Multifactor Authentication
68 Topics

New blog post | 2023 State of Cloud Permissions Risks report now published
As organizations are embracing and adopting multicloud infrastructures, identity permissions have increased across three leading cloud platforms: Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Although this shift brings new opportunities for innovation, it presents new permission challenges organizations have never faced before.
2023 State of Cloud Permissions Risks report now published - Microsoft Community Hub
885 Views, 2 likes, 0 Comments

Pre-Register and/or ONLY force registration of Azure MFA for users without enable MFA on the account
I've often been asked by customers if it is possible to pre-register (even bulk) users for MFA but not enable it directly for the whole account, because they want to use it in Conditional Access. So I did a blog post on that recently: (Bulk) pre-register MFA for users without enable MFA on the account
Another thing that is often asked is whether it is possible to only force the registration for Azure MFA but also not activate it on the account, mostly because MFA should be used in Conditional Access. Currently you need an AAD P2 license for that and have to set the MFA registration policy, but I found a NEW way to do that without this license. See my blog post about that here: Force Azure MFA registration without enabling MFA on the user
Hope that is valuable for you. Feel free to comment or share updates, additions, corrections to what I wrote.
/Peter
19K Views, 2 likes, 0 Comments

bulk Pre-registration for Azure MFA for more Seamless Single Sign on and smooth for MFA roll out
We’ve been asked many times to do a bulk pre-registration for Azure Active Directory MFA to give our customers’ users a more seamless single sign-on and a smooth MFA rollout.

This script helps you to:
- Configure MFA Strong Authentication Methods
- Set a default MFA authentication method for all users or a number of users
- Update Mobile Number for a list of users
- Update Strong Authentication Methods for a list of users
- Get MFA Strong Authentication Details for all users
- Get MFA Authentication contact info where the phone number is Null
- Update Mobile Number only if the user Mobile does not exist

NOTE: Before we proceed with MFA and SSPR enablement and configuration: users will be able to change their authentication mobile phone number whenever they need to. Admins won’t have control over the authentication mobile phone number; they can pre-define it, but users will still be able to change it.

Keep in mind:
- If you have provided a value for Mobile phone or Alternate email, users can immediately use those values to reset their passwords, even if they haven't registered for the service. In addition, users see those values when they register for the first time, and they can modify them if they want to. After they register successfully, these values are persisted in the Authentication Phone and Authentication Email fields, respectively.
- If the Phone field is populated and Mobile phone is enabled in the SSPR policy, the user sees that number on the password reset registration page and during the password reset workflow.
- The Alternate phone field isn't used for password reset.
- If the Email field is populated and Email is enabled in the SSPR policy, the user sees that email on the password reset registration page and during the password reset workflow.
- If the Alternate email field is populated and Email is enabled in the SSPR policy, the user won't see that email on the password reset registration page, but they see it during the password reset workflow.

Download here.
Script in detail.

Parameters

    # Requires the AzureAD and MSOnline modules and an authenticated session
    # (Connect-AzureAD, Connect-MsolService).
    $UsersCSV = "<Users CSV File Path>"   # Example C:\Temp\UsersMFA.csv
    $OutPutFolder = "C:\Temp"             # Example C:\Temp

If User Mobile exists (AD users with specific AD attribute NOT null)

    # Returns users whose Mobile attribute is not null.
    # -All $true returns every user instead of only the first page of results.
    Get-AzureADUser -All $true | Select-Object UserPrincipalName, Mobile | Where-Object { $_.Mobile -ne $null }

If User Mobile exists (AD users with specific AD attribute is null)

    # Returns users whose Mobile attribute is null.
    Get-AzureADUser -All $true | Select-Object UserPrincipalName, Mobile | Where-Object { $_.Mobile -eq $null }

    #Get All Users Details
    Get-AzureADUser -All $true | Select-Object DisplayName, UserPrincipalName, otherMails, Mobile, TelephoneNumber | Format-Table

List users "Authentication contact info" attributes from AzureAD

    # The output path is built inside one quoted string so Out-File receives a single argument.
    Get-MsolUser -All |
        Select-Object DisplayName -ExpandProperty StrongAuthenticationUserDetails |
        Format-Table DisplayName, PhoneNumber, Email |
        Out-File "$OutPutFolder\StrongAuthenticationUserDetails.csv" -Verbose

List users "Authentication contact info where Phone number is Null" attributes from AzureAD

    Get-MsolUser -All |
        Select-Object DisplayName -ExpandProperty StrongAuthenticationUserDetails |
        Where-Object { $_.PhoneNumber -eq $null } |
        Format-Table DisplayName, PhoneNumber, Email |
        Out-File "$OutPutFolder\StrongAuthenticationUserPhoneNumberNull.csv" -Verbose

StrongAuthenticationUserPhoneNumber File Details

List users "Strong Authentication Methods" attributes from AzureAD

    Get-MsolUser -All |
        Select-Object DisplayName, UserPrincipalName -ExpandProperty StrongAuthenticationMethods |
        Select-Object UserPrincipalName, IsDefault, MethodType

All users who have signed up for SSPR.

    (Get-MsolUser -All | Where-Object { $_.StrongAuthenticationUserDetails -ne $null })

All users who have not signed up for SSPR

    (Get-MsolUser -All | Where-Object { $_.StrongAuthenticationUserDetails -eq $null })

Update Mobile Number for List of users

    # Errors are suppressed, so rows that fail to update are not reported.
    Import-Csv -Path $UsersCSV | ForEach-Object {
        Set-AzureADUser -ObjectId $_.UserPrincipalName -Mobile $_.Mobile -ErrorAction SilentlyContinue
    }

Microsoft StrongAuthenticationMethod Parameters

    $OneWaySMS = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $OneWaySMS.IsDefault = $false
    $OneWaySMS.MethodType = "OneWaySMS"

    # TwoWayVoiceMobile is the only method marked as default.
    $TwoWayVoiceMobile = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $TwoWayVoiceMobile.IsDefault = $true
    $TwoWayVoiceMobile.MethodType = "TwoWayVoiceMobile"

    $PhoneAppNotification = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $PhoneAppNotification.IsDefault = $false
    $PhoneAppNotification.MethodType = "PhoneAppNotification"

    $PhoneAppOTP = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
    $PhoneAppOTP.IsDefault = $false
    $PhoneAppOTP.MethodType = "PhoneAppOTP"

    $methods = @($OneWaySMS, $TwoWayVoiceMobile, $PhoneAppNotification, $PhoneAppOTP)

Set Default Strong Authentication Methods for List of users

    # -ErrorAction sits on Set-MsolUser, inside the script block, so it applies to the update itself.
    Import-Csv -Path $UsersCSV | ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationMethods $methods -ErrorAction SilentlyContinue
    }

Pre-register authentication Info for List of users.

    Import-Csv -Path $UsersCSV | ForEach-Object {
        Set-AzureADUser -ObjectId $_.UserPrincipalName -OtherMails $_.OtherMails -Mobile $_.Mobile -TelephoneNumber $_.TelephoneNumber -ErrorAction SilentlyContinue
    }

15K Views, 2 likes, 2 Comments

MFA IP whitelist not working after enabling Conditional Access policy
A new requirement for CSP partners is enabling conditional access policies "Baseline policy: Require MFA for admins" and "Baseline policy: End user protection". We already have MFA enabled/enforced for all end users and admins, with IP whitelist for main office and soho. That worked fine. But after enabling those CA policies our IP whitelist stopped working. End users at the office are asked for MFA, and our O365 backup running with global admin credentials can no longer log in. I tried to create our main office public IP as a trusted location, but no luck. As a quick fix I disabled the policies while digging into this. Can anybody explain why this is happening?
2K Views, 1 like, 1 Comment

Global Administrator MFA recovery not possible
Since Microsoft automatically enforced MFA on the administrator role in Azure, you can end up in a situation where it is no longer possible to recover your tenant. If your only account on that tenant has the Global Administrator role and you accidentally lose your MFA, the only way is to call Microsoft support. Support on the phone is automated, and any question regarding Azure is redirected to the Azure portal. If your only user cannot log in, then the Azure portal is not accessible.
68 Views, 1 like, 1 Comment

Authenticator not displaying numbers on MacOS
I have an issue with MFA on a Mac (all the latest versions). We have conditional access policies in place, so once a day I'm prompted for MFA (I work off-site) and the Office app (e.g. Outlook, Teams) will create the pop-up window that 'should' display a number that I then match on my phone. My phone sees the push notification, but the Mac never creates the numbers in the first place. The pop-up is there, just no number.
The workaround is:
1. Answer 'its not me' on the phone
2. On the Mac, select 'I can't use Authenticator right now'
3. Tell the Mac to send a new request
This time it creates the number and I can authenticate on the phone. It only appears to happen for the installed Office applications, i.e. if I'm accessing applications/admin-centre via the browser, then the pop-up is within the browser and everything works first time. Is this a known issue?
226 Views, 1 like, 2 Comments

Phase out text message / SMS for MFA (no hard break)
Hi everyone, is it possible to phase out SMS in rings? We still have too many users using text message as their first auth method. We are "nudging" and we are sending campaigns on "how to change", but we want to get the last ones to change. Is there any way to just restrict the usage of SMS in rings, so the first ring is 500 employees, the next one 1000, etc., instead of just switching it off? We would expect a high amount of service desk calls if we just switch it off.
Best regards
Stephan
Solved, 4.5K Views, 1 like, 11 Comments

Authenticator Settings Target vs. Conditional Access
I recently saw that Microsoft has enabled some number matching functionality for Microsoft Authenticator to reduce the ability for users to be spammed into just accepting an MFA push notification that they didn't trigger. To enable this, however, we need to navigate to AAD > Security > Authentication methods > Policies > Microsoft Authenticator and then enable this option and move on to the Configure tab. When enabling Authenticator from this section you're required to define the TARGET list of users:
We, however, have enabled MFA for the organization using Conditional Access policies and are enforcing and adding exceptions to that policy as necessary. If we're to trial and use this new feature, however, I need to enable this Microsoft Authenticator settings option and it's unclear how the target user selection set will interact with the Conditional Access policy. Can anyone offer clarity on how these two sections would interact? Do I need to define the same criteria for user selection within the Authenticator settings that are defined within the Conditional Access policy? Or is there a simpler or more straightforward way to handle this?
Solved, 4.3K Views, 1 like, 5 Comments

MFA on Windows desktop and RDP logins
We run local AD with Azure AD Connect to sync to AAD. We do not utilize any MFA solution on local domain joined Windows desktop logins or RDP logins to local domain joined RDP servers. We do have NAC in place and MFA in place for M365/Azure AD logins and SSL VPN logins. Are you using MFA on Windows desktop and RDP logins? What solution/setup? Looking for guidance or input on using an MFA solution for Windows desktop and RDP logins. We do use Duo with some high sensitivity servers. Also, we have Windows Hello configured on a fleet of Surface devices and HP desktops where we have the Logitech BRIO 4K Pro Webcam installed.
920 Views, 1 like, 0 Comments

MFA for On-prem and Azure Applications
Hello, how can we implement MFA on both the on-prem environment and Azure? Right now I have MFA configured for our Azure tenant but it only supports Cloud apps. We are using the same O365 accounts for our on-prem applications as well, but MFA is not prompting when we are trying to access them. Is there any way we can configure it for on-prem apps as well? Currently, we have this Azure AD Premium P1 license.
1.2K Views, 1 like, 0 Comments