Poor man’s IGA: Generate Temporary Access Pass for joiners | JanBakker.tech
Today’s challenge: today, we look at a joiner scenario, where you want to trigger a time-based workflow that sends a Temporary Access Pass 7 days before the employee’s start date. This is a built-in capability of Entra ID Lifecycle Workflows, and there are many options to configure. In this blog post, I will try… Read More »
Poor man’s IGA: Revoke all refresh tokens for user
Today’s challenge: today, we look at Microsoft Entra ID Lifecycle Workflows. Microsoft has recently introduced a new task that revokes a user’s refresh tokens. Consider scenarios where the account is disabled and you also want to revoke all tokens, so the resources can no longer be accessed, or cases where you need to terminate… Read More »
Unlocking the Power of employeeHireDate in Entra ID Dynamic Groups
Disclaimer: The main structure of this blog post was created by Claude 3.7 Sonnet. Together with Lokka, I figured out all the supported operators by testing all examples against my demo tenant. Here’s a snippet from my adventures: With that out of the way, on with the show! Introduction: Microsoft Entra ID’s dynamic groups provide… Read More »
Register Yubikeys on behalf of your users with YubiEnroll
In an earlier post, I showed several ways to (bulk) provision Yubikeys (or keys from other vendors) in Microsoft Entra using the provisioning APIs. In this post, we look at another gem from Yubico: YubiEnroll. This CLI tool is designed to delegate the enrollment of Yubikeys to administrators or helpdesk staff. The good part is that… Read More »
How to restrict Device Code Flow in Entra ID
For good reasons, the device code flow in Entra ID is getting a lot of attention. Attackers heavily use it to gain access to Microsoft 365 accounts and data. Device code phishing is very effective, because phishing-resistant MFA methods such as passkeys do not help here: the victim simply hands an access token over to the attacker.… Read More »
You shall not pass(key)!
For both modes, users who have previously registered a method that can be used for Microsoft Entra multifactor authentication need to perform multifactor authentication before they can access their security info. Users must confirm their information before continuing to use their previously registered methods. Desktop vs. mobile app: If you want to roll out passkeys… Read More »
Evilginx loves Temporary Access Passes too
Evilginx is known for capturing user cookies, even if they are secured by MFA methods like SMS, TOTP, push notifications or passwordless phone sign-in. In bootstrap and recovery scenarios, the account will most likely have a Temporary Access Pass enabled, so the user can enroll for strong authentication. I wanted to point out that Evilginx… Read More »
Things you should know before rolling out device-bound passkeys in Microsoft Authenticator App
As passkeys gain more traction in Microsoft 365, more and more companies are looking to strengthen their identity posture by enrolling passkeys for their workforce. Most of the time they start with IT pros and DevOps workers, but they also include their information and frontline workers. Microsoft even has specific guidance for each persona: Considerations for specific personas in… Read More »
Conditional Access risk policies. Don’t get fooled!
Microsoft Entra ID Protection and Microsoft Entra Conditional Access work well together. If your organization owns an Entra Premium P2 license, you likely have risk-based policies configured. Good. As a consultant, I have the privilege of lurking in many IT kitchens, and one mistake I often see is that Conditional Access policies are designed too… Read More »
Microsoft Entra ID Governance: Show suggested access packages in My Access
Today’s post is about a new feature in Entra ID’s Identity Governance: Show suggested access packages in My Access. This feature provides users with a tailored list of suggested access packages. Instead of browsing through all available options, users can now quickly view the most relevant access packages based on their peers’ choices and their… Read More »