This Microsoft Entra ID and cloud services FAQ can help you manage your IT Pro teams as they work remotely.
Original product version: Microsoft Entra ID Original KB number: 4559203
Frequently asked questions
I'm new to Microsoft Cloud. How can I enable my employees to start working remotely by using Microsoft Teams with the free license that's offered by Microsoft?
Microsoft offers a free E1 license for six months to enable your employees to increase their productivity from home through Microsoft Teams. For information about licensing, and to check your eligibility, go to: Manage the Office 365 E1 Trial.
What guidance is available to set up Microsoft Teams from a Microsoft Entra perspective to work with my existing on-premises deployment?
Microsoft Teams uses identities stored in Microsoft Entra ID. You can integrate Microsoft Entra ID with on-premises AD environments. For more information, see Microsoft 365 integration with on-premises environments
I work in education, and I have no existing on-premises infrastructure. How can I use Microsoft Teams for educational purposes, such as online teaching?
Microsoft offers a free A1 license for education. For information about licensing, go to Get Office 365 free for your entire school. The following documentation provides useful information about how to enable remote learning at your school or university:
My administrators also work from home. How can I enable them to access our internal servers remotely and in a secure manner?
The answer depends on your current deployment. If you already have a VPN solution, you can integrate it by using our multi-factor authentication (MFA) solution to add another layer of security.
If you don't have a VPN solution yet, you can proceed with the deployment, and use a Windows gateway to allow remote access by having MFA as an extra layer of security.
Can you provide technical details to help me enable MFA to allow remote access to my internal servers if I'm using a third-party VPN solution or a Microsoft Windows gateway?
Yes, we provide technical guides.
If you have an Azure MFA server already in operation, and you have to use it, you can create such a deployment by using an existing VPN solution or a Windows gateway. (Notice that this kind of deployment has been deprecated, and only existing customers can use it.)
Here are examples of MFA server integration with third-party VPNs:
Advanced scenarios with Azure MFA Server
Here's how to integrate Azure MFA server with gateway.
If you're using the MFA NPS extension, see the following articles for technical details:
I want to enable Azure MFA. How can I choose the type of MFA to use?
The following table provides multiple scenarios in which to deploy MFA.
| Scenario | Prerequisite |
|---|---|
| Cloud-only identity environment that uses modern authentication | No additional prerequisite tasks |
| Hybrid identity scenarios | Microsoft Entra Connect is deployed, and user identities are synchronized or federated with the on-premises Active Directory Domain Services (AD DS) with Microsoft Entra ID. |
| On-premises legacy applications published for cloud access | Microsoft Entra Application Proxy is deployed. |
| Using Azure MFA with RADIUS Authentication | A Network Policy Server (NPS) is deployed. |
| Users have Microsoft Office 2010 or earlier, or Apple Mail for iOS 11 or earlier | Upgrade to Microsoft Office 2013 or later and Apple Mail for iOS 12 or later. Conditional access is not supported by legacy authentication protocols. |
For more information about how each MFA type works and when to use it, go to Plan an Azure Multi-Factor Authentication deployment.
How can I enable users to be able to reset their passwords directly from Microsoft Entra ID?
Microsoft Entra ID provides several methods to achieve this based on your current scenario:
If the user has Microsoft Entra ID P1 or P2 and wants to enable SSPR-U (SSPR for users), we recommend this option:
If the user doesn't have Microsoft Entra ID P1 or P2, and uses an Active Directory Federation Services (AD FS) for federation but doesn't have any SSPR, we recommend this option:
If the user doesn't have Microsoft Entra ID P1 or P2 but wants to use ADFS to change the password endpoint, they must explicitly enable the endpoint (Update password customization). They can do this also on a proxy endpoint. Doing this enables the capability on AD FS.
Users can send a claim that is named "passwordchangeurl" for the URL as a claim to Microsoft Entra ID. Microsoft Entra ID will honor this for Windows 10, Microsoft Entra joined workstations that are running Windows 10, version 1703 or a later version. The user will be directed to the URL that is shown in the claim when the user presses Ctrl+Alt+Del.
Here's are some sample references on claims in the context of AD FS:
I have a cloud-only deployment, and I have to add Azure MFA as an extra layer of security. Is there a free license for this?
Yes. Microsoft Entra ID Free or standalone Office 365 licenses use security defaults to require MFA for users and administrators.
To learn how to manage your users' MFA settings, go to View the status for a user.
Is it worth connecting my user's devices to Microsoft Entra ID while they are working remotely?
Microsoft Entra ID enables single sign-on to devices, apps, and services from anywhere through connected devices. IT professionals get the controls they must have to manage and secure your organization's resources. For more information, go to Getting devices in Microsoft Entra ID.
What kinds of device types can connect to Microsoft Entra ID?
You can connect three kinds of devices to Microsoft Entra ID: Microsoft Entra registered, Microsoft Entra joined, or Microsoft Entra hybrid joined, depending on your infrastructure. For more information, go to Getting devices in Microsoft Entra ID.
Is an extra license required to connect my device to Microsoft Entra ID?
No. An extra license is not required. Because the Microsoft Entra ID Free license is enabled by default together with the Office 365 license, users can connect devices to Microsoft Entra ID.
While working remotely, why can't I access Office 365 services after I reset my password from my Microsoft Entra joined device?
After you reset your password, you have to log out and log back in by using the new password.
While working remotely, why can't I access Office 365 services after I reset my password from my Microsoft Entra hybrid joined device.
When you reset your password on a Microsoft Entra hybrid joined device, you must have a line of sight to the domain controller. If you're outside the corporate network, make sure that you're connected through a VPN. Then, log out and log back in by using the new password.
Do I still have access to Office 365 resources from Microsoft Entra hybrid joined device when I work outside my corporate network?
Yes. You still have access to Office 365 resources from Microsoft Entra hybrid joined devices from outside the corporate network unless you change your password.
Is there a way to keep access to Office 365 resources from Microsoft Entra hybrid joined devices even if I changed my password while outside the corporate network?
If you're using Windows Hello for Business (WHfB) to sign in a Microsoft Entra hybrid joined device, you will retain access to Office 365 resources even after changing your password.
How I can verify the health status of my Microsoft Entra device?
You can verify the health status for all join types (Microsoft Entra hybrid joined, Microsoft Entra joined, and Microsoft Entra register) by using the Device Registration Troubleshooter Tool.
How can I verify that Single Sign-On (SSO) is working as expected on my device?
Run the dsregcmd /status command from a Microsoft Entra hybrid joined or Microsoft Entra joined device, and check whether AzureAdPrt is set as YES. For more information, go to SSO state.
What are the Hybrid Microsoft Entra device registration steps?
The following are the device registration steps for Microsoft Entra hybrid joined:
- The device tries to retrieve the tenant ID and domain name from the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD. - If step 1 fails, the device communicates with the Local AD (configuration partition) to get the tenant's information form the Service Connection Point (SCP). (You can get SCP information by using Device Registration SCP Tool PowerShell.)
- The device communicates with the Microsoft Entra tenant.
- The device authenticates against either Microsoft Entra ID or a federation service (for example, ADFS).
- The device registration process finishes.
For more information, go to Hybrid Microsoft Entra Device Registration.
What is the best method to troubleshoot device registration issues?
The Device Registration Troubleshooter Tool runs more than 30 tests to identify and fix the most common device registration issues for all join types (Microsoft Entra hybrid joined, Microsoft Entra joined, and Microsoft Entra register).
While working from home, I can't access cloud resources. My device's conditional access policy isn't registered, but the device seems to be connected to Microsoft Entra ID. What might be wrong?
Double-check the device connection to Microsoft Entra ID. Also check the Microsoft Entra PRT value. For more information, go to SSO state.
When users work from home, is there a way to allow them to reset their passwords?
Yes. You can allow users to change their password from home. Here's how to configure the password writeback feature:
Enable the password writeback feature from Microsoft Entra Connect. For more information, go to Enable password writeback in Microsoft Entra Connect.
Set the required permission to the Microsoft Entra Connect account by running the following PowerShell commands on the Microsoft Entra Connect server:
Import-Module "C:\Program Files\Microsoft Entra Connect\AdSyncConfig\AdSyncConfig.psm1"Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountNameAADConnectAccount -ADConnectorAccountDomain domain.localTo get ADConnectorAccountName and ADConnectorAccountDomain values:
Get-ADSyncADConnectorAccountTo enable password writeback from Azure portal, go to Enable password writeback for SSPR.
What is the required license for password writeback and SSPR?
The required licenses are listed in the following article:
How does self-service password reset writeback work in Microsoft Entra ID?
What are the required ports and URLs for password writeback and SSPR?
For a Microsoft Entra Connect server that is running behind a firewall or through a proxy, open the ports and URLs that are listed in this article.
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.