microsoft 365
SMS and Phone MFA
We saw a recent post that stated MS will be decommissioning SMS and Phone MFA as of July 10. It said the Message ID is: MC584364. Can anyone confirm this? I do not see the official notification from MS anywhere on this.
Thanks, Glen
Original Post: https://m365admin.handsontek.net/changes-to-the-registration-campaign-feature-in-azure-ad/

Azure AD Security Defaults MFA not working (as expected?)
Hi, We use Microsoft 365 Standard and have enabled Security Defaults ( https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide ) so thought that our accounts would be as secure as they could be without Conditional Access. One of our users was phished and emails were sent from their account. Checking the Interactive sign-in logs I can see the attacker attempted to login from Nigeria (we don't operate from Nigeria) using Chrome on Windows 10 and was denied login due to MFA (which is as expected - part log shown below):

Date (UTC): 2023-05-10T09:12:20Z
Username: email address removed for privacy reasons
Application: Microsoft Authentication Broker
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Interrupted
Sign-in error code: 50074
Failure reason: Strong Authentication is required
Client app: Browser
Browser: Chrome 112.0.0
Operating System: Windows 10
Multifactor authentication result: User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others
Authentication requirement: Multifactor authentication
Sign-in identifier: email address removed for privacy reasons
Token issuer type: Azure AD

2 minutes after that attempt the attacker then tried using Safari on iOS 14 and this only asked for single-factor authentication and let them in, which certainly wasn't expected! From there, they were able to monitor the email in this instance and send / modify emails until we detected them and locked them out. It could have been worse; we were lucky this time.
The successful (part) log is shown below:

Date (UTC): 2023-05-10T09:14:27Z
Username: email address removed for privacy reasons
Application: Microsoft Authentication Broker
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Success
Sign-in error code:
Failure reason: Other
Client app: Mobile Apps and Desktop clients
Browser: Mobile Safari 14.1
Operating System: iOS 14
Multifactor authentication result:
Authentication requirement: Single-factor authentication
Sign-in identifier: email address removed for privacy reasons
Token issuer type: Azure AD

I have logged this with Microsoft but all they are concerned with is that the account is now secure and not the fact that, with Security Defaults on, a phished account was accessed without MFA (and from a country we don't operate from). I have since done some more testing with another account and after revoking sessions and MFA, they could login to the same PC they normally use and access http://www.office.com without MFA prompts, only finally being asked when going into Security Settings in My Account. I can accept that as the location this was from is the main office it might be flagged as safe by MS. So then I used the same account to login from another client's office not associated with us (using a VM there) and again it was able to login to http://www.office.com without any MFA prompts, which again is quite concerning. I wondered if anyone had any insights into why this might have happened like this? As far as I can see Security Defaults isn't really doing a very good job.
Thanks, Rob
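An added example, not from the post above or from Microsoft, that runs the check Rob describes over constructed sign-in records: it flags a success that completed with single-factor authentication shortly after the same user and IP were interrupted for MFA (error 50074), and any success from a country outside an assumed expected set. The record field names, the sample values and the expected-country set are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data), using the fields quoted in the post.
SAMPLE_SIGNINS = [
    {"time": "2023-05-10T09:12:20Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "NG", "status": "Interrupted", "error": "50074",
     "client": "Browser", "auth": "Multifactor authentication"},
    {"time": "2023-05-10T09:14:27Z", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "NG", "status": "Success", "error": "",
     "client": "Mobile Apps and Desktop clients", "auth": "Single-factor authentication"},
    {"time": "2023-05-10T08:00:00Z", "user": "bob@example.com", "ip": "198.51.100.7",
     "country": "GB", "status": "Success", "error": "",
     "client": "Browser", "auth": "Single-factor authentication"},
]

EXPECTED_COUNTRIES = {"GB"}       # assumption: countries the organisation normally signs in from
WINDOW = timedelta(minutes=15)    # assumption: max gap between an MFA interrupt and a later success


def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_signins(records, expected=EXPECTED_COUNTRIES, window=WINDOW):
    """Return one finding per successful sign-in that either completed with single-factor
    auth shortly after the same user/IP was interrupted for MFA (error 50074), or came
    from a country outside `expected`. Each finding lists every reason that applied."""
    recs = sorted(records, key=_ts)
    findings = []
    for i, rec in enumerate(recs):
        if rec["status"] != "Success":
            continue
        reasons = []
        if rec["auth"] == "Single-factor authentication":
            for prev in recs[:i]:
                if (prev["user"] == rec["user"] and prev["ip"] == rec["ip"]
                        and prev["error"] == "50074"
                        and _ts(rec) - _ts(prev) <= window):
                    gap = int((_ts(rec) - _ts(prev)).total_seconds())
                    reasons.append(f"single-factor success {gap}s after MFA interrupt "
                                   f"via client '{rec['client']}'")
                    break
        if rec["country"] not in expected:
            reasons.append(f"sign-in from unexpected country {rec['country']}")
        if reasons:
            findings.append({"user": rec["user"], "time": rec["time"],
                             "ip": rec["ip"], "reasons": reasons})
    return findings
```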
Multi-factor Authentication (MFA) via Security Defaults enforced on tenants by Microsoft (status)
Hi all,
- Security Defaults is enabled by default on all newly created Microsoft 365 tenants.
- Microsoft has started enforcing Multi-factor Authentication (MFA) on all tenants.
- MFA will not be enforced on tenants using Conditional Access policies (at least one Azure AD Premium P1 license is required to be able to use Conditional Access policies).
- Self-service password reset (SSPR) will enforce Multi-factor Authentication on all accounts (and the breakglass account) but SSPR can be disabled.
- Please check admin.microsoft.com > Health > Message center regarding notification.
- Security Defaults requires all users to register for MFA within 14 days; however, users can postpone this registration. After 14 days, they will be forced to do the registration; however, this happens during interactive sign-ins.
- If a user doesn't perform the MFA registration and a bad actor figures out the user's password, they can register their phone or authentication app as an MFA method.
It is recommended:
- to use MFA company-wide because this security feature prevents 99.9% of attacks on your accounts.
- to revoke existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication.
https://learn.microsoft.com/en-us/microsoft-365/business-premium/m365bp-turn-on-mfa
https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/let-users-reset-passwords
https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#revoking-active-tokens

Inviting guest who already has a Microsoft account
I am the global admin of an Office 365 domain for a small nonprofit. Of the people who need access to our SharePoint and Teams channels, only a handful need a foo@mydomain.com identity; most will want "guest" access tied to their existing personal or work email instead. In cases where the guest email has no connection to Microsoft, this seems to work smoothly. However, when I try to add my personal MS Account as a guest, the invite link prompts me to create a new password. This seems wrong, as this email address has been an MS Account (formerly "https://en.wikipedia.org/wiki/Microsoft_account#History") since 1998, used daily for logging into my Windows 10 machines, licensing MS 365 Home, accessing OneDrive, etc. What am I missing? Many of my "guests" will have existing Microsoft accounts via their employer, their Xbox, etc. I need to be certain we don't disrupt that access by creating duplicate accounts tied to the same email.

Microsoft Authenticator Still Prompts Users for MFA after Switching to new MFA option on iPhones
Good morning all, Our company recently made the change from Microsoft Authenticator to utilizing Duo through ADFS for our 365 MFA solution. The deployment was a success but we have noticed an issue involving all of our users who have iPhones and issues they run into when trying to sign into any of their Office 365 apps on their phone. Any user who goes to sign in on their iPhone is being prompted for MFA by the Microsoft Authenticator despite the Authenticator being disabled as an option in our tenant. This seems to be the case on brand new phones as well if both the Authenticator and another 365 product are installed on the phone. The login is usually successful and the Microsoft Authenticator is seemingly doing nothing but just prompting the user to approve the login, but it has caused some issues for certain users by giving them failed logins. We've found that removing the Authenticator app fixes this but that's not always a solution as some users have more than one account linked to the Microsoft Authenticator. Has anybody else run into this issue before and have you found any solutions to stop the Microsoft Authenticator from prompting users after switching to another MFA solution?

Difference between single "Approve" push MFA, and "match the number" push MFA in Office 365?
How do I force enable Azure AD MFA on my Microsoft 365 tenants to use the "match the number on screen" push MFA via the Microsoft Authenticator app, versus the older traditional single-step "Please click Approve" style of push MFA?

Ticketing System for Clients
Hello everyone and greetings from Portugal! So, I work at a startup that at the moment has a nice number of clients, both in Portugal and in the US. We're feeling the need to have a ticketing system and I was wondering if anyone can give some suggestions. Not a lot of requisites, but it would be great if it integrates/allows multi-tenant support so users from different organizations can SSO. And the ability for the system to get user information from Entra ID (like UPN, etc.) and associated device (managed by Intune) would be great. And... writing this post I got wondering if I should be looking only for a ticketing system or for another tool with more features. All my clients are "cloud native", no physical servers, and all devices managed via Intune. Thanks to all in advance!

How to fetch users' authorized third-party apps from Office 365 on behalf of organization admin
Hello community, I have a task to fetch all third-party apps authorized by users of an organization. I looked through the Graph API and found a method https://graph.microsoft.com/v1.0/applications but it does not return authorized apps and it seems like I need another endpoint. To better understand what I need, I will overview a flow I do and what I expect to get:
1. Go to Atlassian and click "Continue with Microsoft".
2. Go to the Enterprise applications section in the Azure Portal. You will see that a new enterprise application is created automatically.
3. Go to Microsoft Graph, login as an admin of an organization and make the https://graph.microsoft.com/v1.0/applications?$select=displayName request.
I expect to get the Atlassian application but the actual result is that it does not return my third-party apps. As an admin of an organization, I need to get a list of all apps authorized by my users within the organization. I would like to monitor apps which are used by my users. How can I fetch this information from the API?
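An added example, not part of the post above: a user's consent to a third-party app is recorded in Microsoft Graph as a service principal plus an oauth2PermissionGrant (GET /v1.0/servicePrincipals and GET /v1.0/oauth2PermissionGrants), while /applications only lists the tenant's own app registrations. The code below joins constructed samples of those two responses into a per-user inventory and flags high-impact delegated scopes; the sample records and the scope list are assumptions, and a live run would page through both endpoints with an admin token.

```python
from collections import defaultdict

# Constructed sample data shaped like Microsoft Graph v1.0 responses (not from a real tenant).
# Assumption: grants would come from GET /oauth2PermissionGrants and the display names from
# GET /servicePrincipals; only the fields this example uses are included.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Atlassian"},
    {"id": "sp-2", "displayName": "Example Notes App"},
    {"id": "sp-graph", "displayName": "Microsoft Graph"},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "sp-graph", "scope": "openid profile email User.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "sp-graph", "scope": "User.Read Mail.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-2",
     "resourceId": "sp-graph", "scope": "User.Read"},
    # Admin consent on behalf of everyone: principalId is null, consentType is AllPrincipals.
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read"},
]
# Assumption: delegated scopes an admin would want to review when a third-party app holds them.
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All"}


def consented_apps(grants, service_principals):
    """Map each user to the apps they consented to and the scopes granted.
    Returns {principalId: {appDisplayName: set(scopes)}}; tenant-wide (admin) grants
    are keyed under '*' because they apply to every user."""
    names = {sp["id"]: sp["displayName"] for sp in service_principals}
    result = defaultdict(lambda: defaultdict(set))
    for g in grants:
        who = g["principalId"] if g["consentType"] == "Principal" else "*"
        app = names.get(g["clientId"], g["clientId"])   # fall back to the raw id if unknown
        result[who][app].update(g["scope"].split())      # scope is a space-separated string
    return {user: dict(apps) for user, apps in result.items()}


def high_impact_grants(grants, service_principals):
    """Sorted (user, app, scope) triples where a granted scope is in HIGH_IMPACT_SCOPES."""
    found = []
    for who, apps in consented_apps(grants, service_principals).items():
        for app, scopes in apps.items():
            for scope in sorted(scopes & HIGH_IMPACT_SCOPES):
                found.append((who, app, scope))
    return sorted(found)
```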
Export list of users who never logged in
I'm trying to use this script I've found on the internet:

#Connect to the services the cmdlets below use (MSOnline for Get-MsolUser, Exchange Online for Search-UnifiedAuditLog)
#Set admin UPN
$UPN = 'email address removed for privacy reasons'
Connect-MsolService
Connect-ExchangeOnline -UserPrincipalName $UPN
#Time range (in days)
$days = 30
$startDate = (Get-Date).AddDays(-$days).ToString('MM/dd/yyyy')
$endDate = (Get-Date).ToString('MM/dd/yyyy')
#We are looking for accounts that are active - not deactivated
$allUsers = @()
$allUsers = Get-MsolUser -All -EnabledFilter EnabledOnly | Select UserPrincipalName
#We search the unified audit log for sign-in events in the range
$loggedOnUsers = @()
$loggedOnUsers = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations UserLoggedIn, PasswordLogonInitialAuthUsingPassword, UserLoginFailed -ResultSize 5000
#Create the list: enabled users with no sign-in event in the range
$inactiveUsers = @()
$inactiveUsers = $allUsers.UserPrincipalName | where {$loggedOnUsers.UserIds -NotContains $_}
#We get a result
Write-Output "The following users have not logged in for the last $days days:"
#written to the screen
Write-Output $inactiveUsers
#Export list to a file
$inactiveUsers > "C:\Temp\InactiveUsers.csv"

I don't know why, but this command never returns any data in the variable:

$loggedOnUsers = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations UserLoggedIn, PasswordLogonInitialAuthUsingPassword, UserLoginFailed -ResultSize 5000

When I check other variables, I get info, but this one never returns anything. I tried different options and nothing... that's where my problem is. Any suggestion would be appreciated, or if you have another solution to find all users in the tenant that never logged in, that's what I need! Thanks!