Why Your Entra ID MFA Is Failing You [5 Major Pitfalls]

  • Published 23 Dec 2024

COMMENTS • 18

  • @danpowell7421 18 days ago +2

    Honestly thought single user MFA was being sacked off.
    Great video! Thanks for sharing

  • @davidthornton2788 16 days ago +3

    Yes please to a conditional access design video. We are just planning out a persona-based approach, as I have seen you use this in other videos.

  • @RichardAdams-l5d 19 days ago +4

    Great video as usual! Would certainly be handy to have a deep dive into CA policies, not so much the functionality (though could include that if the video was long enough), but the naming conventions I've seen you use in some videos. It's all too easy to end up with dozens of policies that have an unclear function, particularly when coming into a new tenant that hasn't been well documented.

    • @ifbootfitz 18 days ago

      Second this^

    • @rucam365 10 days ago +1

      Thanks! ACK on the CA video; will do this in the new year.

  • @davidlewis4546 18 days ago +1

    Always good to hear another perspective on things. Great vid. Cheers!!

  • @SebastianMarkdanner 19 days ago +2

    Great video!
    I'd add #6 - enforcing higher Auth method before being ready... the number of times I've seen tenants being blocked because someone (def. never me) enforced Phishing resistant methods before the tenant was ready!

  • @SamCrome-n6m 16 days ago +1

    I have come across an issue in the past with the last mistake. If you're trusting MFA from other tenants and they have a type of authentication method used that you do not allow in your own tenant this will fail, or at least has failed for us in the past. It will show in the audit logs that the MFA was a success but that the user failed to authenticate so we ended up removing this option and forcing users to register the auth app when accessing our application.

  • @patrick__007 18 days ago +1

    Great video!🎉
    Can you please help me with the following?
    We have some users having complaints about the fact that the Microsoft Teams, Outlook apps etc. on their smartphones are randomly logged out. I have seen some error codes in Entra like 70045, 500121 and 70044.
    I think my users shouldn't get prompted to use MFA when opening these apps on their devices. It's just that when not authenticating, the devices aren't syncing new mail, messages etc.
    What is best practice? We are not enforcing app protection policies (yet).

    • @rucam365 10 days ago

      Thinking out loud - what are the Sign In Frequency settings in CA?

    • @patrick__007 10 days ago +1

      @rucam365 Yep, that seemed to be the issue... thanks
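The thread above traces the random mobile sign-outs to the Sign-in Frequency session control in Conditional Access. The following is an added audit script, not code from the video or its author: it takes an exported list of Conditional Access policies and reports every enabled policy that enforces a sign-in frequency, how often it forces re-authentication, and whether it reaches mobile and desktop clients for all users. The input shape is assumed to follow the Microsoft Graph `conditionalAccessPolicy` resource (`sessionControls.signInFrequency`, `conditions.clientAppTypes`, `conditions.users.includeUsers`); the two sample policies, their names and GUIDs are constructed, and the 24-hour review threshold is an arbitrary choice for this example.

```python
import json
from typing import Any, Optional

# Constructed sample export, shaped like Graph's conditionalAccessPolicy objects
# (assumption about the export format; every name and value here is made up).
SAMPLE_POLICIES_JSON = """
[
  {
    "displayName": "CA001-All-Users-Require-MFA",
    "state": "enabled",
    "conditions": {
      "users": {"includeUsers": ["All"], "excludeUsers": []},
      "applications": {"includeApplications": ["All"]},
      "clientAppTypes": ["all"]
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {"signInFrequency": null}
  },
  {
    "displayName": "CA010-Mobile-SignInFrequency-4h",
    "state": "enabled",
    "conditions": {
      "users": {"includeUsers": ["All"], "excludeUsers": ["00000000-0000-0000-0000-00000000beef"]},
      "applications": {"includeApplications": ["All"]},
      "clientAppTypes": ["mobileAppsAndDesktopClients"],
      "platforms": {"includePlatforms": ["iOS", "android"]}
    },
    "grantControls": null,
    "sessionControls": {
      "signInFrequency": {
        "isEnabled": true, "type": "hours", "value": 4,
        "frequencyInterval": "timeBased",
        "authenticationType": "primaryAndSecondaryAuthentication"
      }
    }
  }
]
"""

# Client app types that cover native mobile/desktop clients such as Teams and Outlook.
MOBILE_CLIENT_TYPES = {"all", "mobileAppsAndDesktopClients"}


def load_sample_policies() -> list[dict[str, Any]]:
    """Parse the constructed sample export."""
    return json.loads(SAMPLE_POLICIES_JSON)


def interval_hours(sif: dict[str, Any]) -> Optional[float]:
    """Convert a signInFrequency block to hours; 0 means 'every time', None if not time-based."""
    if sif.get("frequencyInterval") == "everyTime":
        return 0.0
    value, unit = sif.get("value"), sif.get("type")
    if value is None or unit not in ("hours", "days"):
        return None
    return float(value) * (24.0 if unit == "days" else 1.0)


def audit_sign_in_frequency(policies: list[dict[str, Any]],
                            review_threshold_hours: float = 24.0) -> list[dict[str, Any]]:
    """Return one finding per enabled policy that enforces a sign-in frequency.

    A finding is marked needs_review when the re-auth interval is at or below the
    threshold, the policy reaches mobile/desktop clients, and it targets all users:
    that combination is what produces the 'randomly logged out' symptom on phones.
    """
    findings = []
    for policy in policies:
        sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
        if policy.get("state") != "enabled" or not sif.get("isEnabled"):
            continue
        cond = policy.get("conditions") or {}
        client_apps = set(cond.get("clientAppTypes") or [])
        hits_mobile = bool(client_apps & MOBILE_CLIENT_TYPES)
        all_users = "All" in ((cond.get("users") or {}).get("includeUsers") or [])
        hours = interval_hours(sif)
        findings.append({
            "policy": policy.get("displayName", "<unnamed>"),
            "interval_hours": hours,
            "hits_mobile": hits_mobile,
            "all_users": all_users,
            "needs_review": hours is not None and hours <= review_threshold_hours
                            and hits_mobile and all_users,
        })
    return findings


if __name__ == "__main__":
    for f in audit_sign_in_frequency(load_sample_policies()):
        flag = "REVIEW" if f["needs_review"] else "ok"
        print(f"[{flag}] {f['policy']}: every {f['interval_hours']}h, "
              f"mobile={f['hits_mobile']}, all_users={f['all_users']}")
```

To run it against a real tenant, replace the constructed JSON with the output of a Graph export of your policies and raise or lower the threshold to match the sign-in frequency your organisation actually intends; the script only reads the export and changes nothing.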

  • @patrickhorne3045 19 days ago +1

    Hi Ru, awesome as always! I have a couple of questions though, if I may, on number 5. When you say Guests can only register phishing-resistant MFA in their home tenant and not a target tenant, what is the mechanism that enforces this? Is it UserType = Member? If so, what about External Members? Or, put another way, is it any user that isn't an Internal Member?
    Following on from that, what is the expected behaviour for a Guest user who is challenged for Phishing Resistant MFA by a Target tenant that does trust MFA from other tenants, but the user has not registered any PR-MFA in their home tenant? Is it just a straight block? Or do they get redirected to the home tenant to register some?

    • @rucam365 10 days ago +1

      Great questions. Let me get a video out that deep dives into these.

  • @sunnykgaming2541 19 days ago +1

    What auth policies are the safest?

    • @rucam365 10 days ago

      Have an upcoming video explaining each in detail. But if we’re talking auth methods, cert based auth, WHfB, and passkeys (FIDO2) all rank highest, as they are cryptographically enforced, with some nuance and things to consider between them.

    • @sunnykgaming2541 9 days ago

      @rucam365 Thanks, sounds good, and I look forward to upcoming vids. Always looking for new ways to make our Azure 365 environments more secure with the latest stuff.