Password Protection
17 Topics

Enable MFA method
Dear,

Currently in our company, the authentication methods policy > Microsoft Authenticator defaults to "any", i.e. either "passwordless" or "Push". It is possible to enable the following authentication method through a conditional access policy; currently it is enabled for some users.

Desired authentication method:

The current method is as follows:

Can it be enabled for professional accounts, or is it only focused on personal accounts?

Thanks in advance.

New Blog | Evolve your CIAM strategy with External ID
By Ankur Patel

Last month we announced the general availability of our next generation customer identity and access management solution, Microsoft Entra External ID. External ID makes Customer Identity & Access Management (CIAM) secure and simple by enabling you to:

Secure all external identities: Managing several disparate solutions can overcomplicate your security strategy. By adopting External ID as your CIAM solution, you can secure all identity types within your Microsoft Entra admin center, safeguarding all external identities with industry-leading security, including our own conditional access engine, verifiable credentials, and built-in identity governance.

Create frictionless user experiences: The rise of fraud, GenAI, and identity attacks has increased end-user fear when it comes to security risks online. With External ID, you can build frictionless, branded, user-centric interfaces into your web and mobile applications to increase brand awareness, build user trust and drive user engagement. Check out an example in the Woodgrove Groceries demo!

Streamline secure collaboration: Collaborating with external users and ensuring they have the right access at the right time is complex. Simplify collaboration by inviting business guests with External ID and defining what internal resources they can access across SharePoint, Teams, and OneDrive.

Accelerate the development of secure applications: Integrating robust and extensive user flows into apps can take developers months. Shorten development time to minutes by leveraging External ID's rich set of APIs, SDKs, and integrations with developer tools, such as Visual Studio Code, to build secure and branded identity experiences into external-facing web and mobile apps.

Best in class value at scale: Managing several security stacks can be costly. External ID brings innovative CIAM features at a cost-effective value for any growing customer without compromising on scalable, end-to-end security.
For example, this approach helps us bring best-in-class identity verification like Face Check with Verified ID to reduce help desk costs for combatting fraud. Learn more about External ID pricing here.

Our goal is to provide best in class protection from bot attacks, sign-in and sign-up fraud, and the ability to audit every step of external users' journeys.

Read the full post here: Evolve your CIAM strategy with External ID

New Blog | How to break the token theft cyber-attack chain
By Alex Weinert

We've written a lot about how attackers try to break passwords. The solution to password attacks—still the most common attack vector for compromising identities—is to turn on multifactor authentication (MFA). But as more customers do the right thing with MFA, actors are going beyond password-only attacks. So, we're going to publish a series of articles on how to defeat more advanced attacks, starting with token theft. In this article, we'll start with some basics on how tokens work, describe a token theft attack, and then explain what you can do to prevent and mitigate token theft now.

Tokens 101

Before we get too deep into the token theft conversation, let's quickly review the mechanics of tokens. A token is an authentication artifact that grants you access to resources. You get a token by signing into an identity provider (IDP), such as Microsoft Entra ID, using a set of credentials. The IDP responds to a successful sign-in by issuing a token that describes who you are and what you have permission to do. When you want to access an application or service (we'll just say app from here), you get permission to talk to that resource by presenting a token that's correctly signed by an issuer it trusts. The software on the client device you're using takes care of all token handling behind the scenes.

Read the full post here: How to break the token theft cyber-attack chain

New Blog | Securing access to any resource, anywhere
By Joseph Dadzie

Zero Trust has become the industry standard for safeguarding your entire digital estate. Central to Zero Trust is securing identity and access, which is essential for protecting resources, enforcing security policies, and ensuring compliance in today's dynamic digital landscape. With Microsoft Entra, we help our customers create a trust fabric that securely connects any trustworthy identity with anything, anywhere.

Driven by the adoption of multicloud strategies in the era of AI, customers are encountering more challenges in securing access, not just across multiple public and private clouds, but also for business apps and on-premises resources. Unlike securing access for humans or within a single environment, where customers have established methods to address challenges, securing access anywhere is more complicated due to the dynamic nature of today's digital estate, and tools to address emerging challenges need further development. To support our customers, we unveiled our vision for securing access in any cloud at this year's RSA conference. Today, we're excited to dive deeper into our future investment aimed at securing access to cloud resources from any identity across diverse cloud environments.

Managing multicloud complexity in a rapidly evolving digital environment

Organizations are grappling with substantial challenges in navigating cloud access complexities, often citing issues like fragmented role-based access control (RBAC) systems, and compliance violations. These challenges are compounded by the growing use of cloud services from various cloud service providers. There have been links to several notable breaches attributed to over-permissioned identities. Our customer engagements reveal that organizations are currently using 7 to 8 products, including privileged access management (PAM) and identity governance and administration (IGA) solutions, to tackle multicloud access challenges.
Despite their efforts, such as toggling across multiple solutions and increasing their workforce, many organizations still struggle to achieve full visibility into their cloud access. Our 2024 State of Multicloud Security Risk Report underscores these ongoing challenges arising from over-permissioned human and workload identities. Analysis of past year usage data from Microsoft Entra Permissions Management confirms that the complexities in multicloud environments primarily stem from rapid identity growth and over-provisioned permissions (learn more), including:

Over 51,000 permissions that can be granted to identities – 50% of which are identified as high-risk permissions.
Only 2% of those 51,000 permissions were used.
Of the 209M identities discovered, more than 50% are identified as super identities that have all permissions to access all resources.

Figure 1: 2024 State of Multicloud Security Risk key findings

Read the full post here: Securing access to any resource, anywhere

New Blog | Microsoft Entra announcements and demos at RSAC 2024
By Irina Nechaeva

The Microsoft Entra team is looking forward to connecting with you next week at RSA Conference 2024 (RSAC) from May 6 to 9, 2024, in San Francisco! As we enter the age of AI and there are more identities and access points to protect, identity security has never been more paramount. From protecting workforce and external identities to non-human identities—that outnumber human identities 10 to 1—the task of securing access and the interactions between them requires taking a more comprehensive approach. To help customers protect every identity and every access point, I'd like to highlight recent innovations that we'll be showcasing at this upcoming event:

Expanded passkey support for Microsoft Entra ID
Microsoft Entra ID external authentication methods
Microsoft Entra External ID general availability
Microsoft Entra Permissions Management and Microsoft Defender for Cloud integration general availability
Our vision for cloud access management to strengthen multicloud security

We will be demonstrating these new innovations and sharing more about how to take a holistic approach to identity and access at RSA Conference 2024 (see the table at the end of this blog for more information). Now, let's take a closer look at Microsoft Entra innovations that we'll be showcasing at RSAC.

Expanded passkey support for Microsoft Entra ID

In addition to supporting sign-ins via a passkey hosted on a hardware security key, Microsoft Entra ID now includes additional support for device-bound passkeys in the Microsoft Authenticator app on iOS and Android. This will bring strong and convenient authentication to mobile devices for customers with the strictest security requirements. A passkey is a strong, phishing-resistant authentication method you can use to sign in to any internet resource that supports the W3C WebAuthn standard. Passkeys represent the continuing evolution of the FIDO2 standard aimed at creating a secure and user-friendly passwordless experience for everyone.
To learn more about using passkeys in the Microsoft Authenticator app, check out this blog.

Read the full post here: Microsoft Entra announcements and demos at RSAC 2024

New Blog | Windows Local Administrator Password Solution with Entra ID now Generally Available!
We're excited to announce the general availability of Windows Local Administrator Password Solution (LAPS) with Microsoft Entra ID and Microsoft Intune. This capability is available for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. It empowers every organization to protect and secure their local administrator account on Windows and mitigate any Pass-the-Hash (PtH) and lateral traversal type of attacks. Since our public preview announcement in April 2023, we've continued to see significant growth in deployment and usage of Windows LAPS across thousands of customers and millions of devices.

This feature is available on the following Windows OS platforms with the April 11, 2023, or later Windows Updates installed:

Windows 11 22H2
Windows 11 21H2
Windows 10 20H2, 21H2 and 22H2
Windows Server 2022
Windows Server 2019

Read the full update here: Windows Local Administrator Password Solution with Microsoft Entra ID now Generally Available! - Microsoft Community Hub

Password Expiration notification
I have a number of users who have recently transitioned to Azure joined devices and are authenticating directly through AAD, though their accounts were originated in on-prem AD. When their passwords expire, they aren't getting a notification but finding out when certain on-prem services aren't connecting. We are using AD Sync and it's going both ways, AAD to OP and OP to AAD.

I guess my question is twofold:

Is it possible that AD is still expiring the password, and if not, where can I find where it is expiring?
Is there any way to turn on expiration notification for Azure AD users?

Thanks,

New Blog | Conditional Access for Protected Actions is Now Generally Available!
Conditional Access for Protected Actions is now available! This powerful feature empowers organizations to safeguard critical administrative operations with Conditional Access policies. Protected actions refer to high-stakes operations that carry significant risk, such as altering conditional access policies, adding credentials to an application, or changing federation trust settings. These actions, if executed by a malicious actor, can severely compromise your organization's security posture.

Read the full blog: Conditional Access for Protected Actions is Now Generally Available! - Microsoft Community Hub

On-Prem Azure AD Password Protection doesn't work
Even if a user's password contains a banned password, the password change has been accepted.

I have configured on a customer tenant an On-premises Azure Active Directory Password Protection. But even if a user's password contains a banned password, the server accepts the banned password. It says it is compliant! Troubleshooting shows that all are right.

VerifyProxyConnectivity / VerifyAzureConnectivityViaSpecificProxy:

Test-AzureADPasswordProtectionDCAgentHealth -VerifyProxyConnectivity domain.com
Test-AzureADPasswordProtectionDCAgentHealth -VerifyAzureConnectivityViaSpecificProxy domain.com

Troubleshooting DC Agent (DC agent health tests):

Test-AzureADPasswordProtectionDCAgentHealth -VerifyPasswordFilterDll
Test-AzureADPasswordProtectionDCAgentHealth -TestAll

Troubleshooting Proxy (proxy verification of all tests):

Test-AzureADPasswordProtectionProxyHealth -TestAll

DC Agent version is the latest version: 1.2.177.1

Do you have ideas why it is not working? Microsoft says that even if the user's password contains a banned word, the password change will be accepted if it is compliant with password policy complexity 🙂 - Does anyone have the experience?

Thanks in advance!

Farhad FKH9009

Azure AD B2C Custom Policies Password Protection Smart Lockout feature is not working as intended
My team is trying to implement an account lockout based on the number of login attempts. In Azure AD B2C > Authentication Methods > Password Protection we changed the lockout threshold to 3 and lockout duration in seconds to 180 (3 mins). Then we tried it using our custom policy for sign-in, and ran the policy directly from the portal with https://jwt.ms as a reply URL.

Here are some of the issues we came across while testing. One is that the account is never locked out even after 10 tries. Yes, we are fully aware of the smart lockout feature, so we used a strong password generator for testing. But still, the account is never locked out. Then we found a quick fix/workaround on Stack Overflow. After implementing the quick fix, the user's account is getting locked out after 3 tries. But this is not consistent: sometimes the account is locked out after 3 tries, sometimes after 4 or 5. And also, after the account has locked out there are occurrences where we can still successfully log in right after the error message shows up that the account is locked out.

Our questions are: is there an existing issue on Azure's side that prevents the use of the account lockout feature in Azure AD B2C custom policies? If not, are we missing something when we're setting up / configuring account lockout in Azure AD B2C > Authentication Methods > Password Protection in the portal? Do we need to add / remove something in our custom policies? Or are there other solutions for implementing account lockout based on the number of login attempts? If there are no fixes / workarounds based on the previously mentioned questions, can we instead implement the account lockout feature using JavaScript?