Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Merill Fernando Profile picture
@merill
Nov 14, 2022 10 tweets 6 min read Read on X
Scrolly
Why is everyone so excited about the new #azuread Authentication Strength feature in Conditional Access that was announced at Ignite last month?

Here's are short thread about the feature.

PS. There is a bonus if you read all the way to the end 😉👇 Screenshot from the Authent...
This illustration from @Yubico shows that not all MFA is of equal strength when protecting your users. Some like Phone number and email are very weak compared to others.

I shared more about this in a previous thread Illustration showing the ri...
Moving away from Voice and SMS is in fact called out by NIST who classify PSTN based auth like SMS and Voice as RESTRICTED.

They explain in more detail in this FAQ.
pages.nist.gov/800-63-FAQ/#q-… 5.1.3.3 Authentication usin...
That's all well and good but moving our users off Voice/SMS is going to take some time.

Now this is where Authentication Strength comes into play. Before this feature was released, the only way to remove phone MFA was to turn it off at the tenant level at adlegacymfa.cmd.ms Screenshot of MFA options p...
As you can imagine it's going to be total chaos if you unchecked the Phone and SMS options for all your users.

Instead what you really want is to gradually improve the auth strength in your org.

An ideal place to start could be to remove Phone/SMS for privileged admin users.
Applying Auth Strengths is a two step process.

#1 Decide/ define the Authentication Strength

You can use one of the built-in strengths or create your own.

Here I'm following NIST guidelines and creating a custom auth strength that excludes SMS & Voice. Screenshot of auth strength...
#2 Enforce the Auth Strength using a Conditional Policy

Next we head over to adca.cmd.ms and define a CA policy that requires this new auth strength.

Since this is in CA you get to use all the various filters to scope the where and when this strength is enforced. Screenshot showing CA polic...
All set!

Now the most important part. What is the user's experience?

If their original MFA doesn't meet the requirement the user is prompted with a step up experience to the stronger auth.

For this user we applied a policy that excluded Voice. User seeing the step up exp...
Interested in learning more about this feature?

Click Set Reminder below and you get to chat with the folks that built this feature including @inbarck and @YusukeKodama85 as they join @JefTek, @BaileyBercik and myself in spaces this week.
twitter.com/i/spaces/1ynJO…
Did you like this? Please retweet this thread and share.

Plus, feel free to follow me, I try to post at least one new topic each week.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Merill Fernando

Merill Fernando Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @merill

Merill Fernando Profile picture
May 28
Entra Hardening Tip #9 🔐

Don’t use client secrets for app authentication.

Use this decision tree when a developer or vendor asks for an app registration to be created in your tenant. 👇
1/14 Image
Client secrets are convenient.

That’s also the problem.

They end up in config files, scripts, pipelines, wikis, screenshots, logs, and sometimes places no one remembers until it’s too late.

Once leaked, they are very easy for attackers to abuse.
2/14
Searching for client secrets is the first thing the nation state actor Midnight Blizzard did after they got access to Microsoft internal emails in 2024.



Do you know what your devs, PMs & vendors have been doing with your long lived client secrets?
3/14 microsoft.com/en-us/msrc/blo…Image
Read 14 tweets
Merill Fernando Profile picture
Nov 21, 2025
Agent ID is going to be a big part of your life if you are an IAM admin, cybersec, architect, or enterprise ai/agent dev.

There is a lot new to learn and understand. We'll be sharing more in this area over the coming months.

Tip for those attending Experts Live Denmark in Feb next year, sign up for the Identity masterclass.

We will be covering Agent ID

eldk26.expertslive.dk
Read 5 tweets
Merill Fernando Profile picture
Nov 19, 2025
Get ready, folks. 🌟

You’re about to witness ONE. BIG. BEAUTIFUL. ABSURDLY. EPIC. THREAD. 🧵🔥

Some say this might be the MOST EPIC and MOST RIDICULOUSLY LONG identity thread ever written

📗 Bookmark this

Honestly… the cover image alone deserves a like + retweet

DO IT 😂 Image
Who doesn't like Free!

If you have E5 and the required number of users you can now start running the Conditional Access Optimization Agent which only consumes one SCU per day (you can even run it weekly if you want)

Want a deep dive into the agents?

Queue up these podcast episodes I recorded with the Microsoft PMs for these agents

🎧 Conditional Access Optimization Agent → entra.news/p/jordans-visi…

🎧 Access Review Agent → entra.news/p/ai-is-coming…Image
Don't sleep on synced passkeys Image
Read 22 tweets
Merill Fernando Profile picture
Mar 4, 2025
This doesn't happen everyday folks!!

Entra ID application management policies no longer require a Workload ID Premium license! 👏🎁🍾🥳🎊

This change happened back in October last year and I somehow missed it.

Here's a complete walkthrough 🧵👇

✳️ Bookmark this. App Management Policies are now in the Entra ID FREE Tier!! So what are app management policies? How can they be used to secure your tenant?
Threat actors love apps.

They can find long lived app secrets in text files on servers, code repos and even email archives. Why do we need app management policies? Unlike user passwords, apps can have more than one credential Even worse → Devs (and threat actors) can set very long expiry dates
You might fall into a false sense of security, since the admin portal only allows a max 2 year expiry for secret.

Devs (like me) are lazy and we use the API to create long lived secrets to make life easier for us 😎 🤯 While Entra ID prevents setting long lived expiry in the admin portal You can use APIs to create credentials with long expiry
Read 14 tweets
Merill Fernando Profile picture
Sep 24, 2024
Microsoft just published their SFI progress report. Here's the TLDR; version.

There is a lot that CISOs, M365/Entra admins and cybersecurity teams can learn from what Microsoft is doing and apply to their own organizations.

🧵👇 Image
How far along is your org in this journey? Image
Managing the number of tenants (including dev tenants) and securing ALL of them is becoming important Image
Read 6 tweets
Merill Fernando Profile picture
Feb 28, 2024
The ability to block Device Code Flow just became available in Microsoft Entra ID Conditional Access.

Here's a quick walkthrough of how attackers use device code flow to get access to your tenant and what you can do to protect yourself. Attn M365 admins & security teams Create this CA policy NOW and protect your users from Device Code Flow phishing & social engineering attacks!
❇️ Why does device code flow exist?

Device code flow is required when signing into devices that might lack local input for eg meeting room devices or scenarios like shared devices.

Unfortunately, attackers frequently use this mechanism to target your users. The new Conditional Access feature Authentication Flows, lets you target Device Code Flow + Authentication Transfer and BLOCK them from your tenant
🪟 Microsoft's recommendation

Microsoft's recommendation is to block device code flow wherever possible and only allow device code flow where necessary.

Learn more




→ How-to article: learn.microsoft.com/entra/identity…
learn.microsoft.com/entra/identity…
learn.microsoft.com/entra/identity…
Here’s how the new CA policy works to block Device Code Flow and protect your users! Illustration showing how the block access policy will prevent user from signing in
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(