Improving Security For MFA Approvals – Number Matching

Rolling out in November 2021 is a new feature – that of requiring the user to enter a number rather than just click approve on the MFA prompt. This update to Azure AD requires the use of Push Notifications and therefore requires the use of the Microsoft Authenticator app. It also requires that MFA is… Continue reading Improving Security For MFA Approvals – Number Matching

Adding Location To Azure AD MFA

This Azure AD feature is something that a number of other Multi-Factor Authentication providers have already implemented – that of showing the location of the user login (and the app in use) on the MFA prompt. This feature rolled out to Azure AD in mid November 2021 in preview – so use in non-production tenants… Continue reading Adding Location To Azure AD MFA

Azure AD Consent For Zoom App Not Applying

This is a issue where you enabled Admin Approved Consent in Azure AD (as you should) and you require apps that have high data access rights to be approved. The Zoom add-in/desktop app falls into this category as it requires write access to your calendar and your contacts in Exchange Online. But if you set… Continue reading Azure AD Consent For Zoom App Not Applying

Why Do Comments In Microsoft 365 Planner Disappear?

So first you need an Exchange Online mailbox for comments to work. Comments to the tasks of Plans are stored in the Microsoft 365 Group mailbox, and you need an Exchange Online mailbox to access the M365 Group mailbox. Behind the scenes, or actually not that behind the scenes, the process for comments is as… Continue reading Why Do Comments In Microsoft 365 Planner Disappear?

MFA, Admin Roles and AADConnect Sync Failures

Come Feb 29th 2020 and Microsoft are turning off the baseline security policies. If you used these policies to do MFA for all admins (as that was an easy way to achieve this), then a replacement Conditional Access rule might cause errors with AADConnect. The reason being is that you could create a new Conditional… Continue reading MFA, Admin Roles and AADConnect Sync Failures

Baseline Policy Replacements: Conditional Access MFA for Administrators

From Feb 29th 2020 Microsoft will remove the “baseline policies” from Azure AD. These were very useful in the past to enable blanket settings like MFA for all admin accounts (well, selected admin roles) and to disable legacy auth for the same admin roles. With the removal of the baseline policies you need to ensure… Continue reading Baseline Policy Replacements: Conditional Access MFA for Administrators

MFA and End User Impacts

This article will look at the various different MFA settings found in Azure AD (which controls MFA for Office 365 and other SaaS services) and how those decisions impact users. There is lots on the internet on enabling MFA, and lots on what that looks like for the user – but nothing I could see… Continue reading MFA and End User Impacts

Getting Rid of Passwords in Azure AD / Office 365

This article is based on the public preview of the use of hardware tokens/Microsoft Authenticator to do sign-in without passwords released in July 2019 Using Microsoft Authenticator for Passwordless Sign-in You used to be able to do this by running the following in PowerShell for the last few years New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition ‘{“AuthenticatorAppSignInPolicy”:{“Enabled”:true}}’ -isOrganizationDefault… Continue reading Getting Rid of Passwords in Azure AD / Office 365

Decommission ADFS When Moving To Azure AD Based Authentication

I am doing a number of ADFS to Azure AD based authentication projects, where authentication is moved to Password Hash Sync + SSO or Pass Through Auth + SSO. Once that part of the project is complete it is time to decommission the ADFS and WAP servers. This guide is for Windows 2012 R2 installations… Continue reading Decommission ADFS When Moving To Azure AD Based Authentication

Hardware Tokens for Office 365 and Azure AD Services Without Azure AD P1 Licences

A recent update to Azure AD Premium 1 (P1) licence has been the use of hardware tokens for multi-factor authentication (MFA). This is excellent news if your MFA deployment is stuck because users cannot use phones on the shop floor or work environment or they do not want to use personal devices for work activities.… Continue reading Hardware Tokens for Office 365 and Azure AD Services Without Azure AD P1 Licences

Token2 Hardware OAuth Tokens and Azure AD Access

This blog post walks through the process of logging into Azure AD resources (Office 365, other SaaS applications registered in Azure AD and on-premises applications that utilise Azure AD App Proxy). First step is to order your desired hardware. For this article we are looking at the devices manufactured by Token2 (www.token2.com). These include credit… Continue reading Token2 Hardware OAuth Tokens and Azure AD Access

Improving Password Security In the Cloud and On-Premises

Passwords are well known to be generally insecure the way users create them. They don’t like “complex” passwords such as p9Y8Li!uk%al and so if they are forced to create a “complex” password due to a policy in say Active Directory, or because their password has expired and they need to generate a new one, they… Continue reading Improving Password Security In the Cloud and On-Premises

Azure AD Single Sign-On Basic Auth Popup

When configuring Azure AD SSO as part of Pass-Through Authentication (PTA) or with Password Hash Authentication (PHA) you need now (since March 2018) to only configure a single URL in the Intranet Zone in Windows. That URL is https://autologon.microsoftazuread-sso.com and this can be rolled out as a registry preference via Group Policy. Before March 2018… Continue reading Azure AD Single Sign-On Basic Auth Popup

Configuring Hybrid Device Join On Active Directory with SSO

The instructions from Microsoft at https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup are missing some of the steps on setting up hybrid device join to Azure AD. This is a complete list of steps when Pass-Thru auth with SSO is enabled on the domain. Enable SSO – this is covered elsewhere. You can also do hybrid device join on a federated… Continue reading Configuring Hybrid Device Join On Active Directory with SSO

OWA and Conditional Access: Inconsistent Error Reports

Here is a good error message. Its good, because I could not find any references to it on Google and the fault was nothing to do with the error message: The error says “something went wrong” and “Ref A: a long string of Hex Ref B: AMSEDGE0319 Ref C: Date Time”. The server name in… Continue reading OWA and Conditional Access: Inconsistent Error Reports