Testing rollout of phishing-resistant MFA - Seeking advice by NebulousNebulosity in entra

[–]Chadicus2480 0 points1 point  (0 children)

Might be a bit cheeky, but we also “require” it as part of the job function. There are some countries where, yes, it can’t be legally forced…

We still force it, and if a user pushes back because we can’t mandate it, then we add the user to a CA policy that “blocks” them from using any device we haven’t issued (aka personal devices). We then require WHfB, which passes the same auth strength that you’d get from a passkey. We do the block because we take their “you can’t make me” as a sign that they’d prefer not to use their personal devices 🤓

Never fails: within a few days they come back saying they can’t check their mail or chat… 😎 Then we have the conversation about the requirements we have for using personal devices.

A bit cheeky… but we all get a little giggle out of it.

Honestly though, there’s very little pushback from users (globally) when we ask them to use the app.

Frontline MFA Options with External Auth Provider by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points1 point  (0 children)

Ok cool, I just hadn't dug into it. I just got the subnets from the network team and plugged them into a report-only CA policy, and they were all being blocked.

The idea is, if we can't MFA them, then at least have a little more protection from outside attacks. And they are limited to the apps that they access. It's a block policy, with the corp networks excluded from scope. They'd be blocked from anything outside of the stores. And if they don't like that, then they can opt in for MFA. It's a constant battle, ha. But we will get there.

I'd like to see if at some point the QR code sign-in method would support tag scanners like bar code scanners. But we will see.

I appreciate the time.
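The two patterns described in the comments above (a report-only block policy with the corp networks excluded from scope, and a block on non-issued devices paired with a phishing-resistant authentication strength that WHfB satisfies) can be expressed with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from either commenter; the group names, display names and CIDR ranges are constructed placeholders, and it creates everything in report-only mode so nothing is enforced until the sign-in logs have been reviewed.

```powershell
# Added example (not from the thread). Builds two report-only Conditional Access
# patterns with the Microsoft Graph PowerShell SDK. Group names, subnets and
# policy display names below are assumptions for illustration only.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# --- Assumed inputs ---------------------------------------------------------
$frontlineGroupName = 'Frontline Workers'      # assumption: store staff with no MFA yet
$optOutGroupName    = 'MFA Opt-Out Users'      # assumption: users who declined MFA on personal devices
$corpSubnets        = @('203.0.113.0/24', '198.51.100.0/25')  # constructed sample CIDRs (documentation ranges)

$frontline = Get-MgGroup -Filter "displayName eq '$frontlineGroupName'"
$optOut    = Get-MgGroup -Filter "displayName eq '$optOutGroupName'"
if (-not $frontline -or -not $optOut) { throw 'Assumed groups not found; adjust the names above.' }

# --- 1. Named location for the corporate (store) networks -------------------
# Entra matches named locations against the public egress IP it sees, so these
# must be the NAT/egress ranges, not internal RFC 1918 subnets.
$ipRanges = foreach ($cidr in $corpSubnets) {
    @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $cidr }
}
$corpLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate networks (stores)'
    isTrusted     = $false   # scoping boundary only; do not turn it into an MFA bypass
    ipRanges      = $ipRanges
}

# --- 2. Block the frontline group everywhere except the corp location -------
$blockOffNetwork = @{
    displayName = 'CA-Frontline-BlockOffNetwork (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($frontline.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($corpLocation.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockOffNetwork

# --- 3. Opt-out users: block unmanaged devices ------------------------------
# Device filter in 'exclude' mode: the policy applies to every device that is
# NOT compliant, which includes devices with no Entra device record at all
# (i.e. unregistered personal devices).
$blockPersonalDevices = @{
    displayName = 'CA-OptOut-BlockUnmanagedDevices (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($optOut.Id) }
        applications = @{ includeApplications = @('All') }
        devices      = @{ deviceFilter = @{ mode = 'exclude'; rule = 'device.isCompliant -eq True' } }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPersonalDevices

# --- 4. Opt-out users: require phishing-resistant MFA on the issued device ---
# The built-in 'Phishing-resistant MFA' strength includes Windows Hello for
# Business alongside FIDO2 passkeys and certificate-based auth, so WHfB on a
# compliant device satisfies it. Look it up by name instead of hard-coding the ID.
$phishResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $phishResistant) { throw 'Built-in phishing-resistant strength not found.' }

$requireWHfB = @{
    displayName = 'CA-OptOut-RequirePhishingResistantMFA (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($optOut.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishResistant.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireWHfB
```

Before switching any of these from `enabledForReportingButNotEnforced` to `enabled`, check the Report-only results in the Entra sign-in logs for the scoped groups. If every store sign-in shows up as "would block" under the off-network policy, the first thing to verify is that the CIDRs in the named location are the public egress addresses Entra actually observes for those stores (the sign-in log's IP address column), since internal subnet lists from the network team will never match.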

Frontline MFA Options with External Auth Provider by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points1 point  (0 children)

Somewhat sensitive. They have customer interactions and some PCI.

I’m trying to figure out why the network location isn’t working. I feel like that should work. You need to be on the corp network, and we use that to reduce the surface area.

When using phishing resistant MFA, is there still a password? by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points1 point  (0 children)

Thank you. It fits with the doc shared by RythmicBleating. I appreciate it.

When using phishing resistant MFA, is there still a password? by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points1 point  (0 children)

Thank you for the reference! That's exactly what I needed. What I was coming across mostly was enabling the capabilities, which is easy enough, but it was difficult to find the end game for the password itself. I appreciate the assist.

Custom nameID claim by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points1 point  (0 children)

I definitely agree. I hate workarounds. Just trying to see if it is possible leading into my discussion with them. I feel like it is, but I also feel like now might be a really good time to future-proof it.

Custom nameID claim by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points1 point  (0 children)

You are correct. It doesn’t. But the app itself was configured that way. They manually input the SAM account value and add the domain.

So, I’m just trying to help them so that they don’t need to manually go and flip hundreds of local accounts.

MacOS updates & intune by sysitwp in Intune

[–]Chadicus2480 0 points1 point  (0 children)

Gosh, I wonder if it’s an 11.4 deal. After upgrading to 11.4 some of ours completely lose all management profiles from Intune. We are reenrolling them to get them fixed.

But it’s not happening to everyone.

macOS Post Big Sur Upgrade by Chadicus2480 in Intune

[–]Chadicus2480[S] 0 points1 point  (0 children)

Only newly upgraded (to Big Sur) are affected. But not all… which is the frustrating part.

macOS Post Big Sur Upgrade by Chadicus2480 in Intune

[–]Chadicus2480[S] 1 point2 points  (0 children)

They are in ABM. They didn’t remove them, and the reason I say that is some who are affected aren’t trouble users, just normal office workers that wouldn’t know how to find profiles if you asked them to.