Your user has Full Access to a shared mailbox but it isn't appearing in Outlook. Walk the five-step diagnostic — auto-mapping, replication, profile cache, mailbox type, and manual add — and fix the underlying cause, not the symptom.
Article archive
Every article published on Sentinel Identity, organized as a searchable reading archive for Microsoft identity engineers and IT administrators.
The user clicks the shared mailbox and Outlook says 'You don't have permission.' Walk the access-flag hierarchy, deny-permission precedence, ACL inheritance, and the licensing trap that produces the same error message.
Send As is granted, propagation has completed, the user still gets 'The message could not be sent.' Walk the difference between Send As and Send on Behalf, the auto-complete cache that breaks new addresses, the From-field display rule, and the 60-minute permission-cache window.
Members were added but mail isn't reaching them. Dynamic group filter was changed but the group looks the same. Walk the three sync clocks (Entra Connect, EXO directory, EXO recipient cache) and the filter scope gotchas that produce these failures.
OOF is turned on but external senders aren't getting replies. Walk the external-replies toggle, the once-per-sender rule, the spam-filter override, transport rules that suppress OOFs, and the remote domain configuration that controls everything.
Why Conditional Access fails per-browser, what device evidence each browser actually sends, the private-mode trap, and the diagnostic sequence to convert 'works in Chrome but not Safari' into a real root cause.
An operator's guide to onboarding a custom domain to Microsoft 365 and configuring SPF, DKIM, and DMARC — including the seven anti-patterns that break enterprise mail, a verification command toolkit, and the cutover sequence that prevents delivery incidents.
Outlook keeps prompting for credentials in a loop, the user enters the right password, the prompt comes back. Walk the modern auth check, credential manager state, MFA enrolment, broken WAM token cache, and the registry keys that resolve the persistent loop.
Access denied after a sharing change, broken inheritance, external sharing disabled at the tenant level, and the Conditional Access policy that produces the same error. Walk the four layers of SharePoint permission and the OneDrive sync states that surface as access errors.
How to read the Microsoft Entra sign-in log, decode the Conditional Access tab, and use KQL against SigninLogs in Log Analytics to find why a policy blocked a user.
How passkey registration in Microsoft Entra ID actually works at the credential-issuance layer, what differs across Windows Hello, iOS Authenticator, Android Keystore, and FIDO2 keys, the platform-specific failure modes, and a Graph-driven inventory of what your users have registered.
The Microsoft Entra passkey option is missing or fails silently in Security info. Walk the seven-layer diagnostic, run the included Graph-based check script, and apply the policy-design pattern that prevents the failure mode at scale.
An engineer-level rollout plan for Microsoft 365 multifactor authentication using Conditional Access, Authentication Strength policies, staged user rings, and exception handling for service accounts and B2B.
An operator's view of Microsoft Entra Backup and Recovery — what it can and cannot do, where it differs from on-prem AD backup, an incident response playbook for accidental bulk changes, and a separation-of-duties workflow for multi-team recovery approval.
An engineering explanation of access, refresh, and ID token lifetimes in Microsoft Entra, how revocation actually propagates, and what Continuous Access Evaluation (CAE) changes for CAE-capable clients.
A technical guide to Password Hash Synchronization, Pass-Through Authentication, and federation with AD FS or PingFederate, centered on where validation really happens.
A technical guide to SAML, WS-Federation, OAuth 2.0, and OpenID Connect, focused on trust transfer, actor roles, and what the backend is validating.
A technical guide to Kerberos, NTLM, LDAP bind, passkeys, certificate-based authentication, and Windows Hello for Business, focused on what each method proves and how the backend validates it.
A technical guide to the major authentication protocols and sign-in models used in Microsoft environments, including Kerberos, NTLM, LDAP bind, SAML, WS-Federation, OAuth 2.0, OpenID Connect, passkeys, certificate-based authentication, AD FS, and Microsoft Entra sign-in models.
A technical guide to Microsoft Entra Agent ID, including the agent identity model, Conditional Access enforcement, identity governance, risk detection, and network-level controls for AI agents.
A technical guide to Microsoft Entra passkey sign-in, including same-device and cross-device flows, compatibility dependencies, and rollout design.
A technical guide to Microsoft Entra passkey profiles, AAGUID restrictions, attestation behavior, and the control-plane logic behind passkey governance.
A detailed technical guide to AADSTS50020 in Microsoft Entra ID, including resource-tenant identity resolution, invitation redemption, cross-tenant access, and external identity design.
A detailed technical guide to Microsoft Entra join and registration failures on Windows, including device registration service flow, pending objects, dsregcmd analysis, and downstream impact on compliance and PRT.
A detailed technical guide to Microsoft Entra Primary Refresh Token failures on Windows, including dsregcmd analysis, device trust, broker behavior, network dependencies, and remediation design.
A detailed technical guide to why Microsoft Entra can block a sign-in from an Intune-compliant device, including device identity proof, browser support, client certificate behavior, and Conditional Access evaluation.
A technical guide to Microsoft Entra passkeys for administrators, including passkey types, registration flows, Authentication Methods policy, Conditional Access, and deployment design.
A technical troubleshooting guide for Microsoft Entra passkeys covering registration failures, Conditional Access loops, Bluetooth issues, orphaned passkeys, compatibility gaps, and Authenticator-specific problems.
An engineering-level explanation of access tokens and refresh tokens in Microsoft Entra ID, including token ownership, lifetime, renewal, revocation, and common troubleshooting patterns.
A top-to-bottom engineering explanation of how Microsoft Entra Conditional Access evaluates scope, combines controls, and influences token issuance.