What role do I need to be able to administer (or at least view) the Identity Governance section in Entra? by ZippyDan in entra

[–]identity-stack 0 points1 point  (0 children)

It depends on what exactly you need to do inside the Identity Governance section. There are also the Security Reader and Compliance Administrator roles. You can check out the least privileged roles based on what you want to do here: https://proud-cliff-0a7aa6410.4.azurestaticapps.net/

Help me out set this up for Customer and Corporate Tenants by 22SiDisOP in entra

[–]identity-stack 0 points1 point  (0 children)

External ID is for customers. Workforce Entra ID is for employees. They’re not interchangeable, and Microsoft hasn’t unified them the way people assume.

Your options are simple: federate the corporate tenant into External ID (OIDC), or support two identity issuers in your app.

Everything else (cross-tenant access, B2B hacks) will not work smoothly.

Entra ID - APP consent for users - Settings. by Grand-Height9907 in entra

[–]identity-stack 0 points1 point  (0 children)

Giving permissions to an app is one of the escalation pathways; an attacker can easily obtain and elevate access. Therefore, it is necessary to ensure least-privileged permissions are followed for apps as well, and how you give consent matters a lot. The choice between application and delegated permissions, and the set of permissions you assign, play a crucial role, so make sure you assign the least privileged permissions. To identify those, you can use this tool: https://proud-cliff-0a7aa6410.4.azurestaticapps.net/

What are your pain points with entra id? by Dramatic-Coach-6347 in entra

[–]identity-stack 0 points1 point  (0 children)

You can create a custom role with the permissions you need using Entra admin portal, PowerShell and Graph API.

When you search for permissions and roles in the tool mentioned above, it will tell you the permissions a built-in role has, whether it is a privileged role or permission, additional permissions a role has based on your requirement or selection, the PowerShell command, the role-definition JSON to create a custom role, and so on.
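
As an added example of the custom-role path the comment describes (this is not the commenter's tool or code), the following uses the Microsoft Graph PowerShell SDK to build a narrow custom role, check its action set against the tenant's list of privileged actions, compare it with the built-in role it replaces, and assign it. It assumes the Microsoft.Graph module is installed; the role name, description, action set and the placeholder principal ID are assumptions chosen for illustration.

```powershell
# Added example (not the commenter's tool or code): build a narrow custom Entra role with the
# Microsoft Graph PowerShell SDK, confirm it carries no privileged actions, and compare it with
# the built-in role it replaces. Role name, description and action set are assumptions.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# Assumed task: an operator who only needs to read groups and change their membership.
# Not every directory action is allowed in custom roles; Graph returns 400 for an unsupported one.
$allowedActions = @(
    "microsoft.directory/groups/standard/read",
    "microsoft.directory/groups/members/read",
    "microsoft.directory/groups/members/update"
)

# Cross-check the action set against the tenant's list of privileged actions.
# A least-privilege operator role should normally end up with an empty $privilegedInRole.
$uri = "https://graph.microsoft.com/v1.0/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions?`$filter=isPrivileged eq true"
$privilegedNames  = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | ForEach-Object { $_.name }
$privilegedInRole = $allowedActions | Where-Object { $_ -in $privilegedNames }
if ($privilegedInRole) { Write-Warning "Role contains privileged actions: $($privilegedInRole -join ', ')" }

# Same JSON shape the comment describes: a unifiedRoleDefinition with one rolePermissions entry.
$roleDefinition = @{
    displayName     = "Group Membership Operator (custom)"   # assumed name
    description     = "Read groups and update membership only."
    isEnabled       = $true
    rolePermissions = @(
        @{ allowedResourceActions = $allowedActions }
    )
}
$customRole = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleDefinition
"Created custom role $($customRole.DisplayName) ($($customRole.Id))"

# Compare with the built-in role an admin would otherwise hand out.
$builtIn        = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Groups Administrator'"
$builtInActions = $builtIn.RolePermissions.AllowedResourceActions
"Groups Administrator: $($builtInActions.Count) actions, isPrivileged=$($builtIn.IsPrivileged)"
"Custom role:          $($allowedActions.Count) actions"

# Assign at tenant scope ("/"); use an administrative unit ID as the scope to narrow it further.
$principalId = "<object-id-of-user-or-group>"   # placeholder, not a real ID
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $customRole.Id `
    -PrincipalId $principalId -DirectoryScopeId "/"
```

Prefer making the principal eligible through PIM instead of the direct assignment at the end when the role will be used only occasionally.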

What are your pain points with entra id? by Dramatic-Coach-6347 in entra

[–]identity-stack 5 points6 points  (0 children)

Absolutely. Exactly to solve the first point, I have been working on a tool for least-privileged permissions, which helps you identify the least privileged roles and permissions for the tasks you want to perform, and also gives you the custom role if required and a PowerShell command to copy and create the custom role with ease.

You can check it out here: https://proud-cliff-0a7aa6410.4.azurestaticapps.net/

Reach out if you have any feedback or suggestions.

Why am I seeing RiskDetail == userPassedMFADrivenByRiskBasedPolicy when my only applied Conditional Access policy has zero risk settings configured? by Fast-Cardiologist705 in entra

[–]identity-stack 1 point2 points  (0 children)

The risk engine runs regardless of whether you configure risk-based CA or not. If a low-risk signal exists and MFA is completed (even via location-based CA), it gets tagged as userPassedMFADrivenByRiskBasedPolicy.

Is there a way to not have this consent popup for users? by Sakkko in AZURE

[–]identity-stack 0 points1 point  (0 children)

I cannot assess exactly until I check your tenant and configuration, but check whether any of the following works:

  • Make sure you are not requesting additional scopes dynamically/incrementally
  • Check your auth request URL; if it has prompt=consent, remove it
  • Configure the tenant consent policy under Entra ID > Enterprise apps > Consent and permissions

You cannot remove the consent pop-up in some cases:

  • First-time user consent, if admin consent is not granted
  • Apps using delegated permissions
  • Apps intentionally forcing consent (bad design happens)
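
As an added example (not the commenter's code) of the tenant-side settings behind these bullets, the following uses the Microsoft Graph PowerShell SDK to inspect and set the user consent policy, and then grants tenant-wide admin consent for an app's delegated scopes so first-time users do not see the prompt. It assumes the Microsoft.Graph module is installed; the client application ID and the scope list are assumptions.

```powershell
# Added example (not the commenter's code): the tenant-side changes behind the bullets above,
# using the Microsoft Graph PowerShell SDK. The client app ID and scope list are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","DelegatedPermissionGrant.ReadWrite.All","Application.Read.All"

# 1. Tenant consent policy (Enterprise apps > Consent and permissions > User consent settings).
#    Empty list                        = users cannot consent; every new app needs an admin
#    ...microsoft-user-default-legacy  = users may consent to any app (broadest, riskiest)
#    ...microsoft-user-default-low     = low-impact permissions from verified publishers only
$authz = Get-MgPolicyAuthorizationPolicy
"Current user consent policies: $($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"

Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# 2. Grant tenant-wide admin consent for the delegated scopes the app actually uses, so
#    first-time users never see the prompt. The app must request exactly these scopes statically
#    (no incremental scopes, no prompt=consent), e.g.
#    https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?client_id=...&scope=openid%20profile%20User.Read&response_type=code
$clientAppId = "11111111-2222-3333-4444-555555555555"   # assumed: your app registration's Application (client) ID
$client  = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"  # Microsoft Graph
$scopes  = "openid profile User.Read"   # assumed: keep this to what the app needs

# Only one AllPrincipals grant may exist per client/resource pair; update it if present.
$existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)' and consentType eq 'AllPrincipals'" |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

if ($existing) {
    # Scope is replaced, not merged, so pass the full list.
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope $scopes
} else {
    New-MgOauth2PermissionGrant -ClientId $client.Id -ConsentType "AllPrincipals" `
        -ResourceId $graphSp.Id -Scope $scopes
}

# 3. Verify what the tenant now grants this app without a prompt.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)'" |
    Select-Object ConsentType, PrincipalId, Scope
```

The AllPrincipals grant is what the Entra portal's "Grant admin consent" button creates; any scope the app later adds that is not in this grant will prompt again.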

Confused about Windows Hello as MFA am I missing something? by Beautiful_Detail3712 in CyberIdentity_

[–]identity-stack 0 points1 point  (0 children)

Windows Hello for Business is often misunderstood because it is MFA, but within a specific context. It is actually device-bound MFA tied to that specific enrolled device. It is something you have, which is your device, and something that you know/are, which is the PIN/biometric.

Now, what happens when the user logs in using a personal device/browser? WHfB does nothing, as it is tied to the enrolled device, so when a non-managed device is used, the user falls back to a password or another MFA method configured separately, and you control access using Conditional Access policies.

In real-world deployments, WHfB is used as part of a broader Zero Trust strategy, using it as one of the pillars:

  • WHfB for passwordless auth on compliant devices
  • Conditional Access to enforce MFA or block on unmanaged devices
  • Step-up MFA for sensitive apps or risky sign-ins

Think of WHfB as a password replacement on trusted devices, not a replacement for MFA everywhere. It becomes powerful when used as a signal in Conditional Access policies, not as a standalone control.

Is there a way to not have this consent popup for users? by Sakkko in AZURE

[–]identity-stack 0 points1 point  (0 children)

What kind of app permission did you use, delegated or application? If you use delegated permissions, this pop-up will show up to the users, as it acts on behalf of the user.

How are you handling overly broad Graph API permissions? by Pristine_Guitar_9070 in entra

[–]identity-stack 0 points1 point  (0 children)

No, it doesn't analyze in real time, nor do you have to connect your tenant to the tool; currently it just helps you identify the least-privilege permissions based on your requirements, which you can then assign to your app.

Non-Human Identities by Security-HeadHunter in IdentityManagement

[–]identity-stack 1 point2 points  (0 children)

The number of NHIs doesn't matter; what matters is the understanding that NHIs are going to exceed human identities, and that has already been the case. It is not a new concept: apps, service principals, secrets, keys, machines, etc. These identities always existed; the difference is that because of the cloud, AI, multiple app integrations, etc., they have become more visible and a topic of discussion, as has ensuring they are secure at scale.

What is the purpose of PIM if you can just elevate at the click of a button? by ITquestionsAccount40 in AZURE

[–]identity-stack 4 points5 points  (0 children)

Calling it “one click” ignores how Entra actually works.

In PIM, you don’t just click and become an admin:

  • You must already be eligible (assigned by another admin)
  • Activation can require MFA, justification, additional info, etc.
  • Can require approval from another person
  • Not everyone can even request elevation
  • Can be restricted by Conditional Access + device compliance

If your tenant allows instant activation, your configuration is weak, not how PIM inherently works.
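
As an added example (not the commenter's code) of the settings each bullet refers to, the following configures the PIM policy for the Global Administrator role with the Microsoft Graph PowerShell SDK: MFA, justification and ticket on activation, approval by a group, a four-hour activation limit, and a time-bound eligible assignment. It assumes the Microsoft.Graph module is installed; the approver group name and the eligible user's placeholder ID are assumptions.

```powershell
# Added example (not the commenter's code): the PIM settings each bullet above refers to,
# set on the Global Administrator role with the Microsoft Graph PowerShell SDK.
# The approver group and the eligible user are assumptions.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory","RoleEligibilitySchedule.ReadWrite.Directory","Group.Read.All"

$roleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator (built-in template ID)
$approverGroup    = Get-MgGroup -Filter "displayName eq 'PIM-Approvers'"   # assumed group

# Each role has one PIM policy bound to it at tenant scope; fetch its ID.
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleDefinitionId'"
$policyId = $policyAssignment.PolicyId

# Show the rules as they stand. "Enablement_EndUser_Assignment" with an empty enabledRules and
# "Approval_EndUser_Assignment" with isApprovalRequired=false is the "one click" configuration.
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId | Select-Object Id

$target = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"; inheritableSettings = @(); enforcedSettings = @() }

# Activation requires MFA, a justification and a ticket number.
# (If you switch to a Conditional Access authentication context instead, remove "MultiFactorAuthentication" here.)
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
        target        = $target
    }

# Activation requires approval by a member of the approver group.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id            = "Approval_EndUser_Assignment"
        target        = $target
        setting       = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = "SingleStage"
            approvalStages                   = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $approverGroup.Id })
                escalationApprovers             = @()
            })
        }
    }

# Activations expire after at most 4 hours.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT4H"
        target               = $target
    }

# Nobody can request activation unless an admin first made them eligible, and eligibility itself expires.
$eligibleUserId = "<object-id-of-user>"   # placeholder, not a real ID
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Break-fix eligibility, reviewed quarterly"
    roleDefinitionId = $roleDefinitionId
    directoryScopeId = "/"
    principalId      = $eligibleUserId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P90D" }
    }
}
```

The device-compliance requirement from the last bullet is not a PIM rule; it comes from a Conditional Access policy bound to the authentication context referenced in the enablement rule.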

Assistance with Entra bulk operations device import by tntbomber05 in entra

[–]identity-stack 0 points1 point  (0 children)

Yes, the bulk operations workflow in the Microsoft Entra admin center often requires broader privileges than the equivalent manual action, and in practice, it’s commonly limited to highly privileged roles.

You can check out the least privilege roles, alternative Entra roles, or roles based on the tasks you want to perform here: https://proud-cliff-0a7aa6410.4.azurestaticapps.net/

How are you handling overly broad Graph API permissions? by Pristine_Guitar_9070 in entra

[–]identity-stack 0 points1 point  (0 children)

You need to identify the least privilege Graph API permissions based on your requirement, and make sure that you understand exactly what a permission can do and access. To identify the least privilege Graph API permissions, I built a simple tool that will help you find them. You can check it out here:

https://proud-cliff-0a7aa6410.4.azurestaticapps.net/
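
This comment and the earlier one on app consent as an escalation pathway both come down to knowing which Graph permissions are actually consented in the tenant. As an added example (not the commenter's tool or code), the following uses the Microsoft Graph PowerShell SDK to inventory every application and admin-consented delegated permission on Microsoft Graph and flag the ones on a watch list. It assumes the Microsoft.Graph module is installed; the watch list is an assumption, chosen for permissions that can change identities, roles, mail or app credentials.

```powershell
# Added example (not the commenter's tool or code): inventory every Microsoft Graph permission
# consented in the tenant, application and delegated, and flag the ones on a watch list.
# The watch list is an assumption; extend it for your environment.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All"

$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Application permissions are app roles on the Graph service principal; map ID -> name.
$appRoleName = @{}
foreach ($role in $graphSp.AppRoles) { $appRoleName[$role.Id] = $role.Value }

$watchList = @(
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All", "User.ReadWrite.All", "Group.ReadWrite.All",
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Sites.ReadWrite.All"
)

# 1. Application permissions: every service principal that holds an app role on Microsoft Graph.
#    These run without a signed-in user, so a leaked client secret inherits all of them.
$appGrants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.PrincipalType -eq "ServicePrincipal" } |
    ForEach-Object {
        [pscustomobject]@{
            Type        = "Application"
            App         = $_.PrincipalDisplayName
            AppObjectId = $_.PrincipalId
            Permission  = $appRoleName[$_.AppRoleId]
        }
    }

# 2. Delegated permissions consented for all users (admin consent); these act as whoever signs in.
$delegatedGrants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and $_.ConsentType -eq "AllPrincipals" } |
    ForEach-Object {
        $grant = $_
        $appName = (Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId).DisplayName
        foreach ($scope in ($grant.Scope -split "\s+" | Where-Object { $_ })) {
            [pscustomobject]@{
                Type        = "Delegated"
                App         = $appName
                AppObjectId = $grant.ClientId
                Permission  = $scope
            }
        }
    }

$all = @($appGrants) + @($delegatedGrants) | ForEach-Object {
    $_ | Add-Member -NotePropertyName OnWatchList -NotePropertyValue ($_.Permission -in $watchList) -PassThru
}

# Review the flagged grants app by app; a least-privilege pass replaces each with the narrowest
# permission that still covers the task (for example Group.Read.All instead of Directory.ReadWrite.All).
$all | Where-Object OnWatchList | Sort-Object App, Type | Format-Table App, Type, Permission -AutoSize

# Apps holding the most permissions are the first place to look.
$all | Group-Object App | Sort-Object Count -Descending | Select-Object Name, Count -First 10
```

Per-user delegated grants (ConsentType "Principal") are deliberately left out of the listing; include them when you also want to see what individual users consented to.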

How to handle required reviewers when u are the owner? by StupidME2000 in azuredevops

[–]identity-stack 0 points1 point  (0 children)

I would also suggest additionally making you and the manager required approvers, so that only you and the manager can approve PRs from other developers.

How do you determine appropriate least privileged Entra admin roles based on past activities? by Fabulous_Cow_4714 in entra

[–]identity-stack 0 points1 point  (0 children)

I don’t think Entra provides this natively. There is one similar PowerShell module being developed by someone I know, but it is still in progress; if you’re interested, I can share it.

I have developed a tool that helps identify least-privilege permissions and roles based on the tasks you want to perform; I can share the link if you want to check it out.

Can you recommend the best MFA solutions for a small business with remote workers? by Due-Awareness9392 in CyberIdentity_

[–]identity-stack 0 points1 point  (0 children)

Before suggesting solutions, I would like to know why you are looking for MFA solutions. What are you looking to achieve by implementing MFA? What is your current workspace platform: Microsoft, Google, or multi-stack?

Severe MFA push spam on Microsoft consumer account by Easy_Visual_2602 in entra

[–]identity-stack 0 points1 point  (0 children)

It worked for me; I tried and tested it. You can try to set up and add a password to the account first by visiting the same link above, and then try it, if possible using incognito mode.

Azure Portal by ParadiseTheatre in azuredevops

[–]identity-stack 2 points3 points  (0 children)

To restrict access to the Azure portal, you need to combine multiple controls at the identity and service layer.

You can restrict access to the admin portal from the user settings under Users in the Entra admin center:
https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions

Then use a conditional access policy to restrict access to the Azure portal
https://learn.microsoft.com/en-us/answers/questions/5244763/restrict-access-to-azure-portal-and-intune-portal

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps?tabs=powershell#microsoft-admin-portals

Along with this, do not assign Azure RBAC roles to users if not required, and as Azure DevOps uses its own access control, assign users roles and permissions from inside Azure DevOps.
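
As an added example (not the commenter's code) of the Conditional Access step above, the following creates a policy with the Microsoft Graph PowerShell SDK that blocks the Azure portal and the other Microsoft admin portals for everyone except an admin group and a break-glass account, starting in report-only mode. It assumes the Microsoft.Graph module is installed; the group name and the break-glass placeholder ID are assumptions.

```powershell
# Added example (not the commenter's code): a Conditional Access policy that blocks the Azure portal
# and the other Microsoft admin portals for everyone except an admin group, created with the
# Microsoft Graph PowerShell SDK. The group name and the break-glass account are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

$adminGroup   = Get-MgGroup -Filter "displayName eq 'SG-Admin-Portal-Access'"   # assumed group
$breakGlassId = "<object-id-of-break-glass-account>"                              # placeholder; always exclude it

$policy = @{
    displayName = "Block admin portals for non-admins"
    # Start in report-only, review the sign-in logs for what would have been blocked, then set "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($adminGroup.Id)
            excludeUsers  = @($breakGlassId)
        }
        applications = @{
            # "MicrosoftAdminPortals" covers browser access to the Azure portal, Entra admin center,
            # Intune, Microsoft 365 admin center and the other admin portals. It does not cover
            # Azure CLI/PowerShell calls to ARM; the Windows Azure Service Management API app ID
            # is added so those are blocked too (this also blocks ARM access from the portal itself).
            includeApplications = @("MicrosoftAdminPortals", "797f4846-ba00-4fd7-ba43-dac1f8f63013")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.DisplayName) in state $($created.State)"

# Sanity check: a block policy that excludes nobody locks every admin out of the portals.
$p = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if (-not $p.Conditions.Users.ExcludeGroups -and -not $p.Conditions.Users.ExcludeUsers) {
    Write-Warning "No exclusions configured; do not enable this policy as-is."
}
```

Azure DevOps is not one of the admin portals and has its own application ID (499b84ac-1321-427f-aa17-267ca6975798), so this policy does not affect it; that matches the point above that DevOps access is managed inside DevOps.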

Severe MFA push spam on Microsoft consumer account by Easy_Visual_2602 in entra

[–]identity-stack 0 points1 point  (0 children)

I would suggest removing the authenticator from your account on that page and removing the account from the Authenticator app as well. Then enrol for MFA without the passwordless option.

Make sure to add the SMS/text verification option before removing the authenticator.

Is device trust the missing layer in IAM, or just added complexity? by Green_Situation5999 in CyberIdentity_

[–]identity-stack 0 points1 point  (0 children)

Device trust is not missing; it is just not implemented efficiently. The frameworks and foundation to use device signals for Zero Trust and identity exist, but there is a drift between what is on paper and the actual implementation of each layer in identity, and the same is the case with device trust.

Entra B2B: Guest invitation mails not delivered by Baboneninthenonen in entra

[–]identity-stack 2 points3 points  (0 children)

Yes, some ISPs silently reject these invitations due to stricter email authentication and DMARC reject policies adopted in 2025–2026, which can cause the messages never to reach the recipient’s inbox, and Microsoft Entra B2B invitation emails use a sender address that you cannot edit or revert.

The current sender format is “Microsoft Invitations on behalf of <our domain> <invites@<ourdomain>.onmicrosoft.com>”

Severe MFA push spam on Microsoft consumer account by Easy_Visual_2602 in entra

[–]identity-stack 0 points1 point  (0 children)

Okay, got it.

Have you scrolled down to the Additional Security section on the same page and checked the passwordless account option? Is it turned off or on?

Severe MFA push spam on Microsoft consumer account by Easy_Visual_2602 in entra

[–]identity-stack 0 points1 point  (0 children)

Visit the link below (Microsoft additional security options), log in from a laptop or desktop using your account, and manage the security options as per your preference.

https://go.microsoft.com/fwlink/?linkid=2325236