security
153 Topics

Add filters/ grouping to microsoft authenticator app accounts
Hello! Hope you are all well! I would like to see filters of personal/ Work and school accounts or by domain. Or even the ability to organise accounts manually into groups. Currently I have a long list of personal accounts and work accounts.

Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC
Hello, I have an activity alert set up to email me whenever a log in is detected from one of my 12 Office 365 email users. These emails contain the username logging in and the IP address the log in originated from. Until the end of 2019, all IP addresses were expected, either being that of the office, the Vodafone mobile network or the home addresses of the sales guys. In 2020, I have started getting log in alerts which, according to https://whatismyipaddress.com/, are from Microsoft Datacentres in Ireland, Holland and Austria, all with "Microsoft Corporation" as the ISP and sometimes with the same for the Organisation and sometimes with "Microsoft Azure", e.g. 40.101.88.221 (Amsterdam), 40.101.102.149 (Dublin). Worried about potential breaches, I contacted Microsoft Support (who by the way are always ON IT, thank you) who helped me find info in the audit log to say the User Agent is BAV2ROPC, which led me to this page https://www.reddit.com/r/Office365/comments/bl90gw/bav2ropc_user_agent_in_logs/ where someone's found it means "Business Apps v2 Resource Owner Password Credential", which is apparently the User Agent for an updated version of Outlook Mobile. I have a couple of questions / observations and wondered if anyone could shed any light on this.
1) My users don't know their passwords so it's highly unlikely they've been phished, so I don't think these are breaches.
2) My email account has triggered log ins from Microsoft IP addresses, and I have 2 factor authentication turned on where I receive a text message code to my mobile. I have not received texts in relation to these logins, so again I don't think it's a breach.
3) I don't use Microsoft Outlook on my mobile, so don't think I'd be generating this BAV2ROPC user agent (but I am on the Activity Alerts).
4) If it was a device I was using causing this user agent, why aren't the Activity Alerts logging my IP address from my device's location?
5) My account is used to sign in programmatically in a piece of software I wrote, so that could explain it for my account, but I'm also getting alerts for users who only access their email on their Android phone in the built-in email app.
6) The frequency I'm receiving Activity Alerts from Microsoft IP addresses is increasing. I get a few a day now.
In summary, I don't think there's anything untoward going on, but as a responsible admin, I'd like to understand exactly what's occurring. Many thanks, Dave

Preview of Azure AD Conditional Access Policies for devices, users and applications
The folks at the Microsoft identity division have just released the preview of Azure AD Conditional Access Policies for devices, users and applications in protecting the resource - this includes Office 365! More details on this new feature in the link below. https://techchirag.com/2016/08/10/preview-of-azuread-conditional-access-policies-for-devices-users-and-applications-office365/

Office 365 Admin Role Needed for MFA
I would like to assign members of the help desk access to manage MFA for non-admin users. I already assigned the Authentication admin role and this partially works. Right now the help desk can go into AAD, switch to Authentication methods and do everything that is needed there. However, as a Global Admin from the Microsoft 365 admin center I can see Users > Active Users > Multi-Factor Authentication and I can manage multifactor authentication from the user itself. These options are not available for the help desk. Is there another role that I can use to grant access to the legacy MFA management portal?

Do you have to buy Premium P2 for every licensed user to use Privileged Identity Management
Do you have to buy Active Directory Premium P2 for every licensed user in your tenant to use Privileged Identity Management, or can you just purchase it for the admin accounts you want to manage? $8 a month for every user is steep if you just want to control admin access, but not too bad if we just had it on our admin users.

Changes to authentication requirements for the Office 365 home page
Hi All, we're making some changes to the authentication flow for the Office 365 home page. Beginning August 9, accessing the authenticated Office 365 home page (either through https://portal.office.com or https://www.office.com) will require that your users satisfy the Azure Active Directory Premium Conditional Access policies that you have applied to either Exchange Online or SharePoint Online. After this change, users who do not satisfy your policies will be unable to authenticate to the Office 365 home page. Other web links on the portal.office.com domain, but with a different URL path, will be unaffected. If you have users who don't satisfy these policies but still need to install the desktop Office apps from the home page, they will need to install the Office apps directly from http://aka.ms/office-install. Otherwise, no immediate action is required. For more information visit Office 365 Support. + David Annesley-DeWinter

Enforce MFA to external users
Is there any news on enforcing MFA for O365 external users when they access externally shared SPO sites? Right now the challenge is we cannot enforce MFA on external users, and MFA can be enabled only for licensed users. Azure B2B is in public preview but I am assuming that this capability will be available as part of Azure B2B GA as mentioned in the current limitation here. So the question is, if it is enabled, will it also be applicable for the normal external sharing scenario (with Azure B2B)?

Office 365 MFA with Azure AD Sync Tool Service Account
We have recently started looking at the security state of our O365 tenant with the Secure Score tool (https://securescore.office.com). One of the suggestions to raise the score is to enable MFA for all Global Admin accounts. However, the Azure AD sync tool has a user/service account that requires the Global Admin role to be assigned to it (as noted in the first referenced link below). Additionally, other Office 365 admin roles are not permitted the directory sync access (as noted in the second link below). Seeing as how the sync is an automated process, there is no way that I know of to build approving a login with MFA. I have been unable to locate any articles around the Azure AD sync tool, nor a way to add an exception to the Secure Score portal for this user account. Has anyone come across a solution for either adding MFA to a service account or creating an exception for a service account in the Secure Score? AAD Connect Permissions AAD Administrator Roles

Poll: Multi-Factor Authentication Usage
Hi folks, I'm running a quick 2-question poll on MFA usage for Office 365. If you can spare a minute to contribute your answers that would be very much appreciated. https://www.surveymonkey.com/r/DPQDKHB If I get a good response I'll share the results in the near future as well, as I'm sure it will be of interest to many people.

Exclude Microsoft first party applications in Azure conditional access policy
We have an app built on the Microsoft Graph resource and we have a conditional access policy that targets all cloud apps. When users sign into this app using the Chrome browser on iOS they get an error and a prompt to use Edge. We do not want users to change the browser and tried to exclude Microsoft Graph from the CA policy using all options including the API, but it fails with the below error. Policy contains invalid applications: unsupported firstpartyapplication. Is there a way to exclude Microsoft Graph from the policy?