No, your NHIs can’t use passwords either! For human identities, going passwordless is becoming pretty standard these days. It looks like passkeys are getting some good traction, and more and more organisations are moving towards passwordless solutions for their workforce. But with the rise of NHI (non-human identities), it’s time to fight the battle of passwords in this corner of the field.… Read More »No, your NHIs can’t use passwords either...| JanBakker.tech
For both modes, users who have previously registered a method that can be used for Microsoft Entra multifactor authentication need to perform multifactor authentication before they can access their security info. Users must confirm their information before continuing to use their previously registered methods. Desktop vs. Mobile app If you want to roll out passkeys… Read More »You shall not pass(key)! (updated)
The (long) title pretty much reveals the purpose of this blog post. This one was on my to-do list for a while now, and now that the combined registration portal is Generally Available, the time was right. In my previous MFA-related blogs, I always encouraged my readers to turn on the combined registration portal, even when… Read More »What admins should know about the combined registration portal for Azure MFA and Self Service Password Reset
This blog post needs a brief introduction. Bear with me. Five years ago, I spent a significant amount of time creating a blog post about the Combined Registration Wizard in Entra ID. It took many hours to capture the screenshots, as every change in the settings took 20 minutes to take effect. However, I’m glad… Read More »Security Info Registration. Entra ID’s rabbit hole.
Microsoft Entra ID Governance Entitlement Management supports various static and dynamic approvers for access packages, such as users, groups, managers, and second-level managers. The approver configurations are all stored in the assignment policy of the Access Package, and already provide great flexibility. But what if you require even more flexibility and need to connect with… Read More »Dynamic approval in Entra ID access packages using custom extensions
Managing PIM-enabled groups with Entra ID Governance Access Packages just got better! Just a quick heads-up for those working a lot with Entra ID Governance: Access Packages now support eligible membership and ownership of PIM-enabled groups. This might sound a bit confusing, as many moving parts and features are involved. Let me explain the new improvement. PIM for Groups is excellent for just-in-time ownership or membership for… Read More »Manag...
Poor man’s IGA: Monitor and clean up stale guest accounts Today’s challenge Today, we are dealing with inactive or stale guest users in a tenant. Entra ID Governance has several ways to solve this, but if you had those licenses, you wouldn’t be here. For today’s challenge, I built two Dynamic Groups and two Logic Apps. Process 1 The first process involves a Dynamic Group… Read More »Poor man’s IGA: Monitor and clean up stale guest account...
This is a knowledge base item. Hope it will help you someday. Issue When you register a new passkey to Entra ID or Microsoft 365, an error is thrown: We detected that this particular key type has been blocked by your organization. Contact your administrator for more details and try registering a different type of… Read More »KB – We detected that this particular key type has been blocked by your organization
Poor man’s IGA: Generate Temporary Access Pass for joiners Today’s challenge Today, we look at a joiner scenario, where you want to trigger a time-based workflow to send a Temporary Access Pass 7 days before the employee’s start date. This is a built-in capability of Entra ID Lifecycle Workflows, and you have a lot of options to configure: In this blog post, I will try… Read More »Poor man’s IGA: Generate Temporary Access Pass for joiners T...
Today’s challenge Today, we look at Microsoft Entra ID Lifecycle Workflows. Microsoft has recently introduced a new task that revokes a user’s refresh token. Consider scenarios where the account is disabled and you also want to revoke all tokens, so the resources can no longer be accessed, or in cases where you need to terminate… Read More »Poor man’s IGA: Revoke all refresh tokens for user
Disclaimer: The main structure of this blog post is created by Claude 3.7 Sonnet. Together with Lokka, I figured out all the supported operators by testing all examples against my demo tenant. Here’s a snippet from my adventures: With that out of the way, on with the show! Introduction Microsoft Entra ID’s dynamic groups provide… Read More »Unlocking the Power of employeeHireDate in Entra ID Dynamic Groups
For both modes, users who have previously registered a method that can be used for Microsoft Entra multifactor authentication need to perform multifactor authentication before they can access their security info. Users must confirm their information before continuing to use their previously registered methods. Desktop vs. Mobile app If you want to roll out passkeys… Read More »You shall not pass(key)!
Evilginx is known for capturing user cookies, even if they are secured by MFA methods like SMS, TOTP, push notifications or passwordless phone sign-in. In bootstrap and recovery scenarios, the account will most likely have a Temporary Access Pass enabled, so the user can enroll for strong authentication. I wanted to point out that Evilginx… Read More »Evilginx loves Temporary Access Passes too
As passkeys get more traction in Microsoft 365, more and more companies are looking to strengthen their identity posture by enrolling passkeys for their workforce. Most of the time, starting with IT pros/DevOps workers, but also for their Information and Frontline Workers. Microsoft even has specific guidance for each persona: Considerations for specific personas in… Read More »Things you should know before rolling out device-bound passkeys in Microsoft Authenticator App
Microsoft Entra ID Protection and Microsoft Entra Conditional Access work well together. If your organization owns an Entra Premium P2 license, you likely have risk-based policies configured. Good. As a consultant, I have the privilege of lurking in many IT kitchens, and one mistake I often see is that Conditional Access policies are designed too… Read More »Conditional Access risk policies. Don’t get fooled!
Today’s post is about a new feature in Entra ID’s Identity Governance: Show suggested access packages in My Access. This feature provides users with a tailored list of suggested access packages. Instead of browsing through all available options, users can now quickly view the most relevant access packages based on their peers’ choices and their… Read More »Microsoft Entra ID Governance: Show suggested access packages in My Access
Update: Evilginx 3 is here! This post is based on Evilginx 2 and still works, as I forked the old repository to my personal GitHub, and did some tweaks to make it work. I recently created a newer version of the phishlet that only works for Evilginx 3. Read all about it here: Running Evilginx… Read More »How to set up Evilginx to phish Office 365 credentials
In case you didn’t get the latest memo, Microsoft is tightening the security around the Azure and Microsoft 365 admin portals by enforcing multifactor authentication for all interactive sign-ins. In this post, I will try to answer all the questions about this change, as there seem to be a lot of questions on social media… Read More »All you need to know about the mandatory multifactor authentication for Azure and other administration portals
Bypassing Conditional Access is easy. That’s because most Conditional Access policies rely on Entra ID Security Groups. Since Entra ID is very “flat” by default, every admin with group management permissions can add or remove members of ANY group. That’s why we want to handle our include and exclude groups carefully. This idea does not… Read More »Prevent Conditional Access bypass with Restricted Management Administrative Units in Entra ID