device management
23H2 Passkeys: default to security key instead of mobile devices

Microsoft invested time & money to introduce Passkeys in Windows 11 23H2, as it should. Unfortunately, it defaults to a mobile device (iPhone, iPad or Android device) every time you try to log on. This is very annoying for everybody who is using a Security Key (FIDO2). Before, we just needed to enter our PIN, but now we need multiple clicks to log on. I'm not aware of a solution to manage these options (manually or through Intune). Is anyone aware of a solution? I'm quite amazed Microsoft didn't think of this.

Block access with Conditional Access for Unmanaged Devices
Today, we will discuss nothing new, but it's still a topic that remains as relevant and important as ever. If you decide to block users working from unmanaged devices, you can securely mitigate various security risks, such as data leaks and successful phishing attacks. For example, we see the rise of Man-in-the-Middle (MitM) phishing attacks, which can easily steal your credentials and access tokens and use these to sign in to your account while completely bypassing multi-factor authentication. Conditional Access can prevent these attacks without relying on phishing-resistant authentication methods such as Hello for Business, FIDO2 hardware keys, or soon Microsoft Authenticator with Passkeys. In this blog, I'll share seven recommendations to prepare you for a smooth implementation, look at the user experience, and show you how to block access with Conditional Access for Unmanaged devices.
https://myronhelgering.com/block-access-with-conditional-access-for-unmanaged-devices/

Microsoft Entra Internet Access for iOS in Public Preview!
With the latest update to Microsoft Defender for Endpoint on iOS, Organisations licensed for Microsoft Entra Suite or Microsoft Entra Internet Access will have access to Microsoft's Secure Web Gateway (SWG) and traffic forwarding for HTTP/HTTPS traffic, with support for Web-Content Filtering. This has been a huge win for iOS Mobile Security. Previously, Defender for Endpoint on iOS has supported Phishing Protection, M365 Traffic, and Entra Private Access Traffic. Combined with Global Secure Access Threat Intelligence, which consumes indicators from Microsoft Intelligent Security Graph (ISG), Organisations can implement granular internet access controls on iOS devices with integrated, context-aware protection against malicious threats. Excited to hear what you think! Release notes are available here.

Double entries in userCertificate avoids Hybrid Join
Hey guys, I have an interesting situation at a customer. He utilizes a third-party MFA provider while being on a federation. That means new computers will never have a registered state. For users it is mandatory that their clients have completed the Hybrid Join to use M365 apps, which can be a real pain. So the Automatic-Device-Join task has to create the userCertificate on the on-premises computer object before it can be synchronized to Entra. Here comes the issue. In some cases we see that some computers will create two userCertificate entries. This situation will lead to an inconsistent Hybrid Join. I already tried to remove one of the certificates, but for me it is impossible to recognize which is the right one. The only solution for me was to remove both entries under userCertificate and let the Automatic-Device-Join task create a new one. Afterwards the Hybrid Join will work. I want to understand which process or scenario might create the double userCertificate entries.

Questions about moving Windows endpoint from locally joined domain to Azure AD
Just a couple of questions when moving a current AD domain-joined endpoint (i.e. Windows 10/11 Pro) to Azure AD.
1. Does the user's desktop look/feel change upon their next Azure AD-centric login, versus their previous domain-joined profile?
2. If there were previously changes pushed out to the endpoints via local AD Domain GPOs, do those changes still remain on the endpoint machine, even after the cutover to Azure AD?
3. Is there a way to have an Azure AD authenticating machine, while still allowing the machine to access local network SMB shares, if the Azure AD and Local AD domain are in hybrid mode?

My favorite Conditional Access policies to implement (part two)
Today, I released part two of my blog post about my favorite conditional access policies to implement. Just like the previous post, we won't dive too deeply into each policy, but it will provide enough guidance to easily implement the policies yourself. Have a great day everyone! And give my post a read if you are interested 👍
https://myronhelgering.com/my-favorite-conditional-access-policies-to-implement-part-two

New Blog | Step-by-Step Guide to Identify Inactive Users using Entra ID Governance Access Reviews
Within an organization, inactive user accounts can persist for various reasons, including former employees, service providers, and service accounts associated with products or services. These accounts may remain inactive temporarily or for extended periods. If an account remains inactive for 90 days or more, it is more likely to remain inactive. It's crucial to periodically review these inactive accounts and eliminate any that are unnecessary. Microsoft Entra ID Governance Access Reviews now offers the capability to detect inactive accounts effectively. Using the Entra ID Governance Access Review feature, it's possible to identify accounts that have not been actively used to sign into Entra ID, either interactively or non-interactively, for up to 720 days. Accounts that are left inactive are susceptible to being targeted by cybercriminals for several reasons:
- Inactive accounts may still use well-known passwords or credentials that have been compromised.
- Inactive accounts are less likely to have multifactor authentication (MFA) enabled.
- Due to their inactivity, these accounts may go unnoticed by advanced security controls in place.
Read the full blog here: Step-by-Step Guide to Identify Inactive Users by using Microsoft Entra ID Governance Access Reviews - Microsoft Community Hub

Deleted computer object in local AD still in Azure AD
Hi, I'm dealing with a client who reported the following "issue". They have configured Azure AD Connect and device sync, and everything seems to work. They deleted some computer objects from AD (dsa console) without disjoining them beforehand. Azure AD Connect continues to perform synchronizations, but the computers still appear in Azure AD with Join Type <empty> (no longer Hybrid Azure AD Joined). I'm wondering if this is normal and those computers must be manually deleted from Azure AD, or whether Azure AD should automatically delete the computer objects once the related AD object is deleted. Kind Regards, David