New Azure AD documentation homepage and identity blog home


Searching for the right documentation on topics related to Azure Active Directory?

Just check out the new Azure Active Directory Documentation Homepage



To stay up to date with new announcements related to identity management, don’t forget that the Identity Blog has moved to a new location at TechCommunity.



Azure AD: Identity Secure Score (Preview) available

When you go to the Azure Portal and navigate to Azure Active Directory, you will see a new menu called “Identity Secure Score (preview)”.

You may already know the Office 365 Secure Score, but the new Identity Secure Score is scoped to identity-related aspects only.




The Identity Secure Score gives you an overview of your current identity security posture and makes suggestions on how to improve security for your Azure AD tenant, while showing the user impact and implementation cost of each suggestion.

Documentation is available here:

This is what it looks like:


In my tenant some of the improvements are shown in German, while my portal settings are English. I think that will be fixed shortly.

Force Azure MFA registration without enabling MFA on the user

While Azure MFA has many good capabilities, there is currently one thing you cannot do, which may be important for some customers; in fact I have already heard that from them.

The missing part is the ability to ONLY force the user to register for Azure MFA, without enabling it on the whole account for every login.

OK, OK, it’s not 100% true, as you can purchase an Azure AD Premium P2 license and use Identity Protection to force registration only. But certainly no customer wants to buy P2 just for that particular feature, as it might be very expensive depending on the number of users you have.



But now, or to be correct, in the near future, there is a new way to do so. The solution is the new converged experience for Azure MFA and SSPR (Self-Service Password Reset), currently in an opt-in public preview.

Here is how I did it:

Continue reading “Force Azure MFA registration without enabling MFA on the user”

(Bulk) pre-register MFA for users without enabling MFA on the account

One of the security challenges when using Azure MFA in combination with Conditional Access is that MFA registration only occurs when the user accesses a protected application for the first time.

But sometimes that might not happen for days or even months, for example if Conditional Access only requires MFA when the user is outside the corporate network, or if the application is used very rarely.

In the meantime, if that user’s credentials are leaked, it is possible for an attacker to complete the MFA setup instead of the intended user.

For that reason some companies prefer to pre-enroll or pre-register their users when their account is created in Azure AD. But what should not happen is that we enable Azure MFA on the user’s account; we just want to pre-populate one or two authentication methods (the mobile phone number, in fact).

But how can we do that?

Continue reading “(Bulk) pre-register MFA for users without enabling MFA on the account”

Configure hybrid Azure AD device join the easy way

Maybe you did not notice (like I did) the changes that come with one of the latest Azure AD Connect versions, 1.1.819.0, but it makes configuring hybrid Azure AD device join (aka DJ++) much easier for environments that are managed or federated.

Beginning with that version you can configure hybrid device join directly from the Azure AD Connect wizard using “Configure device options”.

Continue reading “Configure hybrid Azure AD device join the easy way”

Note-to-self: New deployment guides for AAD authentication

I was quite busy the last weeks and months migrating a lot of customers from ADFS to mostly Password Hash Sync (PHS) combined with Seamless SSO for Azure AD authentication.

While documenting all those projects on my own, I recently found pre-written deployment guides for authentication from the Deployment Plan Team at Microsoft.

The new deployment guides cover the following scenarios:

Continue reading “Note-to-self: New deployment guides for AAD authentication”
