r/entra

▲ 4 r/entra+3 crossposts

M365 small business account. Sole Global Admin, replaced phone, can't complete MFA.

Hello, fellow Redditors.

Wondering if anyone has been in a similar situation and able solve it.

I am a sole global admin one-person one-business and have the M365 account. I recently changed my phone, but didn't back-up authenticator App. Now stuck in a loop trying to access my account.

Has anyone been able to have successfully reset MFA for a sole Global Admin, after replacing a phone? If yes, could you please share your experience?

Didn't realise that replacing a phone would cause so much issue with the Authenticator App.

Note, I initiated a ticket with Microsoft, and they've been responsive, but getting to the proper team is an issue.

Would appreciate any suggestions, thanks in advance!

reddit.com
u/jul_enpassant — 8 hours ago
▲ 2 r/entra

Cross Tenant Synchronizaton / Enterprise APp Provisioning issues?

I added some users to a group assigned to a Cross Tenant Synchronization config this morning and 3 hours later they are still saying not in scope for provisioning.

I even manually assigned them to the app, turned provisioning off and back on, still no dice. Anyone else seeing this?

reddit.com
u/screampuff — 8 hours ago
▲ 1 r/entra

Microsoft Authenticator MFA missing?

I have configured Yubikey as a MFA method however now it always asks for the yubi which is expected as it is strongest MFA method. However I am not able to choose other authentication methods? Only Passkey or use password.

reddit.com
u/Failnaughtp — 10 hours ago
▲ 3 r/entra+1 crossposts

Global Secure Access not working on Self-Deploying-Autopilot Device

Hi,

we have been Global Secure Access for quite a while now and so far, so good. I'm now confronted with one device, that does not want to login to the app: no error message, you get a sign-in windows, that works with SSO and all the usual, and then it just doesn't login.
The only thing that is different with this device, is that it has a self-deploying Autopilot profile. All other devices have a user-driven Autopilot profile.
Any ideas on why this won't work? Are there specific prerequisits that are not met on a self-deploying device?

reddit.com
u/doofesohr — 14 hours ago
▲ 6 r/entra

What's the largest number of users you had to configure CA for?

I turned on two policies for 40 users a few days ago. First time for production. Will be doing much more soon.

Is it normal to feel a bit anxious but also excited to see it work?

reddit.com
u/AhYesTheSoldier — 3 days ago
▲ 37 r/entra+2 crossposts

Breakglass account in Entra ID

Hello folks

I want to setup breakglass account for my entra tenant

Breakglass account should not have MFA configured but MS in 2024 made it mandatory for all accounts to have MFA

what should be done to by pass MFA or any other way to setup breakglass account?

Any document if you have is appreciated

reddit.com
u/StatisticianFunny170 — 5 days ago
▲ 0 r/entra

SMS authentication not working

I'm trying to enable SMS authentication just for a few staff who don't want the authenticator. My test account shows this when I try to set it up in mysignins.microsoft.com

I'm the global admin. I've even tried this with my account and get the same results. No matter what phone # I use.

Can't seem to figure this one out

thanks, all

https://preview.redd.it/2gbfhm8xosah1.png?width=436&format=png&auto=webp&s=481980df7ffe8971c7d2fbdbd5cbc3befd3aaa21

reddit.com
u/Ejcrist — 5 days ago
▲ 5 r/entra

System-preffered multifactor Authentication Method

Hi

We've enabled Passkeys for Admin accounts and have the system-preffered settings set to enabled instead Microsof managed.

What we notice is that, when trying to log on, the passkey becomes the preferred second factor which makes sense if we follow the docs. The annoying thing is that we don't have the option to select another second factor ( TOTP ,...).

How do you guys handle this ? Settings the system-preferred authentication to disabled ?

Just some side info, we have a CA policy in place to enforce passkey for admins but one account is shared and does not allow to save the passkey in a shared vault. Hence the reason we need to be able to fall back on TOTP.

Also curious how you guys handle this one.

reddit.com
u/Technical-Deer3844 — 4 days ago
▲ 7 r/entra

Is there no way to get Passkeys to Work on Windows 11?

I would love to require passkeys for my users, but Windows 11 doesn't seem to support it. Users are presented with an option to insert a USB only. Has anyone found a workaround?

Update - workstations do not have bluetooth.

reddit.com
u/No_Loss_3996 — 7 days ago
▲ 3 r/entra

Multiple consecutive MFA prompt issue

Hello !

I am currently facing an issue when I am onboarding users using a TAP and redirecting them to https://aka.ms/mysecurityinfo to register their passkey.

The issue is, once they enter their upn + TAP, they are facing two identical consecutive MFA prompt to register Authenticator (or phone) and a third MFA prompt to register an SSPR method.

I checked my Entra settings related to MFA and identified :

- Registration campaign : set to MS managed, but the users are excluded

- ID Protection MFA policy : enabled

- CAP : The users are targeted by a CAP with a custom authentication strength with TAP among other things

- SSPR is enabled for all

In that situation, my understanding is :

- User input TAP
- 1rst MFA prompt (only Authenticator or phone) = ID Protection MFA Policy -> user ignore
- 2nd MFA prompt (only Authenticator or phone) = ? -> user ignore
- 3rd MFA prompt = SSPR (as they can chose email here)

Do you have any idea why there is the second MFA prompt ? Thanks

reddit.com
u/Sorry-Employment899 — 6 days ago
▲ 14 r/entra

For those of you using Passkeys, have you disabled other forms of MFA?

I am considering implementing Windows Business Hello so my end users can use passkeys to log into Microsoft Online services. I realize passkeys are more secure. However, I am not sure, in my environment, I could completely disable other forms of MFA. Without being able to disable all other forms of MFA, I am trying to determine if it is worth the lift to implement Windows Business Hello. For those of you using passkeys, have you disabled other forms of MFA?

To note: Bluetooth passkeys workflow will not work in my environment. We also do not have InTune. The other option in our environment for passkeys to work will be Windows Business Hello.

Thank you.

reddit.com
u/ComplaintNo6631 — 7 days ago
▲ 5 r/entra+1 crossposts

Entra sign-in methods clean up?

If a user has multiple duplicate sign in methods such as multiple passkeys or multiple Windows Hello registrations, how do you delete the old ones (replaced phones, replaced PC etc.)?

When I look the Security Info sign in methods as the user or Authentication Methods as the admin, they are just shown as a list of duplicates without any date stamps or device names.

How do you tell them apart so you can delete the correct ones?

reddit.com
u/Fabulous_Cow_4714 — 7 days ago
▲ 4 r/entra

Anyone using biometric authentication for Windows MFA?

Thinking about moving away from OTPs for Windows logins. Anyone using fingerprint or face recognition as part of Windows MFA? Hows it been so far?

reddit.com
u/Bob_Saldanha — 7 days ago
▲ 90 r/entra

I horde aka.ms shortcuts

M365 / Entra / Defender / Intune aka.ms Shortcut List

I have a problem and I needed to share it with others. I cleaned up my Microsoft 365 admin bookmarks and grouped the useful aka.ms shortcuts by admin area. Some links may require the right Microsoft 365 role, license, tenant access, or admin permissions. Some links may go dark after time. Anyone else horde them too?


Core Microsoft 365 Admin

Shortcut URL
Microsoft 365 Admin Center https://aka.ms/admin
Microsoft 365 Admin Center alternate https://aka.ms/mac365
Microsoft 365 Admin Center duplicate shortcut https://aka.ms/admin
Legacy per-user MFA https://aka.ms/ad/legacymfa
Microsoft commands shortcut https://aka.ms/commands
Microsoft Partner Benefits https://aka.ms/solutionspartner.benefits
Microsoft Nonprofit Portal https://aka.ms/nonprofitportal

Copilot

Shortcut URL
Copilot Studio Dashboard https://aka.ms/copilotdashboard
Security Copilot Purview Plugin https://aka.ms/SecurityCopilotPurviewPlugin
Copilot OneNote Notebooks https://aka.ms/copilotnotebooks

Azure / Azure Admin / AVD / Windows 365

Shortcut URL
Azure Admin https://aka.ms/azad
Azure Portal https://aka.ms/portal
Azure Admin duplicate shortcut https://aka.ms/azad
Azure AVD Insights https://aka.ms/avdi
Azure AVD Portal, old https://aka.ms/wvdarmweb
Azure AVD Portal, old duplicate shortcut https://aka.ms/wvdarmweb
Windows App / Windows 365 login https://aka.ms/w365login
Windows App devices https://aka.ms/w365login
Azure Conditional Access What If https://aka.ms/ad/cawhatif
Azure Identity Protection P2 https://aka.ms/identityprotection
Azure Files permissions https://aka.ms/portal/fileperms
Azure Universal Print Admin https://aka.ms/UPPortal
Azure risky users https://aka.ms/riskyusers
Azure Identity Protection dashboard https://aka.ms/identityprotection
Azure Service Health https://aka.ms/azureservicehealth

Defender / Security

Shortcut URL
Defender Admin https://aka.ms/de
Defender Admin duplicate shortcut https://aka.ms/de
Defender MDO real-time detections https://aka.ms/de/explorer
Defender MDO attack simulator https://aka.ms/AttackSim
Defender Action Center https://aka.ms/de/actions
Defender Advanced Hunting https://aka.ms/de/hunting
Defender Incidents https://aka.ms/de/incidents
Defender Secure Score from Azure portal https://aka.ms/idsecurescorefromazureportal
Defender Secure Score https://aka.ms/SecureScore

Entra ID / Identity

Shortcut URL
Entra Admin Center https://aka.ms/MSEntraPortal
Entra ID Admin https://aka.ms/MSEntraPortal
Entra devices https://aka.ms/ad/devices
Entra groups https://aka.ms/ad/groups
Entra groups inventory https://aka.ms/ad/groups
Entra users https://aka.ms/ad/users
Entra users inventory https://aka.ms/ad/users
Entra users sign-in logs https://aka.ms/ad/logs
Entra roles https://aka.ms/ad/roles
Entra roles duplicate shortcut https://aka.ms/ad/roles
Entra app registrations https://aka.ms/ad/appreg
Entra enterprise applications https://aka.ms/ad/apps
Entra authentication methods policies https://aka.ms/ad/auth
Entra Connect Health logs https://aka.ms/ad/synclog
Entra consent user settings https://aka.ms/ad/consent
Entra tenant license / products https://aka.ms/ad/license

Conditional Access

Shortcut URL
Conditional Access overview https://aka.ms/ca_overview
Conditional Access policies https://aka.ms/ad/ca
Conditional Access What If https://aka.ms/ad/cawhatif
Conditional Access duplicate shortcut https://aka.ms/ad/ca

Entra External ID / Governance / PIM

Shortcut URL
Cross-tenant access settings https://aka.ms/ad/xtap
External collaboration settings https://aka.ms/ad/guests
Entra ID Governance Access Reviews https://aka.ms/ad/reviews
PIM my roles, Azure https://aka.ms/pim
PIM my roles, Entra https://aka.ms/ad/pim
PIM token refresh tool https://aka.ms/pim/tokenrefresh

Intune / Endpoint

Shortcut URL
Intune Admin https://aka.ms/in
Intune Admin duplicate shortcut https://aka.ms/in
Intune Endpoint Analytics reports https://aka.ms/endpointanalytics
Intune tenant status https://aka.ms/intuneshd

Power Platform / Power BI / Fabric

Shortcut URL
Power Platform Admin Center https://aka.ms/ppac
Power Admin https://aka.ms/ppac
Power Automate Make https://aka.ms/flow
Power BI Apps https://aka.ms/PBI
Power BI Playground https://aka.ms/pbieplayground
Fabric Support https://aka.ms/fabricsupport

Microsoft 365 Diagnostics / Health / Connectivity

Shortcut URL
M365 SMTP relay diagnostic https://aka.ms/smtprelay
M365 SharePoint Online performance diagnostic https://aka.ms/PillarSiteandPagePerf
M365 SharePoint Online tenant storage diagnostic https://aka.ms/PillarTenantStorage
M365 Teams Auto Attendant diagnostic https://aka.ms/TeamsAADiag
M365 Teams Direct Routing diagnostic https://aka.ms/TeamsDirectRoutingDiag
M365 Teams Federation Trust diagnostic https://aka.ms/TeamsFederationDiag
M365 Teams Guest Access diagnostic https://aka.ms/TeamsGuestAccessDiagDMC
Microsoft 365 network check test tool https://aka.ms/AAhrv8k
Microsoft 365 network connectivity test https://aka.ms/netonboard
Microsoft Remote Connectivity Analyzer https://aka.ms/rca

Teams / SharePoint / Outlook / Places

Shortcut URL
Teams Admin Center https://aka.ms/teamsadmincenter
Teams Call Quality Dashboard https://aka.ms/cqd
Teams VM settings https://aka.ms/vmsettings
SharePoint file migration portal https://aka.ms/odsp-mm-fs
Outlook manage web add-ins / sideloading https://aka.ms/olksideload
Microsoft Places https://aka.ms/places

End-user Microsoft / Entra Portals

Shortcut URL
Device sign-in https://aka.ms/devicelogin
Security info https://aka.ms/mysecurity
User sign-in https://aka.ms/login
My Access https://aka.ms/my-access
My Account https://aka.ms/my-account
My Apps https://aka.ms/myapps
My Staff https://aka.ms/mystaff
SSPR portal https://aka.ms/sspr
SSPR setup https://aka.ms/ssprsetup

Microsoft Account / Consumer Account

Shortcut URL
Microsoft account security proofs https://aka.ms/manageproofs
BitLocker recovery keys https://aka.ms/myrecoverykey
Microsoft account recent activity https://aka.ms/alca

Support / Remote Assistance

Shortcut URL
Quick Assist Web https://aka.ms/quickassistweb

reddit.com
u/valar12 — 9 days ago
▲ 11 r/entra+2 crossposts

Workplace Ninjas US 2027 Announces First Set of Speakers

We're getting ready for Workplace Ninjas US 2027 in Scottsdale, AZ from January 11-13, 2027. With that in mind, it's our pleasure to introduce the first set of speakers for Workplace Ninjas US, who already join announced speakers Ewelina Paczkowska, Simon Skotheimsvik Rudy Ooms and Ugur Koc

🛠️ Jonah Andersson | Azure MVP is an amazing technologist from Sweden where she is a full stack #DotNet Developer and Lead #Cloud #DevOps #Engineer holding numerous #Microsoft certifications who will be delivering some amazing sessions.

🤖 Edine Olijve-Watkinson | M365 MVP from the Netherlands who works for InSpark | Innovate to Accelerate as an AI consultant along with being part of Dutch Women in Tech. She is an amazing technologist focused on #Microsoft #Copilot and #Loop helping to drive several initiatives in #Security #AI and much more

🚀 Ru Campbell | Security MVP from the UK works for Threatscape as their Practice Lead for #MSSecurity, while being a multi-book author, #DefenderXDR expert, and brilliant speaker.

❄️ Nathan McNulty | Security #MVP comes to us from Alaska working for Patriot Consulting as a returning speaker from last year who needs no introduction as an expert in Security and Identity with some of the best sessions from Dallas.

🩺 Simon Binder | #MSIntune MVP also joins us from Sweden as one of the most respected speakers around the world making a big name for himself while working for Advania Sweden as a top-rated speaker at #JNUC and more!

💻 Michael Niehaus rounds out this group known as the grandfather of #Autopilot, who was instrumental in numerous areas like #SCCM, hashtag#MDT, and may more. He is now instrumental in the new amazing 2Pint Software product #DeployR, a new modern cloud-based #imaging product

Join us in welcoming these amazing speakers by registering now! Our early bird is still going on so register now!

Why Attend Workplace Ninjas US 2027 | Scottsdale, AZ

u/Electronic-Bite-8884 — 7 days ago
▲ 4 r/entra+1 crossposts

PLZ HELP No Log in UI after Enrolling / Applying Intune policies

Hey Intune Wizards! Any insight would be absolutely life saving.

Any insight would be greatly appreciated :

TLDR:
I rebooted, and after the reboot when on the lock screen, I click to go through the screen saver and get to Log in UI and there's just nothing. The computer isn't frozen or something. There is just no UI. But if you wait ~10 minutes, the login UI will show up, but it will only let you use your password, no PIN / Face ID (Windows Hello). Then when you go to Settings > Accounts > Sign In Options > it takes a while to load, almost like whatever info it's pulling was messed up or not started up already. It does this with every reboot.

My guess is that something is conflicting between the new Intune enrollment and the original Entra join and causing something to hang or be messed up. If anyone's seen something similar to this please let me know

I have tried disabling EVERY MDM policy. My compliance policies don't even do anything they are just for flagging. Conditional Access isn't hitting the user as he's not flagged for risk.

Background for context:

Little background to start, I've been setting up Entra ID Conditional Access and Intune MDM for ~20 user office I had to pick up where a previous guy left off as he dropped the ball as far as the time line goes, so now its a rushed project. So the order things went in weren't my decision but heres all the work that has been done up to this point :

~20 workstations migrated from on-prem Active Directory to Entra ID, then I setup Conditonal Access and tested, it went well, now I'm setting up Intune MDM.

Today I build out my Intune policies, made my groupings to assign policies to and added my test user to my MDM auto enroll user group, and then added my test device to my MDM Policy Device Group.

Then I went to my device, and since they were Entra ID joined before Intune was setup, I had to trigger MDM enrollment manually so I googled and found this command to do so : "Start-Process "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/c /AutoEnrollMDM" -Verb RunAs" I ran that command, it worked like a charm and triggered MDM enrollment, the device showed up in Intune like normal, so then I began syncing to pull down all my policies.

Once I finished successfully syncing, I signed out and signed back in to make the device take the new policies, and bam, everything seemed to work like a charm. All my policies worked as intended first try.

I then rebooted, and after the reboot when on the lock screen, I click to go through the screen saver and get to Log in UI and there's just nothing. The computer isn't frozen or something. There is just no UI. Check out the screen shots. But if you wait ~10 minutes, the login UI will show up, but it will only let you use your password, no PIN / Face ID (Windows Hello). Then when you go to Settings > Accounts > Sign In Options > it takes a while to load, almost like whatever info it's pulling was messed up or not started up already. It does this with every reboot.

My guess is that something is conflicting between the new Intune enrollment and the original Entra join and causing something to hang or be messed up. If anyone's seen something similar to this please let me know

I have tried disabling EVERY MDM policy. My compliance policies don't even do anything they are just for flagging. Conditional Access isn't hitting the user as he's not flagged for risk.

reddit.com
u/Glittering_Coyote486 — 10 days ago
▲ 15 r/entra

Email to user when a TAP has been activated?

We recently set up TAP to make device setup easier for end users, with less reliance on passwords.

Unfortunately some of the support staff have decided this is a great way to fix devices or set up devices for the end users without them knowing they have accessed the accounts.

As much as I've tried to explain that it shouldn't be used as a way to gain unauthorised access, the use of it has continued.

I don't want to backwards and force back to passwords, but I was thinking that if users had emails sent to them after a TAP activation it would dissuade them from continuing the practice.

reddit.com
u/UnleashedArchers — 12 days ago
▲ 12 r/entra

Thoughts on MFA for Windows logons, RDP, and offline access?

ManageEngine ADSelfService Plus recently added support for Microsoft Entra ID, including MFA for Windows logins, RDP sessions, workstation unlocks, and offline authentication scenarios.

One thing that caught my attention is the growing demand for MFA beyond cloud applications. Many organizations seem to be focusing on securing Windows logons, privileged actions, and remote access workflows in addition to Entra sign-ins.

For those managing Entra ID or hybrid environments:

  • Are you enforcing MFA at the endpoint level today?
  • How are you handling offline authentication scenarios?
  • Do you prefer native Microsoft controls, third-party MFA, or a mix of both?

Curious to hear how others are approaching this and whether endpoint MFA has become a requirement in your environment.

reddit.com
u/Sea_Possible_7280 — 12 days ago
▲ 5 r/entra

Updated Registration Campaigns Breaking CA

Just wanted to flag this so more people are aware Microsoft seems to be rolling out a new registration campaign system even on tenants that are not using security defaults. This seems insanely irresponsible and infringing on lots of our clients current setups. Usually during the deployment of MFA we handle that ourselves with CA policies targeting specific groups and custom authentication strengths using only the methods we want to control so users don’t go rouge. These new Microsoft managed campaigns are creating sign-in loops and access errors. Found under Authentication Methods - Registration Campagins.

reddit.com
u/Disastrous-Basis-782 — 10 days ago