MFA
145 TopicsHow to handle MFA for a shared account?
Hello, We have a business need where some users need to share an Entra ID account for Dynamics 365. I am trying to figure out how to handle MFA for a shared account and what's the best practice in such cases. We could setup the MFA for this account to the admins' phones, but this will only create headache for those admins (when they're out of office, travelling etc.). Any advice would be appreciated.Solved880Views0likes3CommentsPasswordless POC Blocked by CA BYOD Policy – Looking for Workarounds
We’re currently running a POC for passwordless authentication in our environment. One challenge we’ve hit is that our CA BYOD policy blocks personal devices, which prevents users from enabling passwordless sign-in via the Microsoft Authenticator app. Since Authenticator is not a cloud app, we can’t exclude it from the CA policy using the usual cloud app filters. This is causing issues when users try to register or use passwordless sign-in from their personal phones. Has anyone dealt with this scenario or found a workaround that allows passwordless sign-in while still enforcing BYOD restrictions? Any ideas, suggestions, or creative solutions would be much appreciated! Thanks in advance!74Views0likes1CommentEntra External Authentication Method giving AADSTS900144 missing externalAuthenticationMethodId
Hi All, Has anyone else noticed in the last couple of days if EAM (External Authentication Method) is configured for MFA end users are getting: AADSTS900144: The request body must contain the following parameter: 'externalAuthenticationMethodId' Its been working for us fine for months/years but the last couple of days we are seeing heaps of the error above. I have raised a support case but zero response so far Regards, Daniel155Views1like3CommentsConditional access, Persistant Browser sessions and Azure File shares in Storage Accounts
Hello, I am in the process of doing a POC for Azure file sync from DFS to Azure file shares with a end goal of using Azure files shares and getting rid of DFS. I want to use Entra for identity access. One of the changes I need to make is set Persistant browser session in our MFA all user policy to "Never" so that the storage enterprise app does not get targeted for MFA, otherwise it wont work. How do I go about doing this without effecting any other users as it's a global policy. I know I need to do this because I get this error when I add the Storage Account ent app to the targeted resources (formerly cloud apps) exclusion list; "Message from server: The server could not process the request because it is malformed or incorrect. 1032: ConditionalActionPolicy validation failed due to InvalidConditionsForPersistentBrowserSessionMode." Any ideas of how to get around this without affecting anyone else and only target the storage account ent app. Cheers140Views0likes1CommentUnable to Log Into Teams on iPhone. Error: Sign-in Error
Hello, Has anyone been able to resolve the Sign-In Error issue? It appears to be an issue between the Microsoft Authenticator app and Teams. Our organization is using Conditional Access policies to require MFA via the Microsoft Authenticator App. After MFA completes and the phone returns to Teams, the error message is displayed. Azure AD Sign-In log displays MFA success. Steps to produce: 1. Open Teams 2. add account yourdomain.com 3. select work account 4. Flips to Microsoft Authenticator 5. Enter Password 6. Flips to Teams 7. Displays error: Sign-In Error Here is what I've tried: - deleted the account from Teams - restarted the phone - reinstalled teams - tried to delete cache from Teams settings in iOS General (never seems to clear) - removed email address from personal Microsoft accountSolved125KViews0likes11CommentsSecurity Best Practices for Bookings Page's Mailbox Objects in Entra ID
Hi, are there any recommendations / best practices for hardening the user objects that are created in Entra ID when I create a new Microsoft Bookings page? Unlike regular shared mailboxes, the sign-in is enabled by default, I can simply reset the password, sign in via Outlook Web and see the Microsoft Bookings calendar. Bad actors could brute force this sign-in, register the MFA authentication method of their choice and gather data of the customers that used my public bookings page. What is the recommeded way to handle these objects in Entra ID? Conditional Access settings? Azure Monitoring alerts for sign-ins? Defender alerts for when an inbox rule is created? Kind regards, YaseminSolved185Views0likes2CommentsMFA claim expired - Breaking web apps
Hi All, Testing: - Passwordless (Phone Sign-in baseline) - Sign in Frequency (Shorter than tenant setting) - Desktops are hybrid, receiving their PRT but no not use WH4B - Tenant still has Remember Trusted device for X Days enabled I'm seeing some strange behavior where Azure AD is showing the MFA claim has expired when trying to access web portals (Auth loops, webapp access issues (Outlook fine but not Teams), error messages). If I revoke the session completely and re-login to the native app pop-ups, things are fine again for a while. If the user closes the native auth window, the native apps limp along even with the MFA claim issue within the browser but the webapps are still broken. WebApps continue to SSO in with the token in this state. Research is pointing that it might be the tenant wide remember trusted device settings, although I am not in a position to disable this global setting until after the test deployment. Disabling the SIF, seems to resolve the MFA claim expiry immediately, i'll check in a few days to see if that is still the case as it'd be outside the trusted device setting interval too. I have a support request at the moment with the advice to enable persistent browser sessions which I'll test but don't think that is the core of the issue. Is their a way around this, have others had similar issues? Thanks!5.2KViews0likes4CommentsFido passkeys blocked by policy
Hi all I'm helping out a customer with deploying physical passkeys and I'm running into a weird error. I've activated the sign in method and selected the two AAGuids for the Authenticator app and I've added the right AAGuid for the brand and model of passkey we are using. We can select the authentication method and enroll the security correctly but when trying to sign in using it we get the error as displayed in the attached picture. When checking the sign in logs i get this error message FIDO sign-in is disabled via policy and the error code is: 135016 I've not been able to track down any policy that would be blocking passkeys. anyone got any ideas?986Views0likes6CommentsKid finds a way into my account using an old PIN
I have set up parental controls. Somehow my sone managed to find the password logged in the Microsoft Familly app and changed the settings at will. I have changed my password in the meantime but he found an easy way around it as he selects use other methods to sign in and then selects PIN, inputs my old PIN and he is back in. How is this possible? I have changed the password, I have changed the PIN, turned on 2FA and reset Windows Hello and he just goes around all this in one go by introducing my old PIN. Is there a fix for this ?60Views0likes1CommentIssues with Passkey Login Hanging on "Connecting to Your Device"
Hi everyone, I'm currently working on enabling passkey login for some users. I have a test account where I enabled the passkey and enrolled it in Microsoft Authenticator. However, when I try to log in and scan the key, it hangs on "connecting to your device." Has anyone encountered this issue before? How can I find the root cause, and which log would show what might be blocking me? Thanks in advance for your help!225Views1like0Comments