Thursday, June 5, 2025

Restricting the devices for passkeys or FIDO2

In this tenant, I have a YubiKey and a Microsoft Authenticator passkey registered. The FIDO2 authentication policy by default allows all types; in this post I tested limiting those devices.

https://winsa2.blogspot.com/p/restricting-passkeysfido2-devices.html

More info on FIDO2 attestation

https://winsa2.blogspot.com/p/dig-little-deeper-onto-passkeyfido.html

Wednesday, June 4, 2025

Taking stock of the different user authentication methods in your tenant

As with the start of any project or task, it helps to establish a baseline of where you are before you proceed; it also lets you measure your progress later. With the ever-increasing need to protect your users' identities, this simple script retrieves every Entra ID user together with the authentication methods they have registered.

It runs at a pace of about 2 accounts per second, so if your tenant has many accounts you can either filter the user list first or simply wait it out.

Below is a sample output:

#microsoft.graph.emailAuthenticationMethod: 21
#microsoft.graph.fido2AuthenticationMethod: 4
#microsoft.graph.microsoftAuthenticatorAuthenticationMethod: 50
#microsoft.graph.passwordAuthenticationMethod: 657
#microsoft.graph.phoneAuthenticationMethod: 83
#microsoft.graph.softwareOathAuthenticationMethod: 1
#microsoft.graph.temporaryAccessPassAuthenticationMethod: 1
#microsoft.graph.windowsHelloForBusinessAuthenticationMethod: 5
Authentication methods saved to authentication-methods.csv

Link here: https://github.com/panoy86/sysadmin/blob/main/graphAPI/get-mfa.ps1

Aside from the console output, it saves the results to a CSV file, with each user's authentication methods joined into a comma-separated string.
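As an added illustration, not the linked get-mfa.ps1, the following PowerShell produces the same kind of inventory with the Microsoft Graph PowerShell SDK and goes one step further by flagging accounts that have nothing but a password registered. It assumes the Microsoft.Graph module is installed and that the signed-in admin can consent to the two read-only scopes.

```powershell
# Added example, not the author's get-mfa.ps1. Requires the Microsoft.Graph
# PowerShell SDK; both requested scopes are read-only.
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Pull every user. On a large tenant, add -Filter (e.g. "accountEnabled eq true")
# to narrow the set instead of waiting out the per-user calls.
$users = Get-MgUser -All -Property Id, UserPrincipalName

$tally = @{}    # @odata.type -> number of registrations, as in the sample output
$rows  = foreach ($u in $users) {
    # One Graph call per user; this is the slow part (roughly 2 accounts/second).
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $types = foreach ($m in $methods) {
        $t = $m.AdditionalProperties['@odata.type']
        if ($tally.ContainsKey($t)) { $tally[$t]++ } else { $tally[$t] = 1 }
        $t
    }
    # Beyond the original script: anything other than the password method counts
    # as a second factor, so an empty remainder means none is registered.
    $secondFactors = @($types | Where-Object {
        $_ -ne '#microsoft.graph.passwordAuthenticationMethod' })
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        AuthMethods       = ($types -join ',')
        NoSecondFactor    = ($secondFactors.Count -eq 0)
    }
}

# Console summary: one line per method type, sorted by type name
$tally.GetEnumerator() | Sort-Object Key | ForEach-Object { "$($_.Key): $($_.Value)" }

$rows | Export-Csv -Path 'authentication-methods.csv' -NoTypeInformation
"Authentication methods saved to authentication-methods.csv"
"Users with no second factor registered: $(@($rows | Where-Object NoSecondFactor).Count)"
```

The NoSecondFactor column is the list to act on first: those accounts are exactly the ones a phishing-resistant MFA rollout or a Temporary Access Pass onboarding needs to reach.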

Notes on implementing PIM and JIT

Simple steps to implement Privileged Identity Management and Just In Time roles

https://winsa2.blogspot.com/p/simple-pim-implementation.html

Testing the Temporary Access Pass

Tested a scenario where a new user account is created, and a passkey/FIDO2 was created directly without ever using the account's password.

https://winsa2.blogspot.com/p/testing-out-temporary-access-pass-tap.html

Tuesday, June 3, 2025

Please use CAP for your service principals

I am guilty of it too; most M365 admins, after they have switched employers, do keep their PowerShell scripts for typical re-use. For instance, a script to expand an Exchange Distribution List (which can contain hundreds of child DLs) is handy for any organization. Unfortunately, some of them may contain credentials of service principals.

https://winsa2.blogspot.com/p/cap-for-security-principals.html

Cloud authentication in Entra ID

My thoughts on moving from federated identity to Entra ID

https://winsa2.blogspot.com/p/cloud-user-authentication-in-entra-id.html

Setting up a phishing-resistant MFA in Entra ID

https://winsa2.blogspot.com/p/setting-up-phishing-resistant-mfa-in.html