Merill Fernando
Nov 14, 2022, 10 tweets, 6 min read
Why is everyone so excited about the new #azuread Authentication Strength feature in Conditional Access that was announced at Ignite last month?

Here's a short thread about the feature.

PS. There is a bonus if you read all the way to the end 😉👇
This illustration from @Yubico shows that not all MFA is of equal strength when protecting your users. Some methods, like phone number and email, are much weaker than others.

I shared more about this in a previous thread.
Moving away from Voice and SMS is in fact called out by NIST, which classifies PSTN-based authenticators such as SMS and Voice as RESTRICTED.

They explain in more detail in this FAQ.
pages.nist.gov/800-63-FAQ/#q-…
That's all well and good but moving our users off Voice/SMS is going to take some time.

Now this is where Authentication Strength comes into play. Before this feature was released, the only way to remove phone MFA was to turn it off for the whole tenant at adlegacymfa.cmd.ms.
As you can imagine, it would be total chaos if you unchecked the Phone and SMS options for all your users at once.

Instead what you really want is to gradually improve the auth strength in your org.

An ideal place to start could be to remove Phone/SMS for privileged admin users.
Applying Auth Strengths is a two step process.

#1 Decide/define the Authentication Strength

You can use one of the built-in strengths or create your own.

Here I'm following NIST guidelines and creating a custom auth strength that excludes SMS & Voice.
#2 Enforce the Auth Strength using a Conditional Access policy

Next we head over to adca.cmd.ms and define a CA policy that requires this new auth strength.

Since this lives in CA, you get to use all the usual filters to scope where and when this strength is enforced.
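The same two steps scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original thread. It derives the custom strength from the built-in "Multifactor authentication" strength by dropping every SMS/Voice combination, then creates a report-only CA policy for a privileged-admin group whose object id (`$AdminGroupId`) is an assumed placeholder you supply.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", `
                        "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$AdminGroupId = "<object-id-of-privileged-admin-group>"   # placeholder, assumed

# Step 1: start from the built-in MFA strength (well-known id ending in ...0002)
# and remove every combination that relies on the PSTN (SMS or Voice), which
# NIST SP 800-63B classifies as RESTRICTED.
$builtInMfa = Get-MgPolicyAuthenticationStrengthPolicy `
    -AuthenticationStrengthPolicyId "00000000-0000-0000-0000-000000000002"
$combos = @($builtInMfa.AllowedCombinations | Where-Object { $_ -notmatch 'sms|voice' })

# Sanity check: never create an empty strength, which would lock everyone out.
if ($combos.Count -eq 0) { throw "No non-PSTN combinations left; aborting." }

$strength = New-MgPolicyAuthenticationStrengthPolicy `
    -DisplayName "MFA without SMS and Voice" `
    -Description "Built-in MFA minus PSTN methods (NIST restricted)" `
    -AllowedCombinations $combos

# Step 2: CA policy that requires the new strength for the admin group on all apps.
# Report-only first, so the sign-in logs show who would be stepped up before you
# flip the state to "enabled".
$policy = @{
    displayName   = "Admins: require MFA without SMS/Voice"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($AdminGroupId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the sign-in logs for a few days, then change `state` to `enabled` to enforce the step-up.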
All set!

Now the most important part. What is the user's experience?

If their original MFA method doesn't meet the requirement, the user is prompted with a step-up experience to the stronger method.

For this user we applied a policy that excluded Voice.
Interested in learning more about this feature?

Click Set Reminder below and you get to chat with the folks that built this feature including @inbarck and @YusukeKodama85 as they join @JefTek, @BaileyBercik and myself in spaces this week.
twitter.com/i/spaces/1ynJO…
Did you like this? Please retweet this thread and share.

Plus, feel free to follow me, I try to post at least one new topic each week.
