Password Protection
20 Topics

Password Expiration notification
I have a number of users who have recently transitioned to Azure joined devices and are authenticating directly through AAD, though their accounts originated in on-prem AD. When their passwords expire, they aren't getting a notification but find out when certain on-prem services stop connecting. We are using AD Sync and it's going both ways, AAD to OP and OP to AAD. I guess my question is two-fold: Is it possible that AD is still expiring the password, and if not, where can I find where it is expiring? Is there any way to turn on expiration notification for Azure AD users? Thanks,

Azure AD B2C Custom Policies Password Protection Smart Lockout feature is not working as intended
My team is trying to implement an account lockout based on the number of login attempts. In Azure AD B2C > Authentication Methods > Password Protection we changed the lockout threshold to 3 and the lockout duration in seconds to 180 (3 mins). Then we tried it using our custom policy for sign-in, running the policy directly from the portal with https://jwt.ms as a reply URL. Here are some of the issues we came across while testing. One is that the account is never locked out even after 10 tries. Yes, we are fully aware of the smart lockout feature, so we used a strong password generator for testing. But still, the account is never locked out. Then we found a quick fix/workaround in https://stackoverflow.com/questions/65802966/azure-ad-b2c-custom-policy-not-returning-account-lockout-error-50053#comment116482527_65802966. After implementing the quick fix, the user's account is getting locked out after 3 tries. But this is not consistent: sometimes the account is locked out after 3 tries, sometimes after 4 or 5. And also, after the account has been locked out there are occurrences where we can still successfully log in right after the error message shows up saying that the account is locked out. Our questions are: is there an existing issue on Azure's side that prevents the use of the account lockout feature in Azure AD B2C custom policies? If not, are we missing something when we're setting up / configuring account lockout in Azure AD B2C > Authentication Methods > Password Protection in the portal? Do we need to add / remove something in our custom policies? Or are there other solutions for implementing account lockout based on the number of login attempts? If there are no fixes / workarounds for the previously mentioned questions, can we instead implement the account lockout feature using https://docs.microsoft.com/en-us/azure/active-directory-b2c/javascript-and-page-layout?pivots=b2c-custom-policy?

MS Authenticator app feature request: export to file / import from file
I really enjoy using the authenticator app, but I'm worrying about my phone getting stolen and losing access to all of the accounts associated with it. I see there is a cloud backup feature, but I have issues with it: (1) if it requires a strong login, that's an issue when my phone is stolen, because I also can't receive text messages anymore, or (2) if it doesn't require a strong login, that's also an issue, because anyone with my personal email + password could recover my MS Authenticator data too. To me it seems like the cloud backup feature was intended for moving the account between phones, not as an actual backup. To get an actual backup, I would like to be able to manually export the app data* to a file (possibly with password encryption), so that that file can then be imported by another phone in the event of phone theft. I can then put my password (or an unencrypted backup file) in my locally stored password manager, and safely allow my phone to get stolen 😉

* everything required to generate the one-time tokens, including private keys. So not a token that gives access to cloud storage.

Alex Simons_ Olena Huang

Conditional Access to Block off premise access My Profile app
We are about to have our users provision their M365 E5 accounts. In order to prevent brute force attacks during the registration period we would like to limit users' ability to register from non-trusted locations. So when they access https://myaccount.microsoft.com for registration we want them to only be allowed if they are coming from an IP that is configured as a "Trusted Location". That way it forces users to set up their Microsoft account from on premise, so that they have a chance to get MFA set up. I have read the below documentation, which seems like it's supposed to do the same concept, but I can't get it to work. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined

Solved

AzureAD Password Policy impact after moving from AADConnect sync to Full cloud
Hi all, We plan to disable AADconnect dirsync to go full cloud and use only Azure AD. The AD on-prem domain uses a very "light" password policy, less restrictive than Azure AD.

AD OnPrem:
- Complexity: Disabled
- Minimum password length: 6 characters

On Azure AD:
- Complexity: Enabled
- Minimum password length: 8 characters
- We use the global setting "password never expire" and default settings.

Question: With the Azure AD global setting "password never expire": when all users go "Cloud Only" there will be no impact, right? Even if they have only a 6 character password without complexity, can they continue to use this password with an Azure AD cloud only account? Thanks!

Multiple Azure AD Password Policies
Hello, I am working with a complex Azure AD which contains different kinds of users:
- AD Synced Users
- Cloud Only Users within different Administrative Units (Countries)

Is there any option to enforce different kinds of password policies for them? Especially the synced users should get no Azure AD policy because the AD Sync is one direction. The second group use different policies on their local ADs; sure, the Azure AD account is separate, but they like to have their own "rules"? Please point out any information, technical or public advice and adoption documents. Thx

New Blog | How to break the token theft cyber-attack chain
By Alex Weinert

We’ve written a lot about how attackers try to break passwords. The solution to password attacks—still the most common attack vector for compromising identities—is to turn on multifactor authentication (MFA). But as more customers do the right thing with MFA, actors are going beyond password-only attacks. So, we’re going to publish a series of articles on how to defeat more advanced attacks, starting with token theft. In this article, we’ll start with some basics on how tokens work, describe a token theft attack, and then explain what you can do to prevent and mitigate token theft now.

Tokens 101

Before we get too deep into the token theft conversation, let’s quickly review the mechanics of tokens. A token is an authentication artifact that grants you access to resources. You get a token by signing into an identity provider (IDP), such as Microsoft Entra ID, using a set of credentials. The IDP responds to a successful sign-in by issuing a token that describes who you are and what you have permission to do. When you want to access an application or service (we’ll just say app from here), you get permission to talk to that resource by presenting a token that’s correctly signed by an issuer it trusts. The software on the client device you’re using takes care of all token handling behind the scenes.

Read the full post here: How to break the token theft cyber-attack chain

Password Change, No PHS, Hybrid Device HAADJ, Conditional Access MFA - NO MFA PROMPT
My Scenario: We are not synchronising password hashes with Azure AD. We have federated authentication set up.

My Queries: How does Azure AD sense/identify when a user changes his/her password? Issuance of Azure AD tokens (AT/RT/PRT): are these somehow related to the on-premises password change task? How? Please share all details. Also, it is seen that when an on-premises user is changing a password and the device is Hybrid during Ctrl+Alt+Del sign-in (this is when the machine is authenticated using the certificates it is given by Azure AD for device authentication), the user using this machine is at times not prompted for MFA even when CA is enforcing MFA on every logon? Is this known already? What is/are the reasons?