
Understanding and governing reauthentication settings in Azure Active Directory

Governing when users receive authentication prompts when authenticating to Azure Active Directory (Azure AD) depends on more than one setting, on which functionalities are in use, and also on the scenario in which you authenticate (browser, modern clients or other). Reauthentication can take place by asking for a single factor, like a password, FIDO or the passwordless option in the Microsoft Authenticator app, or by using Multi-Factor Authentication (MFA).

So you might understand that how reauthentication must be configured really depends on the company and the scenario; luckily Microsoft provides options which you can configure.

Some examples:

  • You want users to reauthenticate more often when they come from a non-managed or non-registered device
  • You want users to reauthenticate more often when using a certain cloud application which you make available via Azure AD single sign on
  • You might want some users in your organization to authenticate more often than others based on their risk profile

In this article I’m going to explain the different options available and where to configure what setting so that you can govern your own reauthentication settings.

Disclaimer: This post reflects the status of assigning groups to Azure AD roles as of October 21, 2020. Functionality may change, even right after this post has been published.


Announcing #WMUG_NL Tuesdays Webinar 13 on October 27th featuring Erik Loef and Kenneth van Surksum

For Tuesday, October 27th we are proud to announce that Erik Loef, CTO and Microsoft MVP at Proxsys, and Kenneth van Surksum, Modern Workplace consultant at Insight24 will host a session about: “What is this Modern Authentication everyone is talking about, and why you should phase out Legacy authentication?”


Mobile Application Management for Mobile Devices with Microsoft Endpoint Manager/Intune deep dive

With Microsoft Intune, there is a lot of focus on the Mobile Device Management (MDM) aspects of the product. This is logical because from a management perspective, if you manage a device using MDM, you can configure almost all settings remotely, something we as System Administrators have been doing for many years.

In many situations, just managing the apps which you use to access your company data hosted in Office 365 is a more suitable solution; there are a couple of reasons for that.

  • Many companies that want to implement measures to protect their company data already allow access to that data via email and apps, but now want to manage that access. End users, even those provided with a company-owned device, use the device for personal purposes as well.
  • Implementing an MDM solution for mobile devices is far more complex and more intensive from a system management point of view; in many cases the MDM solution provides far more functionality than what is really required (protecting the company data).

Mobile Application Management (MAM) is in some cases a perfect way to let your end users use their device the way they are used to, while also implementing security measures which protect your company’s most valuable asset: the data.

In this article I will go into more detail on the MAM without enrollment (MAM-WE) functionality provided by Microsoft Intune/Microsoft Endpoint Manager.

Disclaimer: This post reflects the status of assigning groups to Azure AD roles as of October 10, 2020. Functionality may change, even right after this post has been published.


Azure AD Continuous access evaluation (CAE), a first look

In April 2020 Alex Weinert, Director of Identity Security at Microsoft, announced that Microsoft was working on moving towards real-time policy and security enforcement. The first implementation of this move is now available as an option you can enable within Azure AD, called Continuous access evaluation (CAE). The functionality released in April was only applicable to customers using the Azure AD Security defaults, on which I wrote a blog post in January this year. Yesterday (October 9th 2020) though, Alex Simons announced that the CAE functionality is now also available for customers using Conditional Access policies. Keep in mind that at the time of writing this functionality is still in preview, and for now works with Exchange Online, SharePoint Online and Teams.

Continuous access evaluation allows for a quicker response by forcing an access token refresh when certain events take place. In this version of the preview the following events are supported:

  • User Account is deleted or disabled
  • Password for a user is changed or reset
  • MFA is enabled for the user
  • Admin explicitly revokes all Refresh Tokens for a user
  • Elevated user risk detected by Azure AD Identity Protection

Announcing #WMUG_NL Tuesdays Webinar 12 featuring Thijs Lecomte

Due to the COVID-19 crisis, we (the Windows Management User Group Netherlands) were forced to move our activities to virtual events, which we call WMUG_NL Tuesdays Webinars.

For Tuesday, October 13th we are proud to announce that Thijs Lecomte, senior Microsoft 365 consultant at The Collective Consulting and technical editor for the Microsoft 365 Security for IT Pros ebook, will host a session about: “Managing Enterprise Applications in Azure AD”.


Enabling Plus Addressing in Office 365 Exchange Online

In December 2019 Microsoft included support for Plus Addressing in their roadmap (ID 59441) for Office 365. In the meantime this feature has been released, but it needs to be enabled before it can be used.

Roadmap item 59441

What is Plus Addressing?

Plus addressing has been available for a while now in other email services like Google Gmail. It allows you to extend your email address in front of the @ sign with a + and a tag of your choice. By doing so, you can easily distinguish where you used that email address and use the tag to handle the message once it arrives in your mailbox.


Announcing #WMUG_NL Tuesdays Webinar 11 featuring Tim Hermie & Jasper Bernaers on Tuesday September 29th

Due to the COVID-19 crisis, we (the Windows Management User Group Netherlands) were forced to move our activities to virtual events, which we call WMUG_NL Tuesdays Webinars.

For next week’s Tuesday, September 29th we are proud to announce that Tim Hermie, senior Modern Workplace architect at Synergics and Enterprise Mobility MVP, and Jasper Bernaers, Modern Workplace lead at Synergics, will host a session titled: “MDATP & Chocolatey! We Belgians love our Chocolate(y)’s”.

Session abstract:

Avoid exploits in Microsoft Defender Advanced Threat Protection by setting up an auto-updating framework for your standard apps with Chocolatey & Intune. This will keep your software vulnerabilities low. A session full of tips & tricks.

The webinar will start at 16:00 CEST (Amsterdam time zone); please check at what time the webinar will start in your own time zone. You can join the webinar by signing up at our Meetup page, where after registration you will find the link for the webinar.

Announcing #WMUG_NL Tuesdays Webinar 10 featuring Ronny de Jong on Tuesday September 15th

Due to the COVID-19 crisis, we (the Windows Management User Group Netherlands) were forced to move our activities to virtual events, which we call WMUG_NL Tuesdays Webinars.

We hope you enjoyed your holiday even in these strange times; we from the WMUG_NL did, and we are looking forward to organizing meetings again for our still growing community.

For tomorrow, September 15th we are proud to announce that Ronny de Jong, lead consultant and Enterprise Mobility & Security MVP at InSpark will host a session about: “Improve the user experience of your workplace with “Insight-driven IT” Endpoint Analytics, a first impression!”

Session abstract:


Are you already synchronizing your Message Center messages to Planner? Here is why you should

Microsoft 365 changes regularly; changes are implemented almost on a daily basis, and as an admin responsible for the service you must be aware of which changes are coming to your tenant.

In order to inform administrators, Microsoft uses the Message Center. From within the message center, administrative users are also automatically subscribed to weekly digest and major update emails. Within the message center, messages are categorized into the following categories:


Microsoft is making changes related to automatic email forwarding for ATP customers, here is what you need to know

In February this year I blogged about stopping automatic email forwarding in your Exchange Online environment in a controlled way, providing a structural way to disable automatic email forwarding within your organization while still allowing exceptions.

This week Microsoft announced through the message center (MC220853) that they are rolling out the External Email Forwarding Controls functionality for customers licensed for Office 365 Advanced Threat Protection (ATP).

Update August 31, 2020: Microsoft has now communicated the following in the message center: For organizations that have some users externally forwarding prior to September 1st 2020, the setting “Automatic” will default to “On” and we will contact you separately when this will change for your tenant. The setting in my own tenant is still set to automatic though; perhaps it will change tomorrow (September 1). I will for sure test whether this has an impact.
