Identity Protection
62 Topics

Enable MFA for external identities in MS Entra
Hi all, I am planning to enable MFA for guest accounts and external identities using Conditional Access in MS Entra. I am, however, wondering how I can select what authentication methods they can use, or what the default behaviour would be. Currently, I am still using legacy MFA for internal users. I will migrate MFA to MS Entra later this year; however, I am not sure how this works when enabling MFA for external users. As I do use legacy MFA, my setting in "Authentication methods > Policies" has MS Authenticator set to NO. Now, do I need to switch MS Authenticator to YES if I want guests to use that app? And if I enable it, how do I assign it to external identities only? I do not see that kind of option there at all... I can assign it to all, for example, but I am not yet ready to migrate internal users as well... Would be happy to get some clarification on this. Thank you

New Blog | The latest enhancements in Microsoft Authenticator
By Nitika Gupta

Hi folks, I'm thrilled to announce three major Microsoft Entra ID advancements that will help you protect your users with phishing-resistant authentication:

Public preview refresh: Device-bound passkey support in Microsoft Authenticator
Public preview: Support for FIDO2 security keys on native brokered applications, such as Outlook and Teams, on Android 14
General availability: FIPS compliance for Microsoft Authenticator on Android

These advancements are crucial, not only for adhering to the US Executive Order 14028 on Improving the Nation's Cybersecurity, but also for safeguarding all organizations and users who rely on secure digital identities. Let's dig deeper!

Read the full post here: The latest enhancements in Microsoft Authenticator

employeeType attribute for Dynamic Group features
Dear Microsoft, I would like to suggest the feature of Dynamic Groups to support the employeeType attribute. As dynamic groups are used by features like Identity Governance Auto-Assignment policies and could be the base for Conditional Access Policies, this feature would be aligned with the Secure Futures Initiative and the Conditional Access Policy Architecture implementation recommendation using various personas (Conditional Access architecture and personas - Azure Architecture Center | Microsoft Learn), as well as the Microsoft recommendation not to use extensionAttributes for purposes other than a Hybrid Exchange deployment, as well as having named attributes for such important security configurations and Entitlement Management. Thanks, B

Conditional Access falsely detects logins from Android as Linux (and blocks them)
Hi everyone, we're facing an issue which we can't solve correctly.

Scenario: Users are accessing M365 content from Windows, iOS and Android devices. Conditional Access is configured to block logins from "unknown platforms", so only Windows, iOS and Android are allowed.

Issue: Some users experience weird issues: They're using an app with M365 SSO. The app opens up the Edge browser for handling the login flow. Afterwards the login fails. As I can see in the Entra Sign-in Logs, the user agent is Linux (therefore it gets blocked correctly). A few minutes before, the same user, with the same mobile phone, with the same app, isn't blocked, because the login was recognized correctly as Android. Currently I don't have any ideas and I was hoping some of you have great ideas. 🙂 (Adjusting the Conditional Access Policy to allow Linux isn't an option, of course.) Regards, Patrick

How can I turn off PIM Digest emails?
Hi all, We currently receive a weekly digest email with an update on our risky users/sign-ins. However, I check these daily and act accordingly, so we really don't need them. I tried disabling the weekly digest and unticking my role, but still they come. Can these weekly PIM digest emails be turned off and if so, how?

Warning: PIM disconnects users from Teams Mobile
I have been working with Microsoft Support on this issue for three months. Hopefully I can save others the trouble. Sometime around April 2024, I and my colleagues started seeing regular alerts on our mobile devices saying "Open Teams to continue receiving notifications for <email address>", or "<email address> needs to sign in to see notifications". Just as promised, after this message appears, we do not get notified about messages and Teams calls do not ring on our mobile devices until we open Teams. We eventually determined that these alerts coincided with activating or deactivating PIM roles. Apparently, a change was made to Privileged Identity Management in Microsoft Entra ID around that time whereby users' tokens are invalidated when a role is activated or deactivated. Quoting the Microsoft Support rep: "When a user's role changes (either due to activation or expiration), Skype AAD[?] will revoke existing tokens of that user. Skype AAD will also notify PNH about that token revocation. This is expected behavior and is working as designed. These changes were rolled out in Skype AAD in April/May 2024, which is since when you are facing the issue as well." Anyway, as far as I can tell, this change was not announced or documented anywhere, so hopefully this message will show up in the search results of my fellow admins who are dealing with this.

SSE (Private access) for vendor access management
SSE is marketed as a traditional-VPN replacement. However, its client app supports only Entra-joined devices. https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client#prerequisites Vendors and contractors accessing resources in any company do not have their devices Entra-joined (or they will be joined in *their* tenant at best). So SSE is currently unable to replace traditional VPN solutions in companies. Any plan for a solution here?

New Blog | Face Check is now generally available
By Ankur Patel

Earlier this year we announced the public preview of Face Check with Microsoft Entra Verified ID, a privacy-respecting facial matching feature for high-assurance identity verifications and the first premium capability of Microsoft Entra Verified ID. Today I'm excited to announce that Face Check with Microsoft Entra Verified ID is generally available. It is offered both by itself and as part of the Microsoft Entra Suite, a complete identity solution that delivers Zero Trust access by combining network access, identity protection, governance, and identity verification capabilities.

Unlocking high-assurance verifications at scale

There's a growing risk of impersonation and account takeover. Bad actors use insecure credentials in 66% of attack paths. For example, impersonators may use a compromised password to fraudulently log in to a system. With advancements in generative AI, complex impersonation tactics such as deepfakes are growing as well. Many organizations regularly onboard new employees remotely and offer a remote help desk. Without strong identity verification, how can organizations know who is on the other side of these digital interactions? Impersonators can easily bypass common verification methods such as counting bicycles on a CAPTCHA or asking which street you grew up on. As fraud skyrockets for businesses and consumers, and impersonation tactics have become increasingly complex, identity verification has never been more important. Microsoft Entra Verified ID is based on open standards, enabling organizations to verify the widest variety of credentials using a simple API. Verified ID integrates with some of the leading verification partners to verify identity attributes for individuals (for example, a driver's license and a liveness match) across 192 countries. Today, hundreds of organizations rely on Verified ID to remotely onboard new users and reduce fraud when providing self-service recovery.
For example, using Verified ID, Skype has reduced fraudulent cases of registering Skype Phone Numbers in Japan by 90%.

Read the full post here: Face Check is now generally available

Defender for Office - API for detections and status
Hello everyone, We would like to transfer data from "Microsoft Defender for Office" to our own dashboard using an HTTP REST API or another API. Unfortunately, I can find little to nothing about this. Are there any options for this? Best regards

New Blog | Microsoft Entra certificate-based authentication enhancements
By Alex Weinert

Howdy, folks! Today I'm excited to share the latest enhancements for Microsoft Entra certificate-based authentication (CBA). CBA is a phishing-resistant, passwordless, and convenient way to authenticate users with X.509 certificates, such as PIV/CAC cards, without relying on on-premises federation infrastructure, such as Active Directory Federation Services (AD FS). CBA is particularly critical for federal government organizations that are already using PIV/CAC cards and are looking to comply with Executive Order 14028, which requires phishing-resistant authentication. Today we're announcing the general availability of many improvements we introduced earlier this year: username bindings, affinity bindings, policy rules, and advanced CBA options in Conditional Access are all GA! I am also excited to announce the public preview of an exciting new capability: issuer hints. The issuer hints feature greatly improves user experience by helping users to easily identify the right certificate for authentication. Vimala Ranganathan, Principal Product Manager on Microsoft Entra, will now walk you through these new features that will help you in your journey toward phishing-resistant multifactor authentication (MFA). Thanks, and please let us know your thoughts! Alex Weinert

--

Hello everyone, I'm Vimala from the Microsoft Entra PM team, and I'm excited to walk you through the new issuer hints feature, as well as the features that will go into general availability. The issuer hints feature improves user experience by helping users to easily identify the right certificate for authentication. When enabled by the tenant admin, Entra will send back a Trusted CA Indication as part of the TLS handshake. The trusted Certificate Authority (CA) list will be set to the subjects of the Certificate Authorities (CAs) uploaded by the tenant in the Entra trust store.
The client or native application client will use the hints sent back by the server to filter the certificates shown in the certificate picker and will show only the client authentication certificates issued by the CAs in the trust store.

Figure 1: Enhanced certificate picker with issuer hints enabled

Read the full post here: Microsoft Entra certificate-based authentication enhancements