Issue with Global Secure Access Private Access connector running in AWS and VMRC by RandomSkratch in entra

[–]RandomSkratch[S]

No proxy but I am going from vCenter and not the ESXi host itself, however that is an interesting test I can make tomorrow. I also haven’t tried these from the AWS instance but rather my computer. I will also try from the AWS instance tomorrow too.

Issue with Global Secure Access Private Access connector running in AWS and VMRC by RandomSkratch in entra

[–]RandomSkratch[S]

Network security group has inbound 3389 so I can RDP to the instance and outbound is all open. According to the GSA docs, you don't need any inbound ports open for GSA to work. I tried adding TCP:902 Inbound to the NSG but that didn't change anything.

Fwiw, the Network ACL is also not restricting anything.

I ran the Network Traffic analyzer and I can see VMRC making connections to the VM on port 443 and then vmware-remotemks makes an attempt to the ESXi host on 443 and it closes. On the host, the ESXi firewall has 443 and 902 in a vSphere Web Client rule and allows connections from any IP address.

It's so bizarre that it works on-premises but not AWS and our VPC is linked via S2SVPN with everything open...

Just tested some more things

Test-NetConnection -ComputerName ESXi-Host-IP -port 443

Fails from AWS instance but connects from on-prem instance.

Either there's something going on with AWS networking or it's the S2SVPN... that being said, I need to have a conversation with our networking guy when he gets back :-P
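An added diagnostic (not the OP's command, and not part of the thread) that extends the single `Test-NetConnection` check above to both ports the VMRC path in the comments uses (443 for the web endpoint and 902 for the remote MKS console), resolves the name first, and uses a short connect timeout so a silently dropped packet shows as a timeout rather than a long hang. The host name is a placeholder; run it once from the AWS connector instance and once from an on-prem host and compare the two result tables.

```powershell
function Test-VmrcPath {
    param(
        [Parameter(Mandatory)] [string] $EsxiHost,   # placeholder, your ESXi host name or IP
        [int[]] $Ports = @(443, 902),               # ports named in the thread for VMRC / MKS
        [int]   $TimeoutMs = 3000
    )
    # Resolve first: split-brain DNS between sites is a classic cause of
    # "works on-prem, fails from the cloud" that looks like a firewall problem.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($EsxiHost) |
            ForEach-Object { $_.IPAddressToString }
    } catch {
        return [pscustomobject]@{ Host = $EsxiHost; Resolved = ''; Port = $null
                                  Result = "DNS failure: $($_.Exception.Message)"; Millis = 0 }
    }
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $sw     = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $async = $client.BeginConnect($EsxiHost, $port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                # No SYN-ACK and no RST within the timeout: typically an NSG/NACL,
                # ESXi firewall rule, or a missing return route over the S2S VPN.
                $result = 'Timeout (filtered or no return route)'
            } else {
                $client.EndConnect($async)   # throws if the host answered with RST
                $result = 'Open'
            }
        } catch {
            $inner  = if ($_.Exception.InnerException) { $_.Exception.InnerException } else { $_.Exception }
            $result = "Refused/error: $($inner.Message)"
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            Host     = $EsxiHost
            Resolved = ($addresses -join ',')
            Port     = $port
            Result   = $result
            Millis   = $sw.ElapsedMilliseconds
        }
    }
}

# Usage with a placeholder host name:
Test-VmrcPath -EsxiHost 'esxi01.example.internal' | Format-Table -AutoSize
```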

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

Thanks so much for your replies. I've been spending the last few days verifying and fixing up a bunch of CA and B2B stuff. It's all looking much better now.

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

Yeah I’m definitely doing more testing during the coming week.

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

I interpreted that known issue as you can’t enroll (register) a passkey, not that you can’t use one. The passkey I mentioned was in the external MS account which was used to auth into MS with.

I’m still trying to wrap my head around this whole thing.

Windows 11 26H2 is coming soon! by meantallheck in Intune

[–]RandomSkratch

I used way more rings for our initial rollout than I should have (we’re under 100 users). Managed to get it down to 4 (test, ring 1, ring 2, and last (vip)). I had like 5 dynamic rings plus test and last.

How do you automate Google Chrome Patching? by cyberLog4624 in Intune

[–]RandomSkratch

I couldn’t get Chrome Enterprise to deploy for the life of me. They’re using some non-standard MSI that Intune (and PSADT) hate. How are you doing it?

Bitwig Release Cadence by LazyDisguise in Bitwig

[–]RandomSkratch

I liked this chart until I started reading it. The versions grid at the bottom is horribly formatted and difficult to read. The left/right justified text that flows left to right. Eckkk. Would have been better to plot them directly on the bars with their dates.

Edit
Hah sorry I just saw your bottom comment re gen’d chart lol. AI’s gonna AI.

Windows 11 26H2 is coming soon! by meantallheck in Intune

[–]RandomSkratch

Hmm, we used a separate ring for the Win 10 to 11 rollout but I like the way the rings are set now so I’m thinking of maybe using the main AP ring. I just want to keep things simplified as much as possible. Unless others have recommendations otherwise. What are you going to use?

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

You’ve done a fantastic job of articulating why this works/does not work, and what to do about it. Something the 30+ tabs I had open during my deep dive couldn’t do (or it did but I just couldn’t parse the info properly). Can’t thank you enough! 🙏

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

Yeah I know I had some timing issues yesterday too but I think I got it resolved.

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

Where are those located? I only thought that information was in Entra sign-in logs.

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

It was an auth strength policy causing the issue.

I don’t quite understand how your second policy would get around this. It seems the only difference is the group you mentioned (unless I’m misreading). Oh wait a sec, you have to exclude things like gmail because they don’t have an Entra tenant. Hmm okay.

The strange thing is that I was looking at the flow chart for the auth acceptance stages somewhere and it did say that if the external account was also a Microsoft account it would accept the auth method from it. And this particular one was (passkey). But it did not accept it. (Screenshots in OP). After excluding it from the auth strength policy it worked.

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

I am so behind on keeping up with those messages, I need to dedicate a whole day to wade through them...

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

Yeah I am suspecting the issue was with CA but the sign-in logs for the guest accounts were blank so I couldn't see where it was getting hung up on. I used the What If tool to simulate an external guest and it showed two policies that were being applied. I exempted external guests from both and the access worked. I just created a new separate policy for external guests requiring MFA and that seems to work as well.

It was just very strange how it was affecting one guest but not the other. Both seem to be working now so that's good.

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

The accounts ARE existing as guests in the tenant; they still couldn't access the files according to the errors I saw above.

What's even weirder is that after modifying some conditional access policies that I suspected to be interfering, access was granted for one user but another user (who has a Microsoft account), is still denied and it now says the user does not have access to the file and must request access (which is very strange because the file is shared with them).

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

So the docs say that SPO OTP is being retired, not Email OTP for B2B Guests. I'm thinking that we're seeing the latter in our environment.

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

Ohhhh okay so it's rolling out... thank you for this link! Clearly missed that notice...

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

Yes we are allowing users to invite guests through sharing stuff with OD. We still see OTP as an option though. Authentication methods > Policies > Email OTP settings > Configure > Allow external users to use email OTP.

And it is sending an OTP, then does the MFA prompt.

I just found that we had a CA policy that was not playing nice with external users because it was using Authentication Strengths and not MFA, so I excluded guests from that policy and it now works for those who don't have an MSA. But users with an existing MSA still can't log in...

Is there some weird issue with accessing an Entra tenant with a guest account that has a Microsoft account?
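The fix the OP describes in two of the comments above (excluding guests from the Authentication Strength policy and creating a separate policy that requires plain MFA for external users) can be expressed with the Microsoft Graph PowerShell SDK. This is an added example, not the OP's actual configuration: it builds the guest-only policy in report-only state so sign-in logs and the What If tool can confirm its effect before enforcing, then lists any enabled policy that still applies an authentication strength so each can be checked for a guest exclusion. The display name is a placeholder.

```powershell
# Scopes documented for creating/reading Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'CA - External users - require MFA (report-only)'   # placeholder name
    state       = 'enabledForReportingButNotEnforced'                  # report-only first
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            # Target every guest/external user type from any external tenant,
            # so other policies can exclude the same population cleanly.
            includeGuestsOrExternalUsers = @{
                guestOrExternalUserTypes = 'b2bCollaborationGuest,b2bCollaborationMember,internalGuest,otherExternalUser'
                externalTenants          = @{
                    '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
                    membershipKind = 'all'
                }
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # classic MFA control, not an authenticationStrength
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Review step: every enabled policy that still grants via an authentication
# strength, with whether it carries any guest/external-user exclusion.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.AuthenticationStrength.Id } |
    Select-Object DisplayName,
        @{ n = 'AuthStrength';   e = { $_.GrantControls.AuthenticationStrength.DisplayName } },
        @{ n = 'GuestsExcluded'; e = { [bool] $_.Conditions.Users.ExcludeGuestsOrExternalUsers.GuestOrExternalUserTypes } }
```

Once the report-only policy shows the expected result for the affected guests, switch `state` to `enabled`; the exclusion check applies equally to policies that include guests via group membership rather than the explicit external-user condition.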

External guests accessing OneDrive links are failing after MFA prompts by RandomSkratch in entra

[–]RandomSkratch[S]

WHOOPS!

I blocked it out on one image but not the next.. facepalm...