Microsoft Entra ID Governance Entitlement Management supports various static and dynamic approvers for access packages, such as users, groups, managers, and second-level managers. The approver configurations are all stored in the assignment policy of the Access Package, and already provide great flexibility. But what if you require even more flexibility and need to connect with… Read More »Dynamic approval in Entra ID access packages using custom extensions| JanBakker.tech
Managing PIM-enabled groups with Entra ID Governance Access Packages just got better! Just a quick heads-up for those working a lot with Entra ID Governance: Access Packages now support eligible membership and ownership of PIM-enabled groups. This might sound a bit confusing, as many moving parts and features are involved. Let me explain the new improvement. PIM for Groups is excellent for just-in-time ownership or membership for… Read More »Manag...
Poor man’s IGA: Monitor and clean up stale guest accounts Today’s challenge Today, we are dealing with inactive or stale guest users in a tenant. Entra ID Governance has several ways to solve this, but if you had those licenses, you wouldn’t be here. For today’s challenge, I built two Dynamic Groups and two Logic Apps. Process 1 The first process involves a Dynamic Group… Read More »Poor man’s IGA: Monitor and clean up stale guest account...
This is a knowledge base item. Hope it will help you someday. Issue When you register a new passkey to Entra ID or Microsoft 365, an error is thrown: We detected that this particular key type has been blocked by your organization. Contact your administrator for more details and try registering a different type of… Read More »KB – We detected that this particular key type has been blocked by your organization
Did you ever want to act on a change in group membership in Azure AD, for example, when a user is added to or removed from a specific group? I have found an easy way to do this with the use of Power Automate. You can use this for a lot of use cases. What do… Read More »Act on group membership changes in Azure Active Directory
Poor man’s IGA: Generate Temporary Access Pass for joiners Today’s challenge Today, we look at a joiner scenario, where you want to trigger a time-based workflow to send a Temporary Access Pass 7 days before the employee’s start date. This is a built-in capability of Entra ID Lifecycle Workflows, and you have a lot of options to configure: In this blog post, I will try… Read More »Poor man’s IGA: Generate Temporary Access Pass for joiners T...
Today’s challenge Today, we look at Microsoft Entra ID Lifecycle Workflows. Microsoft has recently introduced a new task that revokes a user’s refresh tokens. Consider scenarios where the account is disabled and you also want to revoke all tokens, so the resources can no longer be accessed, or in cases where you need to terminate… Read More »Poor man’s IGA: Revoke all refresh tokens for user
Disclaimer: The main structure of this blog post was created by Claude 3.7 Sonnet. Together with Lokka, I figured out all the supported operators by testing all examples against my demo tenant. Here’s a snippet from my adventures: With that out of the way, on with the show! Introduction Microsoft Entra ID’s dynamic groups provide… Read More »Unlocking the Power of employeeHireDate in Entra ID Dynamic Groups
Register Yubikeys on behalf of your users with YubiEnroll In an earlier post, I showed several ways to (bulk) provision Yubikeys (or keys from other vendors) in Microsoft Entra using the provisioning APIs. In this post, we look at another gem from Yubico, YubiEnroll. This (CLI) tool is designed to delegate enrollment of Yubikeys to administrators or helpdesk staff. The good part is that… Read More »Register Yubikeys on behalf of your users with Yub...
For good reasons, device code flow in Entra ID is getting a lot of attention. Attackers heavily use it to get access to Microsoft 365 accounts and data. Device code phishing is very effective, as phishing-resistant MFA, like passkeys, does not help here. The victim will simply hand over an access token to the attacker.… Read More »How to restrict Device Code Flow in Entra ID
For both modes, users who have previously registered a method that can be used for Microsoft Entra multifactor authentication need to perform multifactor authentication before they can access their security info. Users must confirm their information before continuing to use their previously registered methods. Desktop vs. Mobile app If you want to roll out passkeys… Read More »You shall not pass(key)!
Evilginx is known for capturing user cookies, even if they are secured by MFA methods like SMS, TOTP, push notifications or passwordless phone sign-in. In bootstrap and recovery scenarios, the account will most likely have a Temporary Access Pass enabled, so the user can enroll for strong authentication. I wanted to point out that Evilginx… Read More »Evilginx loves Temporary Access Passes too
As passkeys get more traction in Microsoft 365, more and more companies are looking to strengthen their identity posture by enrolling passkeys for their workforce. Most of the time, they start with IT pros/DevOps workers, but also cover their Information and Frontline Workers. Microsoft even has specific guidance for each persona: Considerations for specific personas in… Read More »Things you should know before rolling out device-bound passkeys in Microsoft Authenticator App
Microsoft Entra ID Protection and Microsoft Entra Conditional Access work well together. If your organization owns an Entra Premium P2 license, you likely have risk-based policies configured. Good. As a consultant, I have the privilege of lurking in many IT kitchens, and one mistake I often see is that Conditional Access policies are designed too… Read More »Conditional Access risk policies. Don’t get fooled!
Today’s post is about a new feature in Entra ID’s Identity Governance: Show suggested access packages in My Access. This feature provides users with a tailored list of suggested access packages. Instead of browsing through all available options, users can now quickly view the most relevant access packages based on their peers’ choices and their… Read More »Microsoft Entra ID Governance: Show suggested access packages in My Access
Update: Evilginx 3 is here! This post is based on Evilginx 2 and still works, as I forked the old repository to my personal GitHub and did some tweaks to make it work. I recently created a newer version of the phishlet that only works for Evilginx 3. Read all about it here: Running Evilginx… Read More »How to set up Evilginx to phish Office 365 credentials
In case you didn’t get the latest memo, Microsoft is tightening the security around the Azure and Microsoft 365 admin portals by enforcing multifactor authentication for all interactive sign-ins. In this post, I will try to answer all the questions about this change, as there seem to be a lot of questions on social media… Read More »All you need to know about the mandatory multifactor authentication for Azure and other administration portals
Bypassing Conditional Access is easy. That’s because most Conditional Access policies rely on Entra ID Security Groups. Since Entra ID is very “flat” by default, every admin with group management permissions can add or remove members of ANY group. That’s why we want to handle our include and exclude groups carefully. This idea does not… Read More »Prevent Conditional Access bypass with Restricted Management Administrative Units in Entra ID