Multifactor Authentication
68 Topics

Allow Use of Microsoft Authenticator OTP in Azure AD
Hi All, We wanted to enable number matching and Passwordless with the Microsoft Authenticator app, and when I go there I can see the below setting under configurations. But I wanted to make sure what that setting is and what the recommended configuration is for "Allow Use of Microsoft Authenticator OTP" before configuring it in the production environment. Appreciate it if anyone could help me on this. Thanks, Dilan

Pre-Register and/or ONLY force registration of Azure MFA for users without enabling MFA on the account
I'm often asked by customers if it is possible to pre-register (even bulk) users for MFA without enabling it directly for the whole account, because they want to use it in Conditional Access. So I did a blog post on that recently: (Bulk) pre-register MFA for users without enable MFA on the account. Another thing that is often asked is whether it is possible to only force registration for Azure MFA but also not activate it on the account, mostly because MFA should be used in Conditional Access. Currently you need an AAD P2 license for that and to set the MFA registration policy, but I found a NEW way to do that without this license. See my blog post about that here: Force Azure MFA registration without enabling MFA on the user. Hope that is valuable for you. Feel free to comment or share updates, additions, or corrections to what I wrote. /Peter

Bulk Pre-registration for Azure MFA for more Seamless Single Sign-on and a smoother MFA roll-out
We’ve been asked many times to do a bulk pre-registration for Azure Active Directory MFA to give our customers’ users more seamless single sign-on and a smoother MFA roll-out. This script helps you to:
- Configure MFA Strong Authentication Methods
- Set a default MFA authentication method for all users or a number of users
- Update the mobile number for a list of users
- Update Strong Authentication Methods for a list of users
- Get MFA Strong Authentication details for all users
- Get MFA authentication contact info where the phone number is null
- Update the mobile number only if the user's mobile does not exist

NOTE: Before we proceed with MFA and SSPR enablement and configuration: users will be able to change their authentication mobile phone number whenever they need to. Admins won’t have control over the authentication mobile phone number; they can pre-define it, but users will still be able to change it.

Keep in mind: If you have provided a value for Mobile phone or Alternate email, users can immediately use those values to reset their passwords, even if they haven't registered for the service. In addition, users see those values when they register for the first time, and they can modify them if they want to. After they register successfully, these values are persisted in the Authentication Phone and Authentication Email fields, respectively. If the Phone field is populated and Mobile phone is enabled in the SSPR policy, the user sees that number on the password reset registration page and during the password reset workflow. The Alternate phone field isn't used for password reset. If the Email field is populated and Email is enabled in the SSPR policy, the user sees that email on the password reset registration page and during the password reset workflow. If the Alternate email field is populated and Email is enabled in the SSPR policy, the user won't see that email on the password reset registration page, but they see it during the password reset workflow. Download here.
Script in detail.

# Parameters
$UsersCSV = "<Users CSV File Path>"   # Example: C:\Temp\UsersMFA.csv
$OutPutFolder = "C:\Temp"             # Example: C:\Temp

# Users whose Mobile attribute is populated (Azure AD users with the attribute NOT null)
Get-AzureADUser -All $true | Select-Object UserPrincipalName, Mobile | Where-Object { $_.Mobile -ne $null }

# Users whose Mobile attribute is empty (Azure AD users with the attribute null)
Get-AzureADUser -All $true | Select-Object UserPrincipalName, Mobile | Where-Object { $_.Mobile -eq $null }

# Get all users' details
Get-AzureADUser -All $true | Select-Object DisplayName, UserPrincipalName, OtherMails, Mobile, TelephoneNumber | Format-Table

# List users' "Authentication contact info" attributes from Azure AD and write them to a CSV file
Get-MsolUser -All | Select-Object DisplayName -ExpandProperty StrongAuthenticationUserDetails | Select-Object DisplayName, PhoneNumber, Email | Export-Csv -Path "$OutPutFolder\StrongAuthenticationUserDetails.csv" -NoTypeInformation -Verbose

# List users' "Authentication contact info" attributes where the phone number is null
Get-MsolUser -All | Select-Object DisplayName -ExpandProperty StrongAuthenticationUserDetails | Where-Object { $_.PhoneNumber -eq $null } | Select-Object DisplayName, PhoneNumber, Email | Export-Csv -Path "$OutPutFolder\StrongAuthenticationUserPhoneNumberNull.csv" -NoTypeInformation -Verbose

# List users' "Strong Authentication Methods" attributes from Azure AD
Get-MsolUser -All | Select-Object DisplayName, UserPrincipalName -ExpandProperty StrongAuthenticationMethods | Select-Object UserPrincipalName, IsDefault, MethodType

# All users who have signed up for SSPR
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationUserDetails -ne $null }

# All users who have not signed up for SSPR
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationUserDetails -eq $null }

# Update the mobile number for a list of users
Import-Csv -Path $UsersCSV | ForEach-Object { Set-AzureADUser -ObjectId $_.UserPrincipalName -Mobile $_.Mobile -ErrorAction SilentlyContinue }

# Microsoft StrongAuthenticationMethod parameters
$OneWaySMS = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$OneWaySMS.IsDefault = $false
$OneWaySMS.MethodType = "OneWaySMS"
$TwoWayVoiceMobile = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$TwoWayVoiceMobile.IsDefault = $true
$TwoWayVoiceMobile.MethodType = "TwoWayVoiceMobile"
$PhoneAppNotification = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$PhoneAppNotification.IsDefault = $false
$PhoneAppNotification.MethodType = "PhoneAppNotification"
$PhoneAppOTP = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$PhoneAppOTP.IsDefault = $false
$PhoneAppOTP.MethodType = "PhoneAppOTP"
$methods = @($OneWaySMS, $TwoWayVoiceMobile, $PhoneAppNotification, $PhoneAppOTP)

# Set default Strong Authentication Methods for a list of users
# (-ErrorAction belongs to Set-MsolUser inside the script block, not to ForEach-Object)
Import-Csv -Path $UsersCSV | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationMethods $methods -ErrorAction SilentlyContinue }

# Pre-register authentication info for a list of users
Import-Csv -Path $UsersCSV | ForEach-Object { Set-AzureADUser -ObjectId $_.UserPrincipalName -OtherMails $_.OtherMails -Mobile $_.Mobile -TelephoneNumber $_.TelephoneNumber -ErrorAction SilentlyContinue }

Don't lose access to your account!
Hi, I'm a global admin for our tenant and keep getting this when I'm logging in: If I try to enter anything other than my personal email address I get this error message: "Don't use your work or school email address, because you won't have access to it if you forget your password." Is there a way to edit the options? I think I shouldn't have to give my personal email address here.

Does Azure MFA server (on-premise) work with Azure conditional access?
If we wanted to leverage Microsoft conditional access and require MFA for certain conditions, are we required to use the cloud version of Azure MFA? We currently have Azure MFA server on premise, though we haven't deployed it yet. We put it on prem because we want to use it for our VPN as well as for ADFS 3.0, which we use. Thank you

Restrict Global Admin MFA Methods
Is it possible to change the MFA methods specifically for Global Admins so that they differ from the normal user base? What we are looking to do is the following:
- User base - can register MFA by use of SMS, Phone Call, Mobile App, Software/Hardware token (note: I understand that SMS is not a good thing, but at this point in time we are stuck where we are)
- Users with Global Admin - must register and use the Authenticator App as well as a Hardware token to authenticate.
Please let me know if it is even possible to do such a thing, or any recommendations you may have.

Azure Active Directory Premium P1 - Windows 7 - Group Policy
Want to roll out a domain. The customer currently has Office 365 but has mostly Windows 7 Pro machines with some Windows 10 Pro. Does Azure Active Directory Premium P1 support Windows 7, and does it work well for Group Policy, Roaming Profiles etc.? Or do I require:
- 2 x Virtual machines (8Gb RAM, 256 SSD, 4 x Cores)
- 1 x vNet
- 1 x VPN
- Bandwidth for vNet
- Bandwidth for VPN
- VPN Tier 1 for more than 10 sites and 650Gb bandwidth?
Then build VPN tunnels from the sites to the Azure VPN, then set up the servers to be domain controllers. Would like Azure Active Directory Premium P1 if possible, with it offering self-service password resets, MFA etc., but cannot find anything clear on managing the GPOs, Roaming Profiles and Windows 7. Thanks in advance for any advice.

Enable Windows Hello in Hybrid Environment
Hi all, we are planning to enable Windows Hello for our hybrid AD joined devices. I have the below questions around it before proceeding with it. Appreciate anyone's help.
- Is certificate or Cloud Kerberos configuration a must?
- Can't we enable Windows Hello from Microsoft Intune like we do for Azure AD standalone devices?
- Do we need to consider anything important if we go forward with Cloud Kerberos configuration (it seems this is the only method where we don't need a certificate)? Because we have around 20+ domain controllers in our environment, including RODCs.
- Can I please have the pros and cons of enabling Windows Hello for a hybrid environment?
Thanks in advance! Dilan

Conditional Access - Require multi-factor authentication
I have set up Conditional Access for MFA. I'm sure I read somewhere that native mobile apps on Android/iOS are not supported unless the App password option is enabled? We don't have the app password option enabled for legacy apps; however, I'm still able to configure native email apps on devices and access email. Is this a supported feature?

Azure Active Directory Domain Services + Azure Multi-Factor Authentication (MFA) ??
Hi! My scenario: “Azure Active Directory Domain Services” is already set up in Azure. A VM is added to Azure and joined to the Azure AD. On this VM a website is running on IIS that is public facing (443). Users can log on to this with their Azure AD user accounts. All users have “Azure Multi-Factor Authentication” (MFA) enabled in Azure. Now: how can I configure the IIS site to use “Azure Multi-Factor Authentication”? Regards, Pawel