Nested App Authentication (NAA) token to protect middle-tier server
I'm working on an outlook addin and want to use the NAA accesstoken to validate the user on an api running on a php webserver. The addin runs as a taskepane (created with yo office) with the app only manifest. I have setup NAA to do Microsoft graph calls on behalf of the user. I have used this guid to setup NAA (copy/past) https://learn.microsoft.com/en-us/office/dev/add-ins/develop/enable-nested-app-authentication-in-your-add-in I have setup a php server (not in Microsoft infrastruktur) for a simple API, that handlers MySQL calls and app only calls to Microsoft graph. The php api authenticate itself with a client secret from the Azure app registration. Both are working as expected. Can i use the accesstoken from the NAA, to authenticate the user on the php server? If it can be done how do I validate the token?
My Azure login is stuck at MFA and cannot proceed
In August, I was still able to log in to Azure, and by logging in through GitHub I could bypass 2FA. But now, no matter how I try, logging in via GitHub always requires 2FA. I can’t access my Azure account anymore—nothing works. The system prompts me to use Microsoft Authenticator to confirm a two-digit code in real time. My Microsoft Authenticator on my iPhone is logged into the same Microsoft account, but I’m not receiving any verification requests for Azure login. No matter how much I refresh, nothing shows up. I’ve already updated the Microsoft Authenticator app to the latest version from the App Store. However, my personal Microsoft account works fine and can log in without any issues.
Locked out because of bugged 2FA
Hello, I have one irritating problem. I did a reset of my microsoft authenticator app since it stopped working, i did not save the Authenticators security code, i got 2FA activated on my account. Now i have been trying to log in on my microsoft account for one month without succes. The 3 options i have for 2FA is Code to external my gmail - This works 2 times a day, then locked for 24h Code by text to my cellphone - This does not work when trying to log in, i get the error "Try another verification method, this method does not work at the moment". I know it works, its just in the combination with 2FA it wont work. Microsoft Authenticator - I cannot log into this one since the textmessage does not work on 2FA-login. I have been in a loop for the last month, i cant log into my ordinary e-mail, xbox and so on. Im still logged in on my computer and cellphone at the moment but im afraid it will time out very soon. Microsoft support says that they cannot do anything about it, it is only a server doing all the security. I cant remove 2FA on the account im still logged into, i need 2FA for that. Help!TAP Question
Hi All I hope you are well. Anyway, I'm looking for some clarification over Temporary Access Passes (TAP) as our testing seems to reveal some different results from those listed in the MS documentation. Here's the scenario's. My understanding: Require MFA policy deployed via Conditional Access New user F3 user starts Issue TAP to user where they can then setup MFA themselves via My Security Info etc Testing results: Require MFA policy deployed via Conditional Access New user F3 user starts User can setup MFA themselves via MS Auth app on a mobile device or via My Security Info in a browser MS TAP Info page: "The most common use for a TAP is for a user to register authentication details during the first sign-in or device setup, without the need to complete extra security prompts." Ref: Configure a Temporary Access Pass in Microsoft Entra ID to register passwordless authentication methods - Microsoft Entra ID | Microsoft Learn Have I missed understood something here and if a new user can indeed still setup MFA is there any real need for a TAP for first time user? Info appreciated. SKHow to register a second and a third mobile phone for MFA?
How do I register a second and a third device (iPhone / iPad in in this particular case)? First phone (main phone) is already using the Authenticator App without problem. Now we need to register a second phone as backup device (and with an alternative cellular carrier) and a iPad as third device. All devices should use the Authenticator App.
Challenges with New MFA and SSPR Policies: Need Guidance
I am currently transitioning our Self-Service Password Reset (SSPR) and Multi-Factor Authentication (MFA) to the new Authentication Methods policy, moving away from legacy policies. However, the lack of clarity on which methods are compatible with both scenarios is quite frustrating, and I wonder if I might be missing something. Our goal is to exclusively use the Authenticator app and security keys for both MFA and SSPR, eliminating all other methods. Additionally, we want to maintain the requirement of two methods (Authenticator app and security key) for password changes. We are in the process of distributing security keys to all staff. The issue I’m encountering is that while Microsoft promotes this new portal as a unified solution for both MFA and SSPR, not all methods are supported across both. Specifically, the security key does not currently work for SSPR. If I am unable to use the security key for SSPR and must resort to a less secure second method, I would at least like to disable that less secure method for MFA. However, it seems there is no way to configure this in the policy. Am I on the right track here? I am aware that Authentication Strengths can be configured—perhaps this is where I should focus? Any advice or discussion would be greatly appreciated.Web Sign-In: Alert QR Code/Code for Mobile
Had 2FA turned off in the work account, on the web login screen a reminder only a few logins allowed without the Authenticator. Fair enough so instead of logging in, got out the Android tablet and installed the Authenticator and logged in with the account there, no problems. A few minutes later attempted to log in to the account on web, this time it presented a QR code with the link "phonefactor:/activateaccount .... mobileappcommunicator.auth ..." which didn't seem to go well in Android using QR scanner or camera. The web login suggested an alternative to the QR code, an 8? digit code, but nothing in the Authenticator app seemed to want it. All of a sudden everything seems to work fine, the web login (with a note that 2FA was used in the login) and the Authenticator on the tablet, thus turning out as a good news ending to a slightly shaky start. :)Authenticator App for visionOS Apple Vision Pro
Please add more options to visionOS version. I want to sign in with my personal account and synchronize my TOTP tokens and passwords into the visionOS so that I do not have to open my phone while wearing the headset (huge pain since the iphone app requires face unlock which does NOT work when wearing the headset). Also please support retina unlock in the visionOS app. Also support authenticator request approvals from inside the visionOS app.
Force additional MFA for PIN WH4B
so got a request from one of my clients and if you think about it, its on the verge of being valid but an edge case... Lets say you implement WH4B and leverage PIN, how do you prevent someone shoulder surfing and leveraging the PIN on that device if they take it? Or restrict pin patterns? (the patterns I am looking into) I know Fido2 is the best way along with biometrics...but they were wondering if there was a way to reprompt MS Auth App for a code after login/reboot... I couldnt find anything on this but I did find forcing a mfa device revalidation via graph api Any able to accomplish this with the entra joined device?Authenticator app issue
I am trying to log into Outlook and Teams on my iphone. When I try to enter in Username & PW, I get forced to open authenticator app, which asks for the same log in details I try to enter into Teams and Outlook, then it asks me to enter an authenticator app code which I cannot access as the current window prevents it from opening. I go back and have to start the whole process again. I just seem to go around in circles and end up in the same spot. i am the admin for the account , so i am unable to reset anything.
