This month, I'm happy to announce that we've updated the Entra passwordless guide to include instructions on how to use the new Phishing-Resistant Passwordless Workbook we just released! https://aka.ms/PasswordlessWorkbook
Posts by Michael Epping
If you have Apple devices in your environment (you do) and Entra ID, give the #macadmin podcast a listen podcast.macadmins.org/2024/12/17/.... @michaelepping.com and I discuss how you can improve your end user experience and security. Thanks to @tombridge.com & Marcus for having us. #infosec
Got it, makes sense. This is definitely an edge case we plan to address, being able to use a passkey in the Office apps when SSO is not present.
@crh.bsky.social and seconded what Mark said, if there's something in the guide we can make clearer please let me know
@crh.bsky.social totally hear you on the need for this and it's something we'll resolve. Broad FIDO coverage on clients has some interesting technical challenges. But if you're using PSSO why do you have users re-authing in Outlook anyways? Generally they should be getting an SSO experience.
If you missed JNUC, all sessions are now live. www.youtube.com/playlist?lis.... Check out @michaelepping.com's session on how you can use Platform SSO with #JAMF to get that phishing resistant credential for #EntraID. Please deploy this. youtu.be/KepEeeOx99I... #MacAdmins
Today your options are to use full MDM rather than MAM controls (the Authenticator app can satisfy full MDM compliance checks) or to give the users temporary exemptions from the all-apps policy that requires MAM.
Not sure what you mean by safeguarded, that isn’t a concept we have in CA. MAM and passkeys can coexist on the same device just fine, but if you have an overly broad MAM CA policy then registration can be blocked, since you’re covering the reg endpoint with the overly broad CA policy.
@jeftek.com for visibility
This problem doesn't exist if you are using full MDM compliance as one of the checks instead, Authenticator can satisfy that grant control in CA. But if you are mandating app protection policy then you need to adjust your policy so that this scenario is not in scope.
This experience is expected if you have policies that require app protection policies for all cloud apps. Microsoft Authenticator doesn't support MAM policies, so you are getting the expected outcome, which is that users cannot register due to not passing the app protection policy check.
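The two replies above describe a policy-shape problem: an enabled Conditional Access policy that requires an app protection policy for all cloud apps also fences off the security-info registration flow, because Authenticator cannot satisfy a MAM check, whereas a policy that accepts device compliance as an alternative control lets registration through. The script below is an added example, not Microsoft tooling or anything from the author's posts. It assumes the JSON shape of the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions.applications.includeApplications, grantControls.operator, grantControls.builtInControls) and the built-in grant control values compliantApplication (require app protection policy) and compliantDevice (require compliant device); the sample policies, their names and the placeholder app id are constructed, and the function names are hypothetical.

```python
"""Flag Conditional Access policies broad enough to block passkey registration.

Added illustration (not Microsoft's code). Assumes the Graph conditionalAccessPolicy
JSON shape; SAMPLE_POLICIES below are constructed, not exported from a tenant.
"""
import copy
from typing import Any

APP_PROTECTION = "compliantApplication"  # Graph value for "Require app protection policy" (MAM)
COMPLIANT_DEVICE = "compliantDevice"     # Graph value for "Require device to be marked as compliant" (MDM)


def blocks_registration(policy: dict[str, Any]) -> bool:
    """True when an enabled policy demands MAM for all cloud apps with no alternative control.

    Authenticator cannot satisfy the MAM check, so such a policy also blocks the
    security-info registration flow. A policy whose grant operator is OR and that
    also accepts compliantDevice is fine, because Authenticator can satisfy that.
    """
    if policy.get("state") != "enabled":
        return False  # report-only or disabled policies enforce nothing
    apps = (policy.get("conditions") or {}).get("applications") or {}
    if "All" not in (apps.get("includeApplications") or []):
        return False  # scoped to specific apps, registration flow not covered
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if APP_PROTECTION not in controls:
        return False
    if grant.get("operator") == "OR" and COMPLIANT_DEVICE in controls:
        return False  # "require one of": device compliance is an acceptable alternative
    return True


def find_registration_blockers(policies: list[dict[str, Any]]) -> list[str]:
    """Return display names of policies that would block passkey registration."""
    return [p["displayName"] for p in policies if blocks_registration(p)]


def allow_compliant_device_alternative(policy: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the policy that accepts MDM compliance OR app protection.

    This is the adjustment the reply describes: keep MAM for unmanaged devices, but let
    a fully managed, compliant device (Authenticator included) pass the grant control.
    """
    fixed = copy.deepcopy(policy)
    grant = fixed.setdefault("grantControls", {})
    controls = list(grant.get("builtInControls") or [])
    if COMPLIANT_DEVICE not in controls:
        controls.append(COMPLIANT_DEVICE)
    grant["builtInControls"] = controls
    grant["operator"] = "OR"
    return fixed


# Constructed sample policies (hypothetical names; app id is a placeholder).
SAMPLE_POLICIES: list[dict[str, Any]] = [
    {
        "displayName": "Require MAM for all cloud apps (too broad)",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []}},
        "grantControls": {"operator": "OR", "builtInControls": [APP_PROTECTION]},
    },
    {
        "displayName": "Require MAM for one line-of-business app",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["<placeholder-app-id>"]}},
        "grantControls": {"operator": "OR", "builtInControls": [APP_PROTECTION]},
    },
    {
        "displayName": "Require MAM or compliant device for all cloud apps",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": [APP_PROTECTION, COMPLIANT_DEVICE]},
    },
    {
        "displayName": "Report-only MAM for all cloud apps",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": [APP_PROTECTION]},
    },
]


if __name__ == "__main__":
    for name in find_registration_blockers(SAMPLE_POLICIES):
        print(f"registration blocked by: {name}")
    fixed = allow_compliant_device_alternative(SAMPLE_POLICIES[0])
    print("after adding compliant-device alternative, still blocks:", blocks_registration(fixed))
```

Feed the function the output of a policy export (for example the `conditionalAccess/policies` collection from Graph, saved as JSON) to find the overly broad policy before users report failed passkey registration; the remediation helper mirrors the compliant-device alternative described above rather than blanket exemptions.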
Innovative!
I have exactly this problem, always too lazy to dig into it
It’s a little rough on the west coast, but we make it work. Don’t think my wife likes it too much when I tell her we have to go to a bar at 7am though…
Correct, assuming these are device-bound passkeys. If they are synced, then the user can recover them through the sync process (on consumer devices, where Windows is adding sync support soon)
Inside the Windows Hello container, which is protected by the TPM
Excellent! That’s what we like to hear!
I am very excited for the App Discovery capabilities coming. This is a challenge many customers have, not knowing what apps exist that they need to secure! #entra #msignite
What this means is that despite the bullshit populism the media laps up, Trump is going to make sure airlines don't have to compensate passengers for hours and hours of delays and that flight attendants are worked to the bone. That's what this guy who earns $34 million a year is crying about.
Don’t love this, but I can forgive it if they’d ever release Bloodborne on PC…
I did know this!
We also recently recorded an episode of the 425 Show to talk about our new deployment guidance, so check it out to get the latest and greatest info: www.youtube.com/watch?v=5J03...
In case you missed it, back in October we published a brand new guide for deploying phishing-resistant passwordless in your organization with Entra ID: aka.ms/Passwordless... ! This is the outcome of a ton of effort across Microsoft, please use it to begin your journey!
Seems like Bluesky has really been blowing up since last week, I’ve gotten hundreds of new followers. Guess I’ll have to spend some more time on here! Definitely a lot fewer bots than I’ve gotten used to seeing on Twitter.
@michaelepping.com has a great script you can find as part of Identity Tools (github.com/AzureAD/MSId...) and if you want a video walk through of it, @merill.net has you covered www.youtube.com/watch?v=vO0m.... /3
Have you watched this video from @michaelepping.com and @markmorow.com www.youtube.com/watch?v=NEoK...
Nothing quite like getting online at 7:45am for your dreaded 8am call and seeing it was pushed back a week. Truly blessed.