An Azure MFA Management Agent for User MFA Reporting using Microsoft Identity Manager

Microsoft, as part of the uplift in Authentication Methods capability, have extended the Graph API to contain user Azure MFA information. My customers have been requesting MFA user reporting data for some time. How many users are registered for Azure MFA? What methods, and how many, are they registered with? The new Graph API functions provide this information, and we no longer have to use the legacy MSOLUser PowerShell cmdlet to obtain the strongAuthenticationMethods information. The new APIs provide:

Azure MFA User Reporting Management Agent

With this new functionality exposed, I’ve built an Azure MFA Management Agent for Microsoft Identity Manager to consume information from the credentialRegistrationDetails API, which can then be used in identity workflows to trigger notifications to users that don’t have enough registered methods (e.g.…

Azure AD/Active Directory User Security Evaluation Reporter

During December 2018 – February 2019, Microsoft ran an online Microsoft Graph Security Hackathon on Devpost.

The criterion for the hackathon was:

  • Build or update a functioning Microsoft Graph-powered solution that leverages the Microsoft Graph Security API

Following the announcement of the hackathon, I was encouraged by Kloud management to enter. During the busy month of December I started to formulate a concept for entry in the hackathon, taking learnings from the hackathon I entered in 2018.…

Enrolling and using both Microsoft Authenticator and a YubiKey Physical Token with Azure MFA

Microsoft have just announced the Public Preview for hardware OATH tokens such as the Yubico YubiKey with Azure MFA. In this very long and graphic-heavy post I show the end-to-end setup and use of a YubiKey physical token from Yubico as a Multi-Factor Authentication (MFA) second-factor authentication method for Azure AD/Office 365.

Specifically, I detail:

  • the user experience using a YubiKey Hardware Token with Azure MFA
  • the administrator configuration process for admin enabled YubiKey physical tokens for use with Azure MFA
  • a user enrolling a YubiKey physical token as an additional method for use with Azure MFA
  • switching second-factor authentication methods when authenticating to Azure AD / Office 365

For the process I show here:

  • the Admin account I’m using to do the configuration is a Global Admin
  • the user I’m enabling the token for
    • is assigned an Enterprise Mobility + Security E3 license
    • is enabled for MFA
    • was enrolled in MFA using the Microsoft Authenticator App.

Windows 10 Domain Join + AAD and MFA Trusted IPs

Background

Those who have rolled out Azure MFA (in the cloud) to non-administrative users are probably well aware of the nifty Trusted IPs feature. For those who are new to it, the short version is that this capability is designed to ease the end-user experience by allowing you to define a set of ‘trusted locations’ (e.g. your corporate network) from which MFA is not required.
This capability works via two methods:

  • Defining a set of ‘trusted’ IP addresses.

MfaSettings.xml updates not taking effect

First published at https://nivleshc.wordpress.com
Last week, I was at a client site, extending their Microsoft Identity Manager (MIM) 2016 Self Service Password Reset solution so that it could use Azure Multi-Factor Authentication (MFA). This is an elegant solution since, instead of using questions and answers to authenticate yourself when trying to reset your password, you can use One Time Passwords (OTP), sent as a security code via a text message to your registered mobile device.
I followed the steps as outlined in https://github.com/Microsoft/MIMDocs/blob/master/MIMDocs/DeployUse/working-with-self-service-password-reset.md to enable Azure MFA, and everything went smoothly.…