Identity
How to disable option to stay signed in
The option for users to choose to stay signed in to Office 365 is a potential security problem. We have MFA turned on, but if users stay signed in, another person may access the tenant if the computer is left unattended or is hacked. It was possible to turn this option off in Company Branding in AAD until the latest (preview) version of Company Branding was released. For some reason that feature is not available in the latest version. I assume I can revert to the previous version and then turn it off, but when doing that I receive a warning that it may have negative consequences for SharePoint Online, but it doesn't say what those consequences are. So, my questions are:
1. Can I turn it off by reverting to the previous version of Company Branding, and what are the consequences?
2. Is it possible to achieve the same result in another way? PowerShell or Conditional Access maybe?
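Added example (not part of the post above, and not Microsoft's own tooling): the Conditional Access route the poster asks about, expressed with the Microsoft.Graph PowerShell SDK. The policy uses the persistent browser session control set to "never" (the session ends when the browser closes, regardless of the "Stay signed in?" prompt) plus a sign-in frequency, and is created in report-only mode so the sign-in logs can be reviewed before enforcement. The display name, the one-hour frequency and the excluded break-glass group ID are assumptions; the property names follow the Graph conditionalAccessPolicy schema. Conditional Access needs an Entra ID P1 licence, and the persistent browser control only applies when the policy targets all cloud apps and browser clients.

```powershell
# Added example: stop browser sessions persisting via a Conditional Access
# session control instead of the Company Branding toggle.
# Requires the Microsoft.Graph PowerShell SDK and Entra ID P1.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Assumption: object ID of an emergency-access (break-glass) group that a
# session-control policy must never lock out. Replace with your own.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'SESSION - No persistent browser session, 1h sign-in frequency'
    # Report-only first; switch to 'enabled' once the sign-in logs show no
    # unexpected impact (the SharePoint warning the poster mentions is a
    # good reason to stage it).
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        # The persistent browser control requires "All cloud apps".
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser')   # KMSI is only a browser concern
    }
    sessionControls = @{
        persistentBrowser = @{
            isEnabled = $true
            mode      = 'never'          # never keep the session after the browser closes
        }
        signInFrequency = @{
            isEnabled = $true
            type      = 'hours'
            value     = 1                # assumption: re-authenticate hourly
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Read the policy back and show the session controls that will apply.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'PersistentBrowser'; e = { $_.SessionControls.PersistentBrowser.Mode } },
        @{ n = 'SignInFrequency';   e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } }
```

Leave the policy in report-only state for a few days and filter the Entra sign-in logs on it before changing `state` to `enabled`; a session-control policy that misfires signs everyone out, which is why the break-glass group is excluded.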
Windows AD account password expired but user can still send/receive email and use Teams (Solved)

Hi. I recently discovered that some users with expired AD passwords are still working as if nothing has changed, which caught me by surprise. All the users affected do not use the VPN on a regular basis, or sign into Office 365. They all use desktop Office for their email (Outlook) and chats (Teams). We are all still working from home. It appears as if a user is only challenged to update their expired password once they physically authenticate against the domain controller(s). But what if they never do? This means a user with an expired password will continue to send/receive emails and send chats in Teams regardless of when their password expired, unless they perform some form of "logon". I ran a PowerShell script to elucidate more and found that we have dozens of users in this boat. Some users have passwords that expired YEARS ago! Is this by design? In that the password expiration attribute is pointless until said account actively connects or authenticates to the domain? Why is the "expiration" attribute not part of the user SID? I'm baffled. We have on-premises domain controllers which sync out to Office 365 via AD Sync, and this is syncing fine with no errors, including password sync. Any help appreciated.
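Added example (not the poster's script): a report of enabled AD users whose password has already expired, using the constructed attribute msDS-UserPasswordExpiryTimeComputed so that fine-grained password policies are honoured. LastLogonDate is the replicated lastLogonTimestamp, which is only updated by on-premises logons (and can lag by up to about 14 days), so an account that works purely through cloud sign-ins will look idle here; compare the output with the Entra sign-in logs. The search base, the 30-day threshold and the export path are assumptions.

```powershell
# Added example: list enabled users whose AD password expired, with how long
# ago it expired and the last on-prem logon seen. Requires the ActiveDirectory
# RSAT module.
Import-Module ActiveDirectory

function Get-ExpiredPasswordUsers {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # assumption: whole domain
        [int]$MinimumDaysExpired = 0
    )
    $now   = Get-Date
    $never = [long]::MaxValue   # 0x7FFFFFFFFFFFFFFF = password never expires

    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
        -SearchBase $SearchBase `
        -Properties PasswordLastSet, LastLogonDate, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = must change at next logon (pwdLastSet is 0); MaxValue = no expiry.
        # Neither is the "expired but still working" case, so skip them.
        if ($null -eq $raw -or $raw -eq 0 -or $raw -eq $never) { return }

        $expires = [DateTime]::FromFileTime($raw)
        if ($expires -ge $now) { return }

        $daysExpired = [int]($now - $expires).TotalDays
        if ($daysExpired -lt $MinimumDaysExpired) { return }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            PasswordExpired = $expires
            DaysExpired     = $daysExpired
            LastLogonDate   = $_.LastLogonDate   # on-prem only; cloud sign-ins do not update it
        }
    } | Sort-Object DaysExpired -Descending
}

# Usage: everyone expired more than 30 days ago, exported for review.
$report = Get-ExpiredPasswordUsers -MinimumDaysExpired 30
$report | Format-Table -AutoSize
$report | Export-Csv -Path '.\expired-passwords.csv' -NoTypeInformation   # assumption: output path
```

Run it as a regular domain user (the attribute is readable without elevated rights) and feed the CSV into whatever disablement or forced-reset workflow you decide on; the script itself changes nothing.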
Azure AD SSPR Password write back issue (Solved)

Hi all, a company I work for has issues with the reset password function with AD Connect. In the SSPR audit logs in Azure AD, we see on 'Reset password (self-service)' the status reason 'OnPremisesAdminActionRequired', with a follow-up event log on the AD Connect server: event ID 33004 with error "hr=80230626, message=The password could not be updated because the management agent credentials were denied access". I faced this issue before, and it was caused by the AD DS connector account not having the right permissions. In this case that is not the cause. What I have done so far:
- Updated AD Connect from 2.0.89.0 to 2.0.91.0
- Enforced TLS 1.2: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement
- Checked the AD DS connector account 'MSOL_xxxxxxxx' permissions: https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#verify-that-azure-ad-connect-has-the-required-permissions
- The user does not have the options 'password never expires' or 'user cannot change password' configured
- Let AD Connect talk to another DC (dc02 instead of dc01)
- Checked the connection to the SSPR service from the DCs: Test-NetConnection -ComputerName ssprdedicatedsbprodscu.servicebus.windows.net -Port 443
- The action 'Change password (self-service)' is successful (via the My Account portal); only the action 'Reset password (self-service)' has this issue (via passwordreset.microsoftonline.com). Both use the same OnPremisesAgent -> AADConnect
Does anyone have an idea what else I can try? Regards, Ricardo
Office 365 MFA using code sent to email, instead of getting request on Microsoft Authenticator (Solved)

I am working on a tenant which has 400+ sites, and we need to force this permission setting for external user sharing: set the share permissions on all sites to allow only external users if they are invited by email, and require MFA via a code sent to their email to authenticate. So is this something we can achieve, to force the MFA code to be sent to email rather than a mobile phone? Second question: if the answer to the above question is yes, then will this need to be done at the site level or at the tenant level? If this needs to be set on each site separately, can we do this using PowerShell, where we loop through all the sites inside PowerShell? But how can we set this setting using PowerShell?
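Added example (not from the post above): the per-site loop the poster asks about, written with the SharePoint Online Management Shell. It sets every site's sharing capability to ExternalUserSharingOnly (external users must be invited and must authenticate; no anonymous links), reports before it changes anything, and prints the tenant-level settings first, because a site can never be more permissive than the tenant. The admin URL is an assumption. The email-code requirement is shown only as the tenant-level EmailAttestationRequired property, on the assumption that this is the setting meant; it is not something Set-SPOSite controls per site.

```powershell
# Added example: set the external-sharing capability on all sites, with a
# report-only default. Requires Microsoft.Online.SharePoint.PowerShell and a
# SharePoint administrator account.
Import-Module Microsoft.Online.SharePoint.PowerShell

function Set-AllSitesExternalSharing {
    param(
        # Assumption: replace with your tenant's admin URL.
        [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly',
                     'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string]$SharingCapability = 'ExternalUserSharingOnly',  # invited + authenticated only
        [switch]$Apply                                             # without -Apply: report only
    )
    Connect-SPOService -Url $AdminUrl

    # Tenant-level ceiling and the tenant-level email verification settings
    # (assumed to be the "code sent to email" requirement in the question).
    Get-SPOTenant | Select-Object SharingCapability, EmailAttestationRequired, EmailAttestationReAuthDays |
        Format-List

    Get-SPOSite -Limit All | ForEach-Object {
        $site = $_
        if ($site.SharingCapability -eq $SharingCapability) {
            $action = 'unchanged'
        }
        elseif ($Apply) {
            Set-SPOSite -Identity $site.Url -SharingCapability $SharingCapability
            $action = 'changed'
        }
        else {
            $action = 'would change'
        }
        [pscustomobject]@{
            Url    = $site.Url
            Before = $site.SharingCapability
            Target = $SharingCapability
            Action = $action
        }
    }
}

# Report first, then apply once the list looks right:
Set-AllSitesExternalSharing | Format-Table -AutoSize
# Set-AllSitesExternalSharing -Apply | Export-Csv .\sharing-changes.csv -NoTypeInformation
```

With 400+ sites, keep the report CSV: it is the rollback list if a site owner reports that a previously working sharing link stopped resolving.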
Windows Hello for Business 0x80090010 NTE_PERM

Hi all, I'm encountering an issue with Windows Hello for Business on the latest version of Windows (July 2025 update). The setup process fails during initialisation, and no biometric or PIN options are being provisioned for the user.
Environment:
- Windows version: 11 24H2 Enterprise (latest update)
- Deployment mode: Hybrid Cloud Trust
- Hybrid joined devices
Symptoms:
- Users are prompted to set up WHfB but the process fails at the last step with error 0x80090010
- Users who already have WHfB authentication methods created can successfully log in
- Event ID 311 & 303 in the User Device Registration logs
Troubleshooting so far:
- Unjoined and rejoined to Entra ID
- Granted modify permissions on the folder in which the NGC container would be created
- Rolled back to the June 2025 update (this worked)
So it seems like this is caused by or related to the latest Windows Update, which is rather unfortunate for us as we are just beginning to roll out WHfB for our organisation. I'm posting here to raise awareness of the issue; if there is a more appropriate place to post then please suggest.
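Added example (not from the post above): a first-pass triage script to run on an affected device in the affected user's session. It parses `dsregcmd /status` into a table, shows the fields that matter for Hybrid Cloud Trust (join state, PRT, whether an NGC key is already set, device authentication and the WHfB prerequisite result) and pulls the most recent User Device Registration events 303 and 311 that the poster mentions. The field names are the ones dsregcmd prints on current Windows 11 builds; any that are absent show as n/a. It does not diagnose the NTE_PERM cause, it gathers what a support case or a comparison between a rolled-back and an updated machine needs.

```powershell
# Added example: collect WHfB provisioning state from dsregcmd and the User
# Device Registration event log. Run in the user's own session.

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines; turn them into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    $status
}

function Get-WhfbTriage {
    param([int]$MaxEvents = 20)

    $s = Get-DsregStatus
    # Fields as printed by dsregcmd; 'n/a' means the line was not present.
    $fields  = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'NgcSet',
               'DeviceAuthStatus', 'PreReqResult'
    $summary = [ordered]@{}
    foreach ($f in $fields) {
        $summary[$f] = if ($s.ContainsKey($f)) { $s[$f] } else { 'n/a' }
    }

    # Events 303/311 from the User Device Registration admin log, first
    # message line only, newest first.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'
        Id      = 303, 311
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

    [pscustomobject]@{
        Status = [pscustomobject]$summary
        Events = @($events)
    }
}

$t = Get-WhfbTriage
$t.Status | Format-List
$t.Events | Format-Table -AutoSize
```

Capture the same output on a machine still on the June update where provisioning works; the diff of Status (in particular NgcSet and PreReqResult) and of the 303/311 message text is usually more useful to Microsoft support than screenshots of the error dialog.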
Multi-factor Authentication (MFA) via Security Defaults enforced on tenants by Microsoft (status)

Hi all,
- Security Defaults is enabled by default on all newly created Microsoft 365 tenants.
- Microsoft has started enforcing Multi-factor Authentication (MFA) on all tenants.
- MFA will not be enforced on tenants using Conditional Access policies (at least one Azure AD Premium P1 license is required to be able to use Conditional Access policies).
- Self-service password reset (SSPR) will enforce Multi-factor Authentication on all accounts (including the break-glass account), but SSPR can be disabled.
- Please check admin.microsoft.com > Health > Message center for the notification.
- Security Defaults requires all users to register for MFA within 14 days; however, users can postpone this registration. After 14 days, they will be forced to do the registration; however, this happens during interactive sign-ins.
- If a user doesn't perform the MFA registration and a bad actor figures out the user's password, they can register their phone or authentication app as an MFA method.
It is recommended:
- to use MFA company-wide, because this security feature prevents 99.9% of attacks on your accounts.
- to revoke existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication.
https://learn.microsoft.com/en-us/microsoft-365/business-premium/m365bp-turn-on-mfa
https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/let-users-reset-passwords
https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#revoking-active-tokens
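Added example (not from the post above): the token-revocation recommendation made targeted. Rather than revoking every session in the tenant, it reads the Security Defaults state, lists users who have not yet registered an MFA method from the authentication-methods registration report, and revokes sessions per user so each one must sign in interactively again (and therefore register) while leaving the break-glass account alone. The excluded UPN is an assumption; the default is a dry run. The registration report is read through the Graph reports API and may not be populated for every licence tier.

```powershell
# Added example: Security Defaults state, users without MFA, and per-user
# session revocation with a break-glass exclusion. Requires the Microsoft.Graph
# PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All',
                        'UserAuthenticationMethod.Read.All', 'User.ReadWrite.All'

function Get-SecurityDefaultsState {
    (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
}

function Get-UsersWithoutMfa {
    # Registration report entries; Id is the user's object ID.
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All -Filter 'isMfaRegistered eq false' |
        Select-Object Id, UserPrincipalName, IsAdmin, IsMfaRegistered, IsSsprRegistered
}

function Revoke-SessionsForUnregisteredUsers {
    param(
        # Assumption: break-glass accounts this script must never touch.
        [string[]]$ExcludeUpn = @('breakglass@contoso.onmicrosoft.com'),
        [switch]$Apply    # default is a dry run
    )
    foreach ($u in Get-UsersWithoutMfa) {
        if ($ExcludeUpn -contains $u.UserPrincipalName) {
            [pscustomobject]@{ User = $u.UserPrincipalName; IsAdmin = $u.IsAdmin; Action = 'skipped (excluded)' }
            continue
        }
        if ($Apply) {
            # Invalidates refresh tokens and browser session cookies for this user only;
            # access tokens already issued remain valid until they expire.
            $null = Revoke-MgUserSignInSession -UserId $u.Id
            $action = 'sessions revoked'
        }
        else {
            $action = 'would revoke'
        }
        [pscustomobject]@{ User = $u.UserPrincipalName; IsAdmin = $u.IsAdmin; Action = $action }
    }
}

"Security Defaults enabled: $(Get-SecurityDefaultsState)"
Revoke-SessionsForUnregisteredUsers | Format-Table -AutoSize           # dry run
# Revoke-SessionsForUnregisteredUsers -Apply | Format-Table -AutoSize   # enforce
```

Start with the IsAdmin rows: an unregistered admin is the account an attacker with a leaked password would most like to enrol their own authenticator on.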
Add filters/grouping to Microsoft Authenticator app accounts

Hello! Hope you are all well! I would like to see filters for personal / work-and-school accounts, or by domain. Or even the ability to organise accounts manually into groups. Currently I have a long list of personal accounts and work accounts.
How to change Directory sync service account in AAD Connect?

Since the Global admin account and the service account are the same, we are not able to apply MFA on it. Hence we want to change the sync service account. We tried to reconfigure the setting, but the dirsync service account is still the same, i.e. the Global admin.
Password-less authentication using a one-time passcode from the Microsoft Authenticator app

Recently one of my users was in an Internet-restricted zone, and when he tried to sign in with the passwordless method, he didn't get the code due to no internet on his mobile; in addition to this, he forgot the user sign-in password. Is there any method or way to set up that we can sign in using the 6-digit Microsoft Authenticator app code instead of the push notification and password?
Allow any UTF-8 characters in Microsoft account passwords

Hello, I tried to use characters like «¼∃≒∀» in passwords and the form always rejects them, while local Windows accounts and on-premises domain controllers accept them. I opened a support ticket to report this as a bug and was told it works this way by design (case 28980531). I was also directed here if I had any suggestions, so here I am: please allow any and all UTF-8 characters in the password field of your online service. Not being able to is a regression from using an on-premises domain controller that gladly accepts even emojis in passwords. Thank you.