Forum Widgets
Latest Discussions
How to: Enabling MFA for Active Directory Domain Admins with Passwordless Authentication
Administer on premise Active Directory Using Azure Passwordless Authentication removing Domain Admins passwords Hello Guys, I am here just to demonstrate that today is technically possible (Proof of Concept): Configure a modern MFA solution to access on prem Windows 10 PC Use that solution to protect privileged accounts passwords Eradicate from the domain the password presence for those privileged accounts (make impossible to use a password to log on to domain to prevent some king of password attacks) Have the ability to use multiple PAWs (privileged access workstation) with same MFA credential Have only one identity with one strong credential Same credential can be used on prem and in cloud (if needed) Connect to Domain Controller thorough RDP form the PAW using SSO (Single Sign On) Obtain above with a sort of simplicity and costs control I am not here to discuss if this document in any parts adhere to all principles and best practices of a secure administration environment, I just want to show a feature as a proof of concept. It’s up to you to integer this work into your security posture and evaluate impacts. No direct or indirect guarantee is given, and this cannot be considered official documentation. The content is provided “As Is”. Have look more deeply above points: Many customers asked me, after they have used Azure/Office 365 MFA: is it possible to use something like that to log on to the domain/on prem resources. The solution is today present : the use a security key (FIDO2) : Passwordless security key sign-in to on-premises resources - Azure Active Directory | Microsoft Docs. Please have a look also at Plan a passwordless authentication deployment with Azure AD | Microsoft Docs. I wanted to demonstrate that this solution can protect also Domain Admins group to protect high privileged accounts (important notice about is present in this document : (FAQs for hybrid FIDO2 security key deployment - Azure Active Directory | Microsoft Docs – “FIDO2 security key sign-in isn't working for my Domain Admin or other high privilege accounts. Why?”). After having substituted the password with one MFA credential (private key + primary factor) (here more information : Azure Active Directory passwordless sign-in | Microsoft Docs) we can configure a way to make the password not necessary for domain administration, very long and complex, and disabled: Passwordless Strategy - Microsoft 365 Security | Microsoft Docs With other MFA tool (e.g. Windows Hello for Business), if we want to use different PAWs (secured workstations from which the Administrator connects with privileged accounts Why are privileged access devices important | Microsoft Docs) we need to configure and enroll the solution machine per machine (create different private keys one for any windows desktop). With the described solution below the enrollment happens only once (the private key is only one per identity and is portable and only present inside the USB FIDO key) and is potentially usable on all secure desktop/PAWs in the domain. The dream is: to have one identity and one strong credential: this credential (private key installed in the FIDO physical key) is protected by a second factor (what you know (PIN) or what you are (biometric), it is portable and usable to consume services and applications on premises and in cloud To connect using RDP to another/third system after this kind of strong authentication is performed on the physical PC a password is needed (but we really want to eradicate the use of a password)….So.. We can use a Windows 10 / Windows 2016 and afterwards feature (Remote Credential Guard Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) - Microsoft 365 Security | Microsoft Docs) to remove this limitation. If you have a certain hybrid infrastructure already in place (What is hybrid identity with Azure Active Directory? | Microsoft Docs, Configure hybrid Azure Active Directory join for managed domains | Microsoft Docs, etc.), the activation of this solution is simple and there are no important added costs (a FIDO key costs around 20 / 30 euros) The solution is based on 3 important features: AzureAD/Fido Keys, Remote Credential Guard and primarily Active Directory SCRIL Feature [ https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/passwordless-strategy#transition-into-a-passwordless-deployment-step-3 : "...SCRIL setting for a user on Active Directory Users and Computers. When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: the do not know their password. their password is 128 random bits of data and is likely to include non-typable characters. the user is not asked to change their password domain controllers do not allow passwords for interactive authentication ...] Chapter 1 – Enable Passwordless authentication and create your key Enable the use of FIDO Keys for Passwordless authentication. In Azure AD \ Security \ Authentication methods, enable the use of a security key for a specific group and set the keys settings in accordance with the HW provider of the key (in my case Force Attestation and Key Restriction set to off). Confirm Hybrid Device Join. Confirm your Windows 10 2004+ PC are Hybrid Device Joined. Confirm users and all involved groups are hybrid Confirm all involved users or groups are correctly replicated by AD Connect, have Azure Active Directory properly configured and login in cloud works correctly Implement Kerberos Server to foster on prem SSO (Single Sign On) for on prem resources follow this guidance Passwordless security key sign-in to on-premises resources - Azure Active Directory | Microsoft Docs Enroll the key. Please don’t use Incognito Web Mode (sign out already connected users and use “switch to a different account”). If during enrollment errors come up, check if any user is already signed into the browser (in the new Edge use “Browse as Guest” that is different from “Incognito Mode”). Login to Office.com with the user you want to provide the USB KEY and reach My Account page In My Account page open Security Info and initialize the USB Key. https://mysignins.microsoft.com/security-info If not completed before, enable MFA authentication by using a phone (SMS) or Authenticator App (in this case the user was not already provided of MFA , so the systems automatically make you enroll the authenticator app in your phone) Now, because you have an MFA tool, you can create/enroll a security key: add method / USB Key. The browser challenges you to insert a key.. to inject your identity into it Create a new PIN ! Confirm touching the key Name the key Done - security Key is enrolled with your identity Perform an Office365 Passwordless Authentication Verify you are able to sign on to O365 using the Key w/o the use of a password. Please use Microsoft Edge, if already logged click right corner and “browse as a guest” Please remember to click in “Sign in Options” to trigger key authentication : Well done: you are logged in the cloud Passwordless! Chapter 2 – Enable on prem multifactor login Deploy a GPO – Group Policy Object- to enable FIDO2 on prem login with Windows 10 2004+. In your on prem environment we can enable the use of USB key credential provider (Windows has multiple credential providers: password, usb key, smartcard, et.). Enable and link this setting to your Windows 10 2004+ machines. Restart involved machines. Now you will see a new icon to login to the PC. Clicking on sign in option you can use this new credential provides – FIDO security key - . Insert the Usb key, type the PIN… On some FIDO Keys you can avoid PIN with biometric (fingerprint). You can use the same identity/credential in all the PC with the FIDO credential provider enabled. Remember that currently for on prem sign on only one user per key is available (you can’t have multiple identity on the same usb key). Please note that this kind of authentication is recognized by Azure/O365 cloud as one already claimed MFA so when you open your preferred application the connection is in SSO (you don’t have to re-authenticate or perform another strong auth). Please note that with the same key you can login to the cloud applications using MFA from external computers w/o any modifications (like kiosks, byod computers, etc). Please note that you have access to all on prem services because the Kerberos server we installed above is useful to foster the obtention of Kerberos tickets for on prem AD service consumption Chapter 3 – Use FIDO KEYS to protect privileged users (Domain Admins) and De-materialize their password. Now we are going to enable a FIDO key for the Domain Admin or configure FIDO KEYS to work with privileged users. The default security policy doesn't grant Azure AD permission to sign high privilege accounts on to on-premises resources. To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (e.g. CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>). Remove all privileged groups you want to use with FIDO KEYS. Consider one user might be member of different groups, so remove all wanted user is member of. I removed all groups with the exception of Domain Controllers .. Make the test user member of Domain Admins group Wait AD Connect Sync Time (normally at least of 30 min) Now enroll the FIDO Usb Key for the privileged account following Chapter 1 of this guide Now test the Login with the Domain Admin using the FIDO KEY and check the possibility to be authenticated to onprem services (e.g. Fileshares, MMC - ADUC Consoles, etc.). Try the high privilege like creating a new user…. Now that we have one alternative way to Sign In on prem and in cloud (instead of password) we can work on password eradication. Obviously, every application we want to use must not use passwords (work in SSO with AD or Azure AD). This is not a problem for a privileged accounts because these should not have any application access nut only accesses to administrative consoles We will enable SCRIL policy (Smart Card is required for interactive logons) for the privileged user: Smart Card is required for interactive logon = the user password is reset and made random and complex, unknown by humanity, the use of password for interactive login is disabled Test you can’t access with password anymore To complete and strengthen the password eradication we want to prevent the use of the password also for network authentications using the NTLM protocol, so we are going to make the user member of “protected users” group Protected Users Security Group | Microsoft Docs. This because if a bad guy reset that user’s password, he/she might use the NTLM protocol to log on using password, bypassing interactive log on. Protected Users disables the entire usability of NTLM protocol that is not needed to common AD administration. If you don’t want to disable NTLM protocol and If you have Domain Functional Level 2016 you can also enable NTLM rolling to make NTLM password hash to cycle every login and improve the password eradication What's new in Credential Protection | Microsoft Docs (Rolling public key only user's NTLM secrets) Probably you want to use that user to log in to privileged systems with Remote Desktop. By default, Remote Desktop Protocol requests the use of passwords … Here we don’t have a password to write because the password is unknown by humanity….. so … how to? The simplest way to solve the above problem is to use Remote Credential Guard feature if you have the needed requirements (..Windows 10, version 1607 or Windows Server 2016.. or above) What's new in Credential Protection | Microsoft Docs To enable it on the server we want to connect to, just add this registry key using the example command reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD From the client where we used the FIDO login, just run RDP with the parameter /RemoteGuard Now also the RDP remote authentication performs well without passwords!!! Now we signed in a Domain Controller using a MFA key and is no more possible to use a password for domain administration. Update1: using temporary access password might be possible to never assign even a beginning password to a Domain Admin neither need a phone authentication. Configure a Temporary Access Pass in Azure AD to register Passwordless authentication methods | Microsoft Docs As detailed above, create a Domain Admin on prem, immediately enable SCRIL and Protected Users, wait AD connect sync time, create a temporary password for that admin user (the temporary password can only be used to enable an MFA credential w/o using a Phone and w/o the risk of someone else accessing applications during the configuration phase). We recommend to maintain Azure Global Admins and Active Directory Domain Admins identities separately, so don't make synced Domain Admins member of Azure Global Admins role.New additions in Compliance manager
Hi everyone, I was just marveling about the addition of custom regulations in Compliance manager but apparently very few users seem to be using this particular module in Purview , at least I can't seem to find any user forum for it. Can anyone point me in the right direction or am I the only user of Compliance manager in the know universe 🙃 Regards, GuðjónIs it possible to allow MFA registration only in a work profile on a managed phone
Hello, I'm currently rolling out MDM via Endpoint Manager and also enforcing compliance policies using conditional access. I would like to allow MFA registration only in work profiles, so that users can only register MFA (for Passwordless sign in) on the Microsoft Authenticator app in their work profile. Does anyone have experience with this, or is this currently even possible? BrS
Use Endpoint DLP to block uploads
Hello, I am trying to block files from being uploaded to specific domains using Endpoint DLP. I have added several domains to the Service Domain section of DLP and set it to Block. I have also added a Service Domain Group with those same domains (not sure if this is required in this case). Then I have created a DLP policy scoped to Devices only. The rule conditions in the policy are set to any file over 1 byte in size should be blocked from upload to those service domains. I have also added the Service Domain Groups to this policy and set it to block. I turn on the policy and it is applied to the appropriate endpoints but when I test, the only files blocked from being uploaded to those domains are files tagged a sensitivity label. Can this DLP policy apply to all files instead of just labelled ones? We just want to block upload to specific domains outright. Any help is appreciated!
Sensitivity Labels not working as expected
Hi experts, I've been playing with sensitivity labels recently and I'm in testing phase currently having few ppl testing it for me before I officially deploy to all. However, it looks like there are few things that do not work as expected and I'm not sure why. Hope I can find some help here. Here is what I have configured and what is the experience during our testing Email should inherit sensitivity label form attachment I have label for documents set as required , and email is set to no default label and selected "inherit" label from attachment I have "Confidential\View Only" label that has allowed only "View rights / Reply / Reply all" allowed permission. Testing experience: For emails, when I attach a document with this label assigned, there is no restriction at all and I can forward, download, etc... and the recipient can forward with no issues. Looks like inheritance of label from attachments to email is not working at all. When I (as a recipient) download the attachment, I see that the document has restricted permissions (can't print, save, etc) so it looks it is working on the document level. "Confidential\Internal" label should be blocked I can share with external users via SharePoint ...and can even open it as external user with no issues at all.. Label access control nor DLP prevents this!!! Is there something I miss here? Not sure if important - I have "MS Entra for Sharepoint enabled" DLP is configured to check Sharepoint, Emails, OneDrive for "Confidential\Internal" for "content shared outside the organization" and "sensitivity label Confidential\Internal" and BLOCK it DLP works fine for emails with attachments labelled with this label, and it is blocked as expected Confidential\Internal is blocked in the outlook when trying to send email when I am sending an attachment with Confidential\Internal document in Outlook (New Outlook), I see a note about external users that needs to be removed. When trying to send anyway, it is blocked and I get a message below. Which is great however, another two testers do not get this experience and their email is blocked with DLP (mentioned above) only - which is nice, but the experience I get is much better as users can correct recipients instantly (FYI - I am using NEW Outlook - need to check later this week with the testers if they are on Old or NEW one) Its a bit of text, and I apologize... Wanted to describe is as best as I can 🙂 ... and hopefully help anyone else facing the same... Would be grateful for your help.... As the testing is super time consuming due to the fact that any change I make to sensitivity label and policy, I prefer to wait recommended 24 hrs to see if it had any effect.... Update: forgot to ask, why I see some "built-in" labels when creating emails? When I go to "More Options", in new email, I can see the below: When I go through New Email > Options > Sensitivity - I can see the labels I configuredHere's how I prepared for the Microsoft Security, Compliance, and Identity Fundamentals exam SC-900!
Dear Microsoft 365 / Azure Security Friends, What I always have to tell myself when I read Fundamentals, never underestimate an exam like this. Such exams are always a kilometer long but only 1 centimeter deep. That means a lot of topics are asked, but not how to install or configure it. What does that mean exactly? For example, a question might be structured like this: You need to capture signals from an on-premises Active Directory with a cloud solution, what do you use? The answer is Microsoft Defender for Identity. On the exam there are single choice questions and multiple choice questions (minimum 2 answers). No case studies or sliding scale questions. Now to my preparations for the exam: 1. First of all, I looked at the Exam Topics to get a first impression of the scope of topics. https://docs.microsoft.com/en-us/learn/certifications/exams/sc-900 Please take a close look at the skills assessed: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Mr81 2. So that I can prepare for an exam I need a test environment (this is indispensable for me). You can sign up for a free trial here. https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products I chose the "Microsoft 365 Business Premium" plan for my testing. 3. Now it goes to the Microsoft Learn content. These learn paths (as you can see below, all 4) I have worked through completely and "mapped"/reconfigured as much as possible in my test environment. https://docs.microsoft.com/en-us/learn/paths/describe-concepts-of-security-compliance-identity/ https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-identity-access/ https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-security-solutions/ https://docs.microsoft.com/en-us/learn/paths/describe-capabilities-of-microsoft-compliance-solutions/ 4. Register for the exam early. This creates some pressure and you stay motivated. https://docs.microsoft.com/en-us/learn/certifications/exams/sc-900 5. Thomas Maurer's exam preparation information is super helpful! https://www.thomasmaurer.ch/2021/04/sc-900-study-guide-microsoft-security-compliance-and-identity-fundamentals/ 6. What you should also definitely watch is the YouTube of John Savill, really super informative! https://youtu.be/Bz-8jM3jg-8 I know you've probably read and heard this many times: read the exam questions slowly and accurately. Well, that was the key to success for me. It's the details that make the difference between success and failure. One final tip: When you have learned something new, try to explain what you have learned to another person (whether or not they know your subject). If you can explain it in your own words, you understand the subject. That is exactly how I do it, except that I do not explain it to another person, but record a video for YouTube! I hope this information helps you and that you successfully pass the exam. I wish you success! Kind regards, Tom WechslerLow reputation
I am an independent developer, and I've been unable to publish my app on the Microsoft Store for about three months — it keeps getting rejected due to "10.2.10 Security": I realize this is because I'm not well-known, but how can I build a reputation when it’s impossible? Microsoft blocks the download: Microsoft even prevents it from being opened: Sure, I could provide a step-by-step guide on how to unblock my app, but, as experience has shown, users don’t trust unfamiliar apps (and rightly so!), because Microsoft has conditioned them for years to avoid running unknown software: "Make sure you trust before you open it" and "Running this app might put your PC at risk". Don't get me wrong: as a regular user, I fully support these security measures because they truly work and help. But as an independent developer, I don’t know what to do :( My app doesn't engage in cryptojacking, doesn't initiate unauthorized network activity, and doesn't pose any threat to users — it doesn't transmit any data to me and/or third parties, doesn't use telemetry and/or monitoring tools, doesn't track actions and/or location, doesn't have built-in diagnostics and/or analytics, doesn't request privilege escalation, doesn't collect statistics and doesn't learn from personal data. My app passes all the necessary Microsoft checks: And I can’t afford an EV certificate since I’m an individual, not an organization: But my app gets blocked anyway. So... does anyone have any ideas on what I can do in my situation?
DLP Alerts Issue - Windows Defender
Hi, I am encountering an issue where a single file containing multiple policy matches triggers multiple DLP alerts defined for Exchange. I would prefer to receive just one alert per email, regardless of the number of files or policy/rule matches in Windows Defender. Any suggestions on how to resolve this would be greatly appreciatedAll the locations where you can find Sensitivity labels
Update (14-Mar-25): Removed Windows Explorer Here are the locations where you can find the sensitivity label of a document (if there are any that I've missed, please feel free to add it here) Sensitivity Label Button in the Document: In Office applications such as Word, Excel, and PowerPoint, you can find the Sensitivity label button on the Home tab. This button allows users to apply or view sensitivity labels directly within the document interface. (Sensitivity label app on the upper right) Document Properties > Advanced Properties Sensitivity labels can also be found in the document properties. To access this, go to File > Info > Properties > Advanced Properties. Here, you can see detailed metadata, including any applied sensitivity labels. Sensitivity Label Column in SharePoint: In SharePoint, sensitivity labels are displayed in a dedicated column. This allows users to quickly see the sensitivity level of documents stored within SharePoint libraries (Removed) Windows File Explorer: - As it was rightly pointed in the comment section, this is a roadmap item that has yet to materialise. Mobile Applications: Office mobile apps for iOS and Android also support sensitivity labels, enabling users to apply and view labels on the go. Microsoft Purview Compliance Portal: Administrators can manage and view sensitivity labels applied across the organization through the Microsoft Purview Compliance Portal. This portal is only accessible to IT admins who has the right Purview role.Get $25 USD for reviewing a Microsoft Security product on Gartner Peer Insights in 2025
Turn your expertise into impact—and $25—by sharing your review of Microsoft Security products on Gartner Peer Insights. Your feedback helps other decision-makers confidently choose the right solutions and provides valuable input to improve products and services. Select a product to review: Security Copilot Microsoft Defender Microsoft Entra Microsoft Intune Microsoft Purview Microsoft Sentinel Here’s all you need to do: To submit a product review, log in to your Gartner Peer Insights account or create a free account in seconds. Once you have completed your review, Gartner Peer Insights will prompt you to choose a gift card option. Gift cards are valued at $25 USD and are available in multiple currencies worldwide. As soon as your review is approved, the gift card will be sent to you digitally via email What makes a successful review? Choose a Product You Know Well: Pick a product you’ve used extensively to provide detailed feedback. Share Your Experience: Describe your specific user experience with the product and any outcomes you realized. Highlight Features: Note any features and capabilities that made an impact. Terms & Conditions: Only Microsoft customers are eligible; partners and MVPs are not. Offer valid for reviews on Gartner Peer Insights as linked on this page. Non-deliverable gifts will not be re-sent. Microsoft may cancel, change, or suspend the offer at any time without notice. Non-transferable and cannot be combined with other offers. Offer runs through June 30, 2025, or while supplies last. Not redeemable for cash. Taxes are the recipient's responsibility. Not applicable to customers in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and China. Please see the below for more information Microsoft Privacy Statement Gartner’s Community Guidelines & Gartner Peer Insights Review Guide
