Microsoft Authenticator
69 Topics

Prompt users for reauthentication on sensitive apps and high-risk actions with Conditional access

Additional capabilities now available for Conditional Access reauthentication policy scenarios. Reauthentication policy lets you require users to interactively provide their credentials again - typically before accessing critical applications and taking sensitive actions. Combined with Conditional Access session control of Sign-in frequency, you can require reauthentication for users and sign-ins with risk, or for Intune enrollment. With today's public preview, now you can require reauthentication for any resource protected by Conditional Access. Read the full blog update here: Prompt users for reauthentication on sensitive apps and high-risk actions with Conditional Access - Microsoft Community Hub

'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug
Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app is not able to be excluded from Conditional Access (CA) policies and is caught by 'All cloud apps', which breaks secure zero-trust scenarios and CA policy configurations. Best way to demonstrate this is through examples...

----Example 1----

Environment:
CA Policy 1 - 'All cloud apps' requiring hybrid/compliant device, but excluding [App] (for all non-guest accounts)
CA Policy 2 - [App] requiring MFA only (for contractor accounts, etc)
CA Policy 3 - [App] requiring hybrid/compliant device (for internal accounts, etc)
SSPR registration enforcement (Password reset > Registration) - set to 'Yes'
MFA registration enforcement (Security > Authentication Methods > Registration campaign) - set to 'Enabled'

Scenario: A new user requires access to web [App] on an unenrolled device and is assigned an account that falls under CA Policy 1 and 2, however [App] is excluded from 1 and shouldn't apply to this login. When accessing [App] for the first time, users must register SSPR/MFA. They see the below message, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/passwordreset/register.aspx:

Then they see this screen, which will block the login and try to get the user to download the Company Portal app:

While behind the scenes, the login to [App] is being blocked by 'Microsoft App Access Panel' because it is seemingly added to the login flow and caught in CA Policy 1 in Req 2/3:

CA Policy 1 shows as not applied on Req 1, CA Policy 2 shows as successful for Req 1/2/3 and CA Policy 3 shows as not applied for Req 1/2/3. Creating a CA policy for the 'Register security information' user action has no effect on this scenario and also shows as not applied on all the related sign-in logs.
----Example 2----

Environment: Same as above, but SSPR registration enforcement - set to 'No'

Scenario: Same as above, but when accessing the [App] for the first time, they see the below message instead, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/proofup.aspx:

Then they are directed to the combined SSPR/MFA registration experience successfully:

The 'Microsoft App Access Panel' doesn't show in the sign-in logs and the sign-in is successful after registration. From the two examples, it seems to be a bug with the SSPR registration enforcement and the combined registration experience.

----Workarounds----
1 - Prevent using 'All cloud apps' with device based CA policies (difficult, requires redesigning/thinking/testing policies, could introduce new gaps, etc)
2 - Turn off SSPR registration enforcement and turn on MFA registration enforcement like in example 2 (easy, but only enforces MS MFA App registration, doesn't seem to re-trigger registration if the MS MFA App is removed, no other methods are supported for registration, and doesn't remind users to update)
3 - Disable SSPR entirely for affected users (medium depending on available security groups, and doesn't allow for affected users to use SSPR)

----Related links----
https://feedback.azure.com/d365community/idea/d5253b08-d076-ed11-a81b-000d3adb7ffd
https://feedback.azure.com/d365community/idea/1365df89-c625-ec11-b6e6-000d3a4f0789
Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal" - Microsoft Community Hub

MS, please either:
1 - Allow 'Microsoft App Access Panel' to be added to CA policies so it can be excluded
2 - Prevent 'Microsoft App Access Panel' from showing up in the CA login flow when SSPR registration enforcement is enabled

Enhance Your Online Security: A Step-by-Step Guide to Implementing Two-Factor Authentication (2FA)
It's the start of the new academic year for many students in the US and Europe and it's the time when you're in a new city meeting new people and having all sorts of fun, so you may accidentally lose or damage your device.

Protect your identities from a Token theft using Token Protection in Conditional Access
In this blog post, I will show you the steps required to enable the Token Protection feature using Conditional Access in Entra ID. Along with a brief simulation of the Token Theft and how Token protection will prevent the attacker from stealing the token.
https://www.linkedin.com/pulse/protect-your-identities-from-token-theft-using-access-elie-karkafy

Report suspicious activity (Preview)
Allows users to report suspicious activities if they receive an authentication request that they did not initiate. This control is available when using the Microsoft Authenticator app and voice calls. Reporting suspicious activity will set the user's risk to high. If the user is subject to risk-based Conditional Access policies, they may be blocked.

MS Authenticator app feature request: export to file / import from file
I really enjoy using the authenticator app, but I'm worrying about my phone getting stolen and losing access to all of the accounts associated with it. I see there is a cloud backup feature, but I have issues with it: (1) if it requires a strong login, that's an issue when my phone is stolen, because I also can't receive text messages anymore, or (2) if it doesn't require a strong login, that's also an issue, because anyone with my personal email + password could recover my MS authenticator data too. To me it seems like the cloud backup feature was intended for moving the account between phones, not as actual backup. To get an actual backup, I would like to be able to manually export the app data* to a file (possibly with password encryption), so that that file can then be imported by another phone in the event of phone theft. I can then put my pw (or an unencrypted backup file) in my locally stored password manager, and safely allow my phone to get stolen 😉

* everything required to generate the one-time tokens including private keys. So not a token that gives access to cloud storage.

Alex Simons_ Olena Huang

Issues with Passkey Login Hanging on "Connecting to Your Device"
Hi everyone, I'm currently working on enabling passkey login for some users. I have a test account where I enabled the passkey and enrolled it in Microsoft Authenticator. However, when I try to log in and scan the key, it hangs on "connecting to your device." Has anyone encountered this issue before? How can I find the root cause, and which log would show what might be blocking me? Thanks in advance for your help!

Secure Registration and TAP with a password-less CA baseline
Hi All, I've been looking further at password-less in an Azure AD tenant and if it can be set as a baseline CA requirement for access to tenant resources. Access via CA policies appears to work fine with the password-less requirements if an account is already configured. If it's a new account needing to enroll or an account with a lost authenticator, TAP can't provide access to register methods again without seeing "Additional authentication is required to complete the sign-in", bricking the user without excluding them from the CA baseline. How are people getting past this and maintaining a password-less baseline within their environment? I was hoping there was a cloud App for Security Registration that could be excluded from a password-less baseline or something similar. This seems to defeat the purpose and introduce a weaker link, however I'm sure it's still better than managing accounts in exclusion groups. Hoping someone might have some thoughts. Thanks!

Windows Hello for Business Non-Destructive PIN Reset Requires Password?
Windows Hello for Business is working just fine. Non-destructive PIN reset is not...at least not as I would expect. If a user cannot sign into Windows because he has forgotten his PIN, there is an 'I forgot my PIN' link. If he clicks on it, he is prompted for his password. I would expect he'd be prompted to provide his MFA credentials instead since we're moving toward a world without passwords. What if the user has also forgotten his password? What's the benefit of having self-service PIN reset above the lock screen if all the user has to do is sign in with his password instead, then reset his PIN in Windows settings? This CANNOT be the way this feature is designed to work, can it?

[Feature Request] NPS MFA with number matching
So I have an environment setup with RD Gateway for users to RDP through and receive a notification to approve or deny the login. A great add-on would be to have those notifications accept number matching, but as RDP can't display additional dialogues, I want to suggest a substitute: a need to enter the OTP into the notification before allowing access. I'm not sure if that's possible currently so I'm submitting it as a Feature Request.