security
Microsoft's Verification and Support System
Microsoft's verification and support system is absolutely appalling. Despite providing every piece of required information for my company, their system continues to reject my verification attempts. I've gone above and beyond by paying extra to create additional email accounts in the format email address removed for privacy reasons. I've submitted QR-coded invoices officially verified by government authorities. Our WHOIS data is current and accurate. My name matches perfectly across all documentation and our DUNS number is correct. Yet, I keep receiving the same frustrating response: "This is because the primary contact details did not match." When I reach out through their official support channels, it takes them five days just to respond. It's been two months now, and I'm still waiting for approval just to register. It's absurd that such a large company maintains such a disastrous system. All they need to do is verify real users directly without relying on AI algorithms. They're so focused on automating everything with artificial intelligence that they've created a dysfunctional process. Despite all their technology, humans still remain superior at handling these verification tasks, yet Microsoft seems determined to automate a process they haven't properly designed.

Better Together: Making Nonprofit Collaboration Safe with Conditional Access
Collaboration: the Cornerstone of Growth

It's a big world out there, teeming with potential evangelists for your cause. As a leader, your goal is to find and empower champions for the cause who support the community. Help can come from volunteers, partners, donors, and others. The modern age demands collaboration, communication, and transparency. Whether you're partnering with local governments, donors, or other NGOs, secure and efficient access to shared resources is critical. But how do you protect sensitive data while allowing trusted partners and volunteers to collaborate? The answer lies in the Microsoft Entra Admin Center.

Conditional Access within Microsoft Entra Admin Center

In the Microsoft Entra Admin Center, you can create Conditional Access policies that employees, interns, partners, and guests must satisfy to ensure secure collaboration. Conditional Access (CA) is Microsoft's policy engine that brings signals together, such as user identity, location, device health, and risk level, to make real-time access decisions. This is especially powerful for nonprofits, where data sensitivity is high and IT resources are often limited. For example, you can require multi-factor authentication for access to sensitive data, restrict access based on geographic location, or mandate device compliance to minimize risk.

Conditional Access evaluates signals from:
- User or group membership
- IP location information
- Risk detections (sign-in or user risk from Microsoft Defender)
- Device state (compliant, hybrid-joined)
- Application being accessed

Based on these, it enforces controls like:
- Multi-factor authentication (MFA)
- Device compliance
- Session limitations (e.g., limited access or web-only)

Understanding Guest and Partner Access in Microsoft Entra

Before diving into policies, it's important to understand how guest and partner access works:
- Guests are external users invited to collaborate with your tenant. Think of volunteers, board members, or researchers needing access to Microsoft Teams or SharePoint.
- Partners (B2B collaboration) typically come from other organizations and can be managed through Microsoft Entra B2B.

Both types of users have external identities, and without proper controls they can pose a risk to your organization's data and compliance.

Key Conditional Access Scenarios for Guest and Partner Users

Conditional Access policies are a critical security tool for nonprofits striving to protect sensitive data while enabling collaboration. These policies ensure that access to organizational resources is granted only under trusted conditions, thereby maintaining both security and privacy. By requiring Multi-Factor Authentication (MFA), nonprofits can significantly reduce the risk of unauthorized access. Restricting access to specific applications, such as limiting guest users to Microsoft Teams or SharePoint, helps safeguard internal systems from unnecessary exposure. Additionally, enforcing conditional rules, such as blocking access unless a user is on a compliant device or within a trusted network, creates a layered security approach that adapts to evolving threats. These are foundational examples, and in the sections that follow, we'll explore more tailored recommendations to help nonprofits implement strong, yet flexible Conditional Access strategies.

1. Require MFA for Guest Access

Guest accounts are often less secure by default. Require MFA for all external users to reduce the risk from phishing or account compromise.

Policy Configuration:
- Assign to: Directory roles > Guest or External users
- Cloud apps: All cloud apps
- Grant: Require multi-factor authentication

Tip: Encourage partners to use their own organization's identity provider (via Entra External Identities).

2. Restrict Guest Access to Specific Applications

Not every guest needs full tenant access. Limit external users to only the necessary apps (e.g., SharePoint sites or Microsoft Teams channels).

Policy Configuration:
- Assign to: Guests and external users
- Cloud apps: Select apps (e.g., SharePoint Online, Teams)
- Grant: Block access, or allow access with conditions

3. Block Guest Access from Non-Compliant Devices

Enforce policies that only allow access from managed or compliant devices, particularly when sharing sensitive donor data or medical records. IT admins can block unmanaged devices, since resources are connected through Conditional Access policies and SharePoint: IT Admins - SharePoint and OneDrive unmanaged device access controls - SharePoint in Microsoft 365 | Microsoft Learn.

Policy Configuration:
- Assign to: Guests
- Conditions: Device state = Require compliant device
- Grant: Require device to be marked as compliant

For smaller nonprofits, consider web-only access policies to reduce risk without needing full device management.

4. Limit Sessions for Guest Users

Control how guests interact with your data by restricting download/upload capabilities or forcing browser-only access via Microsoft Defender for Cloud Apps (formerly MCAS).

Policy Configuration:
- Assign to: Guest users
- Session: Use Conditional Access App Control to monitor or limit sessions

5. Use Terms of Use (ToU) for Guest Invitations

Ensure guests acknowledge your data handling policies or acceptable use guidelines before gaining access. See Terms of use in Microsoft Entra - Microsoft Entra ID | Microsoft Learn.

Policy Configuration:
- Assign to: Guests or External users
- Grant controls: Require terms of use

Customize ToU documents for your nonprofit's values: include PII/PHI handling, donor confidentiality, and social media policies.

Best Practices for Policy Management
- Start in Report-Only Mode: Before enforcing, simulate policy impact using report-only mode to avoid accidental lockouts.
- Use Named Locations: Define "trusted" IP ranges (e.g., partner offices) to allow less restrictive access.
- Enable Policy for High-Risk Sign-ins: Leverage Microsoft Defender for Identity to identify risky users and enforce stricter access.
- Avoid Over-Blocking: Make sure legitimate partners aren't hindered; review sign-in logs regularly.
- Educate Your Guests: Use Microsoft's invitation redemption experiences and provide clear onboarding instructions.

Conclusion

By thoughtfully implementing Conditional Access policies, nonprofits can strike a balance between enabling external collaboration and protecting sensitive organizational data. From enforcing Multi-Factor Authentication to restricting app access and requiring compliant devices, each policy adds a layer of defense against cyber threats. These strategies are not only aligned with security best practices but are also scalable, enabling organizations to grow confidently without compromising their mission or their stakeholders' trust.

What's Next?

In our next blog, we'll guide you through the process of setting guest permissions in Microsoft Entra. You'll learn how to configure collaboration settings, define user roles, control invitations, and align guest access with your security posture. This step-by-step guide will empower your nonprofit to manage external users effectively and securely within your Microsoft 365 environment.

Hyperlinks
- What is Conditional Access in Microsoft Entra ID? - Microsoft Entra ID | Microsoft Learn
- Microsoft Entra External ID documentation - Microsoft Entra External ID | Microsoft Learn
- Terms of use in Microsoft Entra - Microsoft Entra ID | Microsoft Learn
- Restrict guest user access permissions - Microsoft Entra ID | Microsoft Learn
- Configure external collaboration - Microsoft Entra External ID | Microsoft Learn

Don't Be Vulnerable: Registering Phishing-Resistant Passkeys for Android Devices
Alex, the ever-diligent Global Administrator, took on the task of registering a phishing-resistant passkey for their Android device using the Microsoft Authenticator app. After enabling the necessary company authentication policies, Alex downloaded the app from the Google Play Store and followed the intuitive steps: adding their work account, signing in with credentials, and creating a secure passkey. With multi-factor authentication enhancing security, Alex completed the process by configuring additional options like QR code linking, ensuring no step was overlooked. Finally, setting up a lock screen added a robust layer of protection. Completing the registration filled Alex with pride, not just for securing their device but for paving the way for safe digital practices across their organization. The Microsoft Authenticator app proved its worth as a vital ally in safeguarding against phishing threats.

📲 Option 1: Registering Passkey Authenticator for Android Devices

After enabling the right authentication methods policies for phishing-resistant passkey registration, you need to register your device so it is paired with a passkey. Make sure that you download Microsoft Authenticator from the official Google Play Store.

1. Download the Microsoft Authenticator app from the Google Play Store.
2. If you are using the app for the first time, on the Secure Your Digital Life screen, tap Add "work or school account."
3. Sign in to your account by tapping the + button, then select "Add account."
4. Once your account has been added, or if you have already added your account to the Authenticator, select "Create passkey."
5. Complete the multi-factor authentication process by entering your "Username" and "Password", then tap Next.

Already Using Microsoft Authenticator App

If you have previously used the Microsoft Authenticator application, you may add your account by selecting the "+ Add account" button and following the prompts. Additionally, if your organization has enabled QR code functionality, you may use this method to link your device. Upon completion of the sign-in process, proceed to the subsequent steps.

Disclaimer: To register a passkey on your Android device, check your phone's settings for "Passkey", as the process can vary by model. Note that Android devices must run Android 15 or later to use this method. Devices with Android 14 or earlier are not compatible with passkey registration and will need an alternative authentication method.

Configuring Settings

6. You can set up a lock screen by pressing the "Settings" button.
7. Now press the "Settings" button to enable the Authenticator passkey provider.
8. Open "Settings" and tap "Passwords & accounts."
9. Turn on Authenticator as a passkey provider by selecting the toggle.
10. Press the back icon to return to the Authenticator, then tap "Done."

If you would like to learn more about your passkey and how you can now use this method to authenticate, tap the "How to use passkey" button for more information. Now that you have successfully registered your passkey, you can sign in with the assurance of phishing-resistant authentication.

📲 Option 2: Passkey registration from Security info (Android)

Here is another way you can register your passkey. To register your passkey for the Microsoft Authenticator using the Security info page, follow these steps:

1. Navigate to Security info.
2. Click the "+ Add sign-in method" button.
3. Select the option to add a new authentication method and choose "Passkey" from the list.
4. Click the Next button on the "Create Your Passkey in Microsoft Authenticator" screen.
5. In the Authenticator app, select the "Work or school account" to which you want to add the passkey.
6. Select "Create a passkey," then follow the prompts to complete the instructions.

Once completed, you will have your authentication method properly set up. You can then authenticate with a managed device using the Microsoft Authenticator app. While this method can be used for emergency accounts, it is recommended to use a FIDO2 USB security key that is compatible with Microsoft for enhanced security. Implementing this method within your organization helps mitigate phishing risks and promotes better security practices, thereby reducing your attack surface.

Conclusion

Registering a passkey through either the Microsoft Authenticator app or the Security info page is an exciting and transformative way to secure your online identity! By enabling phishing-resistant multi-factor authentication (MFA), you're taking a proactive step towards a safer digital experience. Embrace this cutting-edge technology with confidence, knowing that your accounts are now fortified against malicious intrusions. This is more than just security, it's peace of mind, reinvented!

Hyperlinks
- Register passkeys in Authenticator on Android and iOS devices - Microsoft Entra ID | Microsoft Learn
- Passkeys in Microsoft Authenticator FAQs - Microsoft Entra ID | Microsoft Learn
- Enable passkeys in Authenticator for Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
- Configure a Temporary Access Pass in Microsoft Entra ID to register passwordless authentication methods - Microsoft Entra ID | Microsoft Learn

Don't Be Vulnerable: Registering Phishing-Resistant Passkeys for iOS Devices
Overview

Adele Vance, the Lead Security Administrator at a midsize nonprofit, had a mission: to strengthen account protections for critical roles and systems. Like many IT leaders, she faced the challenge of safeguarding privileged accounts from phishing, credential theft, and sophisticated cyberattacks without compromising accessibility during emergencies. Her solution? Registering phishing-resistant passkeys for emergency access accounts using Microsoft Entra ID. If you're like Adele, looking to raise the bar on identity security, this guide will walk you through two highly secure sign-in methods: the Microsoft Authenticator app and FIDO2 security keys. These modern passkeys enable strong, phishing-resistant Multi-Factor Authentication (MFA) that keeps your organization resilient in the face of growing threats.

✅ Prerequisites

Before getting started, ensure the following are in place:
- An active Microsoft Entra ID Plan 1 or Plan 2 subscription.
- The account you're using has Global Administrator privileges.
- A Temporary Access Pass (TAP) policy is enabled and assigned.
- Both Microsoft Authenticator and FIDO2 methods are enabled in the Authentication Methods Policy within the Microsoft Entra Admin Center.

📲 Option 1: Registering Passkey Authenticator for iOS Devices

After enabling the right authentication methods policies for phishing-resistant passkey registration, you need to register your device so it is paired with a passkey. Make sure that you download Microsoft Authenticator from Apple's official App Store.

Registering Passkey

1. Download the Microsoft Authenticator app from Apple's official App Store.
2. If you are using the app for the first time, on the Secure Your Digital Life screen, tap Add "work or school account."
3. Sign in to your account by tapping the + button, then select "Add account."
4. Once your account has been added, or if you have already added your account to the Authenticator, select "Create passkey."
5. Complete the multi-factor authentication process by entering your "Username" and "Password", then tap Next.
6. You can set up a lock screen by pressing the "Settings" button.
7. Now press the "Settings" button to enable the Authenticator passkey provider.
8. iOS 17: Settings > Passwords > Password Options.
9. iOS 18: Settings > General > Autofill & Passwords.
10. Press the back icon to return to the Authenticator, then tap "Done."
11. You will see the passkey added as a method on your device.
12. Next, tap Done to complete the process.

If you would like to learn more about your passkey and how you can now use this method to authenticate, tap the "How to use passkey" button for more information. Now that you have successfully registered your passkey, you can sign in with the assurance of phishing-resistant authentication.

📲 Option 2: Registering a Passkey from Security Info

Here is another way you can register your passkey. To register your passkey for the Microsoft Authenticator using the Security info page, follow these steps:

1. Navigate to Security info.
2. Click the "+ Add sign-in method" button.
3. Select the option to add a new authentication method and choose "Passkey" from the list.
4. Click the Next button on the "Create Your Passkey in Microsoft Authenticator" screen.
5. In the Authenticator app, select the "Work or school account" to which you want to add the passkey.
6. Select "Create a passkey," then follow the prompts to complete the instructions.

Once completed, you will have your authentication method properly set up. You can then authenticate with a managed device using the Microsoft Authenticator app. While this method can be used for emergency accounts, it is recommended to use a FIDO2 USB security key that is compatible with Microsoft for enhanced security. Implementing this method within your organization helps mitigate phishing risks and promotes better security practices, thereby reducing your attack surface.

Conclusion

Registering a passkey through either the Microsoft Authenticator app or the Security info page is an exciting and transformative way to secure your online identity! By enabling phishing-resistant multi-factor authentication (MFA), you're taking a proactive step towards a safer digital experience. Embrace this cutting-edge technology with confidence, knowing that your accounts are now fortified against malicious intrusions. This is more than just security, it's peace of mind, reinvented!

What's Next?

If you're an Android user, get ready to embark on an effortless and exciting journey to secure your accounts! Setting up a passkey on your device is as seamless as it gets. In the next section, we'll guide you through the steps to unlock the power of this cutting-edge authentication technology using your Android device. Stay tuned and prepare to embrace the future of digital security with confidence and ease!

Hyperlinks
- Register passkeys in Authenticator on Android and iOS devices - Microsoft Entra ID | Microsoft Learn
- Passkeys in Microsoft Authenticator FAQs - Microsoft Entra ID | Microsoft Learn
- Enable passkeys in Authenticator for Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

Platform Alerts with Azure Health Service
Staying Informed with Azure Service Health

If you are a nonprofit that is new to Azure, managing your subscription can be daunting. Azure is a powerful platform that constantly iterates, adding advanced services. More importantly, there are times when services hosted on Azure may need to be down for maintenance, new service rollouts, and platform updates. Azure Service Health helps keep you up to date on your subscriptions globally. A high-level understanding of new service alerts will keep your organization informed.

What is Azure Service Health?

Service Health is hosted on the Azure platform, which is secure, reliable, and flexible, allowing organizations to have the tools and services they need at a moment's notice. Although Azure is globally available, there are times when services or regions may be down for maintenance. It is important to monitor services to get a full-picture view of your development landscape. That bug you caught may simply be a service being unavailable for maintenance, so a scheduled site maintenance notice may suffice for your audience.

Resource health, Azure status, and Service health are the trio that make up Azure Service Health, presented as a unified experience within Azure:
- Azure status: Global view of service unavailability.
- Resource health: Information about your individual cloud resources; it uses Azure Monitor to set up alerts and notify members when services are unavailable.
- Service health: View of services within your own subscription that may be experiencing an outage, maintenance, or advisories.

Service Health Menu

Active Events
- Service issues: Real-time information about ongoing service issues affecting your Azure resources. It helps you stay informed about any disruptions and their impact on your services, enabling you to take appropriate actions to mitigate the effects.
- Planned maintenance: Notifies you about upcoming maintenance events that may affect your Azure resources. It includes details about the schedule, scope, and potential impact of the maintenance.
- Health advisories: Important updates and recommendations regarding the health of your Azure resources. It includes information about potential issues, best practices, and guidance to help you maintain the optimal performance and availability of your services.
- Security advisories: Critical information about security-related issues and vulnerabilities that may affect your Azure resources. It includes details about the nature of the threats, recommended actions, and updates to help you protect your services and data from potential security risks.

Disclaimer: In order to view security advisories, updates, notifications, and important information about your own services and resources impacted by outages, critical, and non-business issues across regions.

History
- Health history: Provides a detailed record of the health status of your Azure resources over time. It includes information about past incidents, maintenance events, and health advisories, allowing you to analyze trends and identify recurring issues.

Resource Health
- Resource health: Provides a comprehensive view of the health status of your Azure resources. It helps you quickly identify and diagnose issues, ensuring that you can maintain the availability and performance of your services. It includes detailed information about resource health, including current and past incidents, planned maintenance, and health advisories.

Alerts
- Health alerts: Real-time notifications about the health status of your Azure resources. It alerts you to any issues or changes that may affect the availability and performance of your services.

Creating an Alert Rule

Now that we know a little more about Azure Service Health, let's explore creating your first alert. First, navigate to the Azure Portal at https://portal.azure.com. After logging in, type "Service health" in the top search bar, then click the heart icon. You will need an active service: create a resource group and an active service within that resource group, for example a virtual machine. This is necessary if you want to set up the optional step under Actions.

Next, follow the steps below to create a service alert:

1. In the left-hand menu under Active Events, select "Service issues."
2. For the scope, select the subscription for which you would like to receive alerts, then click "Next: Condition."
3. Under Condition, in the dropdown selectors Services, Regions, and Event types, click "Select all," then click "Next: Actions."
4. You will now create an action group. Click the "Create action group" button, then fill out the following:
   - Basics: Select the "Subscription, Resource group, and Region." Then, under Instance details, fill in your "Action group name" and "Display name." Then select "Next: Notifications."
   - Notifications: Select the "Notification type" and then create a unique name under "Name." Under Notification type, choose "Email/Azure Resource Manager role" to email specific roles within your subscription; select the roles, then click OK. We choose this option to save time, though it is recommended that you create two alerts using both Email/Azure Resource Manager role and Email/SMS message/Push/Voice. Once you are done, select "Next: Actions."
   - Actions: Select the "Action type" and the Name. Choose among the types of resources that should receive a condition-based alert, then follow the instructions for that service: Automation Runbook, Azure Function, Event Hub, ITSM, Logic App, Secure Webhook, or Webhook.
   - Tags: You can optionally create tags for tracking. Choose relevant tags for the subscription, department, team, or testing, for example. Create the "Name" and "Value," then select "Review + Create."
   - Review + Create: Review that all the information is correct, along with the pricing and privacy statement information, then select "Create."
5. After you create your action group, you are returned to "Create an alert rule," where you continue creating your alert; click "Next: Details."
6. In Details, under Alert rule details, create an "Alert rule name" and description, then click "Next: Tags."
7. Create a "Name" and "Value" pair for your alert's tags, then select "Next: Review + create."
8. Review that all details are correct, then click "Create."

Creating the alert might take a few minutes, but once it is ready, you will see a notification under the bell icon located in the top menu. Congratulations on taking your first step in creating a plan to be prepared. Setting up alerts keeps your team up to date with the latest information.

Conclusion

In conclusion, you learned about Azure's tools for informing users about the health of services globally. Teams can track issues concerning their own resources and improve security, handle outages, and plan for maintenance. You also started down the path of improving your security practices within Azure, so way to go. If you would like to take an even deeper look, follow the quick start guides and tutorials in the links below. Now, go learn, grow, and achieve the mission that you are so passionate about.

Hyperlinks
- What is Azure Service Health? - Azure Service Health | Microsoft Learn
- Azure Service Health Video | Microsoft Learn
- Azure status overview - Azure Service Health | Microsoft Learn

Don't Be Vulnerable - The Necessity of Having Emergency Access Accounts
Don't Get Locked Out! Nonprofit organizations face unique challenges when it comes to managing their Microsoft accounts. Limited budgets and allocations require for stringent measures when adopting new software. More importantly, nonprofits handle sensitive data such as Personal Identifiable Information (PII), Protected Health Information (PHI), and financial information just to name a few. Maintaining privacy and security is of the utmost importance and violations of these standards can come with steep penalties and erode trust. Being locked out, can spell disaster and leave your organization vulnerable to attack. Which is why it is imperative to have a Emergency Access Account. What Are Emergency Access Accounts? Emergency Access (Break Glass) Accounts are high-privilege, cloud-only accounts created to ensure administrators can access your tenant during identity-related outages, misconfigurations, or Conditional Access lockouts. Emergency accounts play a pivotal role in safeguarding financial security and ensuring uninterrupted access to critical resources during times of crisis. Whether it’s a natural disaster, a cyberattack, or an internal administrative challenge, having a well-structured emergency account strategy allows organizations to maintain operational stability and protect the communities they serve. It is recommended to have at least two emergency access accounts. A Break Glass Accounts ensures that authorized personnel can regain control promptly and mitigate further risks or operational downtime. Microsoft has been steadily enforcing Multifactor Authentication in Azure, Microsoft Admin portals, and Office 365 in phases since 2024. Phase 1 rolled out officially around October 2024 within Azure Portal, Microsoft Entra Admin Center, and Intune Admin Center. Common Scenarios Organizations Face Privilege Roles Left Organization: The sole Global Administrator or Billing Administrator has left the organization. 
Privilege Roles are Eligible and Not Active: Global Administrator or Privilege Role Administrators were configured to be eligible which needs approval. Therefore, no approval can be given and now the account is locked out. Federated Accounts with Identity Providers: Federated devices through identity provider and can't access Microsoft Entra ID for authentication. Cellular Network outage for Authentication: Cellular network is down or natural disaster impacting authentication since only authentication method is using SMS phone authentication. Emergency Access Accounts Prevent Ensures access during emergencies when standard methods are compromised. Prevents delays in critical activities like payroll and funding allocation. Mitigates risks from technical failures, such as system outages. Safeguards operational stability during crises like cyberattacks or natural disasters. Allows authorized personnel to promptly regain control and minimize downtime. These scenarios leave the organization, potentially leaving access credentials in limbo. This could delay critical activities like payroll, funding allocation, or payments to service providers. Similarly, technical failures such as system outages or inaccessible online platforms can hinder account access, disrupting ongoing projects and community services. Moreover, scenarios are just some of the challenges that nonprofits face. Creating preventative measures help minimize downtime. Beware of Phishing Setting up phishing-resistant Multifactor Authentication (MFA) for emergency access accounts is an essential step in keeping your organization secure during critical situations. Below is a list of the different types of phishing that target accounts. Types of Phishing Business Email Compromise (BEC): is a targeted cybercrime involving the impersonation of a trusted person or organization to manipulate victims into transferring money, sharing sensitive information, or granting access to systems. 
Whaling: A specialized form of phishing that targets high-ranking individuals, such as executives or decision-makers, within an organization. Email Phishing: A widespread form of phishing where attackers send deceptive emails pretending to be legitimate organizations or individuals to trick recipients into sharing sensitive information, such as passwords, credit card details, or downloading malicious software. Spear Phishing: A targeted phishing attack using personalized messages to trick specific individuals or organizations into sharing sensitive information or performing actions like wire transfers. Clone Phishing: A phishing technique where attackers duplicate legitimate emails previously sent by trusted sources, replacing links or attachments with malicious ones to deceive recipients into sharing sensitive information or installing malware. Voice Phishing (Vishing): A phishing method where attackers use phone calls to impersonate trusted entities, such as banks or government agencies, aiming to extract sensitive information like account details or personal data from victims. SMS Phishing (Smishing): A phishing attack using deceptive text messages that impersonate trusted entities, such as banks or service providers, to trick victims into sharing sensitive information or clicking malicious links. As phishing techniques grow more sophisticated and pervasive, the need for dynamic security measures becomes paramount. Phishing-resistant Multifactor Authentication (MFA) serves as a vital defense mechanism by incorporating multiple layers of verification, making unauthorized access significantly more challenging. By moving beyond traditional passwords, MFA ensures that even if credentials are compromised, attackers face additional barriers to breach systems, mitigating risks and fortifying overall security. 
Phishing-Resistant Authentication Methods
An authentication method is a security mechanism used to verify the identity of a user before granting access to systems or resources. It may involve security keys, certificates, biometrics, or passkeys, giving secure and often password-less access while minimizing the risk of unauthorized entry and phishing.

Phishing-Resistant MFA
Passkeys (FIDO2): Fast IDentity Online 2 (FIDO2) is the second iteration of the password-less FIDO standard. In Microsoft Entra ID a passkey can live in the Microsoft Authenticator app or on a FIDO2 security key (typically USB or NFC) and signs the user in without a password. The credential is bound to the site it was registered with, so it cannot be used on a lookalike page. Hardware keys are well suited to desktop computers (work identities on managed devices) and to servers that require physical access.
Certificate-Based Authentication (CBA): CBA in Microsoft Entra ID uses digital certificates to verify user identity. Instead of a password, it relies on the private key that matches a certificate issued by a trusted Certificate Authority (CA). The private key never leaves the smart card or device and is never transmitted, so it cannot be phished or replayed.
Windows Hello for Business / Platform Credential: Windows Hello for Business (and the platform credential for macOS) is a multi-factor, password-less method. A biometric (fingerprint or facial recognition) or a PIN unlocks a key that is bound to the device, so the gesture or PIN alone is useless anywhere else.

As phishing techniques grow more sophisticated and pervasive, the need for dynamic security measures becomes paramount. By using passkeys on security keys or in app-based authenticators, phishing-resistant MFA blocks unauthorized access attempts even when sophisticated phishing techniques are at play. This keeps emergency accounts accessible only to authorized personnel, who can then respond quickly and confidently without risking sensitive data or systems.
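The two passages above say that phishing-resistant MFA "blocks unauthorized access attempts even when sophisticated phishing techniques are at play" but do not show why. The following is an added example, not code from the original post or from Microsoft, that simulates the part of the WebAuthn/FIDO2 exchange that makes a passkey phishing-resistant: the browser, not the page, writes the origin into the signed client data and derives the relying-party ID from the page's host, and the authenticator only answers for an RP ID it holds a credential for. The real protocol signs with a per-credential asymmetric key (ECDSA); an HMAC over the same inputs stands in for that signature here so the script runs on the standard library alone. The RP ID, the two origins and the challenge values are constructed for the example.

```python
"""Why a passkey (FIDO2) cannot be phished: RP ID and origin binding.
Added example, not from the original post. The real protocol signs with a
per-credential asymmetric key (ECDSA); an HMAC over the same inputs stands
in for that signature here so the script runs on the standard library alone.
The RP ID, origins and challenge values are constructed for the example."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

RP_ID = "login.microsoftonline.com"               # assumed relying-party ID
RP_ORIGIN = "https://login.microsoftonline.com"   # assumed expected origin
PHISH_ORIGIN = "https://login-microsoft.example"  # constructed lookalike site


class Authenticator:
    """Security key or platform authenticator; each credential is scoped to one RP ID."""

    def __init__(self):
        self._creds = {}  # (rp_id, credential_id) -> per-credential secret

    def make_credential(self, rp_id):
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = secret
        return cred_id, secret  # the RP stores this as it would store a public key

    def get_assertion(self, rp_id, cred_id, client_data_json):
        secret = self._creds.get((rp_id, cred_id))
        if secret is None:  # a key never signs for an RP ID it holds no credential for
            raise LookupError(f"no credential scoped to rp_id {rp_id!r}")
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(secret, to_sign, hashlib.sha256).digest()


def browser_get(authenticator, page_origin, cred_id, challenge):
    """navigator.credentials.get() as the browser performs it: the browser, not the
    page script, writes the origin into clientDataJSON and derives the RP ID from
    the page's host, so a phishing page cannot claim to be the real site."""
    rp_id = urlsplit(page_origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data, signature = authenticator.get_assertion(rp_id, cred_id, client_data)
    return client_data, auth_data, signature


def rp_verify(expected_challenge, stored_secret, client_data, auth_data, signature):
    """The relying party's checks, in the order the WebAuthn specification lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(stored_secret, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature"
    return True, "ok"


def legitimate_sign_in():
    key = Authenticator()
    cred_id, secret = key.make_credential(RP_ID)
    challenge = secrets.token_hex(16)
    return rp_verify(challenge, secret, *browser_get(key, RP_ORIGIN, cred_id, challenge))


def adversary_in_the_middle():
    """Phishing proxy: the attacker fetches a genuine challenge from the RP and relays
    it to the victim's browser on the lookalike site (the trick that defeats SMS codes
    and push approvals). The key refuses: the credential is not scoped to that host."""
    key = Authenticator()
    cred_id, _ = key.make_credential(RP_ID)
    try:
        browser_get(key, PHISH_ORIGIN, cred_id, secrets.token_hex(16))
    except LookupError as exc:
        return False, f"authenticator refused: {exc}"
    return False, "unreachable for a conforming authenticator"


def forged_origin():
    """Even if an assertion carrying the lookalike origin somehow reached the RP, the
    origin check rejects it before the signature is even examined."""
    key = Authenticator()
    cred_id, secret = key.make_credential(RP_ID)
    challenge = secrets.token_hex(16)
    client_data, auth_data, sig = browser_get(key, RP_ORIGIN, cred_id, challenge)
    forged = json.dumps({**json.loads(client_data), "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    return rp_verify(challenge, secret, forged, auth_data, sig)
```

Calling legitimate_sign_in() returns (True, "ok"); adversary_in_the_middle() never produces an assertion at all, because the credential registered for login.microsoftonline.com does not exist for the lookalike host; and forged_origin() shows that the relying party rejects any assertion whose client data names a different origin. Compare this with an SMS code or an Authenticator push approval, where nothing in the factor ties it to the site the user is actually looking at, which is exactly what a relay proxy exploits.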
Requirements & Considerations
Passkeys can be used with the Microsoft Authenticator app (currently in preview) and with FIDO2 USB security keys. To register a passkey (FIDO2), the user must have completed multifactor authentication within the previous 5 minutes.
Make sure your FIDO2 security key is FIDO2 certified and listed as compatible with Microsoft Entra ID. Learn more about attestation and compliance here: Microsoft Entra ID attestation for FIDO2 security key vendors - Microsoft Entra ID | Microsoft Learn.
FIDO2 security keys work across Windows, macOS, Linux, iOS, and Android, so the emergency account stays usable on whatever device is available during an incident.
Each passkey (FIDO2) model is identified by an Authenticator Attestation GUID (AAGUID). Microsoft Entra ID can be configured to allow only specific AAGUIDs, so confirm that the key you choose is permitted by your authentication method policy and record its AAGUID in the emergency account documentation.

Conclusion
Emergency access accounts are not a luxury; they are a necessity. For nonprofits, which are frequent targets of cyber threats and have limited resources to respond, having a contingency plan is mission critical. These accounts serve as a lifeline during emergencies like identity lockouts, outages, or cyberattacks. By following the best practices outlined in this guide, nonprofits can dramatically reduce downtime, maintain access to donor and client data, and continue operations even when adversity strikes. Planning, documenting, securing, and testing these accounts ensures you are prepared for the unexpected. Implementing these safeguards today could be what protects your organization tomorrow.

What's Next?
In our next blog, we will walk through how to create an emergency access account in your Microsoft Entra ID tenant, step by step. We will cover naming conventions, secure password practices, how to create the account, and more, so your nonprofit can be prepared for anything. Stay tuned!
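The conclusion above lists planning, documenting, securing and testing; a practitioner will also want to know the moment one of these accounts is used, because a break-glass account typically holds Global Administrator and is excluded from the Conditional Access policies that protect everyone else. The following is an added example, not code from the original post or from Microsoft, that runs simple detection logic over constructed records in the shape of Microsoft Entra sign-in log entries. It raises an alert for every attempt by a break-glass account, grades a success from an unexpected address higher than one from the address the quarterly test is run from, treats a failed attempt as possible credential guessing, and flags error 53003 (blocked by Conditional Access), which means the account's policy exclusion is broken and it would not work in the lockout scenarios described earlier. The object IDs, IP addresses and user principal names are assumed values.

```python
"""Alert on every sign-in attempt by an emergency access (break-glass) account.
Added example, not from the original post. The records below are constructed in
the shape of Microsoft Entra sign-in log entries (createdDateTime, userId,
userPrincipalName, ipAddress, status.errorCode, conditionalAccessStatus); the
object IDs, addresses and names are assumed values."""
import json

# Object IDs of the break-glass accounts (assumed; record the real ones at creation).
EMERGENCY_ACCOUNT_IDS = {
    "3f0a7b2c-0000-4000-8000-0000000000a1",  # breakglass1
    "3f0a7b2c-0000-4000-8000-0000000000a2",  # breakglass2
}
# Addresses a documented, scheduled test of the accounts is expected to come from (assumed).
EXPECTED_IPS = {"203.0.113.10"}
BLOCKED_BY_CONDITIONAL_ACCESS = 53003  # Entra sign-in error code for a Conditional Access block

# Constructed sample export: one JSON object per line, one normal user and four
# break-glass events (scheduled test, use from an unknown address, a failed
# attempt from that address, and a Conditional Access block).
SAMPLE_SIGNINS = r'''
{"createdDateTime":"2025-04-02T08:14:09Z","userId":"9c1d2e3f-0000-4000-8000-00000000beef","userPrincipalName":"jane@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":0},"conditionalAccessStatus":"success"}
{"createdDateTime":"2025-04-02T09:00:41Z","userId":"3f0a7b2c-0000-4000-8000-0000000000a1","userPrincipalName":"breakglass1@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":0},"conditionalAccessStatus":"notApplied"}
{"createdDateTime":"2025-04-03T02:17:55Z","userId":"3f0a7b2c-0000-4000-8000-0000000000a2","userPrincipalName":"breakglass2@contoso.example","ipAddress":"198.51.100.7","status":{"errorCode":0},"conditionalAccessStatus":"notApplied"}
{"createdDateTime":"2025-04-03T02:18:30Z","userId":"3f0a7b2c-0000-4000-8000-0000000000a2","userPrincipalName":"breakglass2@contoso.example","ipAddress":"198.51.100.7","status":{"errorCode":50126},"conditionalAccessStatus":"notApplied"}
{"createdDateTime":"2025-04-04T11:05:12Z","userId":"3f0a7b2c-0000-4000-8000-0000000000a1","userPrincipalName":"breakglass1@contoso.example","ipAddress":"203.0.113.10","status":{"errorCode":53003},"conditionalAccessStatus":"failure"}
'''


def parse_signins(text):
    """One JSON object per line, as exported from the sign-in logs."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record):
    """Return an alert for a break-glass sign-in attempt, or None for any other user."""
    if record.get("userId") not in EMERGENCY_ACCOUNT_IDS:
        return None
    code = record.get("status", {}).get("errorCode", 0)
    ip = record.get("ipAddress")
    if code == 0 and ip in EXPECTED_IPS:
        severity, detail = "high", "successful break-glass sign-in; confirm it matches a change or incident record"
    elif code == 0:
        severity, detail = "critical", "successful break-glass sign-in from an unexpected address"
    elif code == BLOCKED_BY_CONDITIONAL_ACCESS:
        severity, detail = "critical", "break-glass account blocked by Conditional Access: its policy exclusion is broken"
    else:
        severity, detail = "medium", f"failed break-glass sign-in (error {code}); possible credential guessing"
    return {"time": record.get("createdDateTime"), "upn": record.get("userPrincipalName"),
            "ip": ip, "severity": severity, "detail": detail}


def emergency_account_alerts(text):
    """Every break-glass event becomes an alert; there is no benign use of these accounts."""
    return [alert for alert in map(classify, parse_signins(text)) if alert]


def severity_counts(alerts):
    counts = {}
    for alert in alerts:
        counts[alert["severity"]] = counts.get(alert["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in emergency_account_alerts(SAMPLE_SIGNINS):
        print(f'{alert["time"]} {alert["severity"]:8} {alert["upn"]} from {alert["ip"]}: {alert["detail"]}')
```

Run against the sample, emergency_account_alerts() returns four alerts (the normal user is ignored): one high for the scheduled test, one critical for the success from 198.51.100.7, one medium for the failed attempt that followed it, and one critical for the 53003 block. The same matching by object ID works whether the records come from a log export, a Log Analytics query, or the Microsoft Graph sign-in endpoint; matching by object ID rather than by display name or UPN matters because those can be renamed.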
Hyperlinks
Manage emergency access admin accounts - Microsoft Entra ID | Microsoft Learn
Password-less sign-in with Authenticator - Microsoft Entra ID | Microsoft Learn
Microsoft Entra ID attestation for FIDO2 security key vendors - Microsoft Entra ID | Microsoft Learn
Enable passkeys in Authenticator for Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
Phishing resistant authentication in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

Enabling Self-Service Password Reset for Your Organization
What Is SSPR?
It is a frigid February morning. The time is approximately 6:30 AM. Your morning cup of joe is interrupted by an urgent call from your system administrator, Jonathan. He informs you about a suspicious email incident over the weekend that potentially impacted numerous employees. Having handled most of the preliminary measures, he suggests resetting all passwords to limit any further impact, and he is thinking about enabling Self-Service Password Reset (SSPR) to save time and effort. SSPR lets members of an organization reset their own passwords. In this blog we will cover how to enable this feature in the Microsoft Entra admin center. Naturally, this blog assumes that you have not enabled the feature yet and are just getting started; the links at the end go into more depth.

Navigating to the Microsoft Entra Admin Center
Before you begin, have your admin credentials handy: you must hold an administrative role with the appropriate access. If you also want SSPR to cover accounts synchronized from on-premises Active Directory, you need a sync engine such as Microsoft Entra Connect with password writeback enabled. Please see the following link to learn more: Enable Microsoft Entra password writeback - Microsoft Entra ID | Microsoft Learn. Let us continue to the login page.

Sign In
Navigate to https://entra.microsoft.com. Enter your administrative username and password. If you have forgotten your password, click "Forgot my password" and follow the prompts. You will be prompted to authenticate on your phone with the Microsoft Authenticator app. After you sign in, you arrive at the Microsoft Entra admin center home page. From there, we will walk through enabling the feature one step at a time.
Enabling SSPR
On the home page, select the "Protection" tab in the left-hand menu, then click "Password reset." The first menu item is "Properties"; on the right you will see "Self-service password reset enabled" with three options:
None: No users in the organization can reset their own password (the default if SSPR has never been enabled).
Selected: Only members of the group(s) you choose can reset their own password.
All: Every user in the organization can reset their own password.
Select one, then click "Save."
Now that SSPR is enabled, the users in scope (everyone, or only the members of the selected group) can use "Forgot my password" on the sign-in page to reset their own password, so the systems administrator only has to send one email asking them to do so. Note that a user can only reset a password once they have registered the authentication methods the policy requires; the "Authentication methods" and "Registration" items on the same Password reset page control which methods are required and whether users are prompted to register when they sign in.

Conclusion
Moving forward, this policy aims to enhance self-sufficiency and improve security. By enabling Self-Service Password Reset (SSPR), organizations can streamline password management, lighten IT support loads, and boost security. Letting users reset their passwords quickly and securely keeps productivity high and mitigates the risks associated with forgotten credentials. Monitor its effectiveness and adjust the settings as needed to meet your organization's unique needs and security standards.

Hyperlinks
License self-service password reset - Microsoft Entra ID | Microsoft Learn
Enable Microsoft Entra password writeback - Microsoft Entra ID | Microsoft Learn
Self-service password reset deep dive - Microsoft Entra ID | Microsoft Learn
Microsoft Entra Admin Center - Secure, Protect, & Manage | Microsoft Community Hub

Partner Blog | What's new for Microsoft partners: April 2025 edition
We value partner feedback and celebrate the range of perspectives within our community as we continue to enhance the Microsoft AI Cloud Partner Program. Our second blog of 2025 provides expert insights, updated learning resources, and recent benefits from the last four months to support your development.

Announcements

Microsoft at 50: the journey and future of the partner ecosystem
As we celebrate Microsoft's 50th anniversary in April, our annual State of the Partner Ecosystem blog was a great opportunity to reflect on the incredible journey we have shared with our partners, employees, and customers. Celebrate with us!
Watch this video from Judson Althoff, Executive Vice President and Chief Commercial Officer, Microsoft.
Join the Microsoft AI Skills Fest for 50 days of learning and discovery starting April 8! Gain skills that will empower you and your team to build innovative AI solutions with Microsoft's apps and services.
Download the Microsoft 50th Anniversary Social Toolkit.
See the full list of partner quotes on the Microsoft 50th Anniversary celebration site.

Upcoming API changes for Microsoft partners: what you need to know
Security and compliance are vital to maintaining trust and enhancing business efficiency. Our recent blog outlines several significant updates to application programming interfaces (APIs) that Microsoft partners will need to implement over the coming months to ensure compliance and avoid disruptions in business operations. These changes include updates to billing frequency scheduling, Partner of Record (POR) assignment, CSP billing reconciliation APIs, Partner Center pricelist upgrades, and the deprecation of Azure AD Graph tokens. Additionally, the blog emphasizes the importance of multi-factor authentication (MFA) and upcoming changes to Microsoft Customer Agreement (MCA) attestation methods. Continue reading here

Step-by-Step Guide: How to enable QR code authentication for Microsoft Entra ID (Preview)?
Microsoft Entra ID supports a long list of authentication methods:
Windows Hello for Business
Microsoft Authenticator app
Authenticator Lite
Passkey (FIDO2)
Certificate-based authentication
Hardware OATH tokens (preview)
Software OATH tokens
External authentication methods (preview)
Temporary Access Pass (TAP)
Short Message Service (SMS) sign-in and verification
Voice call verification
Password

This lets organizations select the most secure and productive authentication methods for their business. The most secure method is not always the most productive, and vice versa, so having a variety of supported methods helps to strike a balance between the two. Microsoft Entra ID now supports QR code authentication, a method specifically designed for frontline workers who use shared devices. It provides a convenient and secure login experience for these workers.

How it works
1) An account with the Authentication Policy Administrator role or higher enables QR code as an authentication method.
2) Once the method is enabled, a QR code and a temporary PIN are generated for the user.
3) The QR code is given to the user. It can be downloaded, printed, or added to a badge.
4) The QR code is unique to the user but cannot be used without the PIN.
5) The temporary PIN must be changed when the user authenticates for the first time.
6) Once the QR code and PIN are set up, the user uses them for subsequent logins.

Things to remember
1) QR code authentication is designed for frontline workers and should not be used widely. Phishing-resistant authentication is recommended wherever possible.
2) Do not enable this method for all users; enable it only for the users who need it.
3) QR code authentication is currently supported only on mobile devices running iOS/iPadOS or Android.
4) QR code authentication does not allow users to reset their own PIN.
In this blog post I am going to demonstrate how to configure QR code authentication for Microsoft Entra ID users. Let's start by enabling the authentication method.

Enabling the authentication method
1) Log in to the Microsoft Entra admin center at https://entra.microsoft.com/ as an Authentication Policy Administrator or higher.
2) Navigate to Protection | Authentication methods.
3) Under Policies, click QR code (Preview).
4) On the QR code (Preview) settings page, click Enable to turn on the authentication method, then select the relevant user group as the target.
5) Click the Configure tab. Here you can adjust the PIN length and the lifetime of the QR code. The default lifetime is 365 days; it can be extended up to 395 days.
6) Click Save to apply the changes.
This enables QR code as an authentication method for the tenant. Next, let's see how to generate a QR code for a user.

Generate QR code authentication for a user
1) Navigate to Users | All users.
2) Select a user from the target group configured in the previous section.
3) Click Authentication methods.
4) Click + Add authentication method.
5) From the dropdown, select QR code (Preview).
6) On the settings page, define the expiration date and activation time.
7) Click Generate PIN to create a temporary PIN. Note down the PIN, then click Add.
8) This generates the QR code. Download it for use in the test that follows.
Now that we have generated a QR code for a user, let's proceed with some testing.

Testing
For testing, I used an iOS device to log in to the Office portal. On the login page, I typed the username and then tapped Sign-in options. On the Sign-in options page, I selected Sign in to an organization. On the next page, I chose Sign in with QR code. I tapped Allow to grant access to the camera, then scanned the QR code downloaded in the previous step. Once the QR code was detected, I entered the temporary PIN that was generated and tapped Sign in.
On the next page, I was prompted to define a new PIN since this was the first login. After defining the PIN, I tapped Sign in. As expected, I was able to log in successfully. This marks the end of the blog post, and I believe you now have a better understanding of how to enable and use QR code authentication.