Step-by-Step Guide: How to enable QR code authentication for Microsoft Entra ID (Preview)?
Microsoft Entra ID supports a long list of authentication methods:

- Windows Hello for Business
- Microsoft Authenticator app
- Authenticator Lite
- Passkey (FIDO2)
- Certificate-based authentication
- Hardware OATH tokens (preview)
- Software OATH tokens
- External authentication methods (preview)
- Temporary Access Pass (TAP)
- Short Message Service (SMS) sign-in and verification
- Voice call verification
- Password

This enables organizations to select the most secure and productive authentication methods for their business. While the most secure method may not always be the most productive, and vice versa, having a variety of supported authentication methods helps to strike a balance between these two aspects.

Microsoft Entra ID now supports QR authentication, a method specifically designed for frontline workers who use shared devices. This provides a convenient and secure login experience for these workers.

How does it work?

1) An account with Authentication Policy Administrator permission or higher can enable QR code as an authentication method.
2) Once the method is enabled, a QR code and temporary PIN can be generated for the user.
3) The QR code should be made available to the user. It can be downloaded, printed, or added to a badge.
4) The QR code is unique but cannot be used without the PIN.
5) The temporary PIN must be reset when the user authenticates for the first time.
6) Once the QR code and PIN are set up, the user can use them for subsequent logins.

Things to remember!

1) QR authentication is designed for frontline workers and should not be widely used. Phishing-resistant authentication is recommended wherever possible.
2) Do not enable this authentication method for all users; only enable it for required users.
3) QR authentication is currently only supported on mobile devices running iOS/iPadOS or Android.
4) QR authentication does not allow self-service PIN reset for users.
In this blog post I am going to demonstrate how to configure QR authentication for Microsoft Entra ID users. Let's start with enabling the authentication method.

1) Log in to the Entra admin portal at https://entra.microsoft.com/ as an Authentication Policy Administrator or higher.
2) Navigate to Protection | Authentication Methods.
3) Under Policies, click on QR code (Preview).
4) In the QR code (Preview) settings page, click on Enable to turn on the authentication method. Then, select the relevant user group as the target.
5) Click on the Configure tab. Here, you can adjust the PIN length and the lifetime of the QR code. The default is 365 days, but it can be extended up to 395 days.
6) Once changes are made, click on Save to apply them.

This enables the QR code as an authentication method for the tenant. Next, let's see how to generate a QR code for a user.

Generate QR code authentication for a user

To generate a QR code for a user:

1) Navigate to Users | All users.
2) Select the user from the target group configured in the previous section.
3) Click on Authentication methods.
4) Click on + Add authentication method.
5) From the dropdown, select QR code (Preview).
6) In the settings page, define the expiration date and activation time.
7) Click on Generate PIN to create a temporary PIN. Note down the PIN and click on Add.
8) This will generate the QR code. Download it for use with authentication.

Now that we have generated a QR code for a user, let's proceed with some testing.

Testing

For testing, I used an iOS device to log in to the office portal. On the login page, I typed the username and then clicked on Sign-in options. In the Sign-in options page, I selected Sign in to an organization. On the next page, I chose Sign in with QR code. I clicked on Allow to grant access to the camera. After that, I scanned the QR code downloaded in the previous step. Once the QR code was successfully detected, I entered the temporary PIN that was generated and clicked on Sign in.
On the next page, I was prompted to define a new PIN since this was the first login. After defining the PIN, I clicked on Sign in. As expected, I was able to log in successfully. This marks the end of the blog post, and I believe you now have a better understanding of how to enable and use QR code for authentication.

Step-by-Step Guide: How to use Temporary Access Pass (TAP) with internal guest users
Passwords are fundamentally weak and vulnerable to being compromised. Even enhancing a password only delays an attack; it does not render it unbreakable. Multi-Factor Authentication (MFA) offers more security but still depends on passwords. This is why passwordless authentication is a more secure and convenient alternative.

Source: https://learn.microsoft.com/entra/identity/authentication/media/concept-authentication-passwordless/passwordless-convenience-security.png

Microsoft Entra ID supports passwordless authentication natively. It supports six different passwordless authentication options:

- Windows Hello for Business
- Platform Credential for macOS
- Platform single sign-on (PSSO) for macOS with smart card authentication
- Microsoft Authenticator
- Passkeys (FIDO2)
- Certificate-based authentication

Based on the organisation's requirements, they can select the most convenient options. However, the initial setup requires a method to authenticate the user before onboarding other passwordless authentication methods. For this, we can use:

1) Existing Microsoft MFA methods
2) Temporary Access Pass (TAP)

A Temporary Access Pass (TAP) is a time-limited passcode that can be configured for single use or multiple sign-ins.

Organisations not only have internal users to manage but also guest users. Until now, the TAP method was only available for internal users, and guest users were not permitted to use this method. This makes sense because if guest users also need to use passwordless authentication, it should occur in their home tenant. But now Entra ID supports TAP for “Internal Guest” users.

Internal Guests

Guest users are typically categorised as user accounts that exist in a remote tenant. However, some organisations prefer to use user accounts in their own directory but with guest-level access. This is typically for contractors, suppliers, vendors, etc. These are known as 'internal guest accounts'.
Such accounts were also used for guest users in the past when B2B collaboration wasn't in place. In this demo I am going to demonstrate how to use TAP with an internal guest user.

Enable TAP as an authentication method

Before we configure TAP for a user, we need to make sure TAP is enabled as an authentication method. To do that:

1) Log in to the Entra portal as an Authentication Policy Administrator or higher.
2) Navigate to Protection > Authentication methods > Policies.
3) Click on Temporary Access Pass.
4) Ensure it is enabled and the target is defined. If not, make the necessary changes and click Save.

Create TAP for Internal Guest User

I already have an internal guest user for this task. As you can see below, the user type is Guest, but the user is still part of the same tenant. To create the TAP:

1) Click on the selected user from the Entra ID users list to go to the user properties.
2) Click on Authentication methods.
3) Click on + Add authentication method.
4) From the drop-down, select the Temporary Access Pass method.
5) In the settings window, make the adjustments based on the requirements and then click on Add.

It will create the TAP as expected.

Testing

To verify the configuration, I am attempting to log in as the test user. This is the user's very first login. As expected, the initial login prompts for the TAP. After a successful login, it allows me to configure the account with passwordless authentication. As we can see, the TAP for the internal guest feature is working as expected.

How to In-Place Upgrade Windows Server 2008 R2 to Windows Server 2019
As you know, Windows Server 2008 and Windows Server 2008 R2 are out of support on January 14th, 2020. Customers will need to upgrade their Windows Server 2008 and Windows Server 2008 R2 to a newer version of Windows Server or migrate these servers to Microsoft Azure.

Setting up DNS in a Hybrid Environment.
Hello Folks, I’m not sure when this became a series, but it’s looking like it’s going to be ongoing. I’m hoping it can give the community a sense of how you can slowly adopt cloud services to enhance your on-prem environment. It started a few weeks ago with the post on how I needed to replace the edge device on my home network. Then I followed up with how I now can use the site-to-site VPN I set up to access (RDP & SSH) all the servers in my environment using the Bastion host on Azure. But I’m at a point where I’ve got demo servers and services on both sides of the VPN. Name resolution is fast becoming an issue. How do I set up a DNS structure to efficiently resolve server IP addresses from an on-premises environment and vice versa without deploying VM-based DNS servers?