Sign-in Frequency Policy for Office / FLW's
Hi All I hope you are well. Anyway, I'm a bit confused with the Conditional Access Sign-in Frequency Session Control and MFA. Info here: https://learn.microsoft.com/en-us/entra/identity/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime#recommended-settings So, what would be a good recommendation for: Office staff (M365 E3 license) Front Line Worker's (F3 license) And am I correct in saying that this includes MFA and that the default MFA period is 90 days Any help or advice on a good workable setting would be greatly appreciated. Stuart
Generating Additional riskEventType Events in Microsoft EntraID
Hello, We are using Simulated Risk Detections to test specific riskEventType detections based on Microsoft's documentation: Reference: Simulated Risk Detections in Microsoft Entra ID So far, we have successfully simulated the following risk detections: Anonymous IP address Unfamiliar sign-in properties Atypical travel Leaked credentials in GitHub for workload identities However, the documentation states that other risk detections cannot be simulated in a secure manner. We are looking for guidance on how to generate events for additional riskEventType detections in a controlled environment.Has anyone successfully tested or triggered these risk detections for security research or validation purposes? Any insights, best practices, or alternative approaches would be greatly appreciated. Thanks!
GSA - Web content filtering - Custom blocked page
Hello everyone, I have a quick question. I just tested the 'Web Content Filtering' of Global Secure Access. However, in Microsoft's documentation, two processes are mentioned for displaying blocked sites (related to HTTP and HTTPS). I wanted to know if it is possible to create a custom page (for example, adding the company logo, indicating the reason for blocking such as the associated web category, etc.). I tried to search, but no documentation related to this is available (or at least I couldn't find it). Thanks in advance for the help!
Security Info blocked by conditional access
Hello, We have a conditional access policy in place where a specific group can only access Microsoft 365 (deny all apps, except Office 365). The moment a user clicks on Security Info in My Account, the user is blocked by this policy. I cant find a way to exclude the app "My Signins" (AppId 19db86c3-b2b9-44cc-b339-36da233a3be2). Since MFA is forced for this group, they can't change their authenticator app registration. Is there a solution for this? Initial MFA setup works by the way. UPDATE jan 23, 2025: I contacted Microsoft support and this was their answer (in short): " MySignin is a very sensitive resource that is not available in the picker and cannot be excluded in the conditional access policy. Also, the application is calling Microsoft Graph. I understand that this is not the information you are looking to hear at this time, I would have loved to help but the application cannot be excluded from the policy. "
Enable MFA method
Dear, Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to “any”. Either “passwordless” or “Push”. It is possible to enable the following authentication method through a conditional access policy, currently it is enabled for some users. Desired authentication method: The current method is as follows: Can it be enabled for professional accounts or is it only focused on personal accounts? Thanks in advance.Block none enrolled device to user who have enrolled devices
First of all, thank you for everything. I have users who have their device enrolled with the company. I have others who don't yet. I need to block access with personal devices to those users who already have their device enrolled. I do NOT have a group that identifies which users have it and which don't, it's random. Thanks for the help !!!
CA policy for corporate devices
I would like to create a conditional access policy to block all non corporate devices from accessing Office 365 resources. I created a policy: Applies to -> User Group Applies to -> all resources Applies to -> Win 10 Filter for devices exception-> Ownership: company & trust type: Entra Hybrid joined. Action: block The above works fine for office desktop login, i.e. blocks non corporate devices and allows corporate devices. However, a side effect is that sign ins from browser on a corporate device is still blocked."sign-in frequency" every time not working as expected and described.
We have several PIM managed groups in an Entra ID tenant. Members are added as eligible. For the activation of the memberships an Authentication Context is created which is linked to a conditional access policy. The conditional access policy requires MFA with phishing resistant authentication factors, and "sign in frequency" is set to "every time". When activating membership authentication is required. When activating membership to another group (>5min in between activations) one would expect to request an authentication prompt, as described in Microsoft documentation. In Firefox this works as expected, In Edge and Chrome there is no re-authentication required every time, and sometimes even not for the first activation, not even in an in-private session. The device is not joined to this tenant, and the account used to log on is different from the one used to logon to the Entra ID portal. This is a test tenant with only those CA rules configured, no other policies or rules are in place. Anyone experiencing the same, or knowing the cause?Entra Private Access Licensing
I'm a bit stuck trying to figure out what licensing we need to get us working on BYOD devices such as iPads if we want to use the Private Access part of Global Secure Access. A few places on Microsoft's website mention that as long as we have an Entra ID P1 or P2 license and a Private Access license assigned to a user, we should be able to enrol mobile devices without any issues. However, when I try to sign into MS Defender on an iPad (tried 2 different ones), I get an error saying invalid license. One of the users I am currently testing has an Office 365 E3 license assigned as well. Where am I going wrong?
