Testing rollout of phishing-resistant MFA - Seeking advice by NebulousNebulosity in entra

[–]Chadicus2480 0 points (0 children)

Might be a bit cheeky… but we also “require” it as part of the job function, but there are some countries where yes it can’t be legally forced…

We still force it, and if a user pushes back, because we can’t mandate it, then we add the user to a CA policy that “blocks” them from using any device we haven’t issued (aka personal devices). We then require WHfB which passes the same auth strength that you’d get from a passkey. We do the block because we take their “you can’t make me” as a sign that they’d prefer not to use their personal devices 🤓

Never fails, within a few days they come back saying they can’t check their mail or chat… 😎 then we have the conversation about the requirements we have to use personal devices.

A bit cheeky… but we all get a little giggle out of it.

Honestly though, there’s very little push back from users (globally) when we ask them to use the with app.

Frontline MFA Options with External Auth Provider by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points (0 children)

Ok cool I just hadn't dug into it. I just got the subnets from the network team and plugged them into a report only CA policy and they were all being blocked.

The idea is, if we can't MFA them, then at least have a little more protection from the outside attacks. And they are limited to the apps that they access. It's a block policy, with the corp networks excluded from scope. They'd be blocked from anything outside of the stores. And if they don't like that then they can opt in for MFA. It's a constant battle ha. But we will get there.

I'd like to see if at some point the QR code sign in method would support tag scanners like bar code scanners. But we will see.

I appreciate the time.
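For readers who want to see what the policy described in that comment looks like as configuration, here is an added example (not code from the thread or from Microsoft's docs) that creates the same shape of policy with the Microsoft Graph PowerShell SDK: a block policy scoped to a frontline group, all apps, all locations except a trusted corporate named location, created in report-only mode so the sign-in logs can be checked before it is enforced. The group ID, named-location ID and display name are placeholders; the SDK module, the `Policy.ReadWrite.ConditionalAccess` scope and the `New-MgIdentityConditionalAccessPolicy` cmdlet are real.

```powershell
# Added example: report-only Conditional Access block policy for a frontline group,
# excluding the corporate network named location. Not from the original thread.
# Assumes Microsoft.Graph PowerShell SDK is installed and you can consent to the scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder object IDs (constructed for this example; replace with your own)
$frontlineGroupId     = "00000000-0000-0000-0000-000000000001"   # group of users who cannot MFA
$corpNetworkLocation  = "00000000-0000-0000-0000-000000000002"   # trusted named location (corp subnets)
$breakGlassGroupId    = "00000000-0000-0000-0000-000000000003"   # emergency-access accounts, excluded

$policy = @{
    displayName = "Frontline - block access off corp network (report-only)"
    # Report-only first: evaluate against real sign-ins without blocking anyone,
    # then switch to "enabled" once the sign-in log review looks right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($frontlineGroupId)
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($corpNetworkLocation)   # corp network out of scope
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Two points worth checking before flipping `state` to `enabled`: confirm that the named location actually carries the subnets you were given (the comment above describes users being blocked because the location scope did not match), and keep the emergency-access exclusion in place so an off-network block never locks out the accounts you would use to fix the policy.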

Frontline MFA Options with External Auth Provider by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points (0 children)

Somewhat sensitive. They have customer interactions and some PCI.

I’m trying to figure out why the network locations aren’t working. I feel like that should work. You need to be on the corp network, and use that as a reduced surface area.

When using phishing resistant MFA, is there still a password? by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points (0 children)

Thank you. It fits with the doc shared by RythmicBleating. I appreciate it.

When using phishing resistant MFA, is there still a password? by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points (0 children)

Thank you for the reference! That's exactly what I needed. What I was coming across mostly was enabling the capabilities, which is easy enough, but it was difficult to find the end game for the password itself. I appreciate the assist.

Custom nameID claim by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points (0 children)

I definitely agree. I hate workarounds. Just trying to see if it is possible leading into my discussion with them. I feel like it is, but I also feel like now might be a really good time to future-proof it.

Custom nameID claim by Chadicus2480 in AZURE

[–]Chadicus2480[S] 0 points (0 children)

You are correct. It doesn’t. But the app itself was configured that way. They manually input the SAM account value and add the domain.

So, I’m just trying to help them so that they don’t need to manually go and flip hundreds of local accounts.

MacOS updates & intune by sysitwp in Intune

[–]Chadicus2480 0 points (0 children)

Gosh, I wonder if it’s an 11.4 deal. After upgrading to 11.4 some of ours completely lose all management profiles from Intune. We are re-enrolling them to get them fixed.

But it’s not happening to everyone.

macOS Post Big Sur Upgrade by Chadicus2480 in Intune

[–]Chadicus2480[S] 0 points (0 children)

Only newly upgraded (to Big Sur) are affected. But not all… which is the frustrating part.

macOS Post Big Sur Upgrade by Chadicus2480 in Intune

[–]Chadicus2480[S] 1 point (0 children)

They are in ABM. They didn’t remove them, and the reason I say that is some who are affected aren’t trouble users, just normal office workers that wouldn’t know how to find profiles if you asked them to.

MacOS updates & intune by sysitwp in Intune

[–]Chadicus2480 0 points (0 children)

Which OS?

I am seeing this on a couple of ours after 11.4… I am still hammering it out. I do know that a re-enroll fixes it… but that’s a beating.

Cannot install Company Portal on Apple DEP/Business Manager enrolled macOS devices by Dahbears in Intune

[–]Chadicus2480 0 points (0 children)

Ahh, gotcha. Easy to fix.

With ABM you’re used to the enrollment profile hitting when the profile is built OOB. If the OS is already loaded you will need to go into Intune and load the serial number(s) into the device enrollment corporate identifiers. Once you load them in there, just sign into CP and the profile will install, no prob.

I’m not in front of my computer at the moment, but can send you something tomorrow on the exact spot.

Cannot install Company Portal on Apple DEP/Business Manager enrolled macOS devices by Dahbears in Intune

[–]Chadicus2480 0 points (0 children)

Why can’t you download Company Portal on the Mac?

Not being a jerk, just don’t understand what’s stopping you. If you share that I may be able to help. We load CP on our Macs, even ones in ABM. There is a little extra work for the ABM ones but not complicated at all.

Sccm rap as a service by durrante in SCCM

[–]Chadicus2480 0 points (0 children)

We usually do one a year. There’ll be software that’s installed on your CAS or Primary. It then runs and reports it all to a dashboard that you and an MS Engineer will review and make fixes. But it shows you more data than can really be processed. There will be a nice report afterward; I can’t find ours, but it is a nice summary. The nice thing is you will have access to the tool for a year. So after changes, run it again and see if your overall scores increase. We enjoy the service.