Multifactor Authentication
69 Topics

Authenticator not displaying numbers on MacOS
I'm having an issue with MFA on a Mac (all the latest versions). We have conditional access policies in place, so once a day I'm prompted for MFA (I work off-site) and the Office app (e.g. Outlook, Teams) will create the pop-up window that 'should' display a number that I then match on my phone. My phone sees the push notification, but the Mac never creates the numbers in the first place. The pop-up is there, just no number.

The workaround is:

1. Answer 'it's not me' on the phone
2. On the Mac, select 'I can't use Authenticator right now'
3. Tell the Mac to send a new request

This time it creates the number and I can authenticate on the phone. It only appears to happen for the installed Office applications, i.e. if I'm accessing applications/admin-centre via the browser, then the pop-up is within the browser and everything works first time. Is this a known issue?

797 Views | 2 likes | 6 Comments

New blog post | 2023 State of Cloud Permissions Risks report now published
As organizations are embracing and adopting multicloud infrastructures, identity permissions have increased across three leading cloud platforms: Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Although this shift brings new opportunities for innovation, it presents new permission challenges organizations have never faced before.

2023 State of Cloud Permissions Risks report now published - Microsoft Community Hub

901 Views | 2 likes | 0 Comments

Pre-Register and/or ONLY force registration of Azure MFA for users without enable MFA on the account
I've often been asked by customers if it is possible to pre-register (even bulk) users for MFA but not enable it directly for the whole account, because they want to use it in Conditional Access. So I did a blog post on that recently: https://justidm.wordpress.com/2018/09/14/bulk-pre-register-mfa-for-users-without-enable-mfa-on-the-account/

Another thing that is often asked is whether it is possible to only force the registration for Azure MFA but also not activate it on the account, mostly because MFA should be used in Conditional Access. Currently you need an AAD P2 license for that and set the MFA registration policy, but I found a NEW way to do that without this license. See my blog post about that here: https://justidm.wordpress.com/2018/09/15/force-azure-mfa-registration-without-enabling-mfa-on-the-user/

Hope that is valuable for you. Feel free to comment or share updates, additions, corrections to what I wrote.

/Peter

19K Views | 2 likes | 0 Comments

bulk Pre-registration for Azure MFA for more Seamless Single Sign on and smooth for MFA roll out
We've been asked many times to do a bulk pre-registration for Azure Active Directory MFA to provide our customers' users with a more seamless single sign-on and a smooth MFA rollout.

This script helps you to:

- Configure MFA Strong Authentication Methods
- Set a default MFA authentication method for all users or a number of users
- Update Mobile Number for a list of users
- Update Strong Authentication Methods for a list of users
- Get MFA Strong Authentication Details for all users
- Get MFA Authentication contact info where the phone number is Null
- Update Mobile Number only if the user's mobile number does not exist

NOTE: Before we proceed with MFA and SSPR enablement and configuration, users will be able to change their Authentication mobile phone number whenever they need to. Admins won't have control over the Authentication mobile phone number; they can pre-define it, but users will still be able to change it.

Keep in mind:

- If you have provided a value for Mobile phone or Alternate email, users can immediately use those values to reset their passwords, even if they haven't registered for the service. In addition, users see those values when they register for the first time, and they can modify them if they want to. After they register successfully, these values are persisted in the Authentication Phone and Authentication Email fields, respectively.
- If the Phone field is populated and Mobile phone is enabled in the SSPR policy, the user sees that number on the password reset registration page and during the password reset workflow. The Alternate phone field isn't used for password reset.
- If the Email field is populated and Email is enabled in the SSPR policy, the user sees that email on the password reset registration page and during the password reset workflow.
- If the Alternate email field is populated and Email is enabled in the SSPR policy, the user won't see that email on the password reset registration page, but they see it during the password reset workflow.

Download here.
Script in detail.

Parameters

    $UsersCSV = "<Users CSV File Path>"   # Example C:\Temp\UsersMFA.csv
    $OutPutFolder = "C:\Temp"             # Example C:\Temp

If User Mobile exists (AD users with specific AD attribute NOT null)

    Get-AzureADUser | select UserPrincipalName, Mobile | Where-Object { $_.Mobile -ne $null }

If User Mobile exists (AD users with specific AD attribute is null)

    Get-AzureADUser | select UserPrincipalName, Mobile | Where-Object { $_.Mobile -eq $null }

    #Get All Users Details
    Get-AzureADUser | select DisplayName, UserPrincipalName, otherMails, Mobile, TelephoneNumber | Format-Table

List users "Authentication contact info" attributes from AzureAD

    Get-MsolUser -All | select DisplayName -ExpandProperty StrongAuthenticationUserDetails |
        ft DisplayName, PhoneNumber, Email |
        Out-File "$OutPutFolder\StrongAuthenticationUserDetails.csv" -Verbose

List users "Authentication contact info where Phone number is Null" attributes from AzureAD

    Get-MsolUser -All | select DisplayName -ExpandProperty StrongAuthenticationUserDetails |
        Where-Object { $_.PhoneNumber -eq $null } |
        ft DisplayName, PhoneNumber, Email |
        Out-File "$OutPutFolder\StrongAuthenticationUserPhoneNumberNull.csv" -Verbose

StrongAuthenticationUserPhoneNumber File Details

List users "Strong Authentication Methods" attributes from AzureAD

    Get-MsolUser -All | select DisplayName, UserPrincipalName -ExpandProperty StrongAuthenticationMethods |
        select UserPrincipalName, IsDefault, MethodType

All users who have signed up for SSPR.

    (Get-MsolUser -All | Where { $_.StrongAuthenticationUserDetails -ne $null })

All users who have not signed up for SSPR

    (Get-MsolUser -All | Where { $_.StrongAuthenticationUserDetails -eq $null })

Update Mobile Number for List of users

    Import-CSV -Path $UsersCSV | ForEach-Object {
        Set-AzureADUser -ObjectId $_.UserPrincipalName -Mobile $_.Mobile -ErrorAction SilentlyContinue
    }

Microsoft StrongAuthenticationMethod Parameters

    $OneWaySMS = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $OneWaySMS.IsDefault = $false
    $OneWaySMS.MethodType = "OneWaySMS"

    # TwoWayVoiceMobile is the only method marked as default
    $TwoWayVoiceMobile = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $TwoWayVoiceMobile.IsDefault = $true
    $TwoWayVoiceMobile.MethodType = "TwoWayVoiceMobile"

    $PhoneAppNotification = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $PhoneAppNotification.IsDefault = $false
    $PhoneAppNotification.MethodType = "PhoneAppNotification"

    $PhoneAppOTP = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $PhoneAppOTP.IsDefault = $false
    $PhoneAppOTP.MethodType = "PhoneAppOTP"

    $methods = @($OneWaySMS, $TwoWayVoiceMobile, $PhoneAppNotification, $PhoneAppOTP)

Set Default Strong Authentication Methods for List of users

    # -ErrorAction sits on Set-MsolUser (inside the script block), as in the other loops
    Import-CSV -Path $UsersCSV | ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationMethods $methods -ErrorAction SilentlyContinue
    }

Pre-register authentication Info for List of users.

    Import-CSV -Path $UsersCSV | ForEach-Object {
        Set-AzureADUser -ObjectId $_.UserPrincipalName -OtherMails $_.OtherMails -Mobile $_.Mobile -TelephoneNumber $_.TelephoneNumber -ErrorAction SilentlyContinue
    }

16K Views | 2 likes | 2 Comments

MFA IP whitelist not working after enabling Conditional Access policy
A new requirement for CSP partners is enabling conditional access policies "Baseline policy: Require MFA for admins" and "Baseline policy: End user protection". We already have MFA enabled/enforced for all end users and admins, with IP whitelist for main office and soho. That worked fine. But after enabling those CA policies our IP whitelist stopped working. End users at the office are asked for MFA, and our O365 backup running with global admin credentials can no longer login. I tried to create our main office public IP as a trusted location, but no luck. As a quick fix I disabled the policies while digging into this. Can anybody explain why this is happening?

2K Views | 1 like | 1 Comment

Hunting for MFA manipulations in Entra ID tenants using KQL
The following article, Hunting for MFA manipulations in Entra ID tenants using KQL, proved to be an invaluable resource in my search for an automated way to notify users of MFA modifications. I've adapted the KQL query to function within Defender Advanced Hunting or Azure Entra. My objective is to establish an alert that directly E-Mails the affected user, informing them of the MFA change and advising them to contact security if they did not initiate it. While the query runs correctly under Defender Advanced Hunting, I'm currently unable to create a workable custom alert because no "ReportId" is being captured. Despite consulting with Copilot, Gemini, CDW Support, and Microsoft Support, no workable solution has been achieved. Any insight would be greatly appreciated - Thank You!

    //Advanced Hunting query to parse modified:
    //StrongAuthenticationUserDetails (SAUD)
    //StrongAuthenticationMethod (SAM)
    let SearchWindow = 1h;
    let AuthenticationMethods = dynamic(["TwoWayVoiceMobile","TwoWaySms","TwoWayVoiceOffice","TwoWayVoiceOtherMobile","TwoWaySmsOtherMobile","OneWaySms","PhoneAppNotification","PhoneAppOTP"]);
    let AuthenticationMethodChanges = CloudAppEvents
    | where ActionType == "Update user." and RawEventData contains "StrongAuthenticationMethod"
    | extend Target = tostring(RawEventData.ObjectId)
    | extend Actor = tostring(RawEventData.UserId)
    | mv-expand ModifiedProperties = parse_json(RawEventData.ModifiedProperties)
    | where ModifiedProperties.Name == "StrongAuthenticationMethod"
    | project Timestamp,Actor,Target,ModifiedProperties,RawEventData,ReportId;
    let OldValues = AuthenticationMethodChanges
    | extend OldValue = parse_json(tostring(ModifiedProperties.OldValue))
    | mv-apply OldValue on (extend Old_MethodType=tostring(OldValue.MethodType),Old_Default=tostring(OldValue.Default) | sort by Old_MethodType);
    let NewValues = AuthenticationMethodChanges
    | extend NewValue = parse_json(tostring(ModifiedProperties.NewValue))
    | mv-apply NewValue on (extend New_MethodType=tostring(NewValue.MethodType),New_Default=tostring(NewValue.Default) | sort by New_MethodType);
    let RemovedMethods = AuthenticationMethodChanges
    | join kind=inner OldValues on ReportId
    | join kind=leftouter NewValues on ReportId,$left.Old_MethodType==$right.New_MethodType
    | where Old_MethodType != New_MethodType
    | extend Action = strcat("Removed (" , AuthenticationMethods[toint(Old_MethodType)], ") from Authentication Methods.")
    | extend ChangedValue = "Method Removed";
    let AddedMethods = AuthenticationMethodChanges
    | join kind=inner NewValues on ReportId
    | join kind=leftouter OldValues on ReportId,$left.New_MethodType==$right.Old_MethodType
    | where Old_MethodType != New_MethodType
    | extend Action = strcat("Added (" , AuthenticationMethods[toint(New_MethodType)], ") as Authentication Method.")
    | extend ChangedValue = "Method Added";
    let DefaultMethodChanges = AuthenticationMethodChanges
    | join kind=inner OldValues on ReportId
    | join kind=inner NewValues on ReportId
    | where Old_Default != New_Default and Old_MethodType == New_MethodType and New_Default == "true"
    | join kind=inner OldValues on ReportId
    | where Old_Default1 == "true" and Old_MethodType1 != New_MethodType
    | extend Old_MethodType = Old_MethodType1
    | extend Action = strcat("Default Authentication Method was changed to (" , AuthenticationMethods[toint(New_MethodType)], ").")
    | extend ChangedValue = "Default Method";
    let AuthenticationMethodReport = union RemovedMethods,AddedMethods,DefaultMethodChanges
    | project Timestamp,Action,Actor,Target,ChangedValue,
        OldValue=case(isempty(Old_MethodType), "",strcat(Old_MethodType,": ", AuthenticationMethods[toint(Old_MethodType)])),
        NewValue=case(isempty(New_MethodType),"", strcat(New_MethodType,": ", AuthenticationMethods[toint(New_MethodType)]));
    let AuthenticationDetailsChanges = CloudAppEvents
    | where ActionType == "Update user." and RawEventData contains "StrongAuthenticationUserDetails"
    | extend Target = tostring(RawEventData.ObjectId)
    | extend Actor = tostring(RawEventData.UserId)
    | extend ReportId= tostring(RawEventData.ReportId)
    | mvexpand ModifiedProperties = parse_json(RawEventData.ModifiedProperties)
    | where ModifiedProperties.Name == "StrongAuthenticationUserDetails"
    | extend NewValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.NewValue),"[",""),"]",""))
    | extend OldValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.OldValue),"[",""),"]",""))
    | mv-expand NewValue
    | mv-expand OldValue
    | where (tostring(bag_keys(OldValue)) == tostring(bag_keys(NewValue)))
        or (isempty(OldValue) and tostring(NewValue) !contains ":null")
        or (isempty(NewValue) and tostring(OldValue) !contains ":null")
    | extend ChangedValue = tostring(bag_keys(NewValue)[0])
    | extend OldValue = tostring(parse_json(OldValue)[ChangedValue])
    | extend NewValue = tostring(parse_json(NewValue)[ChangedValue])
    | extend OldValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(OldValue,dynamic([' ','(',')']), dynamic(['','',''])), OldValue )
    | extend NewValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(NewValue,dynamic([' ','(',')']), dynamic(['','',''])), NewValue )
    | where tostring(OldValue) != tostring(NewValue)
    | extend Action = case(isempty(OldValue), strcat("Added new ",ChangedValue, " to Strong Authentication."),isempty(NewValue),strcat("Removed existing ",ChangedValue, " from Strong Authentication."),strcat("Changed ",ChangedValue," in Strong Authentication."));
    union AuthenticationMethodReport, AuthenticationDetailsChanges
    | extend AccountUpn = Target
    | where Timestamp > ago(SearchWindow)
    //| summarize count() by Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn
    | summarize arg_max(Timestamp, *) by Action
    | project Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn
    | sort by Timestamp desc

279 Views | 1 like | 2 Comments

Global Administrator MFA recovery not possible
Since Microsoft automatically enforced MFA on administrator role in Azure you can end up in the situation where it is no longer possible to recover your tenant. If your only account on that tenant is with Global Administrator role and you accidentally lose your MFA, the only way is to call Microsoft support. Support on the phone is automated where any question regarding Azure is redirected to visit Azure portal. If your only user cannot login then Azure portal is not accessible.

174 Views | 1 like | 2 Comments

Phase out text message / SMS for MFA (no hard break)
Hi everyone, is it possible to phase out SMS in rings? We still have too many users using text message as their first auth method. We are "nudging" and we are sending campaigns "how to change", but we want to get the last ones to change. Is there any way to just restrict the usage of SMS in rings - so the first ring is 500 employees, the next one 1000, etc. - instead of just switching it to off? We would expect a high amount of service desk calls if we just switch it off.

Best regards
Stephan

Solved | 4.6K Views | 1 like | 11 Comments

Authenticator Settings Target vs. Conditional Access
I recently saw that Microsoft has enabled some number matching functionality for Microsoft Authenticator to reduce the ability for users to be spammed into just accepting an MFA push notification that they didn't trigger. To enable this, however, we need to navigate to AAD>Security>Authentication methods>Policies>Microsoft Authenticator and then enable this option and move on to the Configure tab. When enabling Authenticator from this section you're required to define the TARGET list of users:

We, however, have enabled MFA for the organization using Conditional Access policies and are enforcing and adding exceptions to that policy as necessary. If we're to trial and use this new feature, however, I need to enable this Microsoft Authenticator settings option and it's unclear how the target user selection set will interact with the Conditional Access policy. Can anyone offer clarity on how these two sections would interact? Do I need to define the same criteria for user selection within the Authenticator settings that are defined within the Conditional Access policy? Or is there a simpler or more straightforward way to handle this?

Solved | 4.5K Views | 1 like | 5 Comments

MFA on Windows desktop and RDP logins
We run local AD with Azure AD Connect to sync to AAD. We do not utilize any MFA solution on local domain joined Windows desktop logins or RDP logins to local domain joined RDP servers. We do have NAC in place and MFA in place for M365/Azure AD logins and SSL VPN logins. Are you using MFA on Windows desktop and RDP logins? What solution/setup? Looking for guidance or input on using MFA solution for Windows desktop and RDP logins. Do use Duo with some high sensitivity servers. Also, have Windows Hello configured on fleet of Surface devices and HP desktops where we have the Logitech BRIO 4K Pro Webcam installed.

933 Views | 1 like | 0 Comments