Merill Fernando
Nov 14 · 10 tweets · 6 min read
Why is everyone so excited about the new #azuread Authentication Strength feature in Conditional Access that was announced at Ignite last month?

Here's a short thread about the feature.

PS. There is a bonus if you read all the way to the end 😉👇
[Image: Screenshot from the Authent...]
This illustration from @Yubico shows that not all MFA is of equal strength when it comes to protecting your users. Some methods, like phone number and email, are very weak compared to others.

I shared more about this in a previous thread.
[Image: Illustration showing the ri...]
Moving away from Voice and SMS is in fact called out by NIST, who classify PSTN-based authenticators like SMS and Voice as RESTRICTED.

They explain this in more detail in this FAQ:
pages.nist.gov/800-63-FAQ/#q-…
[Image: 5.1.3.3 Authentication usin...]
That's all well and good, but moving our users off Voice/SMS is going to take some time.

This is where Authentication Strength comes into play. Before this feature was released, the only way to remove phone MFA was to turn it off for the whole tenant at adlegacymfa.cmd.ms
[Image: Screenshot of MFA options p...]
As you can imagine, it's going to be total chaos if you uncheck the Phone and SMS options for all your users at once.

Instead what you really want is to gradually improve the auth strength in your org.

An ideal place to start could be to remove Phone/SMS for privileged admin users.
Applying Auth Strengths is a two-step process.

#1 Decide/define the Authentication Strength

You can use one of the built-in strengths or create your own.

Here I'm following the NIST guidelines and creating a custom auth strength that excludes SMS & Voice.
[Image: Screenshot of auth strength...]
#2 Enforce the Auth Strength using a Conditional Access policy

Next we head over to adca.cmd.ms and define a CA policy that requires this new auth strength.

Since this is in CA, you get to use all the usual filters to scope where and when this strength is enforced.
[Image: Screenshot showing CA polic...]
All set!

Now the most important part: what is the user's experience?

If the MFA method they originally signed in with doesn't meet the requirement, the user is prompted with a step-up experience to the stronger auth.

For this user we applied a policy that excluded Voice.
[Image: User seeing the step up exp...]
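As an added example (not code from the thread), here is what the two steps above look like as Microsoft Graph request bodies, plus a small model of the step-up decision the user sees. The Graph endpoint paths and the comma-joined authentication-method-combination strings are assumed from the Graph documentation; the role and policy ids are placeholders, not values from the thread.

```python
# Added example, not from the original thread. Builds the request bodies for
# the two steps (define a strength, enforce it via a CA policy) and models the
# step-up check. Endpoint paths and combination strings are assumed from the
# Microsoft Graph docs; ids below are placeholders.

# Constructed subset of the built-in "Multifactor authentication" combinations.
MFA_COMBINATIONS = [
    "windowsHelloForBusiness",
    "fido2",
    "x509CertificateMultiFactor",
    "temporaryAccessPassOneTime",
    "password,microsoftAuthenticatorPush",
    "password,softwareOath",
    "password,hardwareOath",
    "password,sms",
    "password,voice",
    "federatedMultiFactor",
    "microsoftAuthenticatorPush,federatedSingleFactor",
    "sms,federatedSingleFactor",
    "voice,federatedSingleFactor",
]

# PSTN-based modes that NIST SP 800-63B classes as RESTRICTED.
PSTN_MODES = {"sms", "voice"}


def modes_of(combination):
    """Split a comma-joined combination string into its individual method modes."""
    return {m.strip() for m in combination.split(",")}


def build_auth_strength(name):
    """Step 1: body for POST /policies/authenticationStrengthPolicies, dropping every combination that touches SMS/Voice."""
    allowed = [c for c in MFA_COMBINATIONS if not modes_of(c) & PSTN_MODES]
    return {"displayName": name,
            "description": "MFA without SMS/Voice (NIST restricted methods)",
            "allowedCombinations": allowed}


def build_ca_policy(strength_id, role_ids):
    """Step 2: body for POST /identity/conditionalAccess/policies, scoped to admin roles and started in report-only mode."""
    return {
        "displayName": "Require non-PSTN MFA for privileged admins",
        "state": "enabledForReportingButNotEnforced",  # check sign-in logs before enforcing
        "conditions": {"users": {"includeRoles": role_ids},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR",
                          "authenticationStrength": {"id": strength_id}},
    }


def needs_step_up(strength, combination_used):
    """True when the combination the user completed is not allowed by the strength, i.e. they get the step-up prompt."""
    return combination_used not in strength["allowedCombinations"]
```

Starting the policy in report-only mode lets you confirm from the sign-in logs which admins would be stepped up before flipping the state to enabled.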
Interested in learning more about this feature?

Click Set Reminder below and you get to chat with the folks that built this feature including @inbarck and @YusukeKodama85 as they join @JefTek, @BaileyBercik and myself in spaces this week.
twitter.com/i/spaces/1ynJO…
Did you like this? Please retweet this thread and share.

Plus, feel free to follow me, I try to post at least one new topic each week.
