Remote Dekstop Connection using Azure MFA
Hello Everyone, I am facing a little problem now. We are thinking to implement MFA to login in to our servers on-prem from internal network. Obviously we can use some third party tools such us DUO or AD Professional Plus. However from what I can see there is a possibility to use RD Gateway with NPS that will have MFA plugin on it. I just need to understand something correctly - am I right saying that I can handle all RDP traffic to all the servers through RD Gateway that will be redirecting authentication through NPS to Azure MFA or it is no go? Regards, Wojciech
Disable approval popup in MS Authenticator app
Hi, I have a tenant with MFA setup on all accounts and most people have used the Microsoft Authenticator app. Unfortunately someone was silly enough to press approve on their phone when they weren't getting prompted on their PC, and let a hacker in who knew their password. We're trying to educate them better but still I'd like to remove the feature where the they get that popup in the MS Auth app, and make them have to get a code from the app only so they can't accidentally let a hacker in. Can I do this by powershell somehow? I have 50+ users in this tenant and other tenants I may want to change too so not viable to ask them all to setup their MFA again a different way. Running powershell reports shows they all have two MFA methods of PhoneAppNotification and PhoneAppOTP and so I assume I just need to remove PhoneAppNotification. I found a script in the below thread to switch the default, but I assume that means a hacker could still try the other method and make their app do a approval popup, I want it removed. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/powershell-cmdlets-for-mfa-settings/m-p/157678/thread-id/132 $m1=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod $m1.IsDefault = $true $m1.MethodType="PhoneAppNotification" $m2=New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod $m2.IsDefault = $false $m2.MethodType="PhoneAppOTP" $m=@($m1,$m2) set-msoluser -Userprincipalname "UPN" -StrongAuthenticationMethods $m Thanks
Report on MFA Status with Conditional Access
Is there any effective way to get a report of the actual MFA state of your users? I mean, the individual MFA state as well as MFA enabled via Conditional Access. It's easy to report on the individual MFA state. You get nice results: Enabled, Disabled, Enforced... However, if MFA is enabled via Conditional Access I can't seem to find an effective way to report on them. Below Powershell snippet is the closest I can get. It will check if MFA is enabled individually. If not, it will check the "StrongAuthenticationMethods.IsDefault" attribute and report on that. But this is not always accurate, because if the "Phone" or "Alternate Phone" are configured in the Azure user object, it will still report it here even if the user is not member of a Conditional Access policy. There is a built-in Azure report for this, but it is completely incorrect. It says that, for instance, I'm not enabled for MFA even though I'm enabled for the last 6 years. Report: https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthMethodsOverviewBlade Has anyone figured this out yet? $user = get-msoluser -UserPrincipalName yourUserName@contoso.com $StrongAuthenticationMethodsresult = $user.StrongAuthenticationMethods | Select-Object MethodType, IsDefault [PSCustomObject]@{ UserPrincipalName = $user.UserPrincipalName ObjectID = $user.objectid DisplayName = $user.DisplayName AuthEmail = $user.StrongAuthenticationUserDetails.Email AuthPhoneNumber = $user.StrongAuthenticationUserDetails.PhoneNumber PhoneDeviceName = $user.StrongAuthenticationPhoneAppDetails.DeviceName AuthAltPhone = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber State = if ($user.StrongAuthenticationRequirements.State -ne $null) { $user.StrongAuthenticationRequirements.State } elseif ( $user.StrongAuthenticationMethods.IsDefault -eq $true) { "ConditionalAccess ($(($user.StrongAuthenticationMethods| Where IsDefault -eq $True).MethodType))" } else { "Disabled" } PhoneAppNotification = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" }) { $true } else { $false } PhoneAppNotificationIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" }).isDefault -eq "True") { $true } Else { $false } PhoneAppOTP = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTP" }) { $true } else { $false } PhoneAppOTPIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTPIsDefault" }).isDefault -eq "True") { $true } Else { $false } TwoWayVoiceMobile = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobile" }) { $true } else { $false } TwoWayVoiceMobileIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobileIsDefault" }).isDefault -eq "True") { $true } Else { $false } OneWaySMS = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMS" }) { $true } else { $false } OneWaySMSIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMSIsDefault" }).isDefault -eq "True") { $true } Else { $false } }Private Network is currently disabled in my tenant
Hi All, I am interested to test the Entra ID private access, but when I go to the connectors, it shows as "Private Network is currently disabled for your tenant.". Does anyone knows what is the reason for this and How should I overcome this? Thanks in advance, DilanOutlook MFA issues, asks for "need password" and get blank screen
Hello everyone, Premier support is failing to make an progress, I have had a ticket open for a month now with no luck (Getting escalated to Tier 3 this morning). Here is the scenario We have Conditional Access rule that says if someone accesses Office 365 (All Office) from a Non-trusted Location require MFA. For most people it works fine but we have about 10% of the people who run into a really weird problem in outlook only, all other apps (Skype, Word, etc.) work fine. User opens outlook (2016 current monthly) and it shows the "need password" screen at the bottom and no email is sent/received, when we click on it we see a white box comes up and goes away, it does not give them the option. So kind of stuck there! When you go to File->Accounts and do a Sign-out and then try to sign-back in it comes up with the email window but as soon as you submit the email the window goes away and they stay signed out. Here is where it gets interesting, lets say you put someones email in there that works (but is also part of the same MFA rules), it takes that and then brings up the MFA prompt for original user. Once that user then presses approve (MS authentication app, push notifications) then it signs that user in and email starts flowing again. It seems to work for a couple of weeks and then stops again with the same prompt. We put in all the normal reg keys to enforce modern auth (EnableAdal -1, Alwaysusemsoauthforautodiscovery = 1, disableADALaptopWAmOverrride - 1,Disable AADWAM) but I think it may be something on the username side since putting in another username works.
'Microsoft App Access Panel' and Conditional Access with SSPR combined registration bug
Currently, enabling self-service password reset (SSPR) registration enforcement causes the app 'Microsoft App Access Panel' to be added to the login flow of users who have SSPR enabled. This app is not able to be excluded from Conditional Access (CA) polices and is caught by 'All cloud apps', which breaks secure zero-trust scenarios and CA policy configurations. Best way to demonstrate this is through examples... ----Example 1---- Environment: CA Policy 1 - 'All cloud apps' requiring hybrid/compliant device, but excluding [App] (for all non-guest accounts) CA Policy 2 - [App] requiring MFA only (for contractor accounts, etc) CA Policy 3 - [App] requiring hybrid/compliant device (for internal accounts, etc) SSPR registration enforcement (Password reset > Registration) - set to 'Yes' MFA registration enforcement (Security > Authentication Methods > Registration campaign) - set to 'Enabled' Scenario: A new user requires access to web [App] on an unenrolled device and is assigned an account that falls under CA Policy 1 and 2, however [App] is excluded from 1 and shouldn't apply to this login. When accessing [App] for the first time, users must register SSPR/MFA. They see the below message, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/passwordreset/register.aspx: Then they see this screen, which will block the login and try to get the user to download the Company Portal app: While behind the scenes, the login to [App] is being blocked by 'Microsoft App Access Panel' because it is seemingly added to the login flow and caught in CA Policy 1 in Req 2/3: CA Policy 1 shows as not applied on Req 1, CA Policy 2 shows as successful for Req 1/2/3 and CA Policy 3 shows as not applied for Req 1/2/3. Creating a CA policy for the 'Register security information' user action has no effect on this scenario and also shows as not applied on all the related sign-in logs. ----Example 2---- Environment: Same as above, but SSPR registration enforcement - set to 'No' Scenario: Same as above, but when accessing the [App] for the first time, they see the below message instead, click 'Next' and are directed to https://accounts.activedirectory.windowsazure.com/proofup.aspx: Then they are directed to the combined SSPR/MFA registration experience successfully: The 'Microsoft App Access Panel' doesn't show in the sign-in logs and the sign-in is successful after registration. From the two examples, it seems to be a bug with the SSPR registration enforcement and the combined registration experience. ----Workarounds---- 1 - Prevent using 'All cloud apps' with device based CA policies (difficult, requires redesigning/thinking/testing policies, could introduce new gaps, etc) 2 - Turn off SSPR registration enforcement and turn on MFA registration enforcement like in example 2 (easy, but only enforces MS MFA App registration, doesn't seem to re-trigger registration if the MS MFA App is removed, no other methods are supported for registration, and doesn't remind users to update) 3 - Disable SSPR entirely for affected users (medium depending on available security groups, and doesn't allow for affected users to use SSPR) ----Related links---- https://feedback.azure.com/d365community/idea/d5253b08-d076-ed11-a81b-000d3adb7ffd https://feedback.azure.com/d365community/idea/1365df89-c625-ec11-b6e6-000d3a4f0789 Conditional Access Policies, Guest Access and the "Microsoft Invitation Acceptance Portal" - Microsoft Community Hub MS, please either: 1 - Allow 'Microsoft App Access Panel' to be added to CA policies so it can be excluded 2 - Prevent 'Microsoft App Access Panel' from showing up in the CA login flow when SSPR registration enforcement is enabled
