Microsoft Azure AD

Author: b | 2025-04-25


Azure AD reporting and monitoring Azure Active Directory reporting and monitoring: Microsoft Entra reporting and monitoring: Azure AD role Azure Active Directory role: Microsoft Entra role: Azure AD schema Azure Active Directory schema: Microsoft Entra schema: Azure AD Seamless single sign-on (SSO)


Microsoft Office 365 / Azure AD

Can find a comparison of Azure AD editions on Microsoft’s website here.

But you should note that the free edition of Azure AD doesn’t include all the features of Azure AD Join. To get the features listed below, you’ll need Azure AD P1 or P2 licenses:

- Mobile Device Management (MDM) autoenrollment
- Local admin policy customization
- Self-service BitLocker recovery
- Enterprise state roaming (ESR)

The account I was using to join Windows 10 to Azure AD was assigned a Microsoft 365 Business Standard license. That means there is no Microsoft Intune license included with the Microsoft 365 subscription. To get Intune, which is Microsoft’s MDM service, I would need to either license Intune separately or upgrade to a Microsoft 365 Business Premium license. Nevertheless, I should be able to perform an Azure AD join using a Microsoft 365 Business Standard account.

Disable MDM autoenrollment

After some digging around on the Internet, I found that the issue is likely connected to MDM autoenrollment. As the Microsoft 365 Business Standard account isn’t licensed for Intune, Azure AD join fails because the account is enabled for MDM autoenrollment.

The solution is to disable MDM autoenrollment for the account, or all accounts, in the Azure AD tenant. But hold up. Without an Azure AD P1 or P2 license, there is no access to modify MDM autoenrollment settings.

This led me to call Microsoft support. I was advised to assign a trial Azure AD Premium license to an account and turn off MDM autoenrollment. So, that’s what I did. And hey presto, I was able to join the Windows 10 device to Azure AD with no errors. To be clear, the work or school account used to join Windows 10 to Azure AD does not need an Azure AD Premium license. The license is only required to modify the MDM enrollment settings.

To disable MDM autoenrollment, follow these

Article 08/17/2024

This article provides answers to frequently asked questions about migrating from Azure Active Directory (Azure AD) Graph to Microsoft Graph.

Azure AD Graph offers access to only Microsoft Entra ID (formerly Azure AD) services. Microsoft Graph offers a single unified endpoint to access Microsoft Entra identity and network access family of services and other Microsoft services such as Microsoft Teams, Microsoft Exchange, Microsoft Intune, and much more.

Microsoft Graph is also more secure and resilient than Azure AD Graph. For this reason, Azure AD Graph is currently in a phased retirement cycle as we move all investments to Microsoft Graph. Migrate to Microsoft Graph to avoid loss of existing functionality and to access new features and capabilities.

Follow these steps to identify apps with a dependency on Azure AD Graph:

Option 1: Check the Microsoft Entra recommendations

Sign in to an API client such as Graph Explorer with the required permissions and roles to view Microsoft Entra ID recommendations. Run the List recommendations Microsoft Graph API to retrieve the list of apps and service principals that use Azure AD Graph.

Option 2: Use the appId of the app to identify its API permissions

Step 1: Scan the application source code

If you own an application's source code, search for the URI in the code. This value is the Azure AD Graph endpoint and apps that call this endpoint

Adding Microsoft Azure Cloud Monitoring

Use Azure AD Graph. Record the value of the affected app's appId.

Step 2: Call the "Get application" API to read the app's API permissions

Sign in to an API client such as Graph Explorer with at least the Application Developer Microsoft Entra role and granted the Application.Read.All delegated permission.

Call the Get application API using the appId you retrieved in Step 1 and read the requiredResourceAccess property. The following properties show the permission details:

- The requiredResourceAccess > resourceAppId property has the ID 00000002-0000-0000-c000-000000000000 for Azure AD Graph.
- The requiredResourceAccess > resourceAccess property lists the ID and type of Azure AD Graph permissions the app uses. Use the Permissions differences between Azure AD Graph and Microsoft Graph mapping guide to know the Azure AD Graph permission names.

Use the following four methods to identify apps in your tenant with a dependency on Azure AD Graph. Methods 1 and 2 identify your apps that use Azure AD Graph based on the actual app activities, while methods 3 and 4 use static app configuration and consent status. You can combine these methods to find apps that have a dependency on Azure AD Graph.

Method 1: Through network proxy logs

Check your network server traffic logs through a filter proxy for any apps calling the endpoint. These apps use Azure AD Graph.

Method 2: Check the Microsoft Entra recommendations

Sign in to the Microsoft Entra admin center with privileges to view Microsoft Entra ID recommendations. The following least privileged roles are supported for this operation: Reports Reader, Security Reader, and Global Reader.

Expand.
Symantec VIP Integration Guide for Microsoft Azure

Integrating Microsoft Azure AD with Symantec VIP

Integrating Microsoft Azure AD with Symantec VIP requires two steps: Adding

Azure AD limitations - Microsoft Q&A

Since Microsoft Ignite in November 2021, Azure Sentinel is called Microsoft Sentinel.

In this article, we will share with you how to monitor Microsoft Entra ID (formerly Azure AD) emergency accounts, also known as break glass accounts, with Microsoft Sentinel.

Introduction

Microsoft Sentinel is a cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

The cloud environment needs emergency accounts, also known as break glass accounts, to build a resilient environment. These accounts should only be used when a regular admin cannot sign in – break glass accounts must be guarded heavily.

In this article, we will walk you through how to create an analytic rule in Microsoft Sentinel that will trigger an alert when an emergency (break glass) account is used and automatically run a security playbook to inform the organization’s Security Operation Center (SOC) team.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2) Log Analytics workspace – To create a new workspace, follow the instructions here Create a Log Analytics workspace.
3) Microsoft Sentinel – To enable Microsoft Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days, follow the instructions here.
4) Connect data from Azure Active Directory (Azure AD) to Azure Sentinel. Please note that to export sign-in data, you need to have an Azure AD P1 or P2 license. If you don’t have a P1 or P2, you can sign up for a Free Trial here. As a side note, the Microsoft documentation says here that any Azure AD license (Free/O365/P1/P2) is sufficient to ingest sign-in logs into Azure Sentinel. This is not correct: you cannot ingest sign-in logs with Azure AD Free or Office 365, and you need to have P1 or P2.
5) Emergency account created in Azure AD. Microsoft recommends having at least two emergency accounts. In this example, we have only one account. Please check the Microsoft documentation regarding setting up emergency accounts in your environment. Once the emergency account is created, you need to copy the Object ID as shown in the figure below. We need to use the Object ID in the next step.

Please note that if you just upgraded the Azure AD tenant license from Free to a P1 or P2 premium license, you need to wait a couple of days until the Sign-in Logs table is created in the Log Analytics workspace. This latency has been confirmed by the Azure Active Directory team.

Create an analytic rule

Assuming you have all the

Windows 10 devices can be registered or joined (connected) to Azure Active Directory (recently renamed Microsoft Entra ID) domains. But not for the first time, I’ve come across a problem when trying to connect a device to Azure AD. In this article, I’ll show you how to solve the Invalid_Client error when joining Windows 10 to Azure AD.

There are two ways that you can join Windows 10 to Azure AD. The first is during the OOBE phase of Windows 10 setup. If you are installing Windows 10 Enterprise, by default you are prompted to enter a Microsoft work or school account with which you join the device to Azure AD. Secondly, a device can be joined to Azure AD in the Access work or school section of Accounts in the Windows 10 Settings app.

Both methods were throwing the same error:

‘Something went wrong.’ Looks like we can’t connect to the URL for your organization’s MDM terms of use. Try again, or contact your system administrator with the problem information from this page.
Error: invalid_client Description: failed%20to%20authenticate%20user.

Image #1: How to Solve Invalid_Client Error When Joining Windows 10 to Azure AD (Image Credit: Russell Smith)

There are a few items you need to check when dealing with this kind of error. The first is that the user account has the necessary rights to join Windows 10 to Azure AD. There’s a setting in Azure AD which controls whether users can join devices to Azure AD and how many devices they can join. For more information on that setting, check out Join Windows 10 to Azure Active Directory During OOBE on Petri.

Azure Active Directory Licensing

Next on the list is licensing. Microsoft 365 and Office 365 subscriptions include the free edition of Azure AD, which supports Azure AD Join and many other features. You

Microsoft Azure AD Assessment - GitHub

Splashtop supports logging into my.splashtop.com and Splashtop Business app using the same credentials as your SAML 2.0 identity provider. Please follow the below instructions to get the app from Microsoft Entra ID/Azure AD console.

Get the app on Microsoft Entra ID/Azure AD console

1. Log in to the Azure AD console. Select Enterprise applications.
2. Click "+ New application".
3. Search Splashtop from the gallery then add.
5. After adding the app, select Set up single sign on, then select SAML.
6. Edit Basic SAML configuration.
   Identifier (Entity ID):
   Reply URL (Assertion Consumer Service URL):
   Sign on URL:
   (There are patterns under each of the three fields which you can copy then paste to the corresponding fields.)
   Leave others without changes.
7. Edit User Attributes & Claims.
   Unique User Identifier: Keep the default value "user.userprincipalname", or modify it to the attribute you use to match the user's email address to their Splashtop account, such as "user.mail". Ensure the selected attribute corresponds to the email address associated with the user's Splashtop account. (The value has to be the email address associated with the Splashtop account.)
8. Done!

***For JIT provisioning, please add a group claim:

1. In the set up SSO app on Microsoft Entra ID/Azure AD, go to Single sign-on page.
2. On the Attributes Claims block, click Edit.
3. On the Edit page, click Add a group claim.
4. On the Group Claims setup, select Security Groups.
5. Click Save.
6. Done!

Add user/group to the created app

Click Add user/group to add users to the created enterprise application so the user can use the SSO feature.

Apply for an SSO method from my.splashtop.com

Now you have the Login URL, Microsoft Entra ID/Azure AD Identifier, and Download Certificate (Base64). Please follow the below instructions to insert the info on our web portal (my.splashtop.com) to apply for enabling the SSO with Microsoft Entra ID/Azure AD.

downloading Certificate (Base64), please edit the cert file with a text editor, then copy the contents to insert on my.splashtop.com.

Additional Resources:

Microsoft Tutorial: Microsoft Entra single sign-on (SSO) integration with Splashtop

If interested you can provision with SCIM for Microsoft Entra ID/Azure AD. See this article: Provisioning setup - Microsoft Entra ID/Azure AD (SCIM)

Microsoft Azure AD Connect will not install

The deprecation.

To migrate your apps from Azure AD Graph to Microsoft Graph, follow the App migration planning checklist.

First, confirm the full list of apps owned by your tenant or third-party applications integrated in your tenant.

- Sign in to the Microsoft Entra admin center as at least a cloud application administrator.
- Expand the Identity menu > select Applications
- If the apps are registered in your tenant, select App registrations. If the apps are multitenant apps that you consented to in your tenant but are homed in another tenant, select Enterprise applications.
- Select the All Applications tab.
- Select the app to reveal its menu.
- From the left pane of the window, under the Manage group, select the Owners menu.

My organization runs Azure Stack Hub. What actions should I take?

If your organization runs Azure Stack Hub, the most important action is to follow the Azure Stack Hub servicing policy.

To migrate, customers are notified through the Azure Stack Hub admin portal to update their home and guest tenant directories. The migration to Microsoft Graph is managed through the integrated system update experience.

First, we recommend that you follow the App migration planning checklist to help you transition your apps to the Microsoft Graph API.

If you've identified a gap where Microsoft Graph doesn't support a feature available in Azure AD Graph, let us know through Microsoft Q&A by using the tag azure-ad-graph-deprecation.

If you still need to configure Azure AD Graph permissions for your applications, use one of the following workarounds.

Use the Microsoft Entra admin center to find the APIs your organization uses.

Update.

Azure AD Attributes - Microsoft Q&A

Authentication for your Microsoft 365 connection, which is the best approach, and click Next.

Figure: Setting Microsoft 365 Connection Settings

4. Now, choose the Register a new Azure AD application automatically option to let Veeam create the Azure AD Applications.

Figure: Letting Veeam Create the Azure AD Applications

5. Name the Azure AD application as you like, and click on Install to select a certificate for the application. For this tutorial, the application’s name is App-Veeam. Remember that the name will not show up in your Azure AD tenant.

Figure: Naming the Azure AD Application

6. Next, choose the Generate a new self-signed certificate option, and click Next. This option tells Veeam to create an appropriate self-signed certificate.

Figure: Selecting Certificate Type

7. Name the certificate after the Azure AD Application associated with it, and click on Finish. Veeam will install the certificate in your local machine store and register the public key with the Azure AD Application for you.

Figure: Naming the Certificate

8. After adding a certificate, click Next to start authenticating with Azure AD.

Figure: Confirming Added Certificate

9. Click on the Copy code, and click on the device login hyperlink, as shown below. A login page opens on your web browser where you’ll be asked for authentication (step nine).

Figure: Initializing Authorizing Veeam’s Connection Request

10. Click Continue on the access login page, like the one below, to authorize Veeam’s connection request with the Azure CLI.

Figure: Authorizing Veeam’s Connection Request

11. Once authorized, click on Next after seeing the authentication success message, as shown below.

Figure: Confirming Authentication

12. Lastly, click on Finish once Veeam completes performing multiple checks on your tenant, configure the
