I feel you should have shown a few more things. How does Minnie re-login the next time she reboots or logs off? How she would experience phishing-resistant MFA in action during the next login process would have been lovely to see. Also, if she forgets her PIN and never set up facial recognition, or if her phone is lost, how would she get in, etc.
@bearded365guy, a day ago
@DilipBalsaraf the next login to the PC will be Windows Hello for Business, so either PIN or biometrics. The next login to her web apps would be passkey.
@DilipBalsaraf, a day ago
@bearded365guy gotcha, thanks! I presume the web apps will just send a push to her MS Authenticator? Since this is not a YubiKey, I presume MS Authenticator will ensure that the URL the user is logging into is correct, thus making it phishing resistant. I think this bit would have been good to demo. It would give people the whole picture about how phishing-resistant MFA works. Love your videos! Cheers!
@stormlight1553, a day ago
@DilipBalsaraf no push. The web apps will show a QR code you have to scan with your camera.
@DilipBalsaraf, a day ago
@stormlight1553 Ah, thanks, that's good to know! Appreciate the help!
@ojurongbelanre, 10 hours ago
@bearded365guy awesome 👌
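As an added illustration of the exchange above about the authenticator checking the URL (example code written for this page, not code from the video or from Microsoft): a minimal WebAuthn-style passkey flow in Go with an assumed relying party "login.example". The device-bound private key signs the site's challenge together with the origin the client actually saw, so a lookalike domain cannot obtain a usable assertion and nothing replayable is ever typed or sent.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"strings"
)

// clientData mirrors WebAuthn clientDataJSON; the client, not the user, fills in Origin.
type clientData struct{ Type, Challenge, Origin string }

// Passkey is a device-bound credential: the private key never leaves the device.
type Passkey struct {
	rpID string // relying-party ID fixed at registration (assumed example: "login.example")
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // the only part the relying party ever stores
}

// NewPasskey creates the credential on the device (rand.Reader does not fail in practice).
func NewPasskey(rpID string) *Passkey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Passkey{rpID: rpID, priv: priv, Pub: pub}
}

// signedMessage is SHA-256(rpID) || SHA-256(clientDataJSON), as in a WebAuthn assertion.
func signedMessage(rpID string, cdJSON []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	return append(rp[:], cd[:]...)
}

// Assert signs the challenge shown by the page at origin. The client refuses any origin that is
// not the registered rpID (simplified to an exact host match): that URL check is the phishing resistance.
func (p *Passkey) Assert(origin, challenge string) (cdJSON, sig []byte, err error) {
	if strings.TrimPrefix(origin, "https://") != p.rpID {
		return nil, nil, errors.New("origin " + origin + " is not registered for " + p.rpID)
	}
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	return cdJSON, ed25519.Sign(p.priv, signedMessage(p.rpID, cdJSON)), nil
}

// Verify is the relying party's side: its own origin and its own challenge must be what was signed.
func Verify(pub ed25519.PublicKey, rpID, expectedOrigin, challenge string, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != expectedOrigin {
		return false
	}
	return ed25519.Verify(pub, signedMessage(rpID, cdJSON), sig)
}
```

A real browser also accepts registrable parent domains of the rpID and the relying party tracks a signature counter; both are omitted here to keep the origin check visible.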
@andrewlachica8672, 9 hours ago
I tested this, and although it works with M365, it does have compatibility issues with Entra ID registered apps (third-party) where those apps only support SSO and MFA. It is good if all industries support this method.
@bearded365guy, 8 hours ago
Yes, fair point. Which apps in particular did you have problems with?
@regferreira5863, a day ago
Good explanation of the different elements; however, the portion regarding Conditional Access policies requires a note that Microsoft Entra ID P1 or P2 licensing is required.
@RobFahndrich, 16 hours ago
Great video. Dumb question: will this still work if our organization still uses on-premises Windows AD that is synced to Azure? We are unable to retire Windows AD at this time. Thoughts? Thanks again for great videos.
@robertneal1973, 5 hours ago
Yep, same question. We also don't generally tell people to log in with their email address, instead using the sAMAccountName convention. I guess that's just a training/behavioral solution, but I too wonder if this will work if they're logging into on-prem "first."
@ojurongbelanre, 13 hours ago
Brilliant as always!!! 😎 Well done, Mr Edwards!!!
@dj_paultuk7052, a day ago
Excellent video, thank you. We have been thinking about implementing this for some time now; your video definitely makes it clearer.
@Timmy-Hi5, an hour ago
...That is all great :) BUT what is the OOBE if we already set up a Windows device (HP laptop) delivered to an end user based in France (head office UK) > We then use the steps from your vid > What would be the end-user experience? ;)😁🤩😁
@tony6626, a day ago
Great video, Jon, thanks. Have you run through certificate-based authentication? Would be great to see that in action in future.
@bearded365guy, a day ago
@tony6626 I'll do something on it soon!
@aranbillen5954, a day ago
Great video! I have a few questions: Is there a way to bulk-create temporary access keys and assign them to users, especially when there are many new starters? Can these be created for existing staff and students as well? Additionally, if users don’t have mobile devices or are unwilling to use personal or company phones, and if FIDO keys aren’t an option, could Windows Hello serve as an alternative to the authenticator for user authentication?
@solarpunk_, a day ago
Looking strong on this video thumbnail, Jonathan. (Tim)
@SonnyTheITguy, a day ago
Awesome video 💯 🔥 Enhanced security 🔒
@andrewenglish3810, a day ago
@bearded365guy The MFA Legacy Migration and Windows Hello videos you mention: you should add a link in the video to those videos at the point when you mention them; this way people don't have to go searching through your massive collection! :) I already migrated from Legacy MFA ages ago, and now need to watch your Windows Hello video, which I am looking forward to!
@bearded365guy, a day ago
@andrewenglish3810 Guess what? I published this video in the wrong order 😩 - so next week I talk about Legacy MFA in that video, sorry about that.
@bearded365guy, a day ago
@andrewenglish3810 Windows Hello - kzbin.info/www/bejne/d2nJknuFYsehY5Isi=T2oFesFzG34mknJ7
@gbb8873, 7 hours ago
What is your opinion about the Windows Hello PIN? I think it's a weak point and can't be disabled. Password + fingerprint should work alone.
@patrick__007, 10 hours ago
Thanks for sharing! One thing: when I try the same steps on an Android, it prompts me to download the Microsoft Intune portal? And I should use Microsoft Edge to follow the steps.
@extremepcs2807, a day ago
What about legacy hybrid orgs that have on-premises Active Directory and desktops with no biometric readers? Are YubiKeys the only option for signing in to the desktops?
@maximusthor2390, a day ago
Thanks, but this doesn't work for macOS users? Do you have a solution for them as well?
@bearded365guy, a day ago
@maximusthor2390 Yes, use this for Macs - kzbin.info/www/bejne/mKbRn5Wmib-tl7csi=LIVAR7naG38kcqvl
@TheStevenWhiting, a day ago
We've disabled Windows Hello as it's so insecure. This whole setup is pretty pointless if you need to use SSO with other sites. Those sites WILL need a password first.
@bearded365guy, 20 hours ago
@TheStevenWhiting Why do you think that Windows Hello isn't secure?
@MultiHotmax, 16 hours ago
We are hybrid; I'm assuming that doesn't work for us. Is that right?
@ggoben, a day ago
This isn't for hybrid tenant setups, right? If you sync users from an on-prem AD this wouldn't work, right? Password is still needed for all on-prem resources etc., so I'm thinking it would confuse users to have 2 different types of logins even if it was set up.
@TiNmyJ, a day ago
I guess you could have an on-prem login password (a really long one) set that never expires and then use a temp password + Windows Hello.
@DruDubay, 22 hours ago
This is the way
@andywright3107, a day ago
Am I the only one that thinks PINs are a really bad idea? I get that they're tied to a machine, but someone looking over a user's shoulder can watch them enter the PIN (which will often be shorter than an old-style password), steal the laptop, and log in. All the apps - Word, Outlook, OneDrive, Teams, Edge etc. - will SSO in to 365 and they've got all your data! Yes, passwords are really bad, but I think PINs can be even worse and that neither should be used. I've just set up a tenant using only hardware keys for Windows login; Temporary Access Pass is used for setting the key up. PIN setup is disabled on new PCs' first run, and they use the key (and its PIN) to log in. Same for adding email to iPhones - key only. (Yes, they have spare keys!)
@bearded365guy, a day ago
@andywright3107 I don't mind PINs, but prefer biometrics with Windows Hello.
@HanSDevX, a day ago
I am of the same opinion. Someone who knows what year their mom or first child was born can just log into it.
@ggates5859, a day ago
On the surface, PINs seem weak. Of course, they can be shoulder surfed. But think about it: banks allow a 4-character numeric PIN plus a card to secure their customers' accounts.
@bearded365guy, a day ago
@andywright3107 Remember, the PIN is tied to that device - so the attacker would need both the device and the PIN. The PIN is not synced in any way to 365.
@davk, a day ago
There is no point in learning that. Microsoft will change that soon, as they always do.
@HanSDevX, a day ago
Very nice, but seems like a lot of steps for a monkey (user) to follow.