Microsoft Authenticator Number Matching enabled by default at the end of February 2023

Upgrades to how your Microsoft Authenticator works to include number matching by default are coming at the end of February 2023. That is today’s #MicrosoftCloudQuickFix!

With so many alerts on our phones these days from text messages, email messages, stock price alerts, Amazon reorder messages, new Spotify release notifications, Elon’s Tweets, and LinkedIn post alerts from me, it’s easy to get fatigued and just hit whatever to dismiss the alert (except this one of course 😎) and move on.

The increasing adoption of strong authentication and use of multi-factor authentication on corporate and personal accounts has added to this fatigue and spawned a technique called ‘MFA spamming’. These attacks rely simply on the user’s alert fatigue: the attacker gains access when the user approves a notification without any context.

To combat this for users of Microsoft Authenticator, #Microsoft365 administrators can require users to enter a number displayed on the sign-in screen when approving an MFA request in the #Microsoft Authenticator app. This feature is critical to protecting against MFA spamming attacks.

Note: If you are using ADFS/NPS there may be some additional steps, so please consult the full documentation below.

Microsoft will begin enabling this security feature for all users of the #MicrosoftAuthenticator App starting at the end of February 2023. Feature rollout controls will also be removed, so it is recommended to begin testing and create training / change management documentation now.

For guidance on how to enable this security feature now and target users for testing and documentation, see this Microsoft Docs article: Enable number matching in the portal – Microsoft Entra

For more information please see:

#Microsoft #Microsoft365 #AzureAD #MultifactorAuthentication #MicrosoftAuthenticator #NumberMatching #MicrosoftCloudSecurity #MicrosoftCloudQuickFix

Upgrade to the latest version of Azure AD Connect before August 31, 2022

Today’s #MicrosoftCloudQuickFix is that Microsoft is retiring all V1.x versions of Azure Active Directory (Azure AD) Connect on August 31, 2022. To remain supported you must upgrade to the most recent version of Azure AD Connect V2!

Azure AD Connect was released several years ago. Since that time, several of the components that Azure AD Connect uses have been scheduled for deprecation and updated to newer versions. #Microsoft has bundled the newer components into a single release so you only have to update once. This release is Azure AD Connect V2.

If you continue with a retired version of Azure AD Connect after August 31, 2022, it might unexpectedly stop working, not have the latest security fixes, or lack performance improvements and service enhancements, and if you require support from #Microsoft you may be turned away!

Note: Azure AD Connect V2 requires Windows Server 2016 and above since it contains SQL Server 2019 components which are not supported on older versions of Windows Server.

Upgrading from V1.x is fully supported and for complete Azure AD Connect Upgrade V2 instructions see Azure AD Connect: Upgrade from a previous version – Microsoft Entra | Microsoft Docs

#Microsoft365 #AzureActiveDirectory #AzureADConnect #MicrosoftCloudQuickFix

Continuous access evaluation on by default!

You may have seen an email this week from #Microsoft advising that beginning on June 15th 2021 they will enable Continuous Access Evaluation on Premium Azure AD tenants by default. Your #MicrosoftCloudQuickFix today is that this is a GOOD thing and you will want this capability!

Continuous Access Evaluation will only be active in sessions between clients and services that support it, which for now are Exchange, Teams, and SharePoint Online. When it is enabled in your tenant, critical events, such as disabling users and resetting passwords, and critical policies like location policy, will take effect within minutes!

You can disable this feature before June 15th 2021 if you don’t want to use it, but the best example of why you want this enabled is:

When a user is terminated and their mailbox is in Exchange Online, they will still have access to their mailbox on their devices for some time afterwards, unless the Exchange Admin takes specific steps, because the access token on the device is still valid. Continuous Access Evaluation would notice that the user has been disabled and nearly synchronously disable the access by rejecting the token even though it is still valid.

More information on Continuous Access Evaluation can be found on #Microsoft Docs.
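
The terminated-user scenario above, as a simplified model in Python. This is an added example, not Microsoft's implementation or code from the original post; the class and function names, the one-hour token lifetime and all timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AccessToken:
    user: str
    issued_at: datetime
    expires_at: datetime


class ResourceService:
    """Hypothetical stand-in for a service such as Exchange Online."""

    def __init__(self, cae_enabled: bool):
        self.cae_enabled = cae_enabled
        self.critical_events = {}  # user -> time of latest critical event

    def notify_critical_event(self, user: str, when: datetime) -> None:
        # The identity provider signals "user disabled" or "password reset".
        # A service without CAE never learns about it.
        if self.cae_enabled:
            latest = self.critical_events.get(user)
            self.critical_events[user] = max(latest, when) if latest else when

    def authorize(self, token: AccessToken, now: datetime) -> str:
        if now >= token.expires_at:
            return "rejected: token expired"
        event = self.critical_events.get(token.user)
        if event is not None and token.issued_at <= event:
            # Token predates the critical event: refuse it although unexpired.
            return "rejected: critical event after issuance, reauthenticate"
        return "accepted"


def terminated_user_demo() -> dict:
    t0 = datetime(2021, 6, 15, 9, 0, tzinfo=timezone.utc)  # constructed time
    token = AccessToken("terminated.user", t0, t0 + timedelta(hours=1))
    disabled_at = t0 + timedelta(minutes=10)   # admin disables the account
    access_at = t0 + timedelta(minutes=15)     # device syncs the mailbox
    results = {}
    for label, cae in (("without_cae", False), ("with_cae", True)):
        service = ResourceService(cae_enabled=cae)
        service.notify_critical_event(token.user, disabled_at)
        results[label] = service.authorize(token, access_at)
    results["after_expiry"] = service.authorize(token, t0 + timedelta(hours=2))
    return results


if __name__ == "__main__":
    for case, outcome in terminated_user_demo().items():
        print(f"{case}: {outcome}")
```

Without the event check, the disabled user's token keeps working until it expires; with it, the first request after the account is disabled is refused.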