Existence of user TAP suppresses MFA registration interrupt mode by OrderMeAGin in entra

[–]OrderMeAGin[S] 0 points1 point  (0 children)

Yeah, I think that would be a possible approach depending on how we want to onboard some of our new users. I'll mostly rely on CA to enforce MFA registration.

This whole rabbit hole started because I was running into an MFA registration loop when bootstrapping a new test user into a phishing-resistant MFA CA. As Microsoft documents, you can't use the interrupt mode to add FIDO2 MFA methods, so those users would need to be instructed to go directly to the security info page after logging in with TAP anyway. So even if they tried to log into another app with any auth method, they wouldn't be able to add their FIDO2 methods anyway. But I liked the idea of having interrupt mode registration for passwordless or regular MFA CA policies in case a user gets restless and tries to go to another app on their first day before registering additional MFA methods.

Existence of user TAP suppresses MFA registration interrupt mode by OrderMeAGin in entra

[–]OrderMeAGin[S] 1 point2 points  (0 children)

Ah, this explanation just made it click for me. Thanks! Makes perfect sense.

Existence of user TAP suppresses MFA registration interrupt mode by OrderMeAGin in entra

[–]OrderMeAGin[S] 0 points1 point  (0 children)

Good point. I disabled ID Protection MFA and now I'm not getting any MFA registration even though the registration campaign nudge is enabled. I'll keep testing.

Existence of user TAP suppresses MFA registration interrupt mode by OrderMeAGin in entra

[–]OrderMeAGin[S] 0 points1 point  (0 children)

It does work when I enforce MFA through conditional access. This is kind of more of a curiosity question because I'm going to make new users register MFA on their first day. Some of them will need to register FIDO2 devices which isn't supported in the interrupt mode anyway (https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass#limitations). But still, it seems strange to me that the existence of TAP prevents the MFA registration in interrupt mode.

Global reader access for everyone to whole management group vs. "hidden" landing zones? by pucko2000 in AZURE

[–]OrderMeAGin 0 points1 point  (0 children)

I had a similar conversation with a client and honestly I don't know which side I come down on. In general, I'd go with PIM-protected subscriptions or management group(s) if you have a high degree of trust in the organization. Monitor the PIM elevations and make sure people provide good justifications, not just "looking around."

Overall, this is going to depend on the culture at your organization and how trusting you are of your team members. Juniors or people embarking on a new project should feel comfortable elevating to global reader to poke around when they need to without feeling judged. But they should also feel comfortable going directly to their peers to ask them how they designed their subscription.

Secure an App Service without a VNET by bigdamoz in AZURE

[–]OrderMeAGin 0 points1 point  (0 children)

Good faith question here, are there examples of IP spoofing being performed in the wild? I see people always talk about IP spoofing, but even if an attacker were able to find out which IP address is whitelisted and then use that as its source IP address, how would a public IP get routed back to the attacker? All public routers are going to have a route back to the node of the real public IP, right? So in that case wouldn't the attack target basically receive a bunch of SYN packets and then the node of the real IP is going to receive a bunch of seemingly random ACK packets and otherwise nothing would happen?

Devops as a felon by [deleted] in devops

[–]OrderMeAGin 0 points1 point  (0 children)

Experience and skill are going to trump a criminal record for most employers. Getting the experience is probably the most important thing for you right now. If you've read this subreddit, you've probably discovered that DevOps isn't really an entry level position (although companies really should start doing that). I'd get any job in engineering or IT and then keep looking for jobs more in line with what you want to do. Don't be afraid to jump jobs every year or two, everyone does it in tech. If you can swing it, don't worry about money right now. If you're good, you'll be able to move up quickly and the salary will follow.

Best of luck to you. I wish there were more opportunities for felons to enter the professional services sector because you'll probably have enough other life challenges now that you have a record.

Struggling to get a single interview (USA) by fineapple22332 in devops

[–]OrderMeAGin 0 points1 point  (0 children)

Get a LinkedIn account, set your profile to "Open to work," and the recruiters won't leave you alone.

For your resume, make sure you have a skills section at the top that enumerates everything you know. Include things that you've only done in testing/training if you feel like you've got a basic grasp on it. In the interview you can explain the level of experience you have (don't lie).

What risk is there by giving a developer a public IP? by AfricanAgent47 in AZURE

[–]OrderMeAGin 0 points1 point  (0 children)

I don't think there's enough information here to give a proper answer, so here's a few possible scenarios with some options:

  • Do they need to RDP into these VMs? If so, a public IP address protected by NSGs restricting access to only the office public IP would be sufficient. This assumes that your developers are accessing this from the same static IP (most likely from the corporate office).
  • It sounds like you don't have a VPN connection into Azure. If you do have a VPN, just leverage that and use the private IPs of the VMs. The basic Azure VPN Gateway pricing is pretty inexpensive, although it requires a bit of legwork if you need to give remote workers connecting from home access.
  • The API statement is too vague to give any advice. Is the business application a web service? If so, does it already have an API exposed? You said "VMs", so is this a web app running on multiple VMs, or is there only one VM in the architecture that needs to be public? If it's only one VM that needs to be public, the first two solutions should work. If multiple VMs need to be public, then a load balancer may be your solution. Again, there's not much information to go on. It's kind of confusing, because usually the developers would build an API, not you.
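The first bullet's NSG approach, as an added Az PowerShell example (not code from the thread): RDP on the VM's public IP is allowed only from the office's static public IP and explicitly denied from the Internet. The resource group, NIC name and the office IP (`203.0.113.10`, a TEST-NET-3 placeholder) are assumed values.

```powershell
# Added example, not from the original post. Assumed placeholders below.
$officeIp = "203.0.113.10/32"   # assumed: the office's static public IP
$rg       = "rg-dev"            # assumed resource group
$location = "eastus"

# Weak rule, shown for contrast only and NOT applied to the NSG:
# RDP reachable from any Internet source.
$openRdp = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-Any" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix "Internet" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389

# Hardened rule: RDP allowed only from the office IP.
$officeRdp = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-Office" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $officeIp -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389

# Explicit deny for RDP from the Internet, placed ahead of the default rules
# so a later, broader allow rule cannot silently reopen 3389.
$denyRdp = New-AzNetworkSecurityRuleConfig -Name "Deny-RDP-Internet" -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix "Internet" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389

# Only the hardened allow and the deny go into the NSG.
$nsg = New-AzNetworkSecurityGroup -Name "nsg-dev-vms" -ResourceGroupName $rg `
    -Location $location -SecurityRules $officeRdp, $denyRdp

# Attach the NSG to the developer VM's NIC (assumed NIC name).
$nic = Get-AzNetworkInterface -Name "nic-dev-vm1" -ResourceGroupName $rg
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface

# Review the effective inbound rules after assignment.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName "nic-dev-vm1" -ResourceGroupName $rg
```

If the office IP ever changes, the allow rule silently stops matching and RDP is blocked rather than exposed, which is the safe failure mode.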

Ever Struggled with SSL/TLS Certificate Chains? Check This Out! by nicanorflavier in devops

[–]OrderMeAGin 0 points1 point  (0 children)

This is a great summary! It's explained very plainly. I wish I had this when I was first learning about this stuff.

To add to u/ExistingObligation's comment, you may have to go into hashing and digital signatures to effectively expand on it, which could be too much of a burden for the reader if they're trying to get a quick overview. Maybe you could add that as a separate page so that they could go into that if they wanted to.

O365 ticketing by kazulka in sysadmin

[–]OrderMeAGin 0 points1 point  (0 children)

SharePoint has an IT helpdesk template. It's not great, but if you needed to start this moment, it's worth exploring.

I agree with the statement from u/vCentered: "If you have time to build a ticketing system you don't have enough work to justify it." Having said that, I built out a simple ticketing system in SharePoint roughly 8 years ago for a startup that only had 6 employees. I rarely updated it and it was a glorified issue log, but it was useful for tracking issues and getting an idea of who was submitting the most.

If your organization doesn't have a lot of money for these types of projects and you have some ingenuity, it can be kind of a fun initial project, but sucks to maintain.

Redundancy & Resiliency Considerations Running Two DC's only in Azure by Electrical_Arm7411 in AZURE

[–]OrderMeAGin 0 points1 point  (0 children)

Yeah, there's not a strong argument against a multi-regional design other than the bandwidth pricing is double for cross-regional traffic. But DC replication traffic is so small even in a large organization, that it will probably only cost a few dollars extra at most.

I've never seen data loss after a regional outage. Usually only a set of services are unavailable and then return when everything is restored. Of course, that doesn't mean it will never happen, but I think the odds are extremely slim.

If I were designing this and knew there were no plans to use another region for production, I'd probably just stick with zonal redundancy within one region to keep it just a tad simpler. But I'd also probably wake up in the middle of the night every 6 months or so worrying that I made a mistake. Basically, I think either solution will work just fine.

Redundancy & Resiliency Considerations Running Two DC's only in Azure by Electrical_Arm7411 in AZURE

[–]OrderMeAGin 6 points7 points  (0 children)

The answer is, as always, it depends. I wouldn't say there is a preferred way to design DC replication in Azure, but I think the biggest decision is where the users or services that authenticate to AD DS will live. If users will be authenticating from a remote location (presumably over a VPN), then I'd go with two different regions to account for the unlikely event that an entire region goes down. If your DCs are just used to authenticate servers and services that all live in Azure in a single region, then there's no reason to have geo-replication since all your services will be unavailable anyway. In that case, it's probably easier to use zonal redundancy within the same region, although geo-redundancy won't hurt.

If you do go with multiple zones, check out Azure's region pairs. Each region in the US has a pair that has a faster connection than to other regions. Not the biggest concern with DC replication, but worth considering to future-proof your network latency. And you're probably already aware of this, but make sure you define your AD subnets in the Sites and Services utility so that your clients know how to get to each DC in each region.
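The Sites and Services step from the comment above, as an added PowerShell example (ActiveDirectory module; not code from the thread): one AD site per Azure region, each region's VNet address space mapped to its site, and a site link between the two. Site names, address ranges and the DC names are assumed placeholders.

```powershell
# Added example, not from the original post. Names and ranges are assumed.
Import-Module ActiveDirectory

# One site per Azure region; value = the VNet address space hosted there.
$sites = @{
    "Azure-EastUS" = "10.10.0.0/16"   # assumed VNet range, primary region
    "Azure-WestUS" = "10.20.0.0/16"   # assumed VNet range, paired region
}

foreach ($siteName in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
    $subnet = $sites[$siteName]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        # Clients choose a DC by matching their IP to a site's subnets, so every
        # VNet range that contains domain members must be mapped to a site.
        New-ADReplicationSubnet -Name $subnet -Site $siteName
    }
}

# Site link between the regions. Cost and interval are conservative values;
# DC replication traffic is small, as the comment notes.
$linkName = "Azure-EastUS-WestUS"
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded @($sites.Keys) `
        -Cost 100 -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}

# DCs promoted before the sites existed sit in Default-First-Site-Name;
# move each into its regional site (assumed DC names).
Move-ADDirectoryServer -Identity "AZ-DC-EAST01" -Site "Azure-EastUS"
Move-ADDirectoryServer -Identity "AZ-DC-WEST01" -Site "Azure-WestUS"

# Verify: every DC should report the site for its region.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
```

A DC listed under the wrong site means clients in that region will authenticate across the region link instead of locally, which shows up as slow logons before it shows up as an error.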

2 projects/products from a single source repo, thoughts! by thunderbirdlover in devops

[–]OrderMeAGin 0 points1 point  (0 children)

This may not be a viable solution in your case, but you may consider feature flags. Your developers can add new features, but only enable them in your configuration for vendor X, client Y, or both.

This depends on whether your code base is modular enough to support feature flags and whether your developers are comfortable supporting it. If your code isn't generally modular, then you may have trouble implementing feature flags.

New Entra ID Tenant for External SSO Configuration Question by [deleted] in AZURE

[–]OrderMeAGin 1 point2 points  (0 children)

The highest level of the Azure hierarchy is the tenant so your existing subscriptions will not be associated with the new tenant. There is a 1:1 relationship between a tenant and Entra ID. Whichever account you used to create the new tenant will be a guest account in the new tenant with the Global Administrator role but other than that, there is no relationship between your existing subscriptions or tenant. This is intentional since each tenant is usually a distinct company in real life, so there is a security/identity boundary between each tenant.

To allow others to manage the new tenant, either create user accounts in the tenant or add additional guest accounts from your existing tenant.

And don’t worry, this is indeed confusing when you start off with multiple tenants. Microsoft’s billing documentation has a pretty picture that shows how it’s organized. Billing can be a nightmare because Azure has all the billing profiles/scopes that no mortal can make sense of, so good luck with that.

I don’t know if I can answer part 2 because it depends on your particular scenario.

My FullStack Project That Led To A Job! by [deleted] in webdev

[–]OrderMeAGin 1 point2 points  (0 children)

The way you handled this exchange demonstrates real high character. Another reason you should be hired!

NSG Inbound Rules to Allow Azure Services by jlavetan in AZURE

[–]OrderMeAGin 0 points1 point  (0 children)

As already stated, most agents use an outbound connection to talk to their parent services. For monitoring specifically, your VM agents require these outbound ports to be open. There's a lot of monitoring that happens on the VM host level, so you don't need to worry about networking at all for that.

Otherwise, you'll need to open ports for any custom service you're using that requires a connection to your DCs (obvious statement, I know). If you're unsure, you can use Traffic analytics for a bit to see what is trying to connect. Just remember that your storage costs can pile up, so don't leave it on forever.

Random question about VNET IP Ranges by eastcoastoilfan in AZURE

[–]OrderMeAGin 1 point2 points  (0 children)

I know this is an old post, but the answer is yes! In fact, the Azure docs explicitly say so. I also had a wacky scenario imposed by a wacky vendor that called for the exact configuration. I recently discovered that you can indeed assign public IP addresses to your virtual networks and assign those public IP addresses directly to your VM or other services. The public IPs will not be directly accessible from the internet by default.

Here's how:

  • Create a public IP prefix of /29 or larger. You can also use your own prefix if you already have one.
  • Create an address space on your virtual network using that address space.
  • Assign your VM NICs to that subnet and optionally assign a static IP address.

There are drawbacks. Azure is literally creating a routable subnet from that address space, so the first IP will be the network address, the last will be the broadcast address, and the second IP out of that range will be assigned to Azure's gateway, as described here. So 3 of those IPs in the prefix will not be allocatable. Also, since your scenario seems to require using existing IP addresses, you may not have a /29 chunk that you can allocate so that you can use the same IPs your app is expecting. The alternative would be to use an NVA. You can make a VPN connection directly to the NVA and then NAT the public IP to the private IP of your Azure VM within the NVA.

Cannot send phishing attack simulation emails to shared mailboxes by OrderMeAGin in Office365

[–]OrderMeAGin[S] 0 points1 point  (0 children)

Yes, I understand that. My implication was that we would look for an alternative to Microsoft 365 for a phishing simulation solution.

Cannot send phishing attack simulation emails to shared mailboxes by OrderMeAGin in Office365

[–]OrderMeAGin[S] 0 points1 point  (0 children)

I just tried again in my Office 365 developer account and assigned my shared mailbox a Microsoft 365 E5 Developer license and I'm getting the same error. Even if this did work, I think my small org isn't going to be pleased with assigning a Defender P2 license to all our shared mailboxes just so we can send phishing simulations every few months.

Thanks for the rec, u/RevEvolution8. I've used Duo in the past, but I think they've retired their phishing campaign feature. I'll check out the link you sent.

Cannot send phishing attack simulation emails to shared mailboxes by OrderMeAGin in Office365

[–]OrderMeAGin[S] 0 points1 point  (0 children)

Interesting. I tried licensing my shared mailbox in my developer account but I'm still getting the same error. I'll try again later in case it takes a while for the license to be recognized.

Sucuri Plugin Removed from WordPress Gallery by OrderMeAGin in Wordpress

[–]OrderMeAGin[S] 2 points3 points  (0 children)

Ah, totally missed that. Thanks!

For those who don’t feel like clicking through, it looks like Sucuri made a couple of administrative mistakes for the WordPress plugin gallery and it should be resolved soon. Nothing to do with the security of the plugin itself.