Azure AD
Microsoft Entra ID (Azure AD) support for Passkeys
Hi,

Has anyone seen any reference or blog as to when Microsoft Entra ID (Azure AD) will support Passkeys on iOS or Android devices, and whether this will be classified as Phishing-Resistant MFA under Conditional Access sign-in policies?

When you navigate to aka.ms/mysecurityinfo and attempt to enroll a new Security Key, it now defaults to a QR code to set up a Passkey and lets you go through the enrollment process; however, once you reach the final stage of giving the Passkey a logical name under your account, it prompts with an error message (see below).

We have been using YubiKey as a FIDO2 Security Key for Phishing-Resistant MFA; however, as this is not supported for use with iOS and Android and has limited support for macOS, we are hoping that Passkeys will be able to fill this gap. We have also explored Azure CBA, however we do not have an existing PKI infrastructure, and managing the lifecycle of certificates is painful and expensive compared to the cost of using a FIDO2 Security Key or Passkey.

List external users and their status
Hi all,

I desperately need a way to list all external Azure AD users including their status (whether they have accepted the invitation or not), and it would be nice to be able to filter on domain. On TechNet I have found this PowerShell command:

Get-SPOExternalUser -Position 0 -PageSize 30 -Filter @testsite.com

It doesn't work though, because it doesn't accept the "@", and if I use the command without the filter, it doesn't list information about the users' invitation status. Another problem is that -PageSize can't exceed 50, and we have hundreds of external users.

Any suggestions?

Thanks
Jakob
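Added example (not part of Jakob's post or any reply): the invitation state lives on the Entra ID user object (userType and externalUserState), not in SharePoint's external-user list, so Microsoft Graph PowerShell can return it for every guest and filter by mail domain client-side, with no page-size ceiling. It assumes the Microsoft.Graph.Users module is installed and you have consented to User.Read.All; 'testsite.com' is the domain from the post, used only as a placeholder.

```powershell
# Added example, not from the original post. List B2B guest users with their
# invitation state via Microsoft Graph PowerShell, optionally filtered by the
# domain of the guest's mail address. Assumes Microsoft.Graph.Users and the
# User.Read.All (or Directory.Read.All) scope.

Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

function Get-GuestInvitationStatus {
    param(
        [string]$Domain   # optional, e.g. 'testsite.com' (placeholder from the post)
    )

    # Server-side filter on userType; request only the properties we need.
    $guests = Get-MgUser -All `
        -Filter "userType eq 'Guest'" `
        -Property id,displayName,mail,userPrincipalName,externalUserState,externalUserStateChangeDateTime,createdDateTime

    foreach ($g in $guests) {
        # Guest UPNs look like alice_contoso.com#EXT#@tenant.onmicrosoft.com, so
        # prefer the mail attribute and fall back to rebuilding the address from
        # the part before #EXT# (last underscore becomes '@').
        $addr = if ($g.Mail) {
            $g.Mail
        } else {
            ($g.UserPrincipalName -replace '#EXT#.*$', '') -replace '_([^_]+)$', '@$1'
        }
        $mailDomain = ($addr -split '@')[-1]

        if ($Domain -and $mailDomain -ne $Domain) { continue }

        [pscustomobject]@{
            DisplayName     = $g.DisplayName
            Mail            = $addr
            Domain          = $mailDomain
            # externalUserState is 'PendingAcceptance', 'Accepted', or null for
            # guests that were not created through a B2B invitation.
            InvitationState = if ($g.ExternalUserState) { $g.ExternalUserState } else { 'Unknown (not B2B-invited)' }
            StateChanged    = $g.ExternalUserStateChangeDateTime
            Created         = $g.CreatedDateTime
        }
    }
}

# Usage (constructed):
Get-GuestInvitationStatus | Sort-Object Domain, Mail | Format-Table -AutoSize
Get-GuestInvitationStatus -Domain 'testsite.com' | Where-Object InvitationState -eq 'PendingAcceptance'
Get-GuestInvitationStatus | Export-Csv -Path .\guests.csv -NoTypeInformation
```

Guests still in PendingAcceptance for a long time are a useful cleanup list: an unredeemed invitation is an account that can be redeemed later by whoever controls that mailbox, so expiring or deleting stale invitations reduces the attack surface.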
Azure AD Security Defaults MFA not working (as expected?)

Hi,

We use Microsoft 365 Standard and have enabled Security Defaults ( https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide ), so we thought that our accounts would be as secure as they could be without Conditional Access.

One of our users was phished and emails were sent from their account. Checking the Interactive sign-in logs, I can see the attacker attempted to log in from Nigeria (we don't operate from Nigeria) using Chrome on Windows 10 and was denied login due to MFA (which is as expected; part of the log is shown below):

Date (UTC): 2023-05-10T09:12:20Z
Username: email address removed for privacy reasons
Application: Microsoft Authentication Broker
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Interrupted
Sign-in error code: 50074
Failure reason: Strong Authentication is required
Client app: Browser
Browser: Chrome 112.0.0
Operating System: Windows 10
Multifactor authentication result: User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others
Authentication requirement: Multifactor authentication
Sign-in identifier: email address removed for privacy reasons
Token issuer type: Azure AD

2 minutes after that attempt, the attacker then tried using Safari on iOS 14, and this only asked for single-factor authentication and let them in, which certainly wasn't expected! From there, they were able to monitor the email in this instance and send / modify emails until we detected them and locked them out. It could have been worse; we were lucky this time.

The successful (part) log is shown below:

Date (UTC): 2023-05-10T09:14:27Z
Username: email address removed for privacy reasons
Application: Microsoft Authentication Broker
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Success
Sign-in error code:
Failure reason: Other
Client app: Mobile Apps and Desktop clients
Browser: Mobile Safari 14.1
Operating System: iOS 14
Multifactor authentication result:
Authentication requirement: Single-factor authentication
Sign-in identifier: email address removed for privacy reasons
Token issuer type: Azure AD

I have logged this with Microsoft, but all they are concerned with is that the account is now secure, and not the fact that, with Security Defaults on, a phished account was accessed without MFA (and from a country we don't operate from).

I have since done some more testing with another account, and after revoking sessions and MFA, they could log in to the same PC they normally use and access http://www.office.com without MFA prompts, only finally being asked when going into Security Settings in My Account. I can accept that, as the location this was from is the main office, it might be flagged as safe by MS. So then I used the same account to log in from another client's office not associated with us (using a VM there), and again it was able to log in to http://www.office.com without any MFA prompts, which again is quite concerning.

I wondered if anyone had any insights into why this might have happened like this? As far as I can see, Security Defaults isn't really doing a very good job.

Thanks
Rob
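Added example, not from Rob's post or its replies: a hunt in Microsoft Graph PowerShell for exactly the sequence the two log extracts above show, an MFA-interrupted attempt (error 50074) followed within minutes by a successful single-factor sign-in for the same user from the same IP address. Field names are those of the Microsoft Graph signIn resource as returned by Get-MgAuditLogSignIn; the two sample records are constructed from the values in the post so the function can be tried offline before running it against the live log.

```powershell
# Added example, not from the original post. Flags an MFA interrupt (50074)
# followed shortly by a single-factor success for the same user + IP, i.e. a
# client/protocol switch that sidestepped the MFA prompt.

function Find-MfaInterruptThenSingleFactorSuccess {
    param(
        [Parameter(Mandatory)] [object[]]$SignIns,   # Get-MgAuditLogSignIn objects (or look-alikes)
        [int]$WindowMinutes = 10
    )

    $findings = @()
    foreach ($group in ($SignIns | Group-Object -Property UserPrincipalName, IpAddress)) {
        $events = $group.Group | Sort-Object CreatedDateTime

        # 50074 = "Strong Authentication is required" (MFA challenge not satisfied).
        $interrupts = $events | Where-Object { $_.Status.ErrorCode -eq 50074 }

        # Success (errorCode 0) where the service only demanded one factor.
        $sfSuccesses = $events | Where-Object {
            $_.Status.ErrorCode -eq 0 -and
            $_.AuthenticationRequirement -eq 'singleFactorAuthentication'
        }

        foreach ($i in $interrupts) {
            foreach ($s in $sfSuccesses) {
                $delta = ($s.CreatedDateTime - $i.CreatedDateTime).TotalMinutes
                if ($delta -ge 0 -and $delta -le $WindowMinutes) {
                    $findings += [pscustomobject]@{
                        User           = $s.UserPrincipalName
                        IpAddress      = $s.IpAddress
                        Country        = $s.Location.CountryOrRegion
                        MfaBlockedAt   = $i.CreatedDateTime
                        SfSuccessAt    = $s.CreatedDateTime
                        MinutesApart   = [math]::Round($delta, 1)
                        BlockedClient  = "$($i.ClientAppUsed) / $($i.DeviceDetail.Browser)"
                        SuccessClient  = "$($s.ClientAppUsed) / $($s.DeviceDetail.Browser)"
                        AppDisplayName = $s.AppDisplayName
                    }
                }
            }
        }
    }
    return $findings
}

# Constructed sample shaped like Get-MgAuditLogSignIn output, using the values
# from the post (the username is a placeholder).
$sample = @(
    [pscustomobject]@{
        CreatedDateTime           = [datetime]'2023-05-10T09:12:20Z'
        UserPrincipalName         = 'user@example.com'
        AppDisplayName            = 'Microsoft Authentication Broker'
        IpAddress                 = '105.112.183.103'
        Location                  = [pscustomobject]@{ City = 'Lagos'; CountryOrRegion = 'NG' }
        Status                    = [pscustomobject]@{ ErrorCode = 50074; FailureReason = 'Strong Authentication is required' }
        ClientAppUsed             = 'Browser'
        DeviceDetail              = [pscustomobject]@{ Browser = 'Chrome 112.0.0'; OperatingSystem = 'Windows 10' }
        AuthenticationRequirement = 'multiFactorAuthentication'
    },
    [pscustomobject]@{
        CreatedDateTime           = [datetime]'2023-05-10T09:14:27Z'
        UserPrincipalName         = 'user@example.com'
        AppDisplayName            = 'Microsoft Authentication Broker'
        IpAddress                 = '105.112.183.103'
        Location                  = [pscustomobject]@{ City = 'Lagos'; CountryOrRegion = 'NG' }
        Status                    = [pscustomobject]@{ ErrorCode = 0; FailureReason = 'Other' }
        ClientAppUsed             = 'Mobile Apps and Desktop clients'
        DeviceDetail              = [pscustomobject]@{ Browser = 'Mobile Safari 14.1'; OperatingSystem = 'iOS 14' }
        AuthenticationRequirement = 'singleFactorAuthentication'
    }
)

# The sample yields one finding, 2.1 minutes apart, Browser -> Mobile Apps and Desktop clients.
Find-MfaInterruptThenSingleFactorSuccess -SignIns $sample | Format-List

# Against the live log (needs AuditLog.Read.All and Directory.Read.All):
# Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All' -NoWelcome
# $since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('o')
# $live  = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"
# Find-MfaInterruptThenSingleFactorSuccess -SignIns $live | Format-Table -AutoSize
```

The pairing on user and IP keeps the rule tight; if you also want to catch the attacker rotating IPs, group on UserPrincipalName alone and add the country to the output so the two attempts can be compared by hand.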
What licensing is required for enabling Microsoft Authenticator Passwordless Sign-in?

My Office 365 clients (headcount 5) are currently on Office 365 Business Premium. In order to get the full benefit of the latest Azure AD Passwordless Sign-In via Microsoft Authenticator, and other Conditional Access policies, what licensing do I need to have? If I upgrade a single user to Microsoft 365, would that give me full access to all features of Azure AD Premium P1 or P2 that can be applied to all my users?

Separate On-Prem Account from Synced Office 365 Account
Hi,

I have a company that has some users who are on-prem and have an account in Active Directory. This company ALSO has a lot of mobile users who do NOT have/need an on-prem Active Directory account, but they do have an Office 365 account. (I'm not sure this is the optimal setup, but it is what it is for now.)

There is a user who no longer needs an on-prem AD account, but she needs to keep her Office 365 account. Is there any way I can delete her on-prem account and have it not 'break' her Office 365 account? Essentially, I need to separate her from the on-prem AD but keep her Office 365 account working properly.

Thanks for any advice

Exclude Microsoft first-party applications in Azure Conditional Access policy
We have an app built on the Microsoft Graph resource, and we have a Conditional Access policy that targets all cloud apps. When users sign in to this app using the Chrome browser on iOS, they get an error and a prompt to use Edge. We do not want users to change the browser, and we tried to exclude Microsoft Graph from the CA policy using all options, including the API, but it fails with the below error:

Policy contains invalid applications: unsupported firstpartyapplication.

Is there a way to exclude Microsoft Graph from the policy?

Attribute Filter for local domain in Azure AD Connect
Dear All,

I have one question. I have a local domain and a custom domain. When I set up Azure AD Connect and Office 365, I synced with OU filtering, and the OU has users with both .local and .com in it. My .com domain is synced correctly, but the .local domain is synced to .onmicrosoft.com.

My question: can I prevent .local from syncing to Office 365? I have a thousand users who have used .local; I cannot change all users to the .com domain, and I don't want .onmicrosoft to show in the portal. I also need Azure AD Connect to sync automatically when I change the UPN suffix from .local to .com. I know about attribute filtering, but I don't know which attribute I should select.

Thank you

Enterprise application app secret key needs to be updated for SharePoint Online access.
Hi,

I need to update the app secret key, which has already expired, so that the client can access the SharePoint Online site with the app id and key. The problem is that I can only see this app under "Enterprise applications" in "Azure AD" as a "Service Principal", where I am not getting any option to update the secret key. And this app is not showing under "App registrations" in "Azure AD". How do I update the secret key via the GUI or a PowerShell command? Need help.
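Added example, not part of the original post or its replies: an app that appears only under Enterprise applications is a service principal without an app registration in this tenant, so its password credential has to be managed on the service principal itself, which Microsoft Graph PowerShell can do. It assumes the Microsoft.Graph.Applications module and consent to Application.ReadWrite.All; the client id is a placeholder, and whether SharePoint's ACS endpoint accepts the Graph-generated secret exactly as it did the original key is an assumption to verify with a test call before the old credential is removed.

```powershell
# Added example, not from the original post. Rotate the client secret of a
# service-principal-only app (e.g. one created through SharePoint's
# AppRegNew.aspx). Assumes Microsoft.Graph.Applications and
# Application.ReadWrite.All; $clientId is a placeholder.

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

$clientId = '00000000-0000-0000-0000-000000000000'   # placeholder: the app id used with SharePoint

$sp = Get-MgServicePrincipal -Filter "appId eq '$clientId'"
if (-not $sp) { throw "No service principal found for appId $clientId" }

# Show the existing secrets and their expiry so you know what you are replacing.
$sp.PasswordCredentials |
    Select-Object DisplayName, KeyId, StartDateTime, EndDateTime |
    Format-Table -AutoSize

# Add a new secret. Graph generates the value; it is returned once in SecretText.
$newCred = Add-MgServicePrincipalPassword -ServicePrincipalId $sp.Id -PasswordCredential @{
    DisplayName = "SharePoint client secret rotated $(Get-Date -Format yyyy-MM-dd)"
    EndDateTime = (Get-Date).AddYears(1)
}

"New secret (copy it now; it cannot be read back later): $($newCred.SecretText)"
"KeyId: $($newCred.KeyId)  Expires: $($newCred.EndDateTime)"

# Assumption to verify: test the client against SharePoint with the new secret
# before removing the expired credential. Once confirmed, clean up:
# foreach ($old in $sp.PasswordCredentials | Where-Object EndDateTime -lt (Get-Date)) {
#     Remove-MgServicePrincipalPassword -ServicePrincipalId $sp.Id -KeyId $old.KeyId
# }
```

Keeping the old credential until the client is confirmed working on the new one avoids an outage; leaving an expired credential in place costs nothing security-wise since it can no longer be used, but it is worth removing so the list of active keys stays readable.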
MFA denied; duplicate authentication attempt

We see a lot of entries in the Entra ID sign-in logs with "MFA denied; duplicate authentication attempt". Most of the time a lot of them are registered in a short amount of time. Users are not (yet) complaining. Maybe users don't even see something wrong. Anyone who knows what this means? (MFA denied; duplicate authentication attempt)

Kind regards
Jurgen

Using Security Admin Center as B2B Guest
Hi everyone,

I was adding a guest account from AAD and gave this account the Security Administrator role. Now I am trying to get this account access to https://security.microsoft.com, but I am not able to change the tenant. I can change tenant in portal.azure.com and aad.portal.azure.com. Is it possible to access the Defender Portal as a guest?

Thanks in advance and best regards
Andreas