Conditional Access
44 Topics

passwordless together with MFA
edit: there was an issue using Edge under Linux, which now has support for FIDO2 tokens. You need to use Chrome when logging into Azure using a Linux client. Hi, we are running a CA which enforces MFA through the MS Authenticator app for all users. We would like to set up an alternative way through FIDO2 tokens (passwordless). We still do have users without smart devices and we also want a soft way for migration. Right now the passwordless login fails because the CA enforces MFA for all users. Is there a way to solve this problem? Or do we have to choose one authentication way for all users? My first idea is to configure the CA so it excludes certain users from the policy: make a group for passwordless users and exclude them from MFA. Is this the way to go or are there better solutions? Would it be possible to generate this group dynamically for all the users with at least one FIDO2 token in their authentication methods? Or would this idea mean that we have to set this group manually? What are the consequences if a user has MFA and FIDO2 within their authentication methods? Thanks for any answers and any solution. Cheers, Sebastian

Blocking Personal Outlook and Gmail Accounts on Corporate Device
Hello Community, In my organization, we use the Microsoft 365 environment. We have a hybrid infrastructure, but we aim to deploy as many policies as possible through Microsoft 365 (Intune, Purview, Defender, etc.). One of our goals is to limit the use of corporate devices for personal purposes. We use Outlook as our corporate email service, and we would like to block employees from signing into their personal email accounts (either via web or desktop application). Additionally, we would like to block access to other email services, such as Gmail, both via web and desktop apps. Could you provide guidance on how to achieve this? I would greatly appreciate any help or suggestions. Thank you very much! Juan Rojas

Only Outlook and Teams on Personal mobile devices
We are looking to let users access Outlook and Teams using their personal iOS and Android devices but not allow them to access the SharePoint side within the Outlook app. I have made two conditional access policies to accomplish this, but only the Outlook side of things is working. Teams won't let a user log in, and users are being blocked by the first Conditional Access policy.

First CA:
- Target Resources: Include = Office 365; Exclude = Microsoft Teams Services, Office 365 Exchange Online
- Conditions: Device Platform = Android, iOS; Filter for devices = device.deviceOwnership -eq "Personal"
- Grant = Block access

Second CA:
- Target Resources: Include = Microsoft Teams Services, Office 365 Exchange Online
- Conditions: Device Platform = Android, iOS; Filter for devices = device.deviceOwnership -eq "Personal"
- Grant = Grant access > Require device to be marked compliant

Can anyone help?

Allow use of One Time Password
Hello, We have set up passwordless authentication using Conditional Access policies, which is working great. The question I have is how I can set up the option to allow the use of the one-time password (the 6-digit code in the Authenticator app) when the mobile device is offline and cannot receive the number matching. For example, the user is on a plane and has purchased the use of WiFi for the laptop, but the phone is offline and they want to use the 6-digit code from the Authenticator app.

Whenever logging into the Office applications a different OTP needs to be applied for Outlook and Teams
When signing into Office applications, a different OTP is required for both Outlook and Teams. To address this issue, is there any resolution that supports this issue, or a supporting document as proof to confirm that this is a standard procedure?

Using CBA with a device certificate on Windows Server
Hi, will it be possible to use CBA as a "filter for devices" some day? E.g. a Windows Server which is not hybrid joined or managed by Intune could then be identified as a "valid device" which is allowed to access the Admin portal. Like a RADIUS auth. BR, Stephan

New Blog | Now available: Modernize your SAP environment with Microsoft Entra ID
By Melanie Maynes. Building on our joint announcement with SAP earlier this year, we have now released guidance to help customers modernize their SAP environment and move their identity management scenarios from SAP Identity Management (SAP IDM) to Entra ID. With this documentation, SAP IDM customers can migrate seamlessly to the cloud-based IAM and identify the right partners that can assist. In February, SAP announced that the on-premises tool for managing identity would reach end-of-maintenance by 2030. We are honored that SAP has recommended Microsoft Entra ID, our cloud-based identity and access management solution, to facilitate a seamless migration and ongoing enterprise-wide identity and access management. Read the full post here: Now available: Modernize your SAP environment with Microsoft Entra ID

Is it possible to protect the Primary Refresh Token (PRT) if attacker has hands on keyboard
Hi everyone, I want to ask if anyone knows if it is possible to defend against a pass-the-PRT attack? We are about to embark on a journey to deploy privileged access workstations to all IT admins with more or less no internet access. The idea is to have a clean source and heavily reduce the chance of an attacker getting hold of the credentials / PRT of an admin account. But because it is so heavily locked down it is already causing issues for us. So I want to find out how big of an issue it is if an attacker was able to get a foothold on a device which is used by a standard user account that has Microsoft Entra ID roles assigned via PIM. So we have Defender for Endpoint installed on all devices, Tamper Protection is on and the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" is set to block. Further to that, we require a FIDO2 security key for all IT admins and CA policies are set to require both MFA and a compliant device. But as mentioned above, if an attacker gets a foothold on a device used by an IT admin user who logs in with his or her standard account and elevates into an Entra admin role, is it game over by then? If that is the case, it seems to me that the PRT is the weak link and we would be better off not having the device used for admin privileges joined to Microsoft Entra.

Conditional Access Applications
When I review the applications in Conditional Access Overview, I see under Users without coverage: Microsoft Authentication Broker, with most employees listed (i.e. 33 out of 33). Most status is Success but Conditional Access shows Not Applied. Is this a normal behavior or am I missing something under Policy? I have a policy, "Require MFA for internal users (admins not included) - Basic", where the control selected is Require multifactor authentication. We have all users using the Microsoft Authenticator app.