Being the very green admin in my own small company, this was exactly what I was looking for. I’ve spent over a day looking at 20+ Microsoft KB articles that have sent me round and round in circles, yet you’ve just nailed in 30 minutes.
Thank you - subscribed!
I appreciate that you do these videos in such a clear and concise manner. Without your explanations and examples, I would be lost! Thank You!!!
You're very welcome!
Epic! Another quality video. Not all heroes wear capes.
Always great to consume your thorough and impeccably produced vids. Thanks!
Yet another rocking one from the Bearded guy! Thanks and appreciated!
Nice one Jonathan, thanks for sharing!
One of your best videos hands down. We implement Yubi for all our clients admin/break accounts and FIN employees. It's the way to go.
@@justepic7029 Thanks, I am pleased you found value!
Pssst, Jonathan, it’s “deprecated”, not “depreciated.” Subtle difference in spelling but quite different meanings.
@@thesimpsoid This is true.
Useful and very informative, thanks Jonathan.
As usual. Great Video!!! Thanks Bro.
Hey, what happened to existing methods from legacy? Do users need to register with MFA again? Any prompts to users?
@@DaysofIresh Users won’t have to do anything if you enable the right settings in the new policy.
@@bearded365guy So this is just about management of MFA for users and the availability of the various types of MFA rather than making any changes to each MFA type?
Great videos mate - I just subscribed - learning heaps, especially with the security side of things :)
Hello Jonathan, I do not see your Enable Authenticator MFA YouTube video anywhere; did you remove it?
Hey, what about App Passwords? I need those for my printers. Cannot find anything in the migration documentation.
App passwords are getting deprecated.
If it’s for scan-to-email purposes, most places have moved to SMTP relay providers.
@@eointhomas2914 Exactly, we are using them for scan-to-mail purposes. Do you have any proper guide for implementing this apart from the MS documentation?
@@eointhomas2914 Any guide to implement SMTP relay for scan-to-mail purposes would be appreciated. Thanks
@@eointhomas2914 Or you can use an Exchange Connector.
Brilliant!
Awesome
So you disabled SSPR -- so that means users can't reset their own password now?
@@iamweave No, they can. It’s all done with MFA registration.
Hi Jonathan, awesome video! Thanks a lot! Quick question: if the break-glass account should be protected with MFA (in this case using the YubiKey), what will trigger it if we are excluding it in all the Conditional Access policies? Thanks
Interesting question! MFA authentication method policies do not in and of themselves mandate MFA-based authentication, they simply offer MFA options to the targeted group. If a breakglass account was excluded from policies mandating MFA for access, I suspect they wouldn't even be challenged for MFA, meaning that privileged access accounts would be left unprotected i.e. username and password only. Once the tenant has fully migrated to 'new MFA', the old 'per-user MFA' would be defunct. The only other method would be to enable 'security defaults' but this is not recommended for tenants using conditional access. I guess you would have to create a conditional access policy specifically targeted to the breakglass accounts mandating the phishing resistant authentication strength.
@@davidadams421 Thank you for taking the time to answer my question. Happy new year!
Thank you!
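Editor's added example (not code from the video or from anyone in this thread): the Conditional Access policy the reply above describes, built with the Microsoft Graph PowerShell SDK. It targets only the break-glass accounts, requires the built-in "Phishing-resistant MFA" authentication strength (FIDO2 security key, passkey, Windows Hello for Business or certificate-based authentication), and then checks that every other enabled policy still excludes those accounts. The user object ID is a placeholder, and the policy is created in report-only mode on purpose.

```powershell
# Added example; editor's code, not from the video or the comment thread.
# Assumptions: the object ID below is a placeholder, the break-glass account
# already has a FIDO2 key registered, and the policy starts in report-only mode.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassUserIds = @(
    '11111111-1111-1111-1111-111111111111'   # placeholder: break-glass account object ID
)

# Well-known ID of the built-in "Phishing-resistant MFA" authentication strength
$phishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'

$policy = @{
    displayName   = 'Break-glass accounts: require phishing-resistant MFA'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' once the sign-in logs look right
    conditions    = @{
        users          = @{ includeUsers = $breakGlassUserIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: every other enabled policy should still exclude the break-glass accounts
# (by direct user exclusion; group-based exclusions are not expanded here), so that
# the policy just created is the only one that can ever block them.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Id -ne $created.Id -and $_.State -eq 'enabled' } |
    ForEach-Object {
        $excluded = @($_.Conditions.Users.ExcludeUsers)
        [pscustomobject]@{
            Policy             = $_.DisplayName
            ExcludesBreakGlass = -not ($breakGlassUserIds | Where-Object { $excluded -notcontains $_ })
        }
    } | Format-Table -AutoSize
```

Leave the policy in report-only mode and sign in with the second break-glass account until the sign-in logs show the authentication strength being satisfied; an enforced phishing-resistant requirement on an account with no registered key is a lockout, not a control. Keep at least two registered keys for each break-glass account in separate secure locations, and re-run the exclusion check whenever a new Conditional Access policy is added.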
Hi, my question is why did you have to disable SSPR? Can I follow the guide skipping the SSPR part? Would it still work well?
This seems to be something that is not really documented well. The migration process won’t complete unless you uncheck all methods in SSPR. This doesn’t disable SSPR as the enablement scoping is on a different page. From what I can tell, once this is done, you can no longer require two methods to reset or unlock your account. It will only use your primary method and not enforce a second method. MS should be more clear on this as companies have two methods set in the legacy settings.
This migration is just about: (1) having one set of MFA requirements, instead of two (authentication & password reset) and (2) enabling modern authentication methods e.g. passkeys. If SSPR is enabled, it will still be enabled - no change.
Jonathan, thank you very much for such a needed video. My biggest problem after this is configuring legacy MFC printers to do scan-to-email, and unattended remote support of clients who have enabled MFA. I need to be interacting with the client so that he provides either the SMS code or approves it with his authenticator app. I can't figure out how to do unattended remote support, i.e. after hours, to install apps, run diagnostics etc. All my clients don't want to pay for Microsoft 365 Business Premium; they only use Microsoft 365 Business Standard. Thanks and regards. Alfred
Scan-to-email - use an Exchange Connector instead of SMTP to effectively bypass MFA; the connector immediately accepts the incoming email based on its IP or certificate. There's a Microsoft Learn article all about this. Out-of-hours sign-in - enable Web Sign-In and use Temporary Access Passes. If you don't have the ability to deploy configuration policies, you'll have to manually enable Web Sign-In e.g. local GPO or Registry. Once enabled, create a TAP in Entra for the user; next time that user tries to sign in, i.e. you, after hours, they'll (you'll) be asked for the TAP. TAP is considered by Microsoft to be an MFA sign-in method. Note: TAPs can also be used during Windows Setup, i.e. you can pre-configure a user's laptop.
Thank you so much !!!!!!!!!!
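Editor's added example (not code from the video or from anyone in this thread): the Temporary Access Pass step from the reply above, done with the Microsoft Graph PowerShell SDK. It clears any TAP the user already holds (a user can have only one at a time), issues a single-use pass with a one-hour lifetime, and prints the window in which it is valid. It assumes TAP is enabled and targeted to the user in the Authentication methods policy, that Web Sign-In is already enabled on the device as described above, and that the UPN is a placeholder.

```powershell
# Added example; editor's code, not from the video or the comment thread.
# Assumptions: the TAP method is enabled for this user in the tenant's
# Authentication methods policy, and the UPN below is a placeholder.

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$userUpn = 'alice@contoso.example'   # placeholder

# A user can hold only one TAP at a time; remove a stale one before issuing a new one.
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn |
    ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
    }

$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn -BodyParameter @{
    lifetimeInMinutes = 60      # must fall inside the min/max the tenant's TAP policy allows
    isUsableOnce      = $true   # consumed by the first successful sign-in, so it cannot be replayed
}

# Hand the value over out of band (phone call, password-manager share), never by
# e-mail to the mailbox the pass unlocks.
[pscustomobject]@{
    User       = $userUpn
    Pass       = $tap.TemporaryAccessPass
    ValidFrom  = $tap.StartDateTime
    ValidUntil = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    SingleUse  = $tap.IsUsableOnce
}
```

One caveat worth keeping in mind: because a TAP satisfies MFA, whoever holds it can also register new authentication methods on the account during its lifetime. Keep the lifetime short, prefer single-use, and check the user's registered methods afterwards if the pass was handled by anyone other than the technician who needed it.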
Thanks Jonathan, finger on the pulse as always. Our Global Admin accounts for all customers are all Software OATH tokens. I read that this is not accepted as a first factor authentication method. Not sure if we need to change anything?
OATH tokens are not first-factor authentication methods. Before you can enter an OATH token, you must first enter your username and password (first factor), then the token (second factor): something you know, something you have. And if you have multiple second-factor authentication methods available, this is multi-factor authentication. AFAIK, OATH tokens are still an acceptable modern security standard.
I'm loving this. One question. What's the difference between when the authenticator gives you two numbers to select on your phone and the other one where you have to type in 6 numbers on your PC? What is the official name for each and which is better?
The former is known as 'Push Notification Authentication' e.g. Microsoft Authenticator; the latter is known as OATH TOTP (Initiative for Open Authentication Time-based One-Time Passcode) e.g. Google Authenticator.
Agreed, @14:36, Ian is definitely the problem. Have you considered other options for Ian? Like a visit from Joe Pesci, to help understand what it is he does here?
@@lee161a We’ve got a problem with Ian. It’s not going to end well for Ian.
For anybody confused, you will not have most of these options if you do not have the correct licensing.
Nice video as always. For Windows there is "Windows For Hello", for Mac there is "Platform SSO"; what about for Linux? Does anyone know of similar solutions for Linux?
Hi Jonathan. I created an exclusion group for admins and added it to the Conditional Access policy "Require multifactor authentication for admins", but it does not apply; I do not get any MFA prompt. If I remove the group and sign in as an individual admin, I do get prompted for MFA. If I do a What If, it shows the policy will not apply and shows users and groups as the reason why:
Policy name: Require multifactor authentication for admins
Reasons why this policy will not apply: Users and groups
State: On
Any help would be appreciated.
extremely early
@@martiniproductions185 It’s never too early.
😂🎉