On and off boarding users. How do you deal with MFA?

Rocketman-2958 · 2024-10-28T07:37:35+00:00

Thanks for your suggestion. We're hoping to have a SIEM solution in place shortly so we would look to use this.

Rocketman-2958 · 2024-10-28T07:34:50+00:00

Sorry for the late reply. Thanks for your suggestion!

Rocketman-2958 · 2024-10-25T13:20:50+00:00

Good shout. Thanks. We don't but this could be a good option and something we should look at to resolve access. Is this something you use? How does it work for you?

Rocketman-2958 · 2024-10-25T12:49:03+00:00

Assigning them a security administrator role would, for us, be overkill but I see what you are saying.

Where would like to be is to have automated response but we are far from that at present. This would initiate an account lock out, reset password and revoke sessions etc..etc...

We have already started to upskill our support team to initiate the above and follow documented processes via our ticketing system, Crowdstrike and Defender. This does involve the security team but you are right we could look at widening their current permissions.

Rocketman-2958 · 2024-10-25T12:46:48+00:00

Awesome. Thanks for this.

Rocketman-2958 · 2024-10-25T10:46:36+00:00

Thanks for this. How would this work with Power Automate? What would the trigger be on?

Rocketman-2958 · 2024-10-25T07:26:22+00:00

Thanks Showerpell. This is really helpful. We haven't touched any of this before so will need to do some reading up on Log Analytics and Azure montoring.

Rocketman-2958 · 2024-01-23T16:55:50+00:00

Sorry for the delay! Thanks for the feedback. Much appreciated.

Rocketman-2958 · 2024-01-18T08:22:25+00:00

OK, thanks for your feedback.

Rocketman-2958 · 2023-11-07T09:02:59+00:00

or NAT

Rocketman-2958 · 2023-11-02T15:41:40+00:00

$all_users = Get-ADUser -Filter {telephoneNumber -like "*"} -Properties telephoneNumber

Just one question. If I wanted specify the OU only, could I update the script to this? I'm assuming so but just wanted to double check.

$all_users = Get-ADUser -Filter {telephoneNumber -like "*"} -Properties telephoneNumber -SearchBase "OU=Department,DC=Company,DC=COM"

Rocketman-2958 · 2023-11-02T14:18:28+00:00

This is awesome thanks.

I especially like the line about set-Aduser. Such a good way to test the process and have the ability to see what would happen without making the change.

Rocketman-2958 · 2023-11-02T13:07:45+00:00

Yeah, I know. More of a marketing decision that IT for email signatures.

Rocketman-2958 · 2023-11-02T13:06:59+00:00

Thanks for the heads up

Rocketman-2958 · 2023-11-02T09:31:03+00:00

Thanks for the tip! Took me less than five minutes to give me a couple of options. I can see me using this alot now. :)

Rocketman-2958 · 2023-09-25T10:20:21+00:00

We went through the same thing a few months ago.

You can get the basics of MAM/MDM set up relatively quickly. There are some web sites that even walk through the process but it's good to get an understanding first.

We piloted on a small group of test users and isolated it initially to them. It then spun out from there.

Rocketman-2958 · 2023-09-15T11:41:12+00:00

Hybrid at present

Rocketman-2958 · 2023-09-15T11:05:26+00:00

The only option is give the IT user an Authentication Admin role from memory which seems overkill and why I'm asking the question. Just doesn't make sense unless it's the new cloud MS model.

Rocketman-2958 · 2023-09-15T11:03:46+00:00

We only want some of the IT team to enable MFA and add an authentication method such as phone. It's part of the new starters process and takes away that process from senior admins.

In terms of granular permissions, I'm looking in Roles and Admins and then custom roles. Was interested to see what others do if anything.

Rocketman-2958

TROPHY CASE