r/entra

▲ 7 r/entra

FIDO2 not working with Security Defaults?

Hi everyone, so I recently noticed in some newer tenants that I cannot sign in with Global Admin accounts that only have FIDO2 registered as a method. We are always using CA on most of our customers - but on some smaller customer tenants (5-10 accounts) we have just turned on security defaults instead. Now last week I noticed that my 4 GA accounts - that only have FIDO2 registered - could not sign in - I was VERY lucky to have my backdoor through GDAP with Privileged Role Admin... So I guess I'll have to revert to legacy/per-user MFA on those tenants?

u/hullan_hollow — 2 days ago
▲ 22 r/entra

Locked out after enabling “Phishing-resistant MFA” CA for all admins — Authenticator passkey + WHfB rejected

I think I completely locked myself out of my M365 tenant.

I enabled a Conditional Access policy requiring “Phishing-resistant MFA” for all admin accounts.

I DO have:

  • a passkey created in Microsoft Authenticator
  • Windows Hello for Business configured

But both are rejected during sign-in.

I only get a generic error:
“Something went wrong”
with no additional details at all.

I expected Authenticator passkeys and WHfB to satisfy the phishing-resistant MFA requirement, but apparently not in my setup.

Has anyone already hit this exact issue?
Is there a known limitation/bug with Authenticator passkeys + Authentication Strength policies?

Right now I have no active admin session left open.

"This might be due to a timeout, a canceled request or a private browsing window"

EDIT : It’s working again.

I finally managed to access the tenant by signing into a PC with my admin account and configuring Windows Hello. The PIN failed, but fingerprint authentication finally worked and let me back in.

I disabled the CA immediately and created a proper break-glass account. I fully admit I was careless, but honestly Microsoft also shares some responsibility here because this whole flow is clearly not mature enough yet.

u/Gloomy_Pie_7369 — 3 days ago
▲ 5 r/entra

What counts as a method for SSPR?

Hello everyone, I am having some trouble setting up PIM and one thing I am running into is SSPR issues, I believe. My SSPR is set to all users and requires 2 methods. I assume this is what is enforcing everyone in my tenant to require two MFA methods. Right now I have a test account that has a YubiKey and the MS app registered as MFA methods, yet when I log in, it keeps prompting me to register another method. It loops a few times and eventually lets me in.

I was hoping that having both the YubiKey and the MS app as MFA methods would prevent needing to add a third method.

u/ITquestionsAccount40 — 3 days ago
▲ 20 r/entra+2 crossposts

PIM activations, directly from your pocket! PIMActivation Portal announcement

Back in 2025 I created PIMActivation as a PowerShell module to make PIM activations faster and less frustrating. Since then, the project has evolved quite a bit.

Today I released the new PIMActivation Portal, a fully open-source Progressive Web App for Microsoft Entra PIM activations.

Main goals:

  • Faster activations
  • Bulk role activation
  • Cross-tenant support
  • Mobile + desktop support
  • Better UX overall

Some highlights:

  • No backend or token cache
  • Browser-only architecture using sessionStorage + IndexedDB
  • Installable as a desktop/mobile app
  • Self-hosted deployment option
  • Managed multi-tenant version available
  • MIT licensed

It supports Entra roles, Groups, Azure Resources, reduced scope activations, activation profiles, bulk deactivation, and more.

This was built together with Lukas Gosling after we independently ended up building very similar PoCs and decided to collaborate instead.

Would love feedback from others working heavily with PIM, RBAC, and cross-tenant administration.

You can check out the full write-up here:
https://www.chanceofsecurity.com/post/introducing-the-new-pimactivation-portal-managed-self-hosted-and-mobile-ready

Access the landing page:
https://pimactivation.com

Direct portal access:
https://portal.pimactivation.com

u/Noble_Efficiency13 — 4 days ago
▲ 8 r/entra

Restricted Management AUs in Entra ID: two undocumented paths that actually work

RMAU scenarios that shouldn't be possible: I've written a very detailed article on LinkedIn with different scenarios that shouldn't be possible according to Microsoft's documentation.

TL;DR

  • Restricted Management Administrative Units (isMemberManagementRestricted: true) block any principal without an AU-scoped role from mutating their members. That includes a service principal holding Application.ReadWrite.All.
  • Two configurations the design relies on aren't on Microsoft's supported list: applications and their service principals as RMAU members, and Application Administrator scoped to an AU. Microsoft Graph accepts both.
  • A third unsupported configuration lets Entitlement Management write to groups inside an RMAU, via a one-action custom role granted at the RMAU scope to the right governance SPs. This is what makes the standard access-package delivery flow work into protected groups.

Any service principal holding Application.ReadWrite.All can mutate every app registration and service principal in your tenant. RMAUs contain that, even when the design relies on two configurations Microsoft's docs don't acknowledge.

If your tenant has identities that can't be tampered with (pipeline service principals, customer-facing OAuth apps, identity-bridge SPs), the rest of this article will be relevant. Everything below is reproducible against your own tenant with az rest.

https://www.linkedin.com/pulse/restricted-management-aus-entra-id-two-undocumented-paths-janssens-2sfle

u/rohgin — 3 days ago
▲ 10 r/entra+1 crossposts

I broke external sharing for SharePoint

I was hardening the tenant and now no one can share SharePoint files with our clients/customers. We have a specific site but none of the settings work. Instead of getting a one-time code, users must authenticate to our tenant. This appeared to work before I messed with things but I am also reading online that OTP is going away soon. I suspect I broke it as I reverted and complete lockout was reversed but not everything.

Below is what I put in for my support ticket. My last support ticket was closed after two months of no contact so I am looking for other help.

On 5/14/2026 at 3:51 PM UTC, setting AllowEmailVerifiedUsersToJoinOrganization to false via Graph PowerShell triggered a Set Company Information event that added RestrictEmailVerifiedUsers to our tenant DirectoryFeatures. External guests can no longer authenticate via Google federation or email OTP — only Microsoft 365 login is presented. Reversing the setting via PowerShell and UI did not remove the DirectoryFeature. Need RestrictEmailVerifiedUsers removed from tenant DirectoryFeatures.

u/bjc1960 — 4 days ago
▲ 0 r/entra

Where to get hands on experience with Identity and Entra?

I have been wanting to get more into Identity, particularly the security aspect and wanted to see if there was a structured way of learning. I'm much more of a hands on type of learner, so I'd like a lab of some sorts, where I can break and tinker with stuff. I tried getting a developer tenant, but this was not a success.

Are there any good resources allowing for free/cheap and at your own pace learning?

u/Kagawan — 4 days ago
▲ 16 r/entra+1 crossposts

Workplace Ninjas US 2027 | First Speaker Announced: Merill Fernando

Hi All!!

As we officially announced over the weekend on Twitter/X, the one and only Merill Fernando is our first officially confirmed speaker for Workplace Ninjas US 2027 in Scottsdale.

Our dear friend Merill recently announced he's leaving Microsoft to do his own thing. He's someone who is very special to all of us and personifies our mantra of surrounding ourselves with good people who just contribute to that immaculate vibe aesthetic we showed throughout Dallas.

One of our core principles is to bring people YOU want to see to our events. Merill epitomizes that concept as one of the first events ever to bring Merill to the states. We saw how all of you responded through mentoring sessions, engagement, and just hanging out.

With Merill engaging on his new journey, you better believe we will be celebrating his time with Microsoft with a "Merill-bration" of sorts. Make sure you register now, and don't miss out at a bigger, better, and dare I say it MORE FUN year two in Scottsdale.

Join us and register now, as we still have a few early bird tickets remaining:

https://workplaceninjas.us/registration

u/Electronic-Bite-8884 — 4 days ago
▲ 46 r/entra

Microsoft, please, make PIM great!

As a user I have a list of roles available to me via PIM activation. Roles have permissions.

When I attempt to complete an action that requires a permission that I do not have active, how about instead of showing me access denied just show all the roles that are available to me for activation with least privileged first.

Instead of graying out an action button or link because I lack a required permission, put a shield or other indicator and when clicked on give a prompt, popup, or any other option to activate an available role.

Maybe stating the obvious and/or preaching to the choir, but is this not a simple workflow that will benefit all the admins and improve PIM experience?

u/jM2me — 7 days ago
▲ 43 r/entra+3 crossposts

Microsoft seems to be testing Time-Based Conditional Access through the beta Graph API, this is my take

I recently spent some time experimenting with the new “Time” condition that started appearing in Conditional Access policies through Graph, and I put together a write-up covering how it behaves today, how to create policies with it, and where it currently falls apart.

Some key findings:

- The condition appears across user, workload, and agent-based policy types

- Only user/group-based policies currently work in practice

- No GUI support yet, so policies look very interesting in the portal

I also explored some practical use cases, including:

  1. Restricting critical applications to working hours 
  2. Shift-based access enforcement for production workers 
  3. Tightening sessions and auth requirements after hours

I think this has huge potential!

Check out the post here: Getting With The Times: Time-Based Conditional Access

What use cases do you see for this feature?

u/Noble_Efficiency13 — 7 days ago
▲ 6 r/entra

Entra ID - Backup Recovery

Anyone really planning Entra ID failover to another tenant?

We are looking at an Entra ID backup/recovery vendor now because of some gaps with Microsoft recovery for hard-deleted objects. One vendor is pushing their ability to recover to a second tenant very heavily.

At first it sounds very good, but the more we think about it, the more it feels difficult in real life. Everything is tied to the current tenant: mailbox, Teams, SharePoint, OneDrive, app registrations, integrations, company.onmicrosoft.com etc.

Do people actually keep a second licensed tenant ready for this? In a real incident, is it really faster to move to another tenant, or just to recover the original tenant as fast as possible?

Curious if people are really testing this successfully or if this is more marketing from vendors?

u/Temporary-Myst-4049 — 7 days ago
▲ 3 r/entra+1 crossposts

Admin account showing as last user

I'm having a strange issue on some Entra joined PCs. Win 11 25h2. No matter which user was the last user to log on to a pc, my admin account is always showing as the last logged in user at the login screen. If I sign in as the local admin, it will do the same with that account too. I've tried Intune settings to disable showing the last logged in user but that hasn't changed anything. I'd rather not show my admin account name or local admin account name to our users. Has anyone else come across this?

u/sunnipraystation — 7 days ago
▲ 6 r/entra

Open Source tenant scanners

Can any one recommend open source projects that scan tenants for configuration deficiencies?

We have CISA scuba today, and I used to use Azure Security Kit (AzSK) and Azure Tenant Scanner(AzTS) at another company. We also use Defender's secure score.

Searching here, I found https://maester.dev/

Can anyone recommend others or have you looked at maester.dev?

u/bjc1960 — 7 days ago
▲ 2 r/entra+1 crossposts

Entra Connect sync problems

Hey there. I am trying to set up Entra, as in the title, into an existing M365. I got the sync software installed on my server, but when I go to sync it up I keep getting this duplicate attributes error for all accounts. What should be my next step? I really don't want to lose any user data, which is why I came here. What should I do? Any suggestions?

u/mighty_moosewithlips — 8 days ago
▲ 26 r/entra

Entra Connect Sync to Entra Cloud Sync transition

Microsoft published a what's new post, and at the bottom in the Announcements section, it states that Entra Connect Sync is transitioning to Entra Cloud Sync starting April 2026. Can anyone explain? Does this mean Entra Connect Sync may be decommissioned soon?

u/danfratamico — 9 days ago
▲ 14 r/entra

How are you guys handling temporary M365 Geo-Blocking exemptions for traveling users?

Hey everyone,

We run into a bit of an administrative nightmare. Most of our clients are strictly geo-blocked to our home country via Conditional Access.

Lately, we have been getting a surge of "I'm going abroad for a week" tickets. Our current process is manually creating/editing Named Locations and CA policies for each user/trip. It’s becoming impossible to track, and we’re constantly finding "stale" policies for trips that ended months ago.
How are you scaling this?

Would love to hear how you guys keep your CA policies clean without spending 5 hours a week on travel tickets.

u/genusjoy — 10 days ago
▲ 12 r/entra+1 crossposts

Runbook to Auto-Rotate App Registration Secrets

Hey Everyone, as managing App Registration secrets can be annoying... either you stay on top of them or they expire.

Initially, I had built scripts to alert app owners when secrets were expiring through email/tickets. But then I started thinking: why not just automate the whole rotation process?

Especially since these secrets are created & stored in a secret manager like a Key Vault for scripts, runbooks, or apps to consume.

So I built a process in PowerShell that does the following:

  • With a list of app registrations (to control which ones we autorotate)
  • Rotate their secrets automatically (when a date hits since creation that you set)
  • Update Key Vault with its new secret
  • Keep the old secret on the app for a grace period (to avoid breaking a service that happens to be consuming it at the time of this script run)

Throw it in an Automation Account, run it daily, and secret rotation becomes a managed process instead of a manual task.

I did a full walkthrough for this here: https://www.youtube.com/watch?v=smKhyZ1xL6I

In case all you want is alerting, where it sends HTML emails to the owners of the app registrations when their secrets are about to expire, I made a walkthrough on that as well: https://www.youtube.com/watch?v=E3wnj0bVRWg

u/AdeelAutomates — 8 days ago
▲ 2 r/entra

Legacy system integration with Entra ID - what's actually tripping you up

Been working through a hybrid setup lately where the on-prem AD isn't going anywhere soon. Kerberos dependencies, some older line-of-business apps that just assume domain membership, GPO-driven workflows, the usual. Application Proxy helps for publishing the web-based stuff, but it won't touch your classic Kerberos or SMB dependencies, and anything that needs a domain controller in sight is still a problem.

The thing I keep running into is that Entra DS gets floated as a fix, but it really isn't a drop-in for full AD DS. It'll give you managed LDAP, Kerberos, and NTLM support, which covers some ground, but the moment you need forest trusts, schema extensions, or full domain admin control, you're out of luck. Forest and domain trusts aren't supported in Entra DS at all, so if that's part of your environment, you're keeping AD DS regardless. Worth flagging too that hybrid Entra join is an AD DS plus Entra ID device state, not really an Entra DS story, so that framing can muddy the conversation.

End result is you keep a minimal on-prem AD footprint for the legacy dependencies while moving users and devices to Entra and Intune. That's not really a failure of cloud-first strategy, it's just the realistic middle ground most orgs are sitting in right now.

The other pressure I'm seeing is legacy auth deprecation. If any of those older apps are still leaning on Basic Auth or similar, that's becoming a harder conversation alongside the domain dependency problem.

Curious how others are handling the apps that genuinely can't modernise yet. Wrapping them with a secure access layer, keeping AD DS alive indefinitely, looking at OAuth or API patterns where the app can support it, or just accepting the hybrid reality for a few more years?

u/heartmocog — 9 days ago
▲ 8 r/entra+1 crossposts

Best approach for integrating HR REST API with Entra ID API-Driven Provisioning in a hybrid environment?

Hey everyone,

I’m working on a relatively small hybrid environment (~300 users) with on-prem AD + Entra ID.

Recently, I managed to set up an API-Driven Provisioning flow for the on-prem AD, and I already validated user creation through MS Graph successfully provisioning all the way down to the local AD.

Now I’m looking to evolve this into a more automated setup by periodically querying the HR authoritative source, which currently exposes the data through a REST API.

My main question is really around architecture/best practices:
what would be the best way to handle this periodic integration between the HR API and Entra ID?

My first idea was to build something in Python that consumes the HR REST API and sends the data to Entra/API-Driven Provisioning, but that would require maintaining a scheduled job running on-premises (Windows Task Scheduler, container, service, etc.).

I’d like to understand how you usually implement this kind of scenario in hybrid environments.

The main goal is to keep the solution simple, reliable, and easy to maintain over time.

If anyone has implemented something similar, especially using API-Driven Provisioning, I’d really appreciate hearing your experience or recommendations.

u/Difficult-Help2148 — 10 days ago
▲ 52 r/entra+3 crossposts

Learning Microsoft Graph

Hey everyone,

I built a series of content on Microsoft Graph. I thought I'd share it here.

Microsoft Graph, if you don’t know, is Microsoft’s unified platform to interact with Entra ID, Microsoft 365, Teams, SharePoint, Intune, and more through APIs.

This is what allows you to truly automate against the Microsoft cloud platform. It has replaced many of the PowerShell modules for everything but Microsoft Exchange.

If you wish to understand it so you can start automating on these platforms (both the Graph module and the API), I've got you! Here are some of the episodes you may be interested in checking out:

Putting it all together, here are the kinds of things you can do with Graph: Build a Report on Azure, Entra & M365 Permissions! This builds an identity permissions report of your tenant and stores it in SharePoint in a new Excel doc. If nothing else, check out 40:04; one of my favorite things about Graph is seeing Excel docs come alive in real time with the data!

u/AdeelAutomates — 11 days ago