
Domainless SAML federation in Microsoft Entra External ID

  • Entra
  • 4 min read

If you’ve ever set up direct federation with a SAML Identity Provider in Microsoft Entra External ID, you’ll know the pain. You configure everything correctly, invite a guest user, and then they hit a cryptic error at sign-in: AADSTS5000819: SAML Assertion is invalid. Email address claim is missing or does not match domain from an external realm. The root cause? Traditional SAML federation in Entra requires the domain in the user’s email claim to match the domain you’ve associated with… 

Use Device Code Flow to register a passkey in Microsoft Authenticator App

The other day, I was doing some research in my lab, and had to register a new passkey a couple of times. At some point, I stumbled upon the device code flow in the Microsoft Authenticator app. I was aware of this flow, but I suddenly realized how easy it is to create a new passkey on a rogue/remote device, using social engineering. One more reason to block it! Here is the flow. I’ll add a new work or school… 

Entra ID Governance – View approver information for pending requests

  • Entra
  • 2 min read

A new feature in Entra ID Governance was introduced and enabled by default. When users request an access package and approval is needed, they can now see the name and email of the approver. This can be set on the tenant level and is enabled by default. If checked, all members (excluding guests) will see their approvers’ name and email address on their pending access package requests in My Access. This setting applies to all access packages but can be… 

Configurable token lifetimes in Entra ID

Today, a quick post about setting up token lifetime policies in Entra ID. In some use cases, organizations require a short access token for highly privileged apps or resources. That said, this is probably NOT needed for the typical apps we all use day-to-day. With Entra token lifetime policies, you are able to manage the token lifetime of access tokens, SAML tokens, and ID tokens. It’s important to understand that it does not apply to refresh and session tokens. So, if… 

Your service principals probably don’t need secrets

Application policies in Entra have been around for a while now to manage the use of secrets, but I don’t see many folks using them. It’s probably because secrets are still widely used, and an unlimited lifetime for secrets results in less yelling from developers. Everyone’s happy. Yet, attackers love secrets and use them all the time. In obvious places, like app registrations, but also on service principals, where you don’t expect them. You cannot see or add them in… 

Block or limit multi-tenant and consumer applications in Entra ID

Two new policies have been added to the recently introduced Application Policies in Entra ID! Admins can now restrict or block multi-tenant applications, and applications that support consumer sign-in (personal Microsoft accounts). Looking closer, we now have two options added to the blade: Block multitenant applications – Policy that blocks new multitenant applications, and prevents existing applications from switching to multitenant; Block consumer account applications – Policy blocking applications from targeting personal Microsoft accounts unless exempted or created before the specified… 

KB – Entra Private Access Session persistence

This is a knowledge base item. I hope it will help you someday. When working with Entra Private Access, some applications are not happy with multiple private connectors and require session persistence. As recommended here, there are a few options to fix this: Option 1: Base the session persistence on a session cookie set by the load balancer. This option is recommended because it allows the load to be spread more evenly among the back-end servers. It requires a layer… 

Conditional Access Optimization Agent knowledge base

Y’all know this song by the Beatles, right? What would you think if I sang out of tune? Would you stand up and walk out on me? Lend me your ears, and I’ll sing you a song, and I’ll try not to sing out of key. Oh, I get by with a little help from my friends. Mmm, I get high with a little help from my friends. Ooh, I’m gonna try with a little help from my friends. That song popped into my head… 

How to get better with Graph API – Part one

  • Entra
  • 5 min read

As you might know, Graph API is an important part of Microsoft 365. Most, if not all, of what you see in the Entra admin center or Microsoft Admin portal is pulled from the Graph API. Every button you click pulls data from or pushes data to the Graph API. An easy way to get to know the Graph API is to use your browser’s developer tools. Using the Network tab, you can spot any call to the Graph API.… 

What admins can learn from the new Entra ID Groups Insights blade

  • Entra
  • 3 min read

Microsoft released a new overview in Entra ID: Entra ID Groups Insights. Currently in preview, it has some limitations, but what caught my attention is the new Graph API endpoint that this report is using: beta/reports/identityAnalytics/groups There is a ton of valuable info in there, so apart from the UX report, you can build great custom reports using this data. Let me show you how I found these in the first place: In your browser’s DevTools, open the Network tab,…