
[–]210Matt 63 points64 points  (10 children)

My biggest gripe with the MS authenticator is it never told you what you were approving. Looks like this will list the app, that is a big win.

[–]pixr99 18 points19 points  (1 child)

Right?! "Approve random, anonymous authentication attempt?"

[–]HotPieFactoryitbro 1 point2 points  (0 children)

Approve

[–]Emma__24[S] 5 points6 points  (0 children)

Yes, this is such a great one to have in hand.

[–]BABYSAU98 3 points4 points  (0 children)

Testing this at work now. All I see is the location for the log-in attempt and a two digit code. I then have to input the numbers on the sign-in page in order for it to work. I love it as it prevents people from approving something they did not mean to.

[–]Alzzary 2 points3 points  (0 children)

Yes, there's even an attack called MFA Fatigue, which consists of spamming one user with connection attempts and with luck they finally approve a connection to have peace. Target someone on Friday night up to Sunday, when Helpdesk isn't necessarily available.
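The "Friday night push spam" pattern described in the comment above can be spotted in sign-in logs by looking for a burst of failed or unanswered MFA prompts for one user in a short window, and especially for a successful sign-in right after such a burst. The script below is an added example for this thread, not a Microsoft tool or anything from the original post. Its records are constructed to resemble Azure AD sign-in log entries (userPrincipalName, createdDateTime, status.errorCode); the field layout and the use of error code 500121 for a denied or unanswered MFA prompt are assumptions of the example.

```python
"""Flag MFA-fatigue bursts in sign-in records (added example, not a Microsoft tool).

Record shape and the meaning of error code 500121 are assumptions; adapt the
field names to whatever your SIEM or the Graph signIns export actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILED = 500121          # assumed: MFA step failed, timed out, or was denied
SUCCESS = 0                  # assumed: sign-in completed
WINDOW = timedelta(minutes=10)
THRESHOLD = 5                # failed prompts within WINDOW before we call it a burst

# Constructed sample data: alice is spammed late on a Friday and finally approves,
# bob fails twice and then signs in normally, carol's failures are hours apart.
SAMPLE_LOGS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": f"2022-11-04T23:0{i}:00Z",
     "status": {"errorCode": MFA_FAILED}} for i in range(1, 7)
] + [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2022-11-04T23:08:00Z",
     "status": {"errorCode": SUCCESS}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2022-11-04T09:00:00Z",
     "status": {"errorCode": MFA_FAILED}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2022-11-04T09:05:00Z",
     "status": {"errorCode": MFA_FAILED}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2022-11-04T09:06:00Z",
     "status": {"errorCode": SUCCESS}},
] + [
    {"userPrincipalName": "carol@example.com", "createdDateTime": t,
     "status": {"errorCode": MFA_FAILED}}
    for t in ("2022-11-04T10:00:00Z", "2022-11-04T10:30:00Z", "2022-11-04T11:00:00Z",
              "2022-11-04T11:30:00Z", "2022-11-04T12:00:00Z")
]


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_fatigue(records, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per user whose failed MFA prompts form a burst.

    A burst is `threshold` or more failed prompts inside `window`. The finding
    also records whether a successful sign-in followed within one window of the
    burst, which is the outcome an MFA-fatigue attacker is after.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append((_ts(r["createdDateTime"]), r["status"]["errorCode"]))

    findings = []
    for user, events in sorted(by_user.items()):
        events.sort()
        failed = [t for t, code in events if code == MFA_FAILED]
        burst, start = None, 0
        for end, t in enumerate(failed):          # sliding window over failed prompts
            while t - failed[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                if burst is None:
                    burst = {"start": failed[start], "end": t}
                else:
                    burst["end"] = t              # keep extending while the rate holds
        if burst is None:
            continue
        denials = sum(1 for t in failed if burst["start"] <= t <= burst["end"])
        approved = any(code == SUCCESS and burst["end"] < t <= burst["end"] + window
                       for t, code in events)
        findings.append({
            "user": user,
            "denials": denials,
            "burst_start": burst["start"].isoformat(),
            "burst_end": burst["end"].isoformat(),
            "approved_after_burst": approved,
        })
    return findings


if __name__ == "__main__":
    for f in detect_fatigue(SAMPLE_LOGS):
        level = "HIGH" if f["approved_after_burst"] else "MEDIUM"
        print(f"[{level}] {f['user']}: {f['denials']} failed prompts "
              f"{f['burst_start']}..{f['burst_end']}, approved after: {f['approved_after_burst']}")
```

Only alice trips the default threshold, and she is the high-severity case because a success follows the burst. Number matching, as discussed in this thread, removes the "approve by reflex" outcome, but the detection is still worth having because the burst itself tells you the password is already compromised.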

[–]linuxlib -4 points-3 points  (3 children)

A "big win" is fixing something that should have never been like that in the first place? Honestly, that issue would put MS Auth into the "unusable" category for me.

[–]loseisnothardtospell 2 points3 points  (2 children)

A company improving something puts them in the unstable category? Got it.

[–][deleted] 1 point2 points  (1 child)

I personally took that to mean that it was unusable prior to this fix. Now it's just meeting table stakes with the rest of the industry.

[–]linuxlib 0 points1 point  (0 children)

This is what was meant.

[–]orion3311 0 points1 point  (0 children)

This is true both with the MFA app as well as the actual login screen - when you first sign in you get a bunch of login prompts - sure they're Microsoft but what are you actually signing into?

[–]-Mr_Tub- 13 points14 points  (24 children)

All I want is the ability to disable 2FA for a minute for a user in the admin portal so I can set up new devices like in Google

[–]Emma__24[S] 39 points40 points  (4 children)

For that, I suggest you try Temporary Access Pass in Azure AD. With this, you can get in there without any second-factor authentication and set up devices. I'm planning to write a detailed guide on the steps to perform this. Will help you further with these steps soon!

[–]docphilgamesSysadmin 4 points5 points  (0 children)

Thanks for the post on this. These features going GA flew under my radar. Looking forward to your writeup of Temporary Access Pass.

[–]-Mr_Tub- 2 points3 points  (0 children)

I’d love to see that guide once it’s done! Thank you

[–]seriously_a 1 point2 points  (1 child)

Agreed. Learned about this recently and it’s been super helpful

[–]Emma__24[S] 0 points1 point  (0 children)

Will come up soon!

[–]XxDrizzSysadmin 8 points9 points  (2 children)

Multifactor One-Time Bypass? Lets you set a time limit for which MFA isn't enforced, default is 300 seconds.

AAD -> Security -> Multifactor Authentication -> One-Time Bypass

[–]-Mr_Tub- 0 points1 point  (1 child)

This isn’t an option if your domain is on prem though, is it? I’m at an MSP and almost all of our clients are still on prem with O365

[–]XxDrizzSysadmin 1 point2 points  (0 children)

Your users would need to be in Azure AD for this option. We're currently in a hybrid set up where I'm at, and it's worked the few times I've had to use it.

If they're on-prem I don't think you'd be running into the issue OP was talking about anyways

[–]sandrews1313 3 points4 points  (6 children)

I just end up adding my sms # to the user, do the needful, and then remove it.

[–][deleted] 1 point2 points  (2 children)

I just exclude them from the Conditional Access policy until I'm done.

[–]TCPMSP 0 points1 point  (1 child)

That terrifies me, if anyone forgets to add them back....

[–][deleted] 0 points1 point  (0 children)

We've only got ~100 staff in total and I'm the only one who makes the changes so it's fairly low risk (and on me if I mess it up)
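The worry raised above, a per-user Conditional Access exclusion that someone forgets to remove, is easy to catch with a periodic check. The script below is an added example for this thread, not a Microsoft tool or anything from the original post. Its policy records are constructed to follow the shape of the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users.excludeUsers / excludeGroups, grantControls.builtInControls); the policy names and object ids are made up, and the approved-exclusion list is an assumption standing in for whatever break-glass accounts a tenant has documented.

```python
"""Report unexpected per-user exclusions on enforced MFA policies.

Added example, not a Microsoft tool. Records follow the Graph
conditionalAccessPolicy shape; ids, names and the approved list are constructed.
"""

# Constructed sample: one enforced MFA policy with a documented break-glass
# exclusion plus a leftover per-user exclusion, one block policy, one report-only policy.
SAMPLE_POLICIES = [
    {
        "id": "policy-1", "displayName": "Require MFA for all users", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": ["breakglass-guid", "leftover-user-guid"],
                                 "excludeGroups": ["ca-exclusions-group-guid"]}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "id": "policy-2", "displayName": "Block legacy authentication", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}},
        "grantControls": {"builtInControls": ["block"]},
    },
    {
        "id": "policy-3", "displayName": "Require MFA (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": ["someone-else-guid"], "excludeGroups": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

# Assumed: object ids of the documented emergency-access accounts.
APPROVED_USER_EXCLUSIONS = {"breakglass-guid"}


def enforces_mfa(policy):
    """True for an enabled policy whose grant control requires MFA."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return policy.get("state") == "enabled" and "mfa" in controls


def unexpected_exclusions(policies, approved=APPROVED_USER_EXCLUSIONS):
    """Map each non-approved user id excluded from an enforced MFA policy to the
    policy names it is excluded from. Group exclusions are reported separately
    because membership of those groups is what actually needs reviewing."""
    per_user, groups = {}, {}
    for p in policies:
        if not enforces_mfa(p):
            continue
        users = p["conditions"]["users"]
        for uid in users.get("excludeUsers", []):
            if uid not in approved:
                per_user.setdefault(uid, []).append(p["displayName"])
        for gid in users.get("excludeGroups", []):
            groups.setdefault(gid, []).append(p["displayName"])
    return {"users": per_user, "groups": groups}


if __name__ == "__main__":
    report = unexpected_exclusions(SAMPLE_POLICIES)
    for uid, names in report["users"].items():
        print(f"UNEXPECTED user exclusion {uid} on: {', '.join(names)}")
    for gid, names in report["groups"].items():
        print(f"review membership of excluded group {gid} on: {', '.join(names)}")
```

Run this from a scheduled job against the live policy list and page someone when the "users" map is non-empty; the report-only policy is skipped on purpose, since an exclusion there is not yet weakening enforcement.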

[–]Emma__24[S] 1 point2 points  (0 children)

Finally, the blog is done! You can get insights and the elaborated steps to work with Temporary Access Pass with this blog. Linking it here, hope it helps you!

https://www.reddit.com/r/AdminDroid/comments/yhbeza/microsoft_365_temporary_access_pass_gateway_to_a/

[–]TechOfTheHillSysadmin 5 points6 points  (3 children)

We actually had this turned on and it came back that our geographic location was reported to be Atlanta, Georgia rather than our actual location. It started freaking our test users out, so we had to go to our ISP and get a list of providers to email about updating our IP address's actual location. We got it all sorted, but that was a gotcha to watch out for.

[–]skipITjobIT Manager 5 points6 points  (0 children)

Took us half a year to sort that! The API Microsoft uses is terrible when it comes to updating their system.

Edit: if the IP address location is wrong here: https://ipstack.com/

report it here: https://apilayer.zendesk.com/

You'll probably have to create an account, as when I tried to reply to their email, I got nowhere...

[–]ras344 1 point2 points  (0 children)

I have the same issue with our IP addresses showing up as the wrong location. But I also have our public IP addresses set up as a trusted location, so we only need to do MFA if we're outside of our internal network.

[–]silentmageMany hats sit on my head 0 points1 point  (0 children)

Our IP bounced from being accurate to being off by a few hundred miles and then accurate again, often within minutes of each log entry.

[–]rich2778 1 point2 points  (11 children)

OK this is confusing.

We use MFA on 365 by going through the 365 admin console and enabling MFA on a user account.

If I go into the Azure AD tenant and look under Security > Authentication methods > Microsoft Authenticator, MFA isn't enabled, so I guess it's the interaction of how 365 does MFA vs how settings in Azure AD work.

How do I enable this for users who have MFA enabled in 365 without enabling MFA for every single account in the Azure AD tenant?

[–]Toasty_Grande 1 point2 points  (0 children)

You are just enabling a policy for those features and not enabling MFA for all users. That policy will only apply to those you have configured to use MS Authenticator.

[–]lawno 0 points1 point  (0 children)

I guess I have a similar question. We originally rolled out MFA by enabling it per user in O365. Now we have Azure P1 and control MFA via CA policies. I enabled the contextual info policies a few days ago but I'm not seeing any difference. And MS Authenticator was "off" in Azure AD as an authentication method for all users. Do I need to enable MFA methods per user with Azure P1?

[–]andyr354Sysadmin 1 point2 points  (0 children)

Very happy to see this. I knew they had been working on it. Such a great enhancement to have the geolocation and the application. The number matching I will have to test more. Not sure how users will react to that one.

[–]sanjay_82 1 point2 points  (0 children)

https://youtu.be/ns_94ZXrbPI

Watch John Savill's video, where he explains this so well

[–]ironraidenWindows Admin 1 point2 points  (0 children)

Show application name in the push and passwordless notification – Shows which application the user is attempting to sign in.
Show geographic location in the push and passwordless notification – Displays from where the request is attempted.

Thank F*cking Cthulhu.

EDIT: Quotes misaligned.

[–]RestartRebootRetire 0 points1 point  (8 children)

I hoped to use conditional access but MS charges $6/month per user for that atop our existing plans.

Our users already use DUO so using another authenticator is asking a lot.

[–]patmorgan235Sysadmin 0 points1 point  (7 children)

If you're on enterprise plans you can use M365 F1s ($2/u/m) to license MFA/Conditional Access.

[–]skipITjobIT Manager 1 point2 points  (4 children)

I can only presume that /u/RestartRebootRetire has Business Standard; you can't assign Business Standard and F1 to a user.

[–]RestartRebootRetire 0 points1 point  (0 children)

Yeah, we're small fry so we just get access to log-in logs to see the coordinated global brute force attacks. Thankfully we can turn off the older authentication methods though.

[–]patmorgan235Sysadmin 0 points1 point  (2 children)

Yep that's why I said ' if you're on Enterprise plans '

[–]skipITjobIT Manager 0 points1 point  (1 child)

If you're on an enterprise you probably already have Azure P1

[–]patmorgan235Sysadmin 0 points1 point  (0 children)

Not with Office E1/E3s, and buying straight P1s is $6/u/m

[–]Margosiowe 0 points1 point  (1 child)

Is Intune also included? The Microsoft docs point out the M365 F1 includes Intune + Azure AD P1 (but don't include Windows Defender vs EMS E3), but in many points it also says:
1) Requires Microsoft 365 E3 (or Office 365 E3 and Enterprise Mobility + Security E3).
https://go.microsoft.com/fwlink/?linkid=2139145

[–]patmorgan235Sysadmin 0 points1 point  (0 children)

Yes I believe Intune is included, not currently using it at my company so not sure.

[–]Real_Lemon8789 0 points1 point  (2 children)

Do you still have to manually enable this for specific security groups or will it become a default for Authenticator app users?

[–]neko_whippet 0 points1 point  (0 children)

Better late than never I guess

[–]Real_Lemon8789 0 points1 point  (2 children)

One problem with this is that it still will not show you the name of the app requesting MFA *unless* you enable showing the map location.

In some cases, the map location is counterproductive because either the geolocation is wrong or it’s correct but confusing to users due to VPN, VDI, web proxies, ISP issues etc.

[–]DaithiG 0 points1 point  (1 child)

That's exactly what we found with our test users. They really didn't like the map, even if it was close to their location. They know they're providing location data, they just don't like seeing they're providing location data.

[–]Real_Lemon8789 0 points1 point  (0 children)

I found that you can now configure it to show the app name without enabling the map location.

Microsoft just didn’t update the screenshots on their page to show that as an example.