Entra.News #32: This week in Microsoft Entra
Learn about migrating from SAP IDM to Entra ID, Conditional Access filter for apps going GA, audit log enhancements for Conditional Access, updates to the sign-in page and more!
👋 Hi, Merill here with this week’s roundup of the latest news on Microsoft Entra from around the globe 🌍.
Enjoy!
⚡️ Microsoft
🏆 Generally Available
Conditional Access: Filter for applications • Microsoft Learn
📺 Watch
Improve your identity governance posture (26 min) • Microsoft Security (Mark Wahl, Steve Conn)
🗣️ Message Center
These links will open in the Microsoft 365 Admin Center.
03 Feb - Microsoft Entra ID: New Microsoft Teams-specific consent settings
26 Jan - Removal of MFA text message delivery via WhatsApp in India
From the community…
☀️ Learn
🧰 Workload ID
Azure DevOps with Workload Identity Federation • Markus Pitkäranta
💠 External ID
Using Blob storage from ASP.NET Core with Entra ID authentication • Damien Bowden
Creating groups and roles in Entra External ID for customers (CIAM) and returning them in the JWT • Rory Braybrook
A deeper dive into linking with Entra External ID for Customers (CIAM) • Rory Braybrook
Comparing federation with Azure AD B2C vs Entra External ID for Customers (CIAM) • Rory Braybrook
Client credential flow in Entra External ID for Customers (CIAM) • Rory Braybrook
⛑️ ID Protection
Migrate Identity Protection Risk Policies to Conditional Access • Daniel Bradley
👮‍♂️ ID Governance
🌐 Global Secure Access (SSE)
Entra ID – Global Secure Access Client – What it is about? • Michael Morten Sonne
🔑 Authentication
Cloud Kerberos Trust: The Windows Hello for Business Easy Button • Jon Towles
Entra ID – Authentication methods • Julian Rasmussen
👥 Group Management
“All Users” in Entra ID means ALL users and guests • Matthew Levy
🤖 Automation & DevOps
Finding Scopes for Microsoft Graph commands • Aaron Guilmette
Single PowerShell Script to Install Multiple M365 Modules • NTW
Compare Configurations of Microsoft 365 Tenants with Microsoft365DSC • Admin Droid
Connect to MS Graph API PowerShell SDK Using a Certificate • NTW
Batch pool with user assigned Managed Identity and Key Vault extension • Jerry Zhang
Avoid the complexity when utilizing Entra ID multi-tenants and School or Work/Microsoft Accounts • Daichi Isami
🚦 Conditional Access
Viewing changes to Conditional Access policies just became easier! • Jan Bakker
Service dependencies in Conditional Access policies • Lukas Beran
Why MFA, Conditional Access, and Sensitivity Labels can Combine to Give Outlook a Problem • Tony Redmond
View Changes to Conditional Access Policy with New Feature • Office 365 Reports
🔐 Credential Management
Playing with Microsoft Passport Key Storage Provider – protect user VPN certificates with Windows Hello for Business? • Dániel Kovács
🖥️ Devices
Cleaning up inactive Intune and Entra ID devices • Torbjorn Granheden
Entra ID Group for Intune Devices enrolled after a given date • Michael Meier
📈 Reporting and Insights
Export Microsoft 365 Users’ Self-Service Password Reset (SSPR) Status Reports • Office 365 Reports
Tracking Licensing Costs for Microsoft 365 Tenants • Tony Redmond
Logging Into the Future: Smart Strategies for Storing Microsoft Entra Logs in Azure • Nathan Hutchinson
🥷 Security
The Most Dangerous Entra Role You’ve (Probably) Never Heard Of • Andy Robbins
👉 The post-AD Red Team Experience P1 • Eric Mannon
Updated: Adversary Simulation using Azure CLI and Microsoft Graph PowerShell • Edwin David (Root ♊)
Entra ID User Reconnaissance and how to Protect against Entra ID User Recon • Derk van der Woude
Checking Out Entra Identity Secure Score • Tony Redmond
New Teams Telephony Admin Role in Teams Admin Center • Daniel Bradley
Microsoft Azure’s hidden administrators • Rogier Dijkman
Ongoing Azure Compromises Target Senior Execs, Microsoft 365 Apps • Nate Nelson
♻️ Sync
How to disable Entra ID Connect Sync using MSGraph PowerShell • Matthew Levy
How to fix Microsoft Entra Connect Sync stopped-server-down error • Ali Tajran
How to Remove On-Premises Directory Synchronization Service Account • Ali Tajran
⚒️ Toolkit
Entra ID Security Config Analyzer - EIDSCA (V3) (New Release) • Thomas Naunheim, Markus Pitkäranta, Sami Lamppu
📺 Watch
Why Do You Need Microsoft Entra? Why Did You Need a Teacher at School? (1 min) • Jonathan Edwards
💳 Verified ID
Discover potential behind Verifiable Credentials and Microsoft Entra Verified ID (65 min) • Daniel Krzyczkowski
🖥️ Devices
How To Install AAD Tools & Enroll Ubuntu 23.10 With Entra ID (5 min) • Top Bird
🚦 Conditional Access
Using Custom Authentication Strengths in Entra Conditional Access Policies (1 min) • Peter Rising
How to Configure a Conditional Access Policy for AVD (13 min) • Travis Roberts
Advanced Conditional Access Policies for AVD (17 min) • Travis Roberts
🥷 Security
The Ultimate Guide to Securing Microsoft 365! (35 min) • Andy Malone
Lock Down Your Microsoft 365: Your Essential Security Policies (22 min) • Jonathan Edwards
How to Send Entra ID Logs to Log Analytics (9 min) • Travis Roberts
🤖 Automation & DevOps
Streamlining Entra ID Group Membership with Terraform: Count to For_Each (26 min) • Mark Tinderholt
Setting Entra ID Group Owners in Terraform: Merging Client Config and Input Variables (10 min) • Mark Tinderholt
Entra ID Group Magic Unleashed: Terraform Your Way from Email to Group Member in Minutes! 🧙‍♂️✨🚀 (7 min) • Mark Tinderholt
Deploy Graph X Ray Edge Browser Extension | How to install Edge Browser Add-ons using Intune (3 min) • Chander Mani Pandey
👨🏽‍💻 Merill’s corner
→ Microsoft Entra Workload ID
Did you know that Microsoft Entra Workload ID Premium has some neat recommendations to lifecycle manage your service principals and applications?
✅ Remove unused applications
✅ Remove unused credentials from applications
✅ Renew expiring application credentials
✅ Renew expiring service principal credentials
Learn more about Microsoft Entra recommendations
PS there are quite a few recommendations in the free tier too...
→ Changes to FIDO2 & Windows Hello for Business
Quick heads up folks! Windows Hello ➡️ Face, fingerprint, PIN or security key
'Sign in with Windows Hello or security key' is changing to 'Face, fingerprint, PIN or security key' and rolling out mid-Feb (now!)
Time to update your docs and let your help desk know about this change.
Read the message center post for more info
→ Remove all credentials from a Service Principal
Here's a script to bookmark and keep in your back pocket for use in case of emergency. Hopefully you never have an emergency that needs this script.
When Solorigate (SolarWinds) happened, admins had to scramble to bulk remove illicit credentials from the impacted service principals in a hurry 🙀
If the illicit credential was created in an app, you can do the same but call Update-MgApplication instead.
You can also be selective and remove just selected creds from the collection.
As always, it's available at aka.ms/GraphSamples
🪃 Acknowledgement of Country
Entra.News is created on Wurundjeri land and acknowledges the traditional owners of country throughout Australia, recognising their continuing connection to land, water and community. I pay my respect to them and their cultures and to elders both past and present.