M365 Passwordless MFA at Windows Login with Windows Hello for Business

  7,325 views

Xerillion

1 day ago

Comments: 36
@ajmaddox1540 19 days ago
First, great video, very comprehensive, understandable, and relatable. Bravo, sir. Now, Copilot for Security 20:16 - small and medium sized businesses might find that challenging, since you have to purchase at least one SCU (security compute unit) every hour of every day, and they're $4 last I checked, so the quick math on that is $4 x 24 hours x 365 days = $35,040 / year minimum spend. Dunno about the rest of ya, but my small and medium business customers are struggling with that number, since they're already paying for Business Premium, Security E5, and other Microsoft licensing.
@Xerillion 19 days ago
Thanks @ajmaddox1540! 100% agree about Copilot for Security. The video previous to this one was exactly raising the same cost concern about it. It's a great value for large IT departments, but in the world Xerillion operates, 30-200 dedicated computer users in a company, we'll have to wait for Microsoft to come out with a version suitable for a $25/user/month M365 Business Premium license...I'd say, or maybe $2,000/year. Another idea I have been thinking to play with is to create daily security data dumps from Microsoft Defender XDR and "chat" with the dump through a standard $360/year M365 Copilot license. It will be a while before I can play with that concept.
@TechTails 25 days ago
Kinda wild I read all the intense documentation on PRT and WHFB authentication pathflow and you explained it really well.
@RobFahndrich1 4 months ago
I am so glad you put this video out. I have missed your content! Great video!
@c016smith52 4 months ago
Excellent video, I hope all the IT Pros see this (and take your advice)! Thanks
@ggates5859 3 months ago
I know Mr. Chapin is selling his MSP services in all his videos, but these videos are so much more than that. Each one of his videos-and I've watched several-is a mini masterclass in MS technologies. IMHO, he's in the same echelon as Johan Arwidmark or John Savill. He's that good.
@Xerillion 3 months ago
Wow, @ggates5859, thank you so much for those words. I really mean it. You made my day!
@row3nMUSIC 3 months ago
Hi Wayne, I've been thinking about this a lot within my own mind. This video has confirmed all my thoughts. Brilliant video (+like)
@lillilblurkin 1 month ago
Would love to use this, but when we tested it, we found issues in the medical field. A lot of times multiple users use the same computer, meaning they go room to room and sign in on multiple computers. Then the next user comes in and it's locked to the first, where Duo allows you to send a push to any user who is enrolled. How would we work around this issue?
@aa-hj2fd 4 months ago
Always sounds good, but because no one knows that they have been compromised until they discover they have been compromised.
@mikevalencia5977 3 months ago
Excellent explanation and video
@ibenidze 4 months ago
I have a feeling that some important aspects were left out intentionally or unintentionally. What happens when you change a computer or forgot a computer at home and want to use your coworkers computer? Does windows hello work out of the box or you need a password that you don’t know?
@Xerillion 4 months ago
When you change a computer you'd enroll that computer under your Entra ID account in Windows Hello for Business and create a new passkey for that device. If you want to provide support for users that forgot their computers at home, then you'd have a spare that you can let them log into with their password, or login to a co-worker's company computer. Passwords will still always work. Enrolling a computer in Windows Hello for Business is not mandatory. If they forgot their password, you'd have self-service password reset (SSPR) configured in Entra ID. Or, you can allow them to chew up your time with a tedious manual admin password reset. Windows Hello for Business is part of Entra ID and does not work out of the box and it needs to be configured. And, an IT manager has to be open to learn new modern security skills. This requires taking training courses, practicing on a demo M365 tenant to get hands-on experience outside of your production tenant, and ideally certifying on this technology. By doing this, an IT manager will learn how these systems are meant to be configured and how to make them work smoothly and securely. Is the process of re-skilling easy? No. Is it rewarding? For sure. It's also more interesting IT work. There will always be these "what if this or that" scenarios that come up. Once you know the tech well, the answers will come to you quickly and confidently. If you don't have the opportunity to reskill, then find a Microsoft cloud partner. It doesn't have to be Xerillion, but find one that can help you get ramped up quickly.
@dj_paultuk7052 4 months ago
Windows Hello on the local client is in effect using "cached credentials"? We had to disable it within our Azure hybrid estate as it was causing so many issues with access to mapped network drives, since cached login info was being used. If the user opted to use a password at login there was no issue. So we disabled it for now. Any other sysadmins seen the same type of problem?
@lefrinj 2 months ago
We also had to disable it in hybrid, yes, we've been moving away from hybrid AD to just Entra/AAD devices but the remaining hybrid ones are in an exclusion group to turn off Hello PIN, from memory for the same reason you describe.
@dexter56nl 2 months ago
That's because Windows Hello authentication is by default not accepted by your AD environment. You will have to implement Key Trust, Certificate Trust, or, way easier, Kerberos Cloud Trust to authenticate to On-Premises resources using Windows Hello
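For the hybrid case discussed in this thread, the question an admin wants answered on a given client is whether the Hello sign-in produced an on-premises Kerberos TGT next to the Entra PRT, because that TGT is what mapped drives and other on-prem resources consume. The following PowerShell is an added example, not code from the video or from any commenter: it parses the SSO State section of `dsregcmd /status`, reads the policy value the "Use cloud trust for on-premises authentication" setting writes (that registry location is an assumption), and gives a plain diagnosis. The `Set-AzureADKerberosServer` / `Get-AzureADKerberosServer` lines are the documented one-time cloud Kerberos trust setup from the AzureADHybridAuthenticationManagement module; the domain name and the `dsregcmd` sample are placeholders/constructed.

```powershell
# Added example, not from the video or the commenters. Run on a hybrid-joined
# Windows client after signing in with the Windows Hello PIN.
# Assumptions: 'corp.example.com' is a placeholder; the registry value below is
# assumed to be where the cloud-trust GPO/Intune setting lands.

function Get-WhfbSsoState {
    param(
        # Output of `dsregcmd /status`; defaults to running it live.
        [string[]]$DsregOutput = (& dsregcmd.exe /status)
    )
    $wanted = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'EnterprisePrt', 'OnPremTgt', 'CloudTgt'
    $state = @{}
    foreach ($line in $DsregOutput) {
        # dsregcmd prints right-aligned "Key : Value" rows; keep only the ones we care about
        if ($line -match '^\s*(\w+)\s*:\s*(\S+)\s*$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    # Policy value written by "Use cloud trust for on-premises authentication" (assumed path)
    $policyValue = 'not set'
    try {
        $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
            -Name 'UseCloudTrustForOnPremAuth' -ErrorAction Stop
        $policyValue = $p.UseCloudTrustForOnPremAuth
    } catch { }
    [pscustomobject]@{
        AzureAdJoined           = $state['AzureAdJoined']
        DomainJoined            = $state['DomainJoined']
        AzureAdPrt              = $state['AzureAdPrt']
        OnPremTgt               = $state['OnPremTgt']
        CloudTgt                = $state['CloudTgt']
        CloudTrustPolicy        = $policyValue
        # On-prem resources only work after PIN sign-in when both tokens are present
        OnPremResourcesExpected = ($state['AzureAdPrt'] -eq 'YES' -and $state['OnPremTgt'] -eq 'YES')
    }
}

function Get-WhfbSsoDiagnosis {
    param([Parameter(Mandatory)]$SsoState)
    if ($SsoState.AzureAdPrt -ne 'YES') {
        return 'No Entra PRT: the cloud sign-in itself did not complete; fix device registration before looking at on-prem access.'
    }
    if ($SsoState.OnPremTgt -eq 'YES') {
        return 'PRT and on-prem TGT present: mapped drives and other on-prem resources should work with the Hello PIN.'
    }
    if ($SsoState.CloudTgt -eq 'YES') {
        return 'Cloud TGT issued but no on-prem TGT: the DC did not exchange it. Confirm Set-AzureADKerberosServer was run for this domain, the cloud-trust policy is applied, and a DC is reachable.'
    }
    return 'No Kerberos ticket at all: no trust type (key, certificate or cloud) is working for this client; PIN sign-in will not reach on-prem resources until one is configured.'
}

# One-time, admin side (documented cmdlets; run once per on-prem domain):
#   Install-Module AzureADHybridAuthenticationManagement
#   $domainCred = Get-Credential   # on-prem Domain Admin
#   $cloudCred  = Get-Credential   # Entra Hybrid Identity / Global Administrator
#   Set-AzureADKerberosServer -Domain 'corp.example.com' -CloudCredential $cloudCred -DomainCredential $domainCred
#   Get-AzureADKerberosServer -Domain 'corp.example.com' -CloudCredential $cloudCred -DomainCredential $domainCred

# Constructed sample of the relevant dsregcmd /status sections, so this runs offline:
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
             EnterprisePrt : NO
                 OnPremTgt : NO
                  CloudTgt : YES
'@ -split "`r?`n"

$state = Get-WhfbSsoState -DsregOutput $sample
$state | Format-List
Get-WhfbSsoDiagnosis -SsoState $state
```

Drop the `-DsregOutput` argument to inspect the machine you are on. The constructed sample is the state you typically see when the Entra side is fine but the domain has not been set up for cloud Kerberos trust: the PRT and the cloud TGT are there, the on-prem TGT is not, and mapped drives fail only for PIN sign-ins, which matches the symptom described in this thread.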
@networkn 4 months ago
So, I am not sure I agree with everything, however, in principle I think there is a fair amount of fact here. One question. Passkey access to 365 Accounts is a thing now, and I have enabled it and I can login from my personal computer, but I came to work, tried to login, and it is asking me to insert my security key. Is Passkey limited to people with a single computer they use? This feels like a frustrating limitation. Or have I misunderstood things?
@Xerillion 4 months ago
Passkeys don't move with your Entra ID account from computer to computer. Each computer will have its own unique passkey generated when you enroll the device into Windows Hello for Business.
@networkn 4 months ago
@Xerillion Well, the passkey is stored in Authenticator on my phone. I was expecting to be offered a QR code. Seems to happen on some computers and not others.
@daleweaver777 4 months ago
what about organizations that have iOS, Android, Mac, and PC?
@Xerillion 4 months ago
Passwordless there as well. I have an iPhone. I don't enter a password to login to it, or my M365 mobile apps that run on it.
@fbifido2 4 months ago
@14:16 - Why can't they do this for secure email?
@floydfarms1578 4 months ago
What stinks is that Entra ID signin logs show WHfB logins as single factor authentication 😢
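Whatever a particular tenant records, the way to check is the sign-in log itself rather than the portal summary. The following is an added example, not the video's or the commenter's code: it uses Microsoft Graph PowerShell (Microsoft.Graph.Reports, delegated `AuditLog.Read.All`) to pull one user's recent interactive sign-ins and tabulate the recorded `authenticationRequirement` against the authentication methods listed in each entry's `authenticationDetails`, so you can see how Windows Hello for Business sign-ins are classified for that user. The UPN and the 7-day window are placeholders.

```powershell
# Added example, not from the video. Needs the Microsoft.Graph.Reports module and a
# delegated AuditLog.Read.All grant; 'user@contoso.com' is a placeholder.

function Get-SignInMethodSummary {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$Days = 7
    )
    $since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"

    Get-MgAuditLogSignIn -Filter $filter -All |
        ForEach-Object {
            $signIn  = $_
            # One entry per authentication step (e.g. 'Password', 'Windows Hello for Business', 'Mobile app notification')
            $methods = @($signIn.AuthenticationDetails |
                         ForEach-Object { $_.AuthenticationMethod } |
                         Where-Object { $_ })
            [pscustomobject]@{
                Time        = $signIn.CreatedDateTime
                App         = $signIn.AppDisplayName
                # singleFactorAuthentication or multiFactorAuthentication, as Entra recorded it
                Requirement = $signIn.AuthenticationRequirement
                Methods     = ($methods -join ' + ')
                Success     = ($signIn.Status.ErrorCode -eq 0)
            }
        } |
        Group-Object Requirement, Methods |
        ForEach-Object {
            [pscustomobject]@{
                Count       = $_.Count
                Requirement = $_.Group[0].Requirement
                Methods     = $_.Group[0].Methods
                Succeeded   = @($_.Group | Where-Object Success).Count
                Apps        = (($_.Group.App | Sort-Object -Unique) -join ', ')
            }
        } |
        Sort-Object Count -Descending
}

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
Get-SignInMethodSummary -UserPrincipalName 'user@contoso.com' -Days 7 | Format-Table -AutoSize
```

Filter the output on a `Methods` value containing "Windows Hello for Business" to see what requirement level those rows carry in your tenant, and compare against rows whose methods include a password plus a second step.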
@gogosst 4 months ago
What happens when Office 365 asks you to change the password every 90 days?
@frankmerino2970 4 months ago
That's your hybrid policy at work. This is not a Microsoft best practice.
@fbifido2 4 months ago
@14:16 - Can that token be used on another device?
@Xerillion 4 months ago
No. Another device would need to establish its own session/token.
@oskarsvedman1363 4 months ago
How do you handle it when you need your password if you don't know it? For example when you get a new phone or computer. I really like passwordless, but when users use biometrics they forget their passwords and it creates support tickets. Any solution for this?
@Xerillion 4 months ago
Hi! When going to full passwordless sign-in with a properly configured M365 tenant, password changes should be very rare. I bet I have done it once in the past 3 years and it was a very odd situation where I was on a cruise ship wifi and trying to login to my laptop for the first time in 6 months. As an IT manager you can get out of the business of doing tedious user password resets. This is what SSPR (self service password reset) with Entra ID (Azure AD) is for. We configure this as part of our standard M365 tenant setup. And in our practice, getting as many tedious things off the plate of IT managers is an ongoing refinement process. And as I mention in the video, it's really tough on internal IT managers to learn on these new systems, understand what is important, what isn't, while maintaining the existing system. Anyway, SSPR enablement/configuration, and politely pushing back on users (within reason) when they ask you to manually reset is the way to go. IT admin manual password resets should be very very rare.
@oskarsvedman1363 4 months ago
@Xerillion Hi and thanks for the reply. SSPR is of course something to teach users better. A problem that I notice is also that when users have PIN codes, they think that the PIN code is their password and do not understand the difference, and that also creates problems when they really need their password. For example, when they have to enroll a phone or computer. Is there a way to enroll new devices without a password? Maybe to approve it on their current device?
@ggates5859 3 months ago
@oskarsvedman1363 That's a good point: a PIN superficially resembles a password and is therefore confusing to folks. I like Wayne's analogy of the ATM 2FA process (a card + PIN) because it is such a familiar one. Although with direct deposit + Apple Pay, that analogy is losing relevancy.
@mrZerg00s 4 months ago
What about the companies that print very realistic 3D face masks that can bypass the Windows Hello and iPhone locks? Companies print these masks simply from a photo.
@mrZerg00s 4 months ago
I see. You explained that it will only work on the machine where Windows Hello is enrolled.
@andrewenglish3810 11 days ago
All talk no action..
@BASESKIZL 4 months ago
I know too much to say what I want here.
@aa-hj2fd 4 months ago
Biometric security is not secure if it is in the public. The only way biometric is secure is a closed system.