Yes. The name is snarky on purpose. With the drive to using phishing-resistant MFA something on the mind of many organizations, I’ve been taking a look at the Usage & […] The post Entra Useless Insights Report appeared first on Eric on Identity.| Eric on Identity
The post How to Export Privileged Identity Management Role Assignments in Entra ID using PowerShell appeared first on HTMD Community Modern Device Management News & Guides by Sujin Nelladath.| HTMD Community Modern Device Management News & Guides
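An added example for the topic of this post (it is not the HTMD article's own script): pull both PIM-eligible and active Entra ID directory role assignments through the Microsoft Graph PowerShell SDK and export them to CSV. It assumes the Microsoft.Graph.Identity.Governance module is installed, that the signed-in account can read role management data (Global Reader or higher), and the output path is an arbitrary choice.

```powershell
# Added example, not the article's code. Requires Microsoft.Graph.Authentication and
# Microsoft.Graph.Identity.Governance; the signed-in account needs read access to
# role management (RoleManagement.Read.Directory, e.g. as Global Reader).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome

function Get-PimRoleAssignmentReport {
    [CmdletBinding()]
    param()

    # Eligible assignments: the principal must activate through PIM before the role is effective.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
        -ExpandProperty 'principal,roleDefinition'

    # Active assignments: permanent ("Assigned") as well as currently activated ("Activated").
    $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
        -ExpandProperty 'principal,roleDefinition'

    foreach ($item in $eligible) {
        [pscustomobject]@{
            State         = 'Eligible'
            MemberType    = $item.MemberType                 # Direct, or Group (via a PIM-enabled group)
            Role          = $item.RoleDefinition.DisplayName
            Principal     = $item.Principal.AdditionalProperties['displayName']
            PrincipalType = ($item.Principal.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
            PrincipalId   = $item.PrincipalId
            Scope         = $item.DirectoryScopeId           # '/' means tenant-wide
            StartDateTime = $item.StartDateTime
            EndDateTime   = $item.EndDateTime                # $null means no expiry
        }
    }

    foreach ($item in $active) {
        [pscustomobject]@{
            State         = $item.AssignmentType             # Assigned (permanent) or Activated (JIT)
            MemberType    = $item.MemberType
            Role          = $item.RoleDefinition.DisplayName
            Principal     = $item.Principal.AdditionalProperties['displayName']
            PrincipalType = ($item.Principal.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
            PrincipalId   = $item.PrincipalId
            Scope         = $item.DirectoryScopeId
            StartDateTime = $item.StartDateTime
            EndDateTime   = $item.EndDateTime
        }
    }
}

$report = Get-PimRoleAssignmentReport
$report | Sort-Object Role, Principal |
    Export-Csv -Path '.\PimRoleAssignments.csv' -NoTypeInformation -Encoding utf8

# The rows worth a second look: permanent, tenant-wide assignments with no end date.
$report | Where-Object { $_.State -eq 'Assigned' -and $_.Scope -eq '/' -and -not $_.EndDateTime } |
    Format-Table Role, Principal, PrincipalType -AutoSize
```

The two schedule-instance endpoints are used rather than the schedule endpoints because instances reflect what is effective right now, including JIT activations that are still inside their activation window.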
Managing PIM-enabled groups with Entra ID Governance Access Packages just got better! Just a quick heads-up for those working a lot with Entra ID Governance: Access Packages now supports eligible membership and ownership of PIM-enabled groups. This might sound a bit confusing, as many moving parts and features are involved. Let me explain the new improvement. PIM for Groups is excellent for just-in-time ownership or membership for… Read More »Manag...| JanBakker.tech
Poor man’s IGA: Monitor and clean up stale guest accounts Today’s challenge Today, we are dealing with inactive or stale guest users in a tenant. Entra ID Governance has several ways to solve this, but if you had those licenses, you wouldn’t be here. For today’s challenge, I built two Dynamic Groups and two Logic Apps. Process 1 The first process involves a Dynamic Group… Read More »Poor man’s IGA: Monitor and clean up stale guest account...| JanBakker.tech
This is a knowledge base item. Hope it will help you someday. Issue When you register a new passkey to Entra ID or Microsoft 365, an error is thrown: We detected that this particular key type has been blocked by your organization. Contact your administrator for more details and try registering a different type of… Read More »KB – We detected that this particular key type has been blocked by your organization| JanBakker.tech
This post looks at implementing an OpenID Connect client in ASP.NET Core and require a level of authentication (LoA) implemented using Keycloak. The applications are hosted using Aspire. The LoA is…| Software Engineering
Microsoft Azure is probably the most widely used cloud platform in Switzerland, powering businesses of all sizes, from startups to multinational companies. According to the official Microsoft page over 95% of Fortune 500 companies rely on Microsoft Azure in one form or another. With this industry-wide adoption, it has become a critical component of modern-day IT infrastructure. However, as more and more companies migrate to cloud or cloud-local hybrid infrastructure, the security risks that ...| blog.compass-security.com
Poor man’s IGA: Generate Temporary Access Pass for joiners Today’s challenge Today, we look at a joiner scenario, where you want to trigger a time-based workflow to send a Temporary Access Pass 7 days before the employee’s start date. This is a built-in capability from Entra ID Lifecycle Workflow, and you have a lot of options to configure: In this blogpost, I will try… Read More »Poor man’s IGA: Generate Temporary Access Pass for joiners T...| JanBakker.tech
Today’s challenge Today, we look at Microsoft Entra ID Lifecycle Workflows. Microsoft has recently introduced a new task that revokes a user’s refresh token. Consider scenarios where the account is disabled and you also want to revoke all tokens, so the resources can no longer be accessed, or in cases where you need to terminate… Read More »Poor man’s IGA: Revoke all refresh tokens for user| JanBakker.tech
Disclaimer: The main structure of this blog post is created by Claude 3.7 Sonnet. Together with Lokka, I figured out all the supported operators by testing all examples against my demo tenant. Here’s a snippet from my adventures: With that out of the way, on with the show! Introduction Microsoft Entra ID’s dynamic groups provide… Read More »Unlocking the Power of employeeHireDate in Entra ID Dynamic Groups| JanBakker.tech
This blog post shows how an ASP.NET Core Identity application can integrate and implement multiple external identity providers. An OIDC client UI uses the solution and is implemented using Duende IdentityServer. The same scheme is used for all the external providers and mapped to the identity for the client UI and the application. Using OpenID […]| Software Engineering
Register Yubikeys on behalf of your users with YubiEnroll In an earlier post, I showed several ways to (bulk) provision Yubikeys (or keys from other vendors) in Microsoft Entra using the provisioning APIs. In this post, we look at another gem from Yubico, YubiEnroll. This (CLI) tool is designed to delegate enrollment of Yubikeys to administrators or helpdesk staff. The good part is that… Read More »Register Yubikeys on behalf of your users with Yub...| JanBakker.tech
For good reasons, device code flow in Entra ID is getting a lot of attention. Attackers heavily use it to get access to Microsoft 365 accounts and data. Device code phishing is very effective, as phishing-resistant MFA, like passkeys, does not help here. The victim will simply hand over an access token to the attacker.… Read More »How to restrict Device Code Flow in Entra ID| JanBakker.tech
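An added example of the restriction this post is about, written here with the Microsoft Graph PowerShell SDK and not taken from the JanBakker.tech article: a Conditional Access policy that targets the device code flow through the authenticationFlows condition and blocks it. It assumes Microsoft.Graph.Identity.SignIns is installed, a Conditional Access Administrator is signed in, and the emergency-access account IDs are placeholders to be replaced.

```powershell
# Added example, not the post's own code. Requires Microsoft.Graph.Identity.SignIns and a
# Conditional Access Administrator; the break-glass IDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Assumption: your emergency-access (break-glass) accounts, which every blocking policy must exclude.
$breakGlassAccounts = @('00000000-0000-0000-0000-000000000000')

function New-BlockDeviceCodeFlowPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ExcludeUsers,
        # Start in report-only mode; flip to 'enabled' after reviewing report-only results in the sign-in logs.
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )

    $policy = @{
        displayName = 'CA - Block device code flow'
        state       = $State
        conditions  = @{
            users          = @{
                includeUsers = @('All')
                excludeUsers = $ExcludeUsers
            }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
            # This condition is what scopes the policy to the device code flow specifically;
            # without it the policy would block every sign-in.
            authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('block')
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

$created = New-BlockDeviceCodeFlowPolicy -ExcludeUsers $breakGlassAccounts
"Created policy $($created.Id) in state $($created.State)"

# Sanity check: confirm the stored policy still carries the authenticationFlows condition and the block control.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.AuthenticationFlows.TransferMethods -notmatch 'deviceCodeFlow' -or
    $check.GrantControls.BuiltInControls -notcontains 'block') {
    Write-Warning 'Policy does not look like a device code flow block; review before enabling.'
}
```

Legitimate device code use (browserless devices, some CLI tools) shows up in the report-only results; add those users or workloads as explicit exclusions before switching the state to enabled, rather than loosening the policy for everyone.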
TL;DR: PowerShell tool to enumerate Entra ID objects, assignments and identify highly privileged objects or risky configurations.| blog.compass-security.com
When using the built-in SSO (Single Sign-On) in NetBox with Entra ID, the Active Directory (AD) group or role information for the users is not available out of the box. Based on the discussions in NetBox repo I tested and wrote down a short memo of getting the users’ groups usable in NetBox. In this […]| Majornetwork
For what? There is no arguing that Microsoft has a firm grip on infrastructures inside many corporations, at least when it comes to IDPs and other cloud infrastructures. One of the systems they use is “Privileged Identity Management.” I will not attempt to describe it here. Just know that many admins need to use it very, very often to work. The UI/UX on the Entra/Azure portal is, however, very infuriating in many ways. If you know, you know.| macOS & (open-source) Software
For both modes, users who have previously registered a method that can be used for Microsoft Entra multifactor authentication need to perform multifactor authentication before they can access their security info. Users must confirm their information before continuing to use their previously registered methods. Desktop vs. Mobile app If you want to roll out passkeys… Read More »You shall not pass(key)!| JanBakker.tech
Evilginx is known for capturing user cookies, even if they are secured by MFA methods like SMS, TOTP, push notifications or passwordless phone sign-in. In bootstrap and recovery scenarios, the account will most likely have a Temporary Access Pass enabled, so the user can enroll for strong authentication. I wanted to point out that Evilginx… Read More »Evilginx loves Temporary Access Passes too| JanBakker.tech
As passkeys get more traction in Microsoft 365, more and more companies are looking to strengthen their identity posture by enrolling passkeys for their workforce. Most of the time, starting with IT pros/DevOps workers, but also for their Information and Frontline Workers. Microsoft even has specific guidance for each persona: Considerations for specific personas in… Read More »Things you should know before rolling out device-bound passkeys in Microsoft Authenticator App| JanBakker.tech
Update I called the 888 number this morning and it does indeed go to a scam call center. I played along with the person on the other end, who ultimately […] The post An interesting M365 billing scam appeared first on Eric on Identity.| Eric on Identity
Microsoft Entra ID Protection and Microsoft Entra Conditional Access work well together. If your organization owns an Entra Premium P2 license, you likely have risk-based policies configured. Good. As a consultant, I have the privilege of lurking in many IT kitchens, and one mistake I often see is that Conditional Access policies are designed too… Read More »Conditional Access risk policies. Don’t get fooled!| JanBakker.tech
This is a part of my series on AI Foundry: AI Foundry – The Basics AI Foundry – Credential vs Identity Data Stores AI Foundry – Identity, Authentication, and Authorization Yes, I’m goin…| Journey Of The Geek
Microsoft, and the general identity industry, has recommended that applications use certificates over secrets when it comes to credentials for things like applications. This recommendation has existed for about as […] The post Spying on your ISVs credential choices appeared first on Eric on Identity.| Eric on Identity
Organizations face increasing challenges in securing internet traffic and enforcing web access policies in today’s hybrid work environment. Two key tools from Microsoft, Microsoft Entra Internet Access (Global Secure Access) and Microsoft Defender for Endpoint (MDE), offer robust capabilities for managing security and productivity on the endpoint. This article provides an in-depth comparison between the... The post Comparing Web Filtering and Security: Microsoft Entra Internet Access (Globa...| Modern Workplace Blog
With the introduction of a converged policy combining settings from the legacy MFA portal and SSPR configuration, separating the use of SMS for password resets from its use as an MFA method has become challenging. This guide explains how to configure authentication policies effectively using authentication strengths in Microsoft Entra to address this issue. Table... The post Navigating New Authentication Methods: SMS for Password Reset, Not for MFA appeared first on Modern Workplace Blog.| Modern Workplace Blog
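An added example of the approach described in this post, written here with the Microsoft Graph PowerShell SDK and not taken from the Modern Workplace Blog article: a custom authentication strength that omits SMS, and a Conditional Access policy that requires that strength, so SMS can stay enabled in the authentication methods policy for self-service password reset without counting as MFA for sign-in. It assumes Microsoft.Graph.Identity.SignIns is installed, a Conditional Access Administrator is signed in, and the break-glass account IDs and the list of allowed combinations are assumptions to adjust for your tenant.

```powershell
# Added example, not the article's code. Requires Microsoft.Graph.Identity.SignIns;
# the break-glass IDs and the allowed combinations are assumptions for your tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$breakGlassAccounts = @('00000000-0000-0000-0000-000000000000')   # placeholder

function New-NoSmsAuthenticationStrength {
    [CmdletBinding()]
    param()

    # Every combination below is MFA without SMS or voice. Trim to the methods you actually
    # want to accept; the point is that 'password,sms' is not in the list.
    $allowed = @(
        'fido2',
        'windowsHelloForBusiness',
        'x509CertificateMultiFactor',
        'deviceBasedPush',
        'password,microsoftAuthenticatorPush',
        'password,softwareOath',
        'password,hardwareOath',
        'temporaryAccessPassOneTime',
        'temporaryAccessPassMultiUse'
    )

    New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
        displayName         = 'MFA without SMS'
        description         = 'Multifactor authentication excluding SMS and voice; SMS stays usable for SSPR only'
        allowedCombinations = $allowed
    }
}

function New-RequireStrengthPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $StrengthId,
        [Parameter(Mandatory)] [string[]] $ExcludeUsers
    )

    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName = 'CA - Require MFA without SMS'
        state       = 'enabledForReportingButNotEnforced'   # review report-only results, then enable
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $ExcludeUsers }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator               = 'OR'
            # An authentication strength replaces the generic 'mfa' built-in control,
            # which would still accept SMS.
            authenticationStrength = @{ id = $StrengthId }
        }
    }
}

$strength = New-NoSmsAuthenticationStrength
$policy   = New-RequireStrengthPolicy -StrengthId $strength.Id -ExcludeUsers $breakGlassAccounts
"Strength $($strength.Id) required by policy $($policy.Id) ($($policy.State))"
```

The authentication methods policy itself is left alone in this example: SMS remains enabled there so users can still reset passwords with it, while the Conditional Access policy decides what counts as MFA at sign-in.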
Today’s post is about a new feature in Entra ID’s Identity Governance: Show suggested access packages in My Access. This feature provides users with a tailored list of suggested access packages. Instead of browsing through all available options, users can now quickly view the most relevant access packages based on their peers’ choices and their… Read More »Microsoft Entra ID Governance: Show suggested access packages in My Access| JanBakker.tech
In case you didn’t get the latest memo, Microsoft is tightening the security around the Azure and Microsoft 365 admin portals by enforcing multifactor authentication for all interactive sign-ins. In this post, I will try to answer all the questions about this change, as there seem to be a lot of questions on social media… Read More »All you need to know about the mandatory multifactor authentication for Azure and other administration portals| JanBakker.tech
Sometimes we need to grant temporary access to Entra ID users for specific purposes, like onboarding. As you might know, Microsoft Entra ID provides a feature called Temporary Access Pass (TAP) tha…| Daniel Chronlund Cloud Security Blog
Bypassing Conditional Access is easy. That’s because most Conditional Access policies rely on Entra ID Security Groups. Since Entra ID is very “flat” by default, every admin with group management permissions can add or remove members to ANY group. That’s why we want to handle our include and exclude groups carefully. This idea does not… Read More »Prevent Conditional Access bypass with Restricted Management Administrative Units in Entra ID| JanBakker.tech
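An added example of the control described in this post, written here with the Microsoft Graph PowerShell SDK and not taken from the JanBakker.tech article: create a restricted management administrative unit, place the Conditional Access include/exclude groups in it, and scope the Groups Administrator role to that unit for one team, so tenant-wide group administrators can no longer change those memberships. It assumes Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance are installed, a Privileged Role Administrator is signed in, and the CA group naming convention and the delegated team's group ID are assumptions.

```powershell
# Added example, not the post's code. Requires Microsoft.Graph.Identity.DirectoryManagement,
# Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance. The 'CA-' naming
# convention and the delegated admin group ID are assumptions for your tenant.
Connect-MgGraph -Scopes 'AdministrativeUnit.ReadWrite.All', 'Group.Read.All', 'RoleManagement.ReadWrite.Directory' -NoWelcome

function New-RestrictedCaGroupUnit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string[]] $GroupIds
    )

    # isMemberManagementRestricted can only be set when the AU is created; it cannot be
    # toggled on an existing administrative unit.
    $au = New-MgDirectoryAdministrativeUnit -BodyParameter @{
        displayName                  = $DisplayName
        description                  = 'Groups used as include/exclude targets of Conditional Access policies'
        isMemberManagementRestricted = $true
    }

    foreach ($id in $GroupIds) {
        New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/groups/$id"
        }
    }

    $au
}

function Grant-ScopedGroupsAdministrator {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AdministrativeUnitId,
        # Must be a user, service principal or role-assignable group.
        [Parameter(Mandatory)] [string] $PrincipalId
    )

    # Look the role up by name instead of hardcoding a template ID.
    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Groups Administrator'"

    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter @{
        principalId      = $PrincipalId
        roleDefinitionId = $roleDef.Id
        # Scoping to the AU limits the role to objects inside it; in a restricted management AU,
        # only AU-scoped assignments (and Global Administrator) can manage those objects at all.
        directoryScopeId = "/administrativeUnits/$AdministrativeUnitId"
    }
}

# Assumption: Conditional Access control groups follow a 'CA-' prefix.
$caGroups = Get-MgGroup -Filter "startswith(displayName,'CA-')" -All
if (-not $caGroups) { throw 'No groups matching the CA- naming convention were found.' }

$au = New-RestrictedCaGroupUnit -DisplayName 'Conditional Access control groups' -GroupIds $caGroups.Id

# Assumption: object ID of the role-assignable group holding the team that may edit CA groups.
$caAdminTeamGroupId = '00000000-0000-0000-0000-000000000000'
Grant-ScopedGroupsAdministrator -AdministrativeUnitId $au.Id -PrincipalId $caAdminTeamGroupId

# Verify the restriction took effect on the stored object.
$check = Get-MgDirectoryAdministrativeUnit -AdministrativeUnitId $au.Id
if (-not $check.IsMemberManagementRestricted) { Write-Warning 'AU is not member-management restricted.' }
```

Global Administrators (and Privileged Role Administrators, for role assignments) retain control of the unit, so the exclude groups of the Conditional Access policies that protect those roles should be in the same unit and reviewed with the same care.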
In this article I will be showing you how you can automatically have Microsoft Teams set its presence to Do Not Disturb, or any other presence, based on events in your Outlook Calendar. I also looked into leveraging Power Automate but it began to require premium connectors and at that cost, going the serverless automation| The Lazy Administrator
According to the Microsoft Digital Defense Report 2022, weak identity controls are listed as a top three contributing factors found during ransomware incident response. One particularly troubling finding within identity […] The post Protect your privilege with PAW appeared first on Eric on Identity.| Eric on Identity
If you haven’t followed the news recently, Descope released an article diving into how their security researchers were able to abuse OpenID Connect (OIDC) ID token claims to spoof the […] The post The nOAuth “flaw” is a symptom of industry anti-patterns appeared first on Eric on Identity.| Eric on Identity
According to Wikipedia, Toshkent (or Tashkent) is the largest city in, as well as the capital of, Uzbekistan, a country located in Central Asia. The city sports a population of […] The post March 23rd, 2023: The Day Everyone Came From Uzbekistan appeared first on Eric on Identity.| Eric on Identity
This is part of my series on Azure Authorization. Azure Authorization – The Basics Azure Authorization – Azure RBAC Basics Azure Authorization – actions and notActions Azure Autho…| Journey Of The Geek
Scenario You want to allow an application the permission to add and remove members in an Entra Group with the least possible permissions used. Solution You can of course solve this by giving your application one of the following Application … Continue reading →| Microsoft Security Solutions
Audit logs can provide all sorts of wonderful points of data. In the interest of identity security, we have historically seen that we can glean rich sets of information around […] The post Dude, Where’s My Audit Logs? appeared first on Eric on Identity.| Eric on Identity
Background A developer at a customer recently asked me: “I have a custom API protected by Entra ID. Can you allow me to grant admin consent to my own APIs, without needing to contact an Entra ID ad…| Microsoft Security Solutions
2/11/2025 Update – This action is now captured in the Entra ID Audit Logs! I’d recommend putting an alert in ASAP to track this moving forward. Hello fellow geek! Today I’m going …| Journey Of The Geek