User Profile
SjoerdV
Iron Contributor
Joined 7 years ago
Recent Discussions
Re: CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

manshellstrom OK, that is probably part of a road that could be taken. I do think that for 'complete' E2E browsing security to be in place it should be covered on both the server AND the client side. The 'CA token protection' you mentioned is a server-side feature, as the token needs to be validated and processed accordingly (by MS servers) to make a difference. It also (at the moment) has a lot of limitations, amongst which is cross-platform compatibility. Browser makers (including Edge!) should not neglect their responsibility here and make their client-side, in-rest/in-transit cookie/token handling more secure. As browsers always have access to their host system (or sandbox), a unique key can always be derived from such a system on the fly, so the private keys used to decrypt an encrypted cookie DB (loaded into volatile memory) wouldn't even have to be stored locally. Instant security with cross-platform compatibility to boot! Any browser should have this IMHO.

Re: CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

Great stuff! I really like the flexibility of this system. To top it off, I also use a 'Location based' CA rule, so even when my full browser profile gets hijacked (including session tokens) it won't work off my private network. Still, I would like to see browsers encrypting their cookie database with some machine-specific key, to make the cookies not work if they are used on a different machine. It feels very strange that this massive security hole has gone unplugged for so long... Cheers!

Re: CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

Ah, finally got it to work. But just the other way around:
- User logs in with username
- Authenticator App is used as first factor (because passwordless is selected) (user types in the numbers at the prompt)
- CBA is selected as second factor (user selects the certificate configured)

In my setup CBA is configured with 'multi factor' as protection level. CA has two rules:
- one regular 'MFA required' (just like always)
- a second one (new policy!) requiring 'phishing resistant MFA' with the 'Require authentication strength (Preview)' grant

That's great!

Re: CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

Yes, I got it to work with CBA as a single factor, but as soon as I try to a) enforce MFA (through CA) or b) use CBA as a multi factor method (in CBA settings), the login process breaks with "Multifactor authentication is required and the credential used is not supported. Try signing in with another method." What I just want to achieve is:
- User logs in with username
- CBA is selected as first factor (user selects the certificate configured)
- Authenticator App is used as second factor (user types in the numbers at the prompt)

If you (or anyone else) have a way to get this to work, I am very interested ;-)

Re: CBA, MFA, and AADSTS54008 Certificate is not supported as first factor

mikey365: "Currently, password can't be disabled when CBA is enabled and the option to sign in using a password is displayed.": https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication-limitations -> So your suggestion cannot be done at the moment. Would be the end game though, in my view. It's like jroth710 says: "They are ignoring the most obvious and beneficial use case -- eliminating the use of a password while still enforcing another factor of security." When you go to the Azure Portal, you can now add authentication strengths policies: https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/AuthStrengths. What we need is the "Certificate Based Authentication (Single Factor) + Microsoft Authenticator (Push Notification)" combination under 'Multifactor authentication'. I'll keep hoping.

Re: Why can't I join a meeting on iPhone without giving Teams access to scan my local network?

MS has got to get their act together. The whole M365 ecosystem is being riddled with marketing/sales/data driven crap that most *paying* customers do not want. Requiring excessive permissions for apps we are all trying hard to promote within our businesses does not help *at all*. OnlyOffice, NextCloud, Owncloud, etc. are knocking at the door, just saying!

Re: "Error:The file is locked" when using Office Online within SharePoint Online

Great stuff! Still seems weird that such a problem in a very common production scenario, one that has already existed for 3 years, does not have some peeps at MS upping the prio on this. Especially considering that the "Sync-XHR method while exiting a tab/page" has been deprecated for a long time for a reason: security concerns. Alternatives in the form of 'SendBeacon' and 'Fetch keep-alive' seem to exist btw.

Re: Getting changes to Lookups to trigger a crawl

I think it is an obvious oversight in the architecture of Lookup columns. Microsoft should fix it so that when a lookup column is configured on a target list, the re-indexation is expanded to both source and target lists automatically when an item on the source list is changed. How to get this kind of 'niche' flaw noticed by the powers that be is another question though.

Re: Authenticating with an access token Connect-MicrosoftTeams

Update: Still no improvement on the App Only (Unattended) front in the latest MicrosoftTeams 3.0.0 module. The only reported working method is by using Delegate permissions, see https://docs.microsoft.com/en-us/powershell/module/teams/connect-microsoftteams?view=teams-ps under the 'AccessTokens' parameter directions. If someone has an ETA on setting CS policies in an unattended (or, dare I say, DSC) manner, please post here.

Re: Powershell New-CsOnlineSession with AccessToken

hernan-invosys ah yes, I felt somewhat 'disappointed' when I noticed the absence of the Get-CsOnlineUser cmdlet in the MicrosoftTeams module. If only that would be there, I could abandon having an additional module installed. Btw. running Connect-CSOnline as provided by the current MicrosoftTeams Module (1.1.3/4 and the 1.0.0.25 test version) gives me a lot of authentication issues in combination with other modules. There is still some work to be done, as it seems 😉

Re: Powershell New-CsOnlineSession with AccessToken

hernan-invosys is there a reason why you should still be using these cmdlets? They are now incorporated in the https://docs.microsoft.com/en-us/microsoftteams/teams-powershell-release-notes module since 1.1.3-Preview, and the latter supports a wider variety of authentication methods. Still, there might be a reason not to switch that I am unaware of... Thanks for your insight.

Re: Retention Policies and SharePoint sites

NZTECH Probably a remnant policy (not visible in the UI) is blocking this action. Go into the Security & Compliance PowerShell module and run: Get-CCRetentionCompliancePolicy | select Name,Guid (I have the 'CC' command prefix set on connection). Deliver this overview to Microsoft Support and they can check if there are still other policy Guids present in the system which are faulty, and then proceed to remove them. I had great help BTW! Good luck.

Re: Teams - Chat History - saving/unsaving

ChristianGarner The issue with unsaving is also mentioned here: https://techcommunity.microsoft.com/t5/microsoft-teams/error-message-couldn-t-unsave-the-message/m-p/682429 Some advise to 'unsave' on the same client you used to save the message OR fully sign out, delete the client cache and/or reinstall Teams altogether. But I have not had any success with that.

Re: Is there a way to show «Sharing» column in a SharePoint library

Eric LE CORRE There are a lot of issues or 'things not entirely right or intuitive' with the current implementation in SharePoint. I would love to see the behaviour like OneDrive has as well. Vote for this: https://office365.uservoice.com/forums/264636-general/suggestions/18413539--shared-with-column-does-not-reflect-current-stat

Re: Retention Policies and SharePoint sites

Scot Bickell TonyRedmond I just got informed by the MS Support Team that Microsoft is working on a fix, but that it will take some time because of the complexity of the problem. They do understand the issue, so I reckon we just have to wait a bit longer.

Re: Retention Policies and SharePoint sites

TonyRedmond to date I have had 4 tickets opened on this subject on multiple tenants, with a default turnover time of several weeks each. Still there seems to be an issue with sites that cannot be deleted because of a 'phantom hold' somewhere. I even saw that MS internally has some cmdlets that can detect these holds and remove them, but every support case starts out with: "please run: Remove-SPOSite ...", which obviously fails. This even happens on sites that are not attached to a Group or Team, so it's really a SharePoint issue with the retention policy mechanism. I am being told everywhere that excluding a site from a retention policy should be enough to clear the hold, but it clearly is not. For the future: sites will always be in need of being deleted. If you have an update, I'd really appreciate your feedback.