User Profile
Spindle8551
Copper Contributor
Joined 2 years ago
User Widgets
Recent Discussions
Re: Excessive MFA prompts for a specific user
They're not macOS or iOS, are they? I find they do not play friendly whatsoever with MFA, SSO etc. I've found inconsistency with browsers as well. Edge is the most consistent with its MFA behaviour. What did the sign-in logs say for incoming token?
10K Views, 0 likes, 0 Comments
Re: Excessive MFA prompts for a specific user
What's your CA policy settings? Are your devices hybrid or Azure AD registered? By every 90 days, I presume you mean this is a sign-in frequency setting? Assuming the device is hybrid joined or Azure AD registered (Entra registered), it should be honoring a PRT. Look at the sign-in logs and make sure you have the column 'incoming token' selected. It will show you either nothing or Primary Refresh Token. I suspect it will be nothing most of the time. If this is the case, the PRT is being invalidated and it's likely a TPM issue which is hardware related. I've had to get intimately familiar with this article https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#how-is-a-prt-invalidated Hope that helps, but knowing more about the CA policy could be helpful too.
10K Views, 1 like, 3 Comments
Re: Azure AD Connect - sync computer(device) extensionAttributes to Azure AD
KatakKatak Firstly, what are you trying to achieve exactly? Secondly, and unfortunately, it's a hard 'no' to be able to sync the on-prem extensionAttribute. Yes, it would be so much easier if you could. Lastly, you should be able to see which on-prem domain they're being synchronised from in AAD Connect. Yes, making a naming standard and sticking to it would help a lot more. But if you do a metaverse search for devices, you'll be able to see which connectors they've come from. You'll have to excuse that I've had to blank out the values in my screenshot, but I hope this guides you on how to see them. If you search for a computer in the metaverse search with the attribute 'DisplayName' is equal to <computerdisplaynamevalue>, the result will show you which connector (or AD domain) it's come from. Does it make your job harder? Yes! But the info is there. My scenario is, I needed to add a string value to an extensionAttribute of a handful of devices to be exempt from MFA. You can filter devices with extensionAttribute# with a value equal to <yourstringvalue>. I ended up writing my own PowerShell function to utilise the Microsoft.Graph.Identity.DirectoryManagement module. This function takes one or more device display names or a path to a CSV file containing device names as input, and adds a value I've specified to an extensionAttribute of my choosing for each device. The function requires a valid client ID and certificate thumbprint for authentication. In other words, I had to create a service principal with Graph permission Device.ReadWrite.All and utilise a certificate thumbprint as the "secret". Hope all that makes sense.
8.8K Views, 0 likes, 2 Comments
Re: Azure AD Connect - sync computer(device) extensionAttributes to Azure AD
KatakKatak in short, no. It's not supported. You have to use the Microsoft Graph PowerShell SDK to add your own extension attributes.

    # Look the device up by display name ('<device-display-name>' is a placeholder)
    $Device = Get-MgDevice -Filter "displayName eq '<device-display-name>'"

    # PATCH body: only the extension attribute being set
    $Params = @{
        "extensionAttributes" = @{
            "extensionAttribute1" = "YourPreferredStringAttribute"
        }
    }

    # Pass the hashtable directly; the SDK serialises it into the request body
    Update-MgDevice -DeviceId $Device.Id -BodyParameter $Params

Use Get-MgDevice to grab the device Id. Hope that helps. I have had to do this recently.
9.1K Views, 0 likes, 4 Comments
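The two replies above describe a function that takes device display names (or a CSV of them), signs in with an app registration and certificate, and stamps an extensionAttribute on each device. The following is an added PowerShell example written for this page; it is my own code, not the poster's function or Microsoft's. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.DirectoryManagement modules are installed, that the app registration holds the Device.ReadWrite.All application permission and authenticates with a certificate, and that a CSV input has a 'DeviceName' column. The function name, parameter names and the placeholder values are my choices.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

# Added example (not from the thread): set extensionAttribute1..15 on Entra devices by display name.
function Set-DeviceExtensionAttribute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Names')]
        [string[]]$DeviceName,

        [Parameter(Mandatory, ParameterSetName = 'Csv')]
        [string]$CsvPath,                      # CSV with a 'DeviceName' column (assumed layout)

        [Parameter(Mandatory)]
        [ValidateRange(1, 15)]
        [int]$AttributeNumber,                 # which extensionAttributeN to write

        [Parameter(Mandatory)]
        [string]$Value,                        # the string the CA device filter will match on

        [Parameter(Mandatory)] [string]$TenantId,
        [Parameter(Mandatory)] [string]$ClientId,
        [Parameter(Mandatory)] [string]$CertificateThumbprint
    )

    # App-only sign-in with a certificate from the local store: no client secret in the script.
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
        -CertificateThumbprint $CertificateThumbprint -NoWelcome

    $names = if ($PSCmdlet.ParameterSetName -eq 'Csv') {
        (Import-Csv -Path $CsvPath).DeviceName
    } else {
        $DeviceName
    }

    $attrName = "extensionAttribute$AttributeNumber"

    foreach ($name in ($names | Where-Object { $_ } | Select-Object -Unique)) {
        # Escape single quotes for the OData filter, then require exactly one match:
        # display names are not unique in Entra, so 0 or >1 hits are reported, not guessed.
        $escaped = $name -replace "'", "''"
        $devices = @(Get-MgDevice -Filter "displayName eq '$escaped'" -All)

        if ($devices.Count -eq 0) {
            Write-Warning "No device named '$name' found; skipping."
            continue
        }
        if ($devices.Count -gt 1) {
            Write-Warning "$($devices.Count) devices named '$name'; skipping so the wrong device is not stamped."
            continue
        }

        $dev = $devices[0]
        if ($PSCmdlet.ShouldProcess($dev.DisplayName, "Set $attrName = '$Value'")) {
            # Only the one attribute is sent; the SDK serialises the hashtable into the PATCH body.
            $body = @{ extensionAttributes = @{ $attrName = $Value } }
            Update-MgDevice -DeviceId $dev.Id -BodyParameter $body

            # Emit a record per device so the run can be kept as a change log.
            [pscustomobject]@{
                DeviceName = $dev.DisplayName
                DeviceId   = $dev.Id
                Attribute  = $attrName
                Value      = $Value
            }
        }
    }
}

# Usage (all values are placeholders). -WhatIf previews the changes without writing anything.
# Set-DeviceExtensionAttribute -DeviceName 'KIOSK-01', 'KIOSK-02' -AttributeNumber 1 -Value 'MFA-Exempt' `
#     -TenantId '<tenant-id>' -ClientId '<app-id>' -CertificateThumbprint '<thumbprint>' -WhatIf
#
# Set-DeviceExtensionAttribute -CsvPath '.\devices.csv' -AttributeNumber 1 -Value 'MFA-Exempt' `
#     -TenantId '<tenant-id>' -ClientId '<app-id>' -CertificateThumbprint '<thumbprint>'
```

The Conditional Access side then uses a device filter on the same attribute, for example `device.extensionAttribute1 -eq "MFA-Exempt"`, to exclude those devices from the MFA policy. Two design points worth keeping: the function refuses ambiguous display names rather than picking the first hit, because a wrong match silently widens the exemption, and the per-device output objects give you a record of which devices were stamped, which is what a later review of the exemption group needs.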
Recent Blog Articles
Re: Remediate User Risks in Microsoft Entra ID Protection Through On-premises Password Changes
If you have password hash sync (PHS) enabled as a backup method, does this work too? We have PTA enabled as our default method, but PHS as a backup method, so keen to know if this will suffice.
0 likes, 0 Comments