Practical Graph: Nag Users to Upgrade to a Strong Authentication Method
Convincing people to use MFA is one challenge. Convincing them to use a stronger authentication method than SMS is another. This article explains how to use PowerShell to find people still using SMS for MFA and send email to ask them to upgrade their authentication method. https://practical365.com/upgrade-stronger-authentication-method-mfa/
Force additional MFA for PIN WH4B
so got a request from one of my clients and if you think about it, its on the verge of being valid but an edge case... Lets say you implement WH4B and leverage PIN, how do you prevent someone shoulder surfing and leveraging the PIN on that device if they take it? Or restrict pin patterns? (the patterns I am looking into) I know Fido2 is the best way along with biometrics...but they were wondering if there was a way to reprompt MS Auth App for a code after login/reboot... I couldnt find anything on this but I did find forcing a mfa device revalidation via graph api Any able to accomplish this with the entra joined device?MFA Rollout Question(s)
Hi All I hope you are well. Anyway, I'm normally more active in the Intune space but I have been tasked with rolling out MFA to a lot of non technical users. One of the questions is: What if I forget my phone with the MS Authenticator app on it? I can't seem to find any documentation or clear answer to this. Any ideas? SK
Lost mfa global admin can not login, no break glass account
No partner or another global admin or break glass account. Yes I know thats a mistake but just need mfa reset for the global admin account. Hi. I have been calling ms support for multiple days, on hold for hours at a time. I know the story about getting hold of the data protection team and there hold times. I can't login to my tenant to open a case since I lost my mfa, changed phones and the restore is not working. Already tried sspr and thats not working either, my backup email is not getting the pin. Anyone as MS that can help open a case vs being on hold for days at a time. txs M
Dynamic group based on custom security attribute
Can anyone answer this question. Can or should i be able to create a Dynamic group filtering on a customer security attribute. Yes I know you can filter based on extenstionattribute1-15 however i have noted that accounts create in Entra don't appear to have the option to view extension attributes plus these come from an on prem created account. So the questions are: Can I create a dynamic group using a custom security attribute and if so how because the custom attributes don't show up in the Property options when creating the dynamic group query How can I add to the extension attributes for non on prem sync accounts (accounts created in Entra)
Microsoft Authenticator Passkeys for Entra ID on unmanaged devices
Hello, has anyone successfully registered passkeys on an unmanaged phone in an organisation with device compliance policies? Use case is to provide a phishing-resistant MFA option via Authenticator app for logging into apps on their desktop. Users already have authenticator app on their phone and do number matching MFA. https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-authenticator?tabs=iOS When I select "Create a passkey" - I need to log into my account. However I'm blocked from successful authentication because I have conditional access policies to require compliant devices. As my mobile phone is not enrolled into Intune, I never get to the step where the passkey is created and registered. Based on the constraints - it seems like passkeys cannot be used for unmanaged/BYOD devices for organisations that have device compliance policies. It can only be used for users who have enrolled their mobile phone. Looking to see if anyone has tips or different experience using passkeys on unmanaged mobile phones to log into Entra?
Cannot sign into my M365 Account
I have a M365 Business Basic account. I am the only admin and only user in the system. I have MFA set up. I had to get a new phone about a month ago and unfortunately lost access to my only MFA device. I have my account in my authenticator app on my new phone, but the account needs to be refreshed and it's asking me to scan the QR code - in other words, MFA is not set up on my new device. Because I cannot sign into anything Microsoft, I am unable to reset my MFA, unable to open a support ticket, and pretty much unable to do anything. I called the MSFT support line and spoke to someone who transferred me to the Data Security team. I have been on hold for over 5 hours. Is there any alternative course of action I can take to open a support ticket or get help?
