Phishing Resistant MFA for New Users in Microsoft 365

8,501 views

Jonathan Edwards

1 day ago

Comments: 42
@DilipBalsaraf 1 day ago
I feel you should have shown a few more things. How does Minnie re-login next time she reboots or logs off? How she would experience Phish resistant MFA in action during the next login process would have been lovely to see. Also, if she forgets her PIN and never set up facial recognition, or if her phone is lost, how would she get in, etc.?
@bearded365guy 1 day ago
@DilipBalsaraf the next login to the PC will be Windows Hello for Business, so either PIN or Biometrics. The next login to her web apps would be passkey.
@DilipBalsaraf 1 day ago
@bearded365guy gotcha, thanks! I presume the web apps will just send a push to her MS authenticator? Since this is not a yubikey, I presume MS authenticator will ensure that the URL the user is logging into is correct. Thus making it phishing resistant. I think this bit would have been good to demo. It would give people the whole picture about how phishing resistant MFA works. Love your videos! Cheers!
@stormlight1553 1 day ago
@DilipBalsaraf no push. The web apps will show a QR code you have to scan with your camera.
@DilipBalsaraf 1 day ago
@stormlight1553 Ah, thanks, that's good to know! Appreciate the help!
@ojurongbelanre 10 hours ago
@bearded365guy awesome 👌
@andrewlachica8672 9 hours ago
I tested this and although it works with M365, it does have a compatibility issue with Entra ID Registered Apps (3rd party) with those apps only supporting SSO and MFA. It is good if all industries support this method.
@bearded365guy 8 hours ago
Yes, fair point. Which apps in particular did you have problems with?
@regferreira5863 1 day ago
Good explanation of the different elements; however, the portion regarding conditional access policies requires a note that Microsoft Entra ID P1 or P2 licensing is required.
@RobFahndrich1 6 hours ago
Great video. Dumb question, will this still work if our organization still uses on premise Windows AD that is synced to Azure? We are unable to retire Windows AD at this time. Thoughts? Thanks again for great videos.
@robertneal1973 5 hours ago
Yep, same question. We also don't generally tell people to login with their email address, instead using the samaccountname convention. I guess that's just a training/behavioral solution, but I too wonder if this will work if they're logging into on-prem "first."
@ojurongbelanre 13 hours ago
Brilliant as always!!! 😎 Well done Mr Edwards!!!
@dj_paultuk7052 1 day ago
Excellent video, thank you. We have been thinking about implementing this for some time now, your video definitely makes it clearer.
@Timmy-Hi5 1 hour ago
...That is all great :) BUT what is OOBE if we already set Win device (HP Lap) delivered to end-user based in France (head office UK ) > We then use the steps from your vid > What would be the end-user experience ;)😁🤩😁
@tony6626 1 day ago
Great video Jon, thanks. Have you run through cert based authentication? Would be great to see that in action in future.
@bearded365guy 1 day ago
@tony6626 I’ll do something on it soon!
@aranbillen5954 1 day ago
Great video! I have a few questions: Is there a way to bulk-create temporary access keys and assign them to users, especially when there are many new starters? Can these be created for existing staff and students as well? Additionally, if users don’t have mobile devices or are unwilling to use personal or company phones, and if FIDO keys aren’t an option, could Windows Hello serve as an alternative to the authenticator for user authentication?
@solarpunk_ 1 day ago
Looking strong on this video thumbnail Jonathan. (Tim)
@SonnyTheITguy 1 day ago
Awesome video 💯 🔥 Enhanced security 🔒
@andrewenglish3810 1 day ago
@bearded365guy The MFA Legacy Migration and Windows Hello videos you mention. You should add a link in the video to those videos at the point when you mention them, this way people don't have to go searching through your massive collection! :) I already migrated from Legacy MFA ages ago, and now need to watch your Windows Hello video which I am looking forward to!
@bearded365guy 1 day ago
@andrewenglish3810 Guess what? I published this video in the wrong order 😩 - so next week I talk about Legacy MFA in that video, sorry about that.
@bearded365guy 1 day ago
@andrewenglish3810 Windows Hello - kzbin.info/www/bejne/d2nJknuFYsehY5Isi=T2oFesFzG34mknJ7
@gbb8873 7 hours ago
What is your opinion about windows hello PIN? I think it's a weak point and can't be disabled. Password + fingerprint should work alone.
@patrick__007 10 hours ago
Thanks for sharing! One thing; When I try the same steps on an Android it prompts me to download the Microsoft Intune portal? And I should use Microsoft Edge to follow the steps.
@extremepcs2807 1 day ago
What about legacy hybrid orgs that have on-premise active directory and desktops with no biometric readers? Are Yubikeys the only option for signing in to the desktops?
@maximusthor2390 1 day ago
Thanks, but this doesn't work for MacOS users? Have you a solution for them as well?
@bearded365guy 1 day ago
@maximusthor2390 Yes, use this for Macs - kzbin.info/www/bejne/mKbRn5Wmib-tl7csi=LIVAR7naG38kcqvl
@TheStevenWhiting 1 day ago
We've disabled Windows Hello as it's so insecure. This whole setup is pretty pointless if you need to use SSO with other sites. Those sites WILL need a password first.
@bearded365guy 20 hours ago
@TheStevenWhiting Why do you think that Windows Hello isn’t secure?
@MultiHotmax 16 hours ago
We are hybrid; I'm assuming that doesn't work for us. Is that right?
@ggoben 1 day ago
This isn’t for hybrid tenant setups, right? If you sync users from an on-prem AD this wouldn’t work, right? Password is still needed for all on-prem resources etc., so I’m thinking it would confuse users to have 2 different types of logins even if it was set up.
@TiNmyJ 1 day ago
I guess you could have an on-prem login password (really long one) set that never expires and then use a temp password + Windows Hello.
@DruDubay 22 hours ago
This is the way
@andywright3107 1 day ago
Am I the only one that thinks PINs are a really bad idea? I get that they're tied to a machine, but someone looking over a user's shoulder can watch them enter the PIN (which will often be shorter than an old-style password), steal the laptop, and log in. All the apps - Word, Outlook, OneDrive, Teams, Edge etc. will SSO in to 365 and they've got all your data! Yes, passwords are really bad, but I think PINs can be even worse and that neither should be used. I've just set up a tenant using only Hardware keys for Windows login; Temporary Password is used for setting the key up. PIN setup is disabled on new PCs' first-run, and they use the key (and its PIN) to log in. Same for adding email to iPhones - key only. (Yes, they have spare keys!)
@bearded365guy 1 day ago
@andywright3107 I don’t mind PINs, but prefer biometrics with Windows Hello.
@HanSDevX 1 day ago
I am of the same opinion. Someone who knows what year their mom or first child was born can just log into it.
@ggates5859 1 day ago
On the surface, PINs seem weak. Of course, they can be shoulder surfed. But think about it: Banks allow 4 character numeric plus a card to secure their customers' accounts.
@bearded365guy 1 day ago
@andywright3107 Remember, the PIN is tied to that device - so the attacker would need both the device and the PIN. The PIN is not synced in any way to 365.
@davk 1 day ago
There is no point in learning that. Microsoft will change that soon, as they always do.
@HanSDevX 1 day ago
Very nice, but seems like a lot of steps for a monkey (user) to follow.