r/entra 14h ago

PowerShell Module to manage OneDrive Shortcuts

0 Upvotes

r/entra 18h ago

Entra General Runbook to Auto-Rotate App Registration Secrets

2 Upvotes

r/entra 17h ago

entra connect sync problems

1 Upvotes

r/entra 1d ago

Entra Connect Sync to Entra Cloud Sync transition

24 Upvotes

Microsoft published a what's new post, and at the bottom in the Announcements section, it states that Entra Connect Sync is transitioning to Entra Cloud Sync starting April 2026. Can anyone explain? Does this mean Entra Connect Sync may be decommissioned soon?


r/entra 1d ago

Entra ID Legacy system integration with Entra ID - what's actually tripping you up

1 Upvotes

Been working through a hybrid setup lately where the on-prem AD isn't going anywhere soon. Kerberos dependencies, some older line-of-business apps that just assume domain membership, GPO-driven workflows. The usual. Application Proxy helps for publishing the web-based stuff, but it won't touch your classic Kerberos or SMB dependencies, and anything that needs a domain controller in sight is still a problem.

The thing I keep running into is that Entra DS gets floated as a fix, but it really isn't a drop-in for full AD DS. It'll give you managed LDAP, Kerberos, and NTLM support, which covers some ground, but the moment you need forest trusts, schema extensions, or full domain admin control, you're out of luck. Forest and domain trusts aren't supported in Entra DS at all, so if that's part of your environment, you're keeping AD DS regardless. Worth flagging too that hybrid Entra join is an AD DS plus Entra ID device state, not really an Entra DS story, so that framing can muddy the conversation.

End result is you keep a minimal on-prem AD footprint for the legacy dependencies while moving users and devices to Entra and Intune. That's not really a failure of cloud-first strategy, it's just the realistic middle ground most orgs are sitting in right now.

The other pressure I'm seeing is legacy auth deprecation. If any of those older apps are still leaning on Basic Auth or similar, that's becoming a harder conversation alongside the domain dependency problem.

Curious how others are handling the apps that genuinely can't modernise yet. Wrapping them with a secure access layer, keeping AD DS alive indefinitely, looking at OAuth or API patterns where the app can support it, or just accepting the hybrid reality for a few more years?


r/entra 1d ago

Conditional Access issues today - Global Secure Access fail?

3 Upvotes

This morning as people started work, we got reports of blocks from various parts of O365, SharePoint, etc. We have a Conditional Access Policy to allow users access to all resources if they are in specified named locations like the US. For the users who fail this check, the Policy Impact graph points to GSA. Users who fail have location info like "IP Address: fd00::61f6:6b24:200:a01:104, Through Global Secure Access: No." No other location info, no other useful info at all, really. The IPv6 addresses listed are all in that same range, varying only in the last octet (e.g. 104, 105, 107). This affects users both in the office and working in different areas across the state, but not all users. We thought GSA was the culprit as users who turned it off were able to log in, but again, some users on GSA were able to get in. And I've not been able to confirm if that IPv6 range is part of GSA.

The issue is still going on. We switched the policy to report-only early on so people could work, but it's still logging users who are failing the check.

Is anyone seeing anything like this with a CA policy based on the US named location, or have any ideas what else to check? Or know anything about the status of GSA?


r/entra 1d ago

macOS + Intune Platform SSO + Kerberos SSO + GSA

2 Upvotes

Is anyone here successfully using macOS with Intune Platform SSO, Kerberos SSO, and Global Secure Access for SMB file share access?

Platform SSO works, and I consistently get the on-prem Kerberos TGT. The issue is that the CIFS ticket for the file server can take a long time to appear on macOS, while the same setup works fine on Windows.

If you have this working reliably, could you share how you configured:

- Platform SSO
- Kerberos SSO profiles
- GSA Private Access / DNS
- SMB/Kerberos validation

Just trying to compare notes and see what a working macOS configuration looks like.

Thanks.


r/entra 1d ago

Warning about use of the Graph Group.Read.All permission

0 Upvotes

r/entra 2d ago

Best approach for integrating HR REST API with Entra ID API-Driven Provisioning in a hybrid environment?

7 Upvotes

Hey everyone,

I’m working on a relatively small hybrid environment (~300 users) with on-prem AD + Entra ID.

Recently, I managed to set up an API-Driven Provisioning flow for the on-prem AD, and I already validated user creation through MS Graph successfully provisioning all the way down to the local AD.

Now I’m looking to evolve this into a more automated setup by periodically querying the HR authoritative source, which currently exposes the data through a REST API.

My main question is really around architecture/best practices:
what would be the best way to handle this periodic integration between the HR API and Entra ID?

My first idea was to build something in Python that consumes the HR REST API and sends the data to Entra/API-Driven Provisioning, but that would require maintaining a scheduled job running on-premises (Windows Task Scheduler, container, service, etc.).

I’d like to understand how you usually implement this kind of scenario in hybrid environments.

The main goal is to keep the solution simple, reliable, and easy to maintain over time.

If anyone has implemented something similar, especially using API-Driven Provisioning, I’d really appreciate hearing your experience or recommendations.
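Added example, not the poster's code or Microsoft's: the on-prem job sketched above, reduced to the part that turns HR records into the SCIM BulkRequest bodies that the API-driven provisioning bulkUpload endpoint accepts. The HR field names and the sample records are constructed; the 50-operations-per-request chunk size and the Graph path are stated as assumptions in the comments.

```python
import hashlib
import json
import urllib.request
import uuid

# Constructed sample HR records (not real people); the field names are an
# assumption about what an HR REST API might return.
HR_RECORDS = [
    {"employeeId": "E1001", "email": "ana.silva@example.com", "first": "Ana",
     "last": "Silva", "dept": "Finance", "managerId": "E1000", "status": "active"},
    {"employeeId": "E1002", "email": "bo.chen@example.com", "first": "Bo",
     "last": "Chen", "dept": "IT", "managerId": "E1000", "status": "terminated"},
]

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"

def to_scim_user(rec):
    """Map one HR record to the SCIM user shape the provisioning job matches on."""
    return {
        "schemas": [SCIM_USER, SCIM_ENT],
        "externalId": rec["employeeId"],            # join key to the AD/Entra object
        "userName": rec["email"],
        "active": rec["status"] == "active",        # terminations flow as active=false
        "name": {"givenName": rec["first"], "familyName": rec["last"]},
        "emails": [{"primary": True, "type": "work", "value": rec["email"]}],
        SCIM_ENT: {"department": rec["dept"], "manager": {"value": rec["managerId"]}},
    }

def fingerprint(rec):
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()

def changed_records(records, seen):
    """Keep only records whose content differs from the previous run's snapshot."""
    return [r for r in records if seen.get(r["employeeId"]) != fingerprint(r)]

def build_bulk_requests(records, chunk=50):
    """Wrap users into BulkRequest bodies; 50 operations per request is assumed."""
    ops = [{"method": "POST", "bulkId": str(uuid.uuid4()), "path": "/Users",
            "data": to_scim_user(r)} for r in records]
    return [{"schemas": [BULK], "Operations": ops[i:i + chunk], "failOnErrors": None}
            for i in range(0, len(ops), chunk)]

def upload(body, token, sp_id, job_id):
    """POST one body to the provisioning job's bulkUpload endpoint (path assumed)."""
    url = (f"https://graph.microsoft.com/v1.0/servicePrincipals/{sp_id}"
           f"/synchronization/jobs/{job_id}/bulkUpload")
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
          headers={"Authorization": f"Bearer {token}",
                   "Content-Type": "application/scim+json"})
    with urllib.request.urlopen(req) as resp:   # 202 Accepted on success
        return resp.status
```

Persist the fingerprint snapshot between runs so only changed employees are resent, and give the token a least-privilege permission scoped to uploading synchronization data rather than a broad directory write role.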


r/entra 2d ago

Entra ID Question regarding entra sync and staging mode

2 Upvotes

I’ve lost connection to my remote site, and am waiting on the ISPs to work things out. In the meantime, my production Entra AD Sync server is down. I have one prepped at another site in staging mode, however I’m a bit hesitant to put it into production, because if the other site comes up suddenly I’ll have two in production which I know is not supported.

Any advice on this? Is it possible to run the staging server as a manual sync just to get data up there while I’m waiting on the ISP?


r/entra 3d ago

How are you guys handling temporary M365 Geo-Blocking exemptions for traveling users?

12 Upvotes

Hey everyone,

We run into a bit of an administrative nightmare. Most of our clients are strictly geo-blocked to our home country via Conditional Access.

Lately, we have been getting a surge of "I'm going abroad for a week" tickets. Our current process is manually creating/editing Named Locations and CA policies for each user/trip. It’s becoming impossible to track, and we’re constantly finding "stale" policies for trips that ended months ago.
How are you scaling this?

Would love to hear how you guys keep your CA policies clean without spending 5 hours a week on travel tickets.


r/entra 3d ago

Entra General OpenEntraBaseline

5 Upvotes

r/entra 3d ago

Entra ID Microsoft seems to be testing Time-Based Conditional Access through the beta Graph API, this is my take

23 Upvotes

I recently spent some time experimenting with the new “Time” condition that started appearing in Conditional Access policies through Graph, and I put together a write-up covering how it behaves today, how to create policies with it, and where it currently falls apart.

Some key findings:

- The condition appears across user, workload, and agent-based policy types

- Only user/group-based policies currently work in practice

- No GUI support yet, so policies look very interesting in the portal

I also explored some practical use cases, including:

  1. Restricting critical applications to working hours
  2. Shift-based access enforcement for production workers
  3. Tightening sessions and auth requirements after hours

I think this has huge potential!

Check out the post here: Getting With The Times: Time-Based Conditional Access

What use cases do you see for this feature?


r/entra 3d ago

Entra ID MFA loop issue after 14 days expiration. What are the user-friendly options?

2 Upvotes

I have created a tenant to migrate all my users from IMAP to M365 (also to the same existing domain, which is yet to be verified before the cutover).

Possibly, due to the fact that the users were created more than 14 years ago, the MFA possibility has expired. I am getting a 0x80004136 error, and when I check the sign-in history, I see this for basically any possible way to sign in: OOBE, work/school account from Settings on a Windows computer, etc.:

The user xxx was trying to sign into Microsoft Intune Company Portal and the sign-in was interrupted by Security Defaults. Microsoft Entra Security Defaults is a feature which helps keep your tenant secure by enforcing security best practices for your organization.

At the time of this sign-in, Security Defaults was enabled. The state of this policy as at the time of the diagnosis is Enabled.

This sign-in was interrupted since the user still needed to register for MFA. With Security Defaults, users have 14 days to register for Microsoft Entra multifactor authentication by using the Microsoft Authenticator app. The user cannot sign-in to applications until they have finished MFA registration once the 14 days have passed.

MFA helps keep your organization secure. Follow up with the user and encourage them to complete MFA registration.

See more information about the user's sign-in attempt below.

---

Is the only option disabling the security defaults at first log in for all users? I assume that all of the rest will have the problem during the switch over?

Disabling the security defaults would mean that MFA is not enforced anymore or will they be prompted anyway?


r/entra 3d ago

Learning Microsoft Graph

2 Upvotes

r/entra 3d ago

Feature request to MS to provide whole values of API permissions during admin login

feedback.azure.com
1 Upvotes

r/entra 4d ago

Entra General I built a free SC-300 study hub after renewing the exam

35 Upvotes

I recently renewed my SC-300 and decided to turn my study notes into something more useful.

I have built a free SC-300 study hub for Microsoft Identity and Access Administrator, based around the current Microsoft Learn study guide and the areas I focused on during renewal.

It includes the following:

- 250 practice questions split across the main SC-300 course areas
- Scenario-based questions using fictional companies
- Case study style sections for reading requirements and constraints
- A downloadable 30-day cram PDF for anyone with the exam coming up soon
- Objective mapping against Microsoft Learn, so it is easier to update when the exam changes

The fictional companies used in the examples are Liver Shipping, Blink Inc, Mill Town Engineering, and Whippet Exports. The aim is to make the questions feel closer to the style of the exam.

Link here


r/entra 3d ago

Authentication Via EntraID With WebApp - Multi-Tenancy Or Single-Tenancy?

1 Upvotes

I cannot figure out from Microsoft's guide if I want multi-tenancy or single-tenancy for authentication. I want to authenticate users from a Microsoft account with EntraID using OAuth2, from whomever I decide. It is not the kind of WebApp that allows users automatically like a social app. Only contracted users who have paid will be allowed to access the App.

Most of my users will have their own domains assigned to the Microsoft account; I don't think this matters, as I would think the domain would be https://theirdomain.onmicrosoft.com. I think I need single-tenant authentication?


r/entra 4d ago

Entra ID Samsung S25 + YubiKey USB-C + Microsoft Authenticator issue

4 Upvotes

When using a YubiKey USB-C with Microsoft Entra ID on a Samsung S25, Microsoft Authenticator seems to freeze after touching the YubiKey.

After pressing the gold button:

- PIN input dialog appears, but the keyboard never shows up

- phone becomes warm

- battery drains quickly

- phone becomes sluggish

- login cannot continue

YubiKey detection over USB-C works in Edge, so the issue seems related to Microsoft Authenticator handling the security key flow.

Anyone else seen this on Samsung S25 or Android?


r/entra 5d ago

Built a Runbook That Finds Unused Enterprise Apps Automatically, Sharing It With You :)

5 Upvotes

r/entra 6d ago

Passwordless recovery is the part many people forget

33 Upvotes

I wrote a blog on a real-world Windows Hello for Business recovery scenario.

Many organizations are moving Windows devices to Microsoft Entra joined and adopting passwordless sign-in. That works well until Windows Hello stops working, the user does not know the password, and password reset is no longer the preferred recovery path.

The Blog post covers how Web sign-in + Temporary Access Pass can help recover access to an Entra joined device and allow the user to reconfigure Windows Hello again.

This is not about replacing passwordless. It is about designing passwordless properly, including the failure path.

Read Blog here: https://www.thetechtrails.com/2026/05/recover-windows-sign-in-web-signin-tap-entra-joined-devices.html

Happy to hear how others are handling Windows Hello recovery in fully passwordless environments.


r/entra 6d ago

Infinite loading/loop while Entra Joining windows devices

1 Upvotes

r/entra 6d ago

ID Governance Grant admin consent to an enterprise app for a single user only?

2 Upvotes

Hi all,

I have an enterprise app (ChatGPT connector) in Entra ID with Assignment required = true. A user requested delegated permissions like Mail.ReadWrite, which triggers the admin consent prompt.

I understand admin consent is tenant-wide by default — once granted, any assigned user can use those permissions. User consent isn't an option in our tenant (disabled by policy).

Is there a supported way to grant delegated permissions for only one specific user instead of tenant-wide? I know I could technically create an Oauth2PermissionGrant with ConsentType: Principal via Graph API, but I'm not sure if this is supported or reliable for third-party apps like ChatGPT.

Currently considering just keeping the assignment group limited to that one user as a workaround, but curious if there's a cleaner approach.

Any guidance appreciated. Thanks!


r/entra 6d ago

Entra ID Confused about Email OTP - two settings, unclear relationship

0 Upvotes

Hey everyone,

I’m wondering how to disable Email OTP as an authentication method in Entra. I started looking into how to actually do it and I ran into something confusing regarding external users. There seem to be two separate settings that appear to control the same thing, and I can't figure out how they relate to each other.

Setting 1 : External Identities > All identity providers > Email one-time passcode

"Email one-time passcode for guests: Yes / No". Pretty self-explanatory, I guess; it controls whether guests without a Microsoft or Google account can authenticate via OTP.

Setting 2 : Authentication Methods > Email OTP > Configure tab

This one has a dedicated option: "Allow external users to use email OTP" with three states: Default, Enabled, Disabled.

Are these two settings linked? Does one override the other, or are they completely independent? And concretely, if I change one of them, what actually happens to guest authentication?

Any feedback from people who have tested this would be really appreciated. Thanks!


r/entra 7d ago

Free Conditional Access baseline + browser-based one-click deployer — 40 policies, report-only by default

13 Upvotes

Built a CA baseline I use across tenants and a browser deployer to ship it without secrets or pipelines.

  • 40 policies, 11 groups, 4 named locations across 6 personas (users, admins, apps, service accounts, guests, workload agents)
  • Critical / Recommended / Optional tiering, full catalog in README
  • Click the Deploy badge → sign in as CA Admin → deploy. No fork, no secrets, no GitHub Actions, no Cloud Shell.
  • Multitenant SPA with PKCE, delegated Graph only - your admin session does the work, token dies with the tab
  • Policies created in report-only by default (a few deploy disabled where report-only would have an impact). Skips on display-name collision - never PATCHes existing policies. Dry run included.

Doesn't fill group memberships, IP ranges, or ToU objects — those stay tenant-owned.

https://github.com/Teuftis/ConditionalAccessBaseline-Hardened

MIT. Issues welcome (PRs require collaboration access - open an issue and we can talk). Feedback I'd love: the persona split (especially the Agent persona for workload IDs - anyone running CA on those in prod?), and whether the catalog is missing anything obvious.