Passwords
10 Topics

Challenges with New MFA and SSPR Policies: Need Guidance
I am currently transitioning our Self-Service Password Reset (SSPR) and Multi-Factor Authentication (MFA) to the new Authentication Methods policy, moving away from legacy policies. However, the lack of clarity on which methods are compatible with both scenarios is quite frustrating, and I wonder if I might be missing something. Our goal is to exclusively use the Authenticator app and security keys for both MFA and SSPR, eliminating all other methods. Additionally, we want to maintain the requirement of two methods (Authenticator app and security key) for password changes. We are in the process of distributing security keys to all staff. The issue I’m encountering is that while Microsoft promotes this new portal as a unified solution for both MFA and SSPR, not all methods are supported across both. Specifically, the security key does not currently work for SSPR. If I am unable to use the security key for SSPR and must resort to a less secure second method, I would at least like to disable that less secure method for MFA. However, it seems there is no way to configure this in the policy. Am I on the right track here? I am aware that Authentication Strengths can be configured—perhaps this is where I should focus? Any advice or discussion would be greatly appreciated.
278 Views, 0 likes, 2 Comments

Account Hacked
Hello Community,
My account has been hacked, copied and/or duplicated with some other account as I was originally Sids1 with this email for more than 6 months now and this has changed somehow. It's very concerning to me since I also found some other person named Siddhartha when I was logging into my account. I reported that to the Microsoft Account Team but have not received any replies yet. Please suggest anything that can be done to catch this hacker who is stealing my identity to and fro.
Best Regards
Siddhartha Sharma
Solved, 695 Views, 1 like, 3 Comments

Problem signing in on a new phone with a company email account
Good morning,
I have a problem: I replaced my old iPhone with a newer model, and after transferring all the data to the new phone I deleted all the data from the old iPhone and reset it. However, when I tried to sign in to the Outlook mail app on the new phone, I got a message asking me to approve the sign-in request with the number "33". I cannot confirm this number on the old phone because there is nothing left on it. Please tell me what I should do in this situation.
P.S. I tried through the Authenticator app, signing in to the app with my personal email, and after signing in I wanted to add the work account, but once again a message appears about confirming the sign-in on the mobile device ...
236 Views, 0 likes, 0 Comments

Password-less authentication using One-time passcode from Microsoft Authenticator App.
Recently one of my users was in an Internet-restricted zone, and when he tried to sign in with the passwordless method, he didn't get the code because there was no internet on his mobile; in addition to this, he forgot the user sign-in password. Is there any method or way to set this up so that we can sign in using the 6-digit Microsoft Authenticator app code instead of the push notification and password?
5.7K Views, 0 likes, 2 Comments

Windows Hello for Business Configuration Issue with multiple Devices
Hello everyone,
We are currently facing an issue with our Windows Hello for Business configuration for Multiple Users/Devices, and I'd like to seek your assistance and insights on this matter. We've implemented Windows Hello for Business through Group Policy (User Configuration) and deployed it within our User Organizational Unit (OU). Initially, everything seemed to be working seamlessly. Users were able to log in to their devices, set up Windows Hello for Business, and use it without any problems. However, a problem arises when the same user attempts to log in from another device. Ideally, we expect the same behavior, where the user gets the Windows Hello configuration, successfully sets up their PIN, and can use it for subsequent logins. However, after a reboot, the user is prompted to log in with their password only, and the Windows Hello Sign-in option does not appear. What's even more concerning is that this issue has now started affecting the user's ability to log in with a PIN on their initial device as well. We would greatly appreciate your insights and suggestions on how to troubleshoot and resolve this issue. If anyone has encountered a similar situation or has any guidance on resolving Windows Hello for Business configuration problems, please share your expertise. Thank you in advance for your assistance.
Best regards,
Rashad Bakirov
652 Views, 0 likes, 0 Comments

Self Service Password Reset for trusted domain
Hi,
I manage a self-contained Forest/Domain in Geo1 which has a two-way AD trust with our parent company in Geo2. The Geo1 domain sits in the Geo2 owned and maintained Azure/M365 tenant. SSPR is selectively enabled in Azure by way of a Domain Local AD group into which all required AD groups from other business units within the organisation are nested, and this works fine for users in Geo1 (all users in Geo1 are in domains which are in the same AD forest as the parent organisation). A Domain Global AD group from Geo2 has also been nested in Geo1's Domain Local Group so, in theory, SSPR should be available to Geo2 users, but it isn't working (we see a message on the SSPR page stating that SSPR 'isn't available for this user'). The Geo2 forest syncs to the Geo1 managed Azure AD via AAD connectors located in Geo1's data centres. I can see our users in the Azure Portal and have access to all permitted M365 apps such as Exchange Online, SharePoint et al. All users have either E3 or E5 licenses. Can anyone suggest a reason why SSPR isn't working for the Geo1 users or maybe point me to any documentation which might deal with this particular scenario?
Regards
Paul
1.2K Views, 0 likes, 1 Comment

AzureAD Joined Device and onprem w/ PIN
I am working on a scenario where we want to move to Azure ADDS; we still have some need for LDAP/S, Unix, etc. but want on-prem to go away. Endpoints are already Azure AD Joined to the 365 Tenant. Tenant is in sync with on-prem w/ Azure AD Connect w/ password hash as well... Here is where it gets fun... An endpoint with password login has no problem accessing the on-prem file server, but as you know Azure Joined Devices force PIN enrollment and default to it. When a user logs in with a PIN, I get a cred prompt... Eventually this box will go to Azure, but I suspect this will occur when it gets out there also... I have attempted AzureAdKerberosServer, one-way trust with AADDS/Local and the domain certificate avenue, no love... Has anyone gone down this rabbit hole?
2.7K Views, 0 likes, 3 Comments

Outlook 365 constantly asking for password authentication
All,
For the last month or more, Outlook constantly asks me for my email password for 2 different email providers. This is not happening on my iPhone nor MacBook. I have read dozens of posts to resolve this issue and nothing works. I deleted Office365 and re-installed. Still problems. This is really frustrating. Does anyone have a REAL solution?
5.3K Views, 0 likes, 2 Comments

Frequent Account lockouts
We have pass-through authentication set up and we have seen a lot of errors recently with the below process:

Process Information:
Caller Process ID: 0x8e4
Caller Process Name: C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe

Users are getting locked out too frequently. The auditing software points to the server where AD Connect is installed. I am not sure why this is happening but need your advice and suggestions please. Thank you all.
1.1K Views, 0 likes, 0 Comments

Generate 2 part / split password for break-glass account
Am planning to configure break-glass / emergency accounts for Azure AD. However, need some help in order to create / generate split passwords (2) for one emergency account which can further be sent to the custodians. So, the scenario is: there will be a break-glass account whose password should be split in 2 parts. Each part is sent to each custodian. Now, is there any tool or script which can do this so that the person executing the script is also unaware of the split password? Thanks.
1.6K Views, 0 likes, 0 Comments