Stop using per-user MFA for #AzureAD MFA. "Don't enable or enforce per-user Azure AD Multi-Factor Authentication if you use Conditional Access policies." learn.microsoft.com/en-us/azure/ac…
If you are still using per-user MFA, and can deploy conditional access policies, deploy the template to require MFA for all users and disable per-user MFA. Conversion script here learn.microsoft.com/en-us/azure/ac… (we need to update this to use MS Graph SDK PowerShell and not MSOL) @merill
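As an added example (not the thread author's script and not Microsoft's conversion script), here is what the MSOL-to-Graph conversion looks like in Microsoft Graph PowerShell SDK: it refuses to touch per-user MFA until an enabled Conditional Access policy requiring MFA for all users and all apps exists, then turns per-user MFA off. Assumptions: the SDK is installed, the caller has the listed Graph scopes, and per-user MFA state is read and written through the beta `/users/{id}/authentication/requirements` endpoint via `Invoke-MgGraphRequest`.

```powershell
# Added example: migrate from per-user MFA to a Conditional Access MFA policy safely.
# Not the thread's or Microsoft's code. Run with -WhatIf first to preview changes.
[CmdletBinding(SupportsShouldProcess)]
param()

# Assumption: these scopes are sufficient for reading CA policies, listing users and
# updating per-user MFA state in this tenant.
Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All','Policy.ReadWrite.AuthenticationMethod'

function Test-MfaForAllUsersPolicy {
    # $true only if at least one ENABLED (not report-only) CA policy targets all users
    # and all cloud apps and lists the built-in "mfa" grant control.
    $policies = Get-MgIdentityConditionalAccessPolicy -All
    foreach ($p in $policies) {
        if ($p.State -ne 'enabled') { continue }
        if ($p.Conditions.Users.IncludeUsers -notcontains 'All') { continue }
        if ($p.Conditions.Applications.IncludeApplications -notcontains 'All') { continue }
        if ($p.GrantControls.BuiltInControls -notcontains 'mfa') { continue }
        Write-Verbose "Enforcing policy found: $($p.DisplayName)"
        return $true
    }
    return $false
}

# Never disable per-user MFA before the CA policy that replaces it is actually enforcing.
if (-not (Test-MfaForAllUsersPolicy)) {
    throw 'No enabled CA policy requires MFA for all users and all apps. Deploy the template first; per-user MFA left unchanged.'
}

$users = Get-MgUser -All -Property Id,UserPrincipalName
foreach ($u in $users) {
    # Per-user MFA state (disabled / enabled / enforced) lives on the beta requirements resource (assumption).
    $uri = "https://graph.microsoft.com/beta/users/$($u.Id)/authentication/requirements"
    $req = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($req.perUserMfaState -eq 'disabled') { continue }

    $action = "Set perUserMfaState from '$($req.perUserMfaState)' to 'disabled'"
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, $action)) {
        Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType 'application/json' `
            -Body @{ perUserMfaState = 'disabled' }
    }
}
```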
If you are using a free tenant or you have not enabled conditional access you have enabled the tenant security defaults right? You should go check your tenant right now if you don't know. learn.microsoft.com/en-us/microsof…
Also, if you have not enabled Azure MFA number matching for Microsoft Authenticator push notifications, you really should: learn.microsoft.com/en-us/azure/ac… It is already on for #passwordless phone sign-in, so enable it for MFA notifications too.
#azuread has had the usage and insights dashboard for MFA registration and usage since 2019! Have you reviewed your organization lately? How much of your authentication is still only using single factor auth? It lets you know actions you need to take. techcommunity.microsoft.com/t5/microsoft-e…
Deploying strong authentication credentials as #MFA and #passwordless are only effective when you actually use them
❓are you not requiring MFA all the time?
🔥Trusted networks (intranet) are a policy scoping clause NOT a control. No network is safe enough to use just a password
Reduce the # of MFA Prompts NOT the requirement of MFA for accessing resources. They are very different outcomes.
🔥Require MFA for All Users, All The time via CA policy
🎁 Improve user experience, deploy #Passwordless to use strong auth all the time instead of prompting them.
Check out aka.ms/whfb for more on deploying it. Deploy Cloud Trust if your OS supports it, and while you upgrade OS deploy Key Trust if you have pre-reqs already in place.
And if you are on Linux/macOS/Android/iOS, today I would use Authenticator and deploy the SSO Extensions token brokers as we talked about on the Twitter Spaces show last week 425show.com/spaces
Just a reminder when focusing on #security for your #office365 and #azuread tenants one of the key attack vectors comes from your on-premises environment. If you have not read and implemented the guidance in aka.ms/protectm365 you should & read this thread. 1/7 #identity
"Federated trust relationships, such as Security Assertions Markup Language (SAML) authentication, are used to authenticate to Microsoft 365 through your on-premises identity infrastructure. If a SAML token-signing certificate is compromised, federation allows anyone who has.." 2/7
certificate to impersonate any user in your cloud. We recommend that you disable federation trust relationships for authentication to Microsoft 365 when possible." 3/7