Honestly thought single user MFA was being sacked off.
Great video! Thanks for sharing
Yes please to a conditional access design video. We are just planning out a persona-based approach, as I have seen you use this in other videos.
Working on it!
@ nice one!
Great video as usual! Would certainly be handy to have a deep dive into CA policies, not so much the functionality (though could include that if the video was long enough), but the naming conventions I've seen you use in some videos. It's all too easy to end up with dozens of policies that have an unclear function, particularly when coming into a new tenant that hasn't been well documented.
Second this^
Thanks! ACK on the CA video; will do this in the new year.
Always good to hear another perspective on things. Great vid. Cheers!!
Great video!
I'd add #6 - enforcing a higher auth method before being ready... the number of times I've seen tenants being blocked because someone (def. never me) enforced phishing-resistant methods before the tenant was ready!
I have come across an issue in the past with the last mistake. If you're trusting MFA from other tenants and they use a type of authentication method that you do not allow in your own tenant, this will fail, or at least has failed for us in the past. It will show in the audit logs that the MFA was a success but that the user failed to authenticate, so we ended up removing this option and forcing users to register the auth app when accessing our application.
Great video!🎉
Can you please help me with the following?
We have some users complaining about the fact that the Microsoft Teams, Outlook apps etc. on their smartphones are randomly logged out. I have seen some error codes in Entra like 70045, 500121 and 70044.
I think my users shouldn't get prompted to use MFA when opening these apps on their devices. It's just that when not authenticating, the devices aren't syncing new mail, messages etc.
What is best practice? We are not enforcing app protection policies (yet).
Thinking out loud - what are the Sign In Frequency settings in CA?
@rucam365 Yep, that seemed to be the issue... thanks
Hi Ru, awesome as always! I have a couple of questions though, if I may, on number 5. When you say Guests can only register phishing-resistant MFA in their home tenant and not a target tenant, what is the mechanism that enforces this? Is it UserType = Member? If so, what about External Members? Or, put another way, is it any user that isn't an Internal Member?
Following on from that, what is the expected behaviour for a Guest user who is challenged for phishing-resistant MFA by a target tenant that does trust MFA from other tenants, but the user has not registered any PR-MFA in their home tenant? Is it just a straight block, or do they get redirected to the home tenant to register some?
Great questions. Let me get a video out that deep dives into these.
What auth policies are the safest?
Have an upcoming video explaining each in detail. But if we're talking auth methods, cert-based auth, WHfB, and passkeys (FIDO2) all rank highest, as they are cryptographically enforced, with some nuance and things to consider between them.
@rucam365 thanks, sounds good, and I look forward to upcoming vids. Always looking for new ways to make our Azure 365 environments more secure with the latest stuff.