SMS and Phone MFA
We saw a recent post that stated MS will be decommissioning SMS and Phone MFA as of July 10. It said the Message ID is: MC584364. Can anyone confirm this? I do not see the official notification from MS anywhere on this. Thanks Glen Original Post: https://m365admin.handsontek.net/changes-to-the-registration-campaign-feature-in-azure-ad/
Can multiple users use the same Authenticator app on one device
Hi, My use case is as follows: We have one shared mobile device and one shared laptop Authenticator installed on the above mentioned shared device Multiple users use the same mobile device and laptop (they work in shifts) Each person has their own private 0365 account Question: Can we configure Authenticator on the shared mobile device so, that there are multiple accounts but one can sign in only to one's own account by using the Authenticator, i.e. no access to sign in to other accounts by using the Authenticator. Best, Arde
aka.ms/mfasetup: old vs new user experience
Hi On some tenants I get https://account.activedirectory.windowsazure.com/proofup.aspx?proofup=1 when accessing https://aka.ms/mfasetup, while on others I end up at https://mysignins.microsoft.com/security-info I couldn't find any documentation how to control this. Also I wonder if I can manage App passwords using the new https://mysignins.microsoft.com/ and what the roadmap for the two interfaces is. Thank you
Authenticator app not working on new phone - old phone with app is gone
Hello Tech Community, I have trouble with my email (hotmail) account. About 12 months ago I downloaded and activated the authenticator app after having hackers trying to enter my hotmail account. A few months ago I changed my phone and I have never been asked for second factor authentication until today (so I did not pay much attention to it as I could see it. The phone number attached is old and have no access to it and that device is long gone too). BIG PROBLEM! I have the app on my new phone but it is not linked to my account (and cannot do a Cloud Recovery). If I try to do anything with my account (forward emails or change anything) it asks me for the authenticator approval/code (that I do not have access to). I am scared about doing something that will log me out of my email (which I still have access to) but cannot make any changes nor log out. Please help. Can I deactivate the authenticator app somehow? or re-set it-up to work again? Can I migrate all my emails to a new account so I do not lose years of information if I get logged out? Can I set the forwarding emails option without having to pass by second facto authentication? Looking forward to hearing from you wise community, Thank youAZ-500: Microsoft Azure Security Technologies Study Guide
The AZ-500 certification provides professionals with the skills and knowledge needed to secure Azure infrastructure, services, and data. The exam covers identity and access management, data protection, platform security, and governance in Azure. Learners can prepare for the exam with Microsoft's self-paced curriculum, instructor-led course, and documentation. The certification measures the learner’s knowledge of managing, monitoring, and implementing security for resources in Azure, multi-cloud, and hybrid environments. Azure Firewall, Key Vault, and Azure Active Directory are some of the topics covered in the exam.
How to register a second and a third mobile phone for MFA?
How do I register a second and a third device (iPhone / iPad in in this particular case)? First phone (main phone) is already using the Authenticator App without problem. Now we need to register a second phone as backup device (and with an alternative cellular carrier) and a iPad as third device. All devices should use the Authenticator App.
Report on MFA Status with Conditional Access
Is there any effective way to get a report of the actual MFA state of your users? I mean, the individual MFA state as well as MFA enabled via Conditional Access. It's easy to report on the individual MFA state. You get nice results: Enabled, Disabled, Enforced... However, if MFA is enabled via Conditional Access I can't seem to find an effective way to report on them. Below Powershell snippet is the closest I can get. It will check if MFA is enabled individually. If not, it will check the "StrongAuthenticationMethods.IsDefault" attribute and report on that. But this is not always accurate, because if the "Phone" or "Alternate Phone" are configured in the Azure user object, it will still report it here even if the user is not member of a Conditional Access policy. There is a built-in Azure report for this, but it is completely incorrect. It says that, for instance, I'm not enabled for MFA even though I'm enabled for the last 6 years. Report: https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthMethodsOverviewBlade Has anyone figured this out yet? $user = get-msoluser -UserPrincipalName yourUserName@contoso.com $StrongAuthenticationMethodsresult = $user.StrongAuthenticationMethods | Select-Object MethodType, IsDefault [PSCustomObject]@{ UserPrincipalName = $user.UserPrincipalName ObjectID = $user.objectid DisplayName = $user.DisplayName AuthEmail = $user.StrongAuthenticationUserDetails.Email AuthPhoneNumber = $user.StrongAuthenticationUserDetails.PhoneNumber PhoneDeviceName = $user.StrongAuthenticationPhoneAppDetails.DeviceName AuthAltPhone = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber State = if ($user.StrongAuthenticationRequirements.State -ne $null) { $user.StrongAuthenticationRequirements.State } elseif ( $user.StrongAuthenticationMethods.IsDefault -eq $true) { "ConditionalAccess ($(($user.StrongAuthenticationMethods| Where IsDefault -eq $True).MethodType))" } else { "Disabled" } PhoneAppNotification = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" }) { $true } else { $false } PhoneAppNotificationIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" }).isDefault -eq "True") { $true } Else { $false } PhoneAppOTP = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTP" }) { $true } else { $false } PhoneAppOTPIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTPIsDefault" }).isDefault -eq "True") { $true } Else { $false } TwoWayVoiceMobile = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobile" }) { $true } else { $false } TwoWayVoiceMobileIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobileIsDefault" }).isDefault -eq "True") { $true } Else { $false } OneWaySMS = if ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMS" }) { $true } else { $false } OneWaySMSIsDefault = IF ( ($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMSIsDefault" }).isDefault -eq "True") { $true } Else { $false } }Azure AD Security Defaults MFA not working (as expected?)
Hi, We use Microsoft 365 Standard and have enabled Security Defaults ( https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide ) so thought that our accounts would be as secure as they could be without Conditional Access. One of our users was Phished and emails were sent from their account. Checking the Interactive sign-in logs I can see the attacker attempted to login from Nigeria (we don't operate from Nigeria) using Chrome on Windows 10 and was denied login due to MFA (which is as expected - part log shown below) Date (UTC): 2023-05-10T09:12:20Z Username: email address removed for privacy reasons Application: Microsoft Authentication Broker IP address: 105.112.183.103 Location: Lagos, Lagos, NG Status: Interrupted Sign-in error code: 50074 Failure reason: Strong Authentication is required Client app: Browser Browser: Chrome 112.0.0 Operating System: Windows 10 Multifactor authentication result: User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others Authentication requirement: Multifactor authentication Sign-in identifier: email address removed for privacy reasons Token issuer type: Azure AD 2 minutes after that attempt the attacker then tried using Safari on iOS 14 and this only asked for single factor authentication and let them in, which certainly wasn't expected! From there, they were able to monitor the email in this instance and send / modify emails until we detected them and locked them out. It could of been worse, we were lucky this time. The successful (part) log is shown below: Date (UTC): 2023-05-10T09:14:27Z Username: email address removed for privacy reasons Application: Microsoft Authentication Broker IP address: 105.112.183.103 Location: Lagos, Lagos, NG Status: Success Sign-in error code: Failure reason: Other Client app: Mobile Apps and Desktop clients Browser: Mobile Safari 14.1 Operating System: iOS 14 Multifactor authentication result: Authentication requirement: Single-factor authentication Sign-in identifier: email address removed for privacy reasons Token issuer type: Azure AD I have logged this with Microsoft but all they are concerned with is that the account is now secure and not the fact that with Security Defaults on and a phished account was accessed without MFA (and from a country we don't operate from). I have since done some more testing with another account and after revoking sessions and MFA, they could login to the same PC they normally use and access http://www.office.com without MFA prompts only finally being asked when going into Security Settings in My Account. I can accept as the location this was from is the main office it might be flagged as safe by MS. So then I used the same account to login from another clients office not associated with us (using a VM there) and again it was able to login to http://www.office.com without any MFA prompts, which again is quite concerning. I wondered if anyone had any insights into why this might have happened like this? As far as I can see Security Defaults isn't really doing a very good job. Thanks RobWindows Hello for Business 0x80090010 NTE_PERM
Hi all, I'm encountering an issue with Windows Hello for Business on the latest version of Windows (July 2025 update). The setup process fails during initialisation, and no biometric or PIN options are being provisioned for the user. Environment: Windows version: 11 24H2 Enterprise (latest update) Deployment mode: Hybrid Cloud Trust Hybrid joined devices Symptoms: Users are prompted to set up WHfB but the process fails at the last step with error 0x80090010 Users who already have WHfB authentication methods created can successfully login Event ID 311 & 303 in the User Device Registration logs Screenshots: Troubleshooting so far: Unjoined and rejoined to Entra ID Granted modify permissions on folder in which NGC container would be created Rolled back to June 2025 update (this worked) So it seems like this is caused or related to the latest Windows Update, which is rather unfortunate for us as we are just beginning to rollout WHfB for our organisation. I'm posting here to raise awareness of the issue, if there is a more appropriate place to post then please suggest.
How to logon with Azure AD credentials on a Windows 10 device with MFA enabled
Hi together, maybe one of you have got the same requirements and run into the same problem. situation: Windows 10 enterprise or windows 10 s Microsoft Intune Cloud (EMS) Microsoft Multi-Factor Authentication (MFA) on-premises handled by ADFS (internal no mfa, external (wap) force mfa) Company Wifi protected with certificates Credentials from Azure AD Problem 1: As far as I have found, Intune is only able to deploy user certificates (SCEP profile) for wifi on windows devices. This causes us that you initially can only logon with your azure ad credentials to a windows machine if you have plugged in the company network or you have a public wifi connection with no authentication, so that you can connect to a wifi on the logon screen. Does anyone managed to deploy client certificates with Intune? Problem 2: As mentioned above we use MFA on-premises and it’s handled by adfs. If a user authenticates from external (over wap) we force mfa on adfs side. This is fine for web applications and other apps but it seems that windows logon cannot handle mfa request and therefore it fails. Does anyone know if this can be achieved somehow that this scenario works? Could this be handled by conditional access? The goal should be that we can use a windows 10 enterprise or windows 10 s device with azure ad credentials which is authenticated to our company wifi network at logon screen already and that we can use multi-factor authentication somehow. Thanks in advance for any input!
