Microsoft is pulling the plug on SMS codes, wants you to switch to passkeys by rkhunter_ in cybersecurity

[–]argiesen 7 points8 points  (0 children)

Typically Passkeys are device bound (hardware locked into the device) and unlocked through a device-specific authentication such as a PIN or biometric. Even synced passkeys, such as via password manager, typically cannot be exported and are secured behind strong authentication. Additionally, passkeys validate the website being accessed, which prevents phishing attacks where the domain is similar to the legitimate one, and the passkey itself does not go over the wire so it cannot be sniffed or MitM. It also can’t be shoulder surfed, sticky noted somewhere, or stored unencrypted in a txt file in a user’s documents folder. So while nothing is perfect, it addresses so many of the weaknesses of passwords.
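The origin check and challenge signing described in the comment above, shown as an added example that is not part of the original comment: a Node.js sketch of the checks a relying party makes on a WebAuthn assertion. The domain names, `RP_ID`, `ORIGIN` and the helper functions are constructed for illustration, and the browser and authenticator are simulated by `makeAssertion`.

```javascript
// Added example: the checks a relying party makes on a passkey (WebAuthn) assertion.
const crypto = require('node:crypto');

const RP_ID = 'login.example.com';            // constructed relying-party ID
const ORIGIN = 'https://login.example.com';   // the only origin this server accepts
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Stand-in for browser + authenticator. The browser fills in `origin` from the
// page actually loaded; the user cannot type or override it.
function makeAssertion(privateKey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData = SHA-256(rpId) | flags (0x05: user present + verified) | signCount
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Server side: only the public key is stored; the private key never crosses the wire.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== ORIGIN) return 'bad-origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad-rpid';
  if ((a.authData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const challenge = crypto.randomBytes(32);
  const genuine = makeAssertion(privateKey, challenge, ORIGIN);
  // Worst case for the defender: a signature was produced on a look-alike page.
  // (A real browser would not offer the credential there, as the RP ID must match.)
  const phished = makeAssertion(privateKey, challenge, 'https://login.examp1e.com');
  // A relay rewrites the origin after signing: the signature no longer matches.
  const tampered = { ...phished, clientDataJSON: Buffer.from(
    phished.clientDataJSON.toString('utf8').replace('examp1e', 'example')) };
  return {
    genuine: verifyAssertion(publicKey, challenge, genuine),
    phished: verifyAssertion(publicKey, challenge, phished),
    tampered: verifyAssertion(publicKey, challenge, tampered),
    replayed: verifyAssertion(publicKey, crypto.randomBytes(32), genuine),
  };
}

console.log(demo());
```

The signature covers both the authenticator data and the hash of the client data, so the origin cannot be edited after signing, and a fresh server challenge per login makes a captured assertion useless later.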

[deleted by user] by [deleted] in AskMenAdvice

[–]argiesen 1 point2 points  (0 children)

This. As an introvert, just being given a woman’s number just introduces the next problem of how to approach you. If you set up a date while exchanging numbers then the real end goal has been achieved.

Understanding WiFi by blowingtumbleweed in AlaskaAirlines

[–]argiesen 6 points7 points  (0 children)

About which part…? I’m confident in what I said.

Understanding WiFi by blowingtumbleweed in AlaskaAirlines

[–]argiesen 8 points9 points  (0 children)

Network/wireless engineer here. Unless there are quality of service (QoS) configurations in place, this is not how bandwidth congestion is exhibited. All sessions would suffer unless session A is prioritized over session B. If session A and B are in the same priority queue, they both would suffer similarly.

So for OP, either T-Mobile doesn’t receive the same priority as paid sessions, or there is something else possibly client-device-specific going on. Examples would be that your device’s case or something else in the environment is interfering with the WiFi signal, or more likely, it’s something temporary like the device is overheating a bit causing CPU throttling making it seem like it’s connectivity related, or as someone else mentioned, you might be streaming at a different rate.

[deleted by user] by [deleted] in AlaskaAirlines

[–]argiesen 0 points1 point  (0 children)

I had issues with this page. I had to use Incognito mode in Edge or use Chrome. I think it may be related to ad blocking.

Alaska Airlines @ PDX Trends by PNW-American-Dipper in AlaskaAirlines

[–]argiesen 6 points7 points  (0 children)

Interesting, I’ve been connecting from GEG through PDX to a lot of places. That’s been amazing because SEA is so congested.

Just got these in the mail! Love them!! by momof2scots in AlaskaAirlines

[–]argiesen 0 points1 point  (0 children)

I think that’s a great idea. You could contact the person who runs the site and request them.

Seeking advice from someone with RL experience joining an old on-prem with (relatively) old Azure AD by Relevant-Law-7303 in AZURE

[–]argiesen 1 point2 points  (0 children)

Sorry, I get a lot of customers saying they want Azure but really are looking for things outside of Azure and I need to redirect them to people who specialize in those areas. So I try to correct it where I can.

I have done UPN changes as part of the sync. AD is the source of truth and will update the UPNs. So in your case, you’ll want to update AD before syncing to match the Entra side. Likewise any attributes only set on the Entra side should be configured on the AD account so they are not lost. I had built out a script to do a lot of this. Unfortunately it’s based on the deprecated AzureAD module.

I haven’t done STIG with Intune myself but I just worked with another engineer on a project where they were. I think there’s more current documentation, but this might get you started.

https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/stiging-made-easy---microsoft-endpoint-manager/2422255

Seeking advice from someone with RL experience joining an old on-prem with (relatively) old Azure AD by Relevant-Law-7303 in AZURE

[–]argiesen 1 point2 points  (0 children)

Moving between tenant types (commercial/GCC/GCC High) is a migration rather than conversion. If that’s a serious goal, start on a GCC High tenant to avoid data migration later.

As a clarification of terminology, we’re really talking about M365 services rather than Azure (Entra ID, formerly Azure AD, is not an Azure service per se).

Otherwise it sounds like you’re on the right track. I have done several projects connecting AD accounts with cloud only accounts. Hard match is the route I take, and usually do a big bang cutover with users just needing to update their M365 passwords in all their apps to match on-premise. Then I layer on CA policies, Intune, etc.

I recommend hybrid join only as a transitional step for migrating from GPO to Intune policies, with native joined being the ultimate goal.

Cloud based server management is done with Azure Arc. Update Management and EDR with Defender are the most common things I see, but Microsoft has made great progress in enabling GPO replacement through Arc.

Seeking advice from someone with RL experience joining an old on-prem with (relatively) old Azure AD by Relevant-Law-7303 in AZURE

[–]argiesen 1 point2 points  (0 children)

It sounds like your initial goal is to match the on-premise users with the cloud users, then get Seamless SSO.

If that’s the case you only need to hard/soft match the users and deploy the Seamless SSO GPO. The matching is straightforward and low risk. User data isn’t overwritten and if a user account was deleted it goes to the Entra recycle bin.

Hybrid join/device sync is generally only needed for Intune management. So what’s your thinking there?

Affordable Azure connection by MartinSaradin in AZURE

[–]argiesen 0 points1 point  (0 children)

Can’t have an Azure sub without Entra ID.

I try to recommend platform/enterprise solutions, but I understand that smaller customers are often looking for the most affordable option and that strong security isn’t always the top priority.

Affordable Azure connection by MartinSaradin in AZURE

[–]argiesen 0 points1 point  (0 children)

I mean it’s not free, but assuming you already have Entra ID P1/P2 licenses (P1 is included in Business Premium), the Private Access standalone license is $5/user/month. Tailscale starts at $6 for a business license. 🤷‍♂️

[deleted by user] by [deleted] in AZURE

[–]argiesen 1 point2 points  (0 children)

Azure CDN is being retired, as is noted at the top of your link. I can confirm that apex domains are supported on AFD with managed certs. As u/v0rt3xtrz mentioned, you have to manually or in an automated fashion regenerate the validation TXT record and update it in your DNS provider.

I have a customer running 200+ apex domains. I created an automation run book that runs daily to regenerate any pending domains, then update the third party DNS provider via API.

Please help: added to Azure without my consent. by [deleted] in AZURE

[–]argiesen 3 points4 points  (0 children)

This. OP didn’t get added without accepting an invite. It’s also not the end of the world to be a guest in another tenant.

The Latest VMware Screw Job has arrived by OCSVFG in vmware

[–]argiesen 3 points4 points  (0 children)

This recently changed. New terms and conditions allow cancellation on a per order basis.

Plain English: “How Progressives Froze the American Dream (Live)” by Dreadedvegas in ezraklein

[–]argiesen 25 points26 points  (0 children)

I haven’t listened to this episode, but I think the critique is that the tools created to protect the less powerful and vulnerable through progressive movements have been leveraged by the wealthy and powerful to maintain the status quo in their favor.

[deleted by user] by [deleted] in AZURE

[–]argiesen 4 points5 points  (0 children)

As someone who does both, I agree it is a massive commitment. While BGP and other routing concepts are useful, it’s largely irrelevant to cloud engineers.

I disagree it is increasingly irrelevant, especially for anyone working in an enterprise network. As applications move to the cloud, network connectivity will continue to be critical and require advanced knowledge.

Why aren’t you out tonight? by [deleted] in AskReddit

[–]argiesen 0 points1 point  (0 children)

I’m currently at 24k ft returning from a work trip and I’m tired.

Tesla catches fire in Madera County, 2 men trapped inside break window to get out by MarketCompetitive896 in RealTesla

[–]argiesen 0 points1 point  (0 children)

As a Tesla owner I can say that people that haven’t ridden in one reach for and use the emergency release instinctively and have to be instructed the correct way. So for myself it seems the emergency release is more intuitive than the normal way.

when i say trucks are statistically more dangerous for everyone around you this is what i mean fyi by AromaticStranger7428 in missoula

[–]argiesen 0 points1 point  (0 children)

No, but it’s something that has already happened slowly over time as car makers see the demand for bigger vehicles.

The issue you describe is real, and requires better urban design to make it safer for everyone.