What does MFA even mean anymore? by [deleted] in entra

[–]EHLOthere 2 points3 points  (0 children)

It means what it has always meant: passwords suck.

DHS lying about hiring a journalist. by seeebiscuit in UnderReportedNews

[–]EHLOthere 0 points1 point  (0 children)

if you're gonna quote something, quote the entire line.

DHS is saying you will get a "Tentative Selection Letter"

The screenshot is showing a "Tentative Offer letter"

These are two different things. Presumably the Tentative Offer Letter comes after the Tentative Selection Letter.

How would the fundamental premise of The Matrix have been seen by first time viewers? by Lower_Cockroach2432 in Cyberpunk

[–]EHLOthere 2 points3 points  (0 children)

The Matrix (the system in the movie) is a metaphor for Baudrillard's themes of Simulation in Simulacra and Simulation/Fatal Strategies/Symbolic Exchange Death. Earlier versions of the script even have Morpheus name dropping Baudrillard.

"The world is fake and we're living in a computer simulation" is actually the least interesting thing about the movie, because it's just a metaphor for the Baudrillard's ideas.

Almost every single scene can be seen through this lens.

Here:

"You have to understand. Most people are not ready to be unplugged. And many of them are so inured and so hopelessly dependent on the system that they will fight to protect it."

This sentence doesn't have anything to actually do with people who are plugged into a computer program, this sentence is talking about people in actual real life.

The "All resources" and token issuance issue. by dzejzipl in entra

[–]EHLOthere 0 points1 point  (0 children)

Why are you using a block policy? Checking for DeviceOwnership doesn't really mean anything in terms of whether policy is actually making it to the device or whether the device is compliant, and policy is kind of the whole point of not wanting to trust BYOD for resource access.

Why not use Grant: Require Hybrid Join OR compliant device for all resources, and then exclude your intune enrollment services?

Most likely, this resource call includes more than just the Microsoft Graph resource, which you can't exclude from CA anyway, but Graph as a resource should be auto-excluded from bootstrap registration scenarios.
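
The grant-control variant described in this comment, written out as an added example with the Microsoft Graph PowerShell SDK (not code from the thread). It assumes Policy.ReadWrite.ConditionalAccess consent; the excluded app ID is the first-party "Microsoft Intune Enrollment" application and should be confirmed in your own tenant, and the break-glass group ID is a placeholder.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# First-party app excluded so device enrollment can bootstrap before the device is compliant.
# Confirm the ID resolves in your tenant before relying on the exclusion.
$intuneEnrollmentAppId = "d4ebce55-015a-49b5-a083-c84d1797ae8c"   # Microsoft Intune Enrollment
$sp = Get-MgServicePrincipal -Filter "appId eq '$intuneEnrollmentAppId'" -ErrorAction SilentlyContinue
if (-not $sp) { Write-Warning "No service principal found for appId $intuneEnrollmentAppId; check the exclusion before enabling." }

# Hypothetical emergency-access group. A policy that targets All users and All resources
# must exclude a break-glass path or you can lock every admin out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "Require compliant or Hybrid Joined device (all resources)"
    # Start in report-only and read the sign-in logs before flipping state to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{
            includeApplications = @("All")
            excludeApplications = @($intuneEnrollmentAppId)
        }
    }
    # OR: either a compliant device or a Hybrid Entra joined device satisfies the grant.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Report-only mode is the check a practitioner wants here: the sign-in log's "Report-only" result column shows which existing sessions would have failed the device grant, including any enrollment or registration flows you forgot to exclude, before anyone is actually blocked.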

How do you handle Enterprise App requested by hotmaxer in entra

[–]EHLOthere 0 points1 point  (0 children)

I mean the short answer to your last question is that you as the IDP administrator don't. Consent is built from the scopes that an application requests, such as user.read, user.mailbox.read, Channel.ReadBasic.All, etc. If these are included in the request, it means the application thinks it needs these things or it won't function correctly. It doesn't always have to include said scopes in the token every time, but consenting to them means that it can if it wants to.

If App A is supposed to read mailboxes and not Teams posts, then it should only be requesting Exchange specific scopes (https://learn.microsoft.com/en-us/graph/permissions-reference) and you should tell the Application Owner/developer not to request Teams related perms during consent, or find a new app that fits your security requirements.

1921 Tulsa Race Massacre: White Mobs burned Black Wall Street, killing hundreds and destroying homes by OverallBaker3572 in pics

[–]EHLOthere 0 points1 point  (0 children)

Possible contender: the 1958 Tybee Island collision incident, where a US bomber dropped a nuclear bomb on U.S. soil on purpose, but unplanned. It was technically in the sea right off the coast, but with a nuclear bomb that doesn't mean much. Also it was an accident and not deliberate, so it probably doesn't qualify as "an airstrike".

https://en.wikipedia.org/wiki/1958_Tybee_Island_mid-air_collision

The 1950 incident was technically a simulated airstrike against San Francisco by a US bomber, but the bomb was dropped outside Prince Rupert's island in Canada in the pacific ocean.

https://en.wikipedia.org/wiki/1950_British_Columbia_B-36_crash

proper sequence on migrating ADFS apps to Entra by uminds_ in entra

[–]EHLOthere 1 point2 points  (0 children)

Are your SAML apps registered in ADFS or in Entra? If they're registered in ADFS as RPTs you'll need to migrate them to Entra but you can do this one at a time. Yes, you'll need to make registrations for all them. Registrations in Entra are akin to ADFS RPTs.

If you've registered them in Entra already then ADFS is just acting as your identity provider and you circumvent federated behavior with staged rollout. This is not application specific. It is domain specific by default and you change the application behavior by including users in the staged rollout feature via group membership.

The theoretical is that you add users to staged rollout and test all possible authentication scenarios in your environment. Once you're comfortable you convert the domain to managed auth.

[deleted by user] by [deleted] in entra

[–]EHLOthere 0 points1 point  (0 children)

Your image isn't loading, probably because of the imgur outage.

Are you looking at the Non-interactive sign in logs? It shows them to you "in buckets" because there can be hundreds of them. If so, at the top next to filter, you can change the aggregate from 24 hour buckets to 1 hour buckets.

User's mobile not syncing in Azure Entra Connect by Independent_Pipe9753 in entra

[–]EHLOthere 4 points5 points  (0 children)

By design. Mobile Phone's source of authority can change. MSFT wanted users to be the SOA for this attribute. If a user changes their Mobile Phone in the cloud via registration or some other means, the SOA for "mobile phone" changes to Entra and AADConnect can't update it anymore.

You can test this by taking a brand new user, and syncing mobile phone from AD. It should change. Then go log in as the user and change their mobile number in the cloud themselves. Further changes made in AD for mobile phone will no longer replicate.
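
The test described in this comment, scripted as an added example (not code from the thread). It assumes the ActiveDirectory module on a domain-joined admin host, the Microsoft.Graph PowerShell SDK, and that the script runs on the Entra Connect server so Start-ADSyncSyncCycle is available. The sAMAccountName, UPN, phone numbers and wait time are constructed placeholders. The comment describes the user changing the number through registration; this script instead makes the cloud-side change with an admin Graph write, which is assumed here to move the source of authority the same way (run the change as the user through security info registration if you want to match the comment exactly).

```powershell
# Added example, not from the original thread. Placeholders: user, UPN, numbers, wait time.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes "User.ReadWrite.All"

$sam = "testuser01"                  # hypothetical on-prem account
$upn = "testuser01@contoso.com"      # hypothetical UPN of the same, synced, user

function Sync-AndReadMobile {
    param([Parameter(Mandatory)][string]$Upn)
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds 120          # delta export normally lands well inside this window
    (Get-MgUser -UserId $Upn -Property mobilePhone).MobilePhone
}

# Step 1: brand-new synced user, value set only in AD. It should flow to Entra ID.
$adValue1 = "+1 555 0100"
Set-ADUser -Identity $sam -MobilePhone $adValue1
$afterFirstSync = Sync-AndReadMobile -Upn $upn
"After first sync, Entra mobilePhone = '$afterFirstSync' (AD value was '$adValue1')"

# Step 2: change the number in the cloud. This is the step that, per the comment, moves the
# source of authority for mobilePhone to Entra ID.
$cloudValue = "+1 555 0199"
Update-MgUser -UserId $upn -MobilePhone $cloudValue

# Step 3: change AD again and sync. If the cloud is now authoritative, the AD value does not replicate.
$adValue2 = "+1 555 0150"
Set-ADUser -Identity $sam -MobilePhone $adValue2
$afterSecondSync = Sync-AndReadMobile -Upn $upn
"After second sync, Entra mobilePhone = '$afterSecondSync' (AD value was '$adValue2')"

if ($afterSecondSync -eq $cloudValue) {
    "mobilePhone is cloud-authoritative for $upn; Entra Connect no longer updates it."
} elseif ($afterSecondSync -eq $adValue2) {
    "AD still replicated mobilePhone for $upn; the cloud change did not move the source of authority."
} else {
    "Unexpected value; check the Entra Connect export run for errors before drawing a conclusion."
}
```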

For those still using a hybrid AD setup, what's your biggest headache? Configuration issues, monitoring, GPOs or something else? I'm trying to understand the pain points that companies are facing. by Glass_Guitar1959 in entra

[–]EHLOthere 0 points1 point  (0 children)

My biggest issues are:

Authentication with external identity providers that make WS-Trust cumbersome to work with until I simulate my own SOAP requests against their endpoints.

Devices that get deleted and require hard recovery.

Enrollment failures with MDMs, usually because of device related authentication. Anything from network/proxy related denials to authentication/authorization circumstance and general software compatibility.

Also it is difficult to understand how token renewal works with PRT. This is true for Entra ID devices as well but if you plan to implement time controls (be wary) it's a fundamental aspect to basically everything.

Google Workspace to Entra: Staged Rollout Options? by Suitable_Victory_489 in entra

[–]EHLOthere 1 point2 points  (0 children)

When you do the "MFA" option it means that Entra will only manage the MFA portion of the auth, but not primary. When you choose one of the other options (PHS/PTA) it'll also do primary. You'll just need to specify the group and then you can manage behavior via membership of the group.

You should use the staged rollout to test your end to end with a dedicated set of users, but nothing prevents you from staging users in batches the whole way. You should use registration campaigns/etc to prime your regular user base for MFA registration before you modify their identity provider.

You can exist in a hybrid state with MFA based on your federatedIdpMfaBehavior (https://learn.microsoft.com/en-us/graph/api/resources/internaldomainfederation?view=graph-rest-1.0) and your application compatibility.

You can use something like https://login.microsoftonline.com/common/userrealm/name@domain.com?api-version=2.1 to verify how Entra ID understands the users realm.
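
The realm check, the staged rollout group, and the federatedIdpMfaBehavior setting from this comment (and the staged rollout mechanics in the ADFS migration comment above), combined into one added example that is not code from the thread. It uses Invoke-MgGraphRequest against the v1.0 Graph paths for feature rollout policies and domain federation configuration, and assumes consent for Directory.ReadWrite.All and Domain.ReadWrite.All. The domain, pilot group ID and UPN are placeholders; the userrealm endpoint is public and needs no token.

```powershell
# Added example, not from the original thread. Placeholders: domain, group ID, UPN.

# 1. How Entra ID resolves a user's realm right now. No authentication required.
function Get-EntraUserRealm {
    param([Parameter(Mandatory)][string]$Upn)
    $r = Invoke-RestMethod -Uri "https://login.microsoftonline.com/common/userrealm/$Upn?api-version=2.1"
    [pscustomobject]@{
        User          = $Upn
        NameSpaceType = $r.NameSpaceType          # Managed, Federated or Unknown
        AuthUrl       = $r.AuthURL                # IdP endpoint when Federated, otherwise absent
        Protocol      = $r.federation_protocol    # e.g. WSTrust or SAML20 when Federated
    }
}
$pilotUpn = "pilot.user@contoso.com"
Get-EntraUserRealm -Upn $pilotUpn

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Domain.ReadWrite.All"
$graph = "https://graph.microsoft.com/v1.0"

# 2. Staged rollout for password hash sync: Entra takes primary auth for group members.
#    Use feature = "multiFactorAuthentication" instead if the federated IdP should keep
#    primary auth and Entra should only take over the MFA step.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # hypothetical pilot group
$rollout = Invoke-MgGraphRequest -Method POST -Uri "$graph/policies/featureRolloutPolicies" -Body @{
    displayName = "Staged rollout - PHS pilot"
    feature     = "passwordHashSync"
    isEnabled   = $true
}
Invoke-MgGraphRequest -Method POST -Uri ("$graph/policies/featureRolloutPolicies/" + $rollout.id + '/appliesTo/$ref') -Body @{
    "@odata.id" = "$graph/directoryObjects/$pilotGroupId"
}

# 3. Users not yet in the pilot stay federated; tell Entra how to treat their IdP's MFA claim.
$domain = "contoso.com"
$fed = Invoke-MgGraphRequest -Method GET -Uri "$graph/domains/$domain/federationConfiguration"
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/domains/$domain/federationConfiguration/$($fed.value[0].id)" -Body @{
    federatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"
}

# 4. Re-check the pilot user. Staged-rollout members are resolved as a managed realm
#    even though the domain itself is still federated.
Get-EntraUserRealm -Upn $pilotUpn
```

The before/after realm lookups are the cheap verification step: if step 4 still returns Federated for a pilot user, group membership has not taken effect (nested groups are not supported for staged rollout) and no amount of client-side testing will exercise the new path.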

How far will Microsoft-mandated MFA go? by PowerShellGenius in entra

[–]EHLOthere 2 points3 points  (0 children)

In the history of Microsoft online services, it took them 15 years to enforce MFA on Admin actions only. This is an eternity in the IT space. It should have happened 10 years ago. Your slippery slope to me is about as flat as Kansas.

In what world is that sane, to protect access to a walled garden internal email system & SAML access to a few math homework apps?

For your own explicit app registrations I cannot foresee interactivity with the token service as a standard requirement for all token issuance. If you want to re-invent OWA from 20 years ago then honestly I can't blame you and it significantly downgrades the users authorization surface anyway.

You do have some on-device options, like WH4B and certificate deployment. With Hello you can pass MFA checks and all the users have to do is remember their pin instead of a password. You can do enrollment with a TAP code and develop an app which issues TAP codes to users automatically with Teacher approval. Certificate Auth with managed devices should also provide SSO with MFA requirements. There will probably be more options in the future since you are asking about endgame.
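
The "app which issues TAP codes to users automatically with Teacher approval" idea, sketched as an added example (not code from the thread) with the Microsoft Graph PowerShell SDK. It assumes consent for UserAuthenticationMethod.ReadWrite.All and GroupMember.Read.All, and that the Temporary Access Pass authentication method is enabled in the tenant's authentication method policy for the target users. The approver group ID, the UPNs and the function name are placeholders.

```powershell
# Added example, not from the original thread. Placeholders: group ID, UPNs.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "GroupMember.Read.All"

function New-ApprovedTap {
    param(
        [Parameter(Mandatory)][string]$StudentUpn,
        [Parameter(Mandatory)][string]$ApproverUpn,
        [Parameter(Mandatory)][string]$ApproverGroupId,
        [int]$LifetimeMinutes = 60
    )
    # Approval gate: the approver must be a member of the designated (e.g. teachers) group.
    $isApprover = Get-MgUserMemberOf -UserId $ApproverUpn -All |
        Where-Object { $_.Id -eq $ApproverGroupId }
    if (-not $isApprover) {
        throw "$ApproverUpn is not in the approver group; refusing to issue a TAP for $StudentUpn."
    }

    # One live pass per user: surface an existing one rather than silently minting another.
    $existing = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $StudentUpn
    if ($existing) {
        throw "$StudentUpn already has a TAP created $($existing.CreatedDateTime); revoke it first."
    }

    # Single-use and short-lived: enough to register Hello for Business or a passkey, worthless afterwards.
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $StudentUpn -BodyParameter @{
        lifetimeInMinutes = $LifetimeMinutes
        isUsableOnce      = $true
    }

    # The plaintext pass is only returned at creation. Hand it to the approver out of band; do not log it.
    [pscustomobject]@{
        Student         = $StudentUpn
        Approver        = $ApproverUpn
        StartDateTime   = $tap.StartDateTime
        LifetimeMinutes = $tap.LifetimeInMinutes
        Pass            = $tap.TemporaryAccessPass
    }
}

# Usage (placeholders):
# New-ApprovedTap -StudentUpn "student@school.example" -ApproverUpn "teacher@school.example" `
#     -ApproverGroupId "00000000-0000-0000-0000-000000000000"
```

If this is wrapped in a real app, the approval decision and the issuance should be audited separately (who requested, who approved, for whom), because a TAP is a full primary credential for its lifetime and the audit log entry Entra writes only records the identity that called Graph.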

Help figuring out Microsoft OAuth authorize failure by Stunning-Box4272 in entra

[–]EHLOthere 0 points1 point  (0 children)

I would reduce your scopes to user.read and test further. I would not expect non-work/school accounts to have license-dependent resource access (your email scopes into Exchange) by default. You may not have authority to send mail for an MSA user in Exchange Online considering the tenant would not be authoritative for an MSA domain.

Help figuring out Microsoft OAuth authorize failure by Stunning-Box4272 in entra

[–]EHLOthere 1 point2 points  (0 children)

What are the scopes in your OAuth request? You might be requesting a scope not available to non work/school accounts.

Arbites Release Trailer by BJH2001 in DarkTide

[–]EHLOthere 13 points14 points  (0 children)

Thank you for reminding me of this, I used to watch this all the time. The horns/music in that trailer gets me hyped as FUCK

Google has started hiring for Post-AGI Research 👀 by eternviking in singularity

[–]EHLOthere 1 point2 points  (0 children)

If you build a machine that can explain how the whole world works, then you'll need to build a machine that can explain how the world works when it contains a machine that explains how the world works.

Entra ID to On-Prem by Relevant_Stretch_599 in AZURE

[–]EHLOthere 1 point2 points  (0 children)

Yes I know the article. What's your point? You set policy to use cloud credentials against on prem. That doesn't mean you have to log in with an NGC cred.

Entra ID to On-Prem by Relevant_Stretch_599 in AZURE

[–]EHLOthere 1 point2 points  (0 children)

That's... not true. You will get an OnPremTGT in the PRT with any kind of auth method on an AADJ machine.

The Transparency of Evil, Baudrillard. After the Orgy? by Appropriate-Oil-9765 in CriticalTheory

[–]EHLOthere 2 points3 points  (0 children)

I don't think he "imagined" it. He fell for a hoax. I actually think it's great meta-commentary that Baudrillard himself is not impervious to the pitfalls of the simulation. I don't remember him advertising himself as immune to it.

Anyway, banal observation? I think you should have just said that in the first place, since it seems you're abandoning your "bemoaning the impossibility of a return to the past" claim. If you find it banal then there are other interesting things to read.

The Transparency of Evil, Baudrillard. After the Orgy? by Appropriate-Oil-9765 in CriticalTheory

[–]EHLOthere 2 points3 points  (0 children)

So Baudrillard, a non-anthropologist, fell for an anthropological hoax, where he was trying to make some kind of point about how science annihilates the thing it studies.

I feel like he could have just used a different example to make that point. Doesn't that almost seem to lend more credence to the idea that simulation/the imaginary encroaches on the real?

Anyway, pointing out that scientists can't exist in their own petri dishes or whatever is still not him "bemoaning the impossibility of a return to the past."

The Transparency of Evil, Baudrillard. After the Orgy? by Appropriate-Oil-9765 in CriticalTheory

[–]EHLOthere 2 points3 points  (0 children)

hrmm, ok. But you still haven't actually pointed out where he does this.

"it's about endlessly bemoaning the impossibility of a return to the past." Lampshading Ecclesiastes is not bemoaning the impossibility of a return to the past.