add Passkey for Entra ID / M365 Identity to Windows Hello or third-party password manager?
I manage many M365 tenants and can't add all of them to Windows as an account. Because of this I would like to add passkeys for those accounts to either a third-party password manager or (preferred) Windows Hello. So far I haven't found a way to do this. The passkey dialog at https://mysignins.microsoft.com/security-info only allows me to add a passkey to a physical key. So: So how can I add M365 passkeys to Windows Hello?Add EXTERNAL Teams account details to a contact in the GAL
We collaborate a lot with another company who have their own tenant. When we want to message an “external” user in Teams we have not messaged before, we must first search and type in the full email address, then select "(External)" to message them. We also have these same users as contacts in our GAL for email. The problem we have is that when you start searching for the user, the GAL contact comes up first, and users think that this is the correct Teams user account so they select this instead of typing further to bring up the real external account. If they do make it as far as to type out the full email address, then two users show up, one from the GAL and one with "(external)" in it. This is not a great user experience. We'd like to know if there is a way in which we can import the external user to our GAL, or if we can populate the GAL contact with the Teams attributes of the external user. The end goal is to have a GAL contact which the user can click to message in Teams. Has anyone come across this before and has a solution?Add EXTERNAL Teams user to GAL
We collaborate a lot with another company who have their own tenant. When we want to message an “external” user in Teams we have not messaged before, we must first search and type in the full email address, then select "(External)" to message them. We also have these same users as contacts in our GAL for email. The problem we have is that when you start searching for the user, the GAL contact comes up first, and users think that this is the correct Teams user account so they select this instead of typing further to bring up the real external account. If they do make it as far as to type out the full email address, then two users show up, one from the GAL and one with "(external)" in it. This is not a great user experience. We'd like to know if there is a way in which we can import the external user to our GAL, or if we can populate the GAL contact with the Teams attributes of the external user. The end goal is to have a GAL contact which the user can click to message in Teams. Has anyone come across this before and has a solution?Moving Exchange Account Source Account
I have a very complex environment I'm hoping someone might jump start my search. We have two domains syncing to Entra ID. One domain is a resource forest where our Exchange environment sits. That domain contains disabled stub accounts synced to our primary domain where the actual user accounts sit. The source for all EXO mailboxes are the stubs in the resource forest. Those accounts are kept in sync using FIM 2008. We're wanting to decom that entire resource environment and move all of the attributes to the primary domain. The resource domain schema is the last version of Ex 2016. The primary domain schema is Ex 2010 SP1. I know my first step is to update the primary schema, however, has anyone encountered a situation like this? Any help would be greatly appreciated.
Update App Registration Client Secret Using Microsoft Graph REST API v1.0
Hello, I have a customer who wants to set the App registration Client Secret to 1 year. Here are the customer's requirements: For existing application registrations under ‘Certificates & Secrets’ pane, any new secrets added by owners should have the duration limited to one year. If the owner tries to set the duration greater than one year and clicks ‘Add’ button, the action should not be allowed with proper error displayed. The same behavior should also be applicable to new application registration specific secrets. It should not impact any existing secret that is present (greater or less than one year) for current application registrations. We need a way to enable and disable the global policy in case we want to disable it if something doesn’t work as expected. We don’t want to impact anything else wrt application registrations or anything in service principles. Based on the article you shared; Microsoft Entra application management policy API overview - Microsoft Graph v1.0 | Microsoft Learn Below is the script we are trying to use to add the global policy and set as default policy with isEnabled = true. As we cannot test in a different tenant, can you please confirm the snippet below will work for the above requirements? MgPolicyAppManagementPolicy|select* $policy=@{ "displayName"="Enforce Max Lifetime for Secrets" "description"="Policy to enforce a maximum lifetime of 1 year for any new secrets." "applicationRestrictions"=@{ "passwordCredentials"=@{ "maxLifetime"="P365D"# ISO 8601 duration format for 1 year } } } New-MgPolicyAppManagementPolicy-BodyParameter$policy Update-MgPolicyDefaultAppManagementPolicy -id <ABOVE_POLICY_ID -IsEnabled $true I tried to test it in my own tenant, but I ran to a permission issue. Can someone please confirm if this snippet works against the customer's requirements? Thanks.User with hundreds of Interactive Sign-In log entries that are "Interrupted"
I have one user in our organization that has hundreds of Interactive Sign-in logs in EntraID that are marked as "Interrupted". I don't even know where to start with the user. Does anyone have a recommendation for isolating the cause of these logs? Recent entries are 95% related to Office Online Core SSO application.
