passwords
40 Topics

Password expired for Hybrid Users
Hey guys, we have an AVD environment configured with hybrid users working on Windows 11 23H2 multi-user session hosts in a pooled session host. As access devices we use either thin clients with IGEL OS and the AVD Client or Windows 11 notebooks with the Windows App installed on them. The users' passwords expire every 3 months. I see in the Azure Log Analytics log some errors with expired passwords. We have Password Writeback enabled on the Entra ID Connect Server. Is there a way to show the user, let's say 14 days ahead, that the password is going to expire soon?
Many thanks for your feedback
Best regards, Marc
74 Views, 0 likes, 2 Comments

Challenges with New MFA and SSPR Policies: Need Guidance
I am currently transitioning our Self-Service Password Reset (SSPR) and Multi-Factor Authentication (MFA) to the new Authentication Methods policy, moving away from legacy policies. However, the lack of clarity on which methods are compatible with both scenarios is quite frustrating, and I wonder if I might be missing something. Our goal is to exclusively use the Authenticator app and security keys for both MFA and SSPR, eliminating all other methods. Additionally, we want to maintain the requirement of two methods (Authenticator app and security key) for password changes. We are in the process of distributing security keys to all staff. The issue I’m encountering is that while Microsoft promotes this new portal as a unified solution for both MFA and SSPR, not all methods are supported across both. Specifically, the security key does not currently work for SSPR. If I am unable to use the security key for SSPR and must resort to a less secure second method, I would at least like to disable that less secure method for MFA. However, it seems there is no way to configure this in the policy. Am I on the right track here? I am aware that Authentication Strengths can be configured—perhaps this is where I should focus? Any advice or discussion would be greatly appreciated.
222 Views, 0 likes, 2 Comments

Account Hacked
Hello Community,
My account has been hacked, copied and/or duplicated with some other account as I was originally Sids1 with this email for more than 6 months now and this has changed somehow. It's very concerning to me since I also found some other person named Siddhartha when I was logging into my account. I reported that to the Microsoft Account Team but have not received any replies yet. Please suggest anything that can be done to catch this hacker who is stealing my identity to and fro.
Best Regards
Siddhartha Sharma
Solved, 659 Views, 1 like, 3 Comments

Can't change PasswordExpirationPolicy of all users with Update-MgUser
Hello, I've got into a problem where we disabled password expiration in the GUI but some accounts keep having it enabled when you look with PowerShell. Microsoft provides a guide where they explain how to set all users' policy to never expire; sadly it doesn't work, I've tried it in several tenants already.
Here is the link to the guide: https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/set-password-to-never-expire?view=o365-worldwide
The command:
Get-MGuser -All | Update-MgUser -PasswordPolicies DisablePasswordExpiration
The error when the command is used:
Update-MgUser_UpdateViaIdentityExpanded: The pipeline has been stopped. Exception: InputObject has null value for InputObject.UserId
I know that you should set a UserID as a scope for it to work, but this isn't possible as far as I know on Update-MgUser. Please help me find a solution to update everyone's PasswordExpirationPolicy to never expire. I was thinking about creating a script that goes through every UserId and performs the action, but my knowledge isn't advanced enough to create it.
Solved, 502 Views, 0 likes, 1 Comment

Problem signing in on a new phone with a company email account
Good morning, I have a problem: I replaced my old iPhone with a newer model, and after transferring all the data to the new phone, I deleted all data from the old iPhone and reset it. However, when I tried to sign in to the Outlook mail app on the new phone, I got a message asking me to approve the sign-in request with the number "33". I have no way of confirming this number on the old phone, because there is nothing on the old phone anymore. Please tell me what I should do in this situation.
P.S. I tried through the Authenticator app: I signed in to the app with my private email and, after signing in, wanted to add the work account, but once again a message appears about confirming the sign-in on the mobile device ...
235 Views, 0 likes, 0 Comments

When is Microsoft going to bring Microsoft Authenticator windows aka desktop or within edge itself?
When is Microsoft going to bring Microsoft Authenticator to Windows, aka desktop, or within Edge itself? (People like me lose mobiles.) Isn't a Windows device considered anything? Only mobiles and Android and iOS devices matter? People like me don't store important info on Windows devices? Edge has support for a built-in password manager, like Chrome with Chrome and Google passwords, so why does Edge not have 2FA support on Windows yet in 2024? Is Windows still usable if my phone goes to the service center, dies randomly, or is stolen? Can I consider Windows devices to be valuable in 2024, or should I shift 100 percent to Android, macOS and iOS? Should I throw my Windows devices out of the window since it is not dependent device when any other fails? On a side note, I tried checking it out, but WinAuth Authenticator exists for Windows PC, is open-source and offers 2-step verification (but unfortunately has not been updated since 2016), so why Microsoft which focuses so much of AI of everything has been able to bring desktop version for Windows users? Or am I asking too much in the name of security and privacy that big tech promotes all the time? Can we trust Microsoft and Windows devices? Or is everything going to be done by Google and Chrome?
1.5K Views, 0 likes, 2 Comments

Password-less authentication with using One-time passcode from Microsoft Authenticator App.
Recently one of my users was in an Internet-restricted zone, and when he tried to sign in with the passwordless method, he didn't get the code because there was no internet on his mobile; in addition to this, he forgot the user sign-in password. Is there any method or way to set things up so that we are able to sign in using the 6-digit Microsoft Authenticator app code instead of the push notification and password?
5.5K Views, 0 likes, 2 Comments

How to change user passwords in bulk - without force to change
Hello everyone, I'm in the process of updating the passwords for multiple users, and I'd like to set specific passwords of my choice. Additionally, I want to ensure that these accounts won't prompt users to change their passwords upon their first login. I'd greatly appreciate your assistance, as the scripts I previously used are no longer effective.
Solved, 16K Views, 0 likes, 3 Comments

FIDO2 enabled user receive "Protect your account"
We are having issues in two different scenarios with Azure MFA for users who use FIDO2 exclusively. It seems any settings somehow still require Microsoft Authenticator.

First scenario: Registering FIDO2 after the 14 days grace period
When a user is created in Azure (either directly or on-prem sync, no difference here), the user has a 14 days grace period. During this period, configuring FIDO2 works flawlessly using a Temporary Access Pass (TAP). After the 14 days, the user logs in using the provided TAP to https://aka.ms/mysecurityinfo, starts the "Add sign in method", and follows the steps for the FIDO2 key. Once the key is confirmed and the user is redirected back to mysecurityinfo, Azure prompts for an "Additional information is required" and requires the user to register the Microsoft Authenticator app first. The only logs we see is that the user interrupted the MFA setup. We tried several browsers, normal or incognito mode, different users; nothing prevented this, except for configuring MS Authenticator first, then configuring FIDO2 afterwards. We deleted the MS Authenticator app for these users as it was only a workaround. Now these users seem to face the second scenario below.

Second scenario: FIDO2 sign in prompts for a "Protect your account" - skippable for 14 days
Users are able to sign in using the FIDO2 key, and immediately after, they are prompted with a "Protect your account" window, which asks them to configure MS Authenticator again. They have the option to skip this for 14 times (not days). If we check the user's sign-in logs, it shows Failure for the user satisfying the Conditional Access requiring MFA, which is rather unexpected because the user does in fact manage to sign in using the FIDO2 security key, and is able to access the resources when skipping the "Protect your account" request. We thought it may be app specific, but finally the users face this issue with different apps (Workday, Concur, MS Teams...)
After asking Google, many articles point out this is related to Security Defaults. This is not our case, as we are using Conditional Access and they are not compatible. The Conditional Access (CA) is enforcing an MFA of a custom Authentication Strength which includes the FIDO2 as one of the accepted options. The per-user MFA settings are configured to be Disabled for the affected users, as it is already enforced by the CA. The only setting that we have not modified yet is the Multifactor authentication registration policy which is set to Enabled - we cannot customise this as we have only P1 license (and we cannot find information if disabling this would later prevent us from enabling it afterwards due to missing license). As mentioned at the beginning, it seems there is somewhere a setting that expects everybody to use MS Authenticator for MFA regardless of what we configure, except if we disable MFA altogether (not gonna happen). Are there any other settings we should check or review or we can test? Thanks in advance.
1.3K Views, 0 likes, 2 Comments

Windows Hello for Business Configuration Issue with multiple Devices
Hello everyone,
We are currently facing an issue with our Windows Hello for Business configuration for Multiple Users/Devices, and I'd like to seek your assistance and insights on this matter. We've implemented Windows Hello for Business through Group Policy (User Configuration) and deployed it within our User Organizational Unit (OU). Initially, everything seemed to be working seamlessly. Users were able to log in to their devices, set up Windows Hello for Business, and use it without any problems. However, a problem arises when the same user attempts to log in from another device. Ideally, we expect the same behavior, where the user gets the Windows Hello configuration, successfully sets up their PIN, and can use it for subsequent logins. However, after a reboot, the user is prompted to log in with their password only, and the Windows Hello Sign-in option does not appear. What's even more concerning is that this issue has now started affecting the user's ability to log in with a PIN on their initial device as well. We would greatly appreciate your insights and suggestions on how to troubleshoot and resolve this issue. If anyone has encountered a similar situation or has any guidance on resolving Windows Hello for Business configuration problems, please share your expertise. Thank you in advance for your assistance.
Best regards,
Rashad Bakirov
630 Views, 0 likes, 0 Comments