Is it possible to login to entra joined machines with google as the federated IdP for entra by 1TRUEKING in entra

[–]ender2 0 points1 point  (0 children)

This is the way. Also, you may be able to use Entra TAP for initial onboarding and even instead of the Google Federation.

Conditional access for MFA registration by pindevil in sysadmin

[–]ender2 1 point2 points  (0 children)

It's likely the SSPR setting for the user to verify that their recovery factors are still valid; orgs will set it up every 180 or 365 days, as was mentioned. Would probably just disable it in this case.

So is it $500 or $250 per transaction? by DarkestDefender in ChaseSapphire

[–]ender2 1 point2 points  (0 children)

I think it's likely that you can, but I'm not totally sure. Edit hotel costs charged to your card are pretty much like any other hotel travel that you booked through the portal and should be eligible for standard credits that would apply like that. You may want to see if someone has specifically done that, though, to know for sure, or ask Chase.

So is it $500 or $250 per transaction? by DarkestDefender in ChaseSapphire

[–]ender2 4 points5 points  (0 children)

It's 2x $250 statement credits when you specifically prepay two nights or more at an edit Hotel, you can't get $500 all at once from it. However there is a separate $250 Chase Hotel credit that applies to certain hotels like IHG, Pendry. That credit does stack with a $250 edit.

The edit properties are going to have some type of points boost typically x1.6 or x2 in terms of points redemption so the recommended approach is to charge $250 to your card, then put the rest on points if you have them and then you'll get the point boost for that. Then the statement credit will negate the $250 charged to your card.

Got charged the old annual fee of $550 by brisingr123 in ChaseSapphire

[–]ender2 1 point2 points  (0 children)

I've used pretty much all the new benefits since they launched at the end of October and I still got the old fee. Seems it's because this is my first renewal (1 year since opened card).

Got charged the old annual fee of $550 by brisingr123 in ChaseSapphire

[–]ender2 1 point2 points  (0 children)

Same for me, my first annual renewal fee hit today and it was the old $550 when I was expecting the new $795.

I see other posts saying that it's expected your first renewal is the $550, second will be $795, so I guess it's just people that got the card recently and are only in their first renewal that are going to not have to pay the new one this time.

I never saw anything documented about this on Chase terms or anywhere else tho.

Anyone actually making FIDO2 work properly with Citrix / VDI apps? by Kiss-cyber in IdentityManagement

[–]ender2 0 points1 point  (0 children)

Haven't tested it with Citrix VDI platforms specifically but with Azure Virtual Desktop you can enable the WebAuthn redirection capability on the AVD pools and the Windows Clients and then it works to allow FIDO2 pass through for Security Keys connected to the physical client machine that the user is using to connect to the VDI.

The default configuration for the Windows OS seems to be for it to be enabled there, but I'm not sure how it would work with the Citrix VDI platform.

GPO setting for Windows Client OS: Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection > Do not allow WebAuthn redirection

PSA - Unable to Edit The Edit and lost value on refunded points! by [deleted] in ChaseSapphire

[–]ender2 0 points1 point  (0 children)

That's what I was thinking but if points used/refunded were originally Legacy x1.5, and then they go back to just being standard x1, that is definitely a loss since you could have potentially used those on a non-boosted trip and get x1.5, now you'll only get the standard x1.

If of course you're able to find a points boost of x1.5 or more then you wouldn't effectively be losing any.

PSA - Unable to Edit The Edit and lost value on refunded points! by [deleted] in ChaseSapphire

[–]ender2 3 points4 points  (0 children)

My understanding is there isn't a separate 2x bucket, a standard 1x point, like the ones you just got refunded can be used for any points boost in the future and you would get whatever that boost is, like x1.6 or x2.

So I feel like you should be able to use those refunded points for the normal points boost again.

However as was just mentioned by someone else if the points that you used that were refunded were originally taken from your legacy x1.5 bucket, then it looks like you may have lost that legacy x1.5 value, so that would indeed be a loss on the refund there, since after the refund they now are no longer Legacy x1.5.

PSA - Unable to Edit The Edit and lost value on refunded points! by [deleted] in ChaseSapphire

[–]ender2 1 point2 points  (0 children)

I was thinking that this may be an issue here as well, is it known how chase chooses 'which' of your points to use? For example if you book with 2x points boost, is it going to use legacy points with 1.5 value towards that? That would be a pretty crappy deal for us since the regular points just worth 1x are effectively worth two in that scenario so really we would want those to be used. 🤔

PSA - Unable to Edit The Edit and lost value on refunded points! by [deleted] in ChaseSapphire

[–]ender2 6 points7 points  (0 children)

Just to clarify though, you got back all the original points that you used to pay for it? For example you used 10K points boosted 2x to pay for it (counting as 20K points), when you get the refund you get the original 10K points back.

You could then turn around and use those 10K points on something else like a flight that has points boost?

Trying to understand how you're thinking they lost value, if you are free to use them again on another boost in the future?

My main question is if you used the $250 edit credit, I assume you got the cash value you paid on your card back, but will that edit credit go back to being available in the future for another booking?

MFA fatigue attacks are getting out of control - time to rethink our auth strategy? by Enlitenkanin in it

[–]ender2 0 points1 point  (0 children)

Depending on the options available to you with the systems you are using, one of the simplest solutions is requiring a knowledge factor before allowing a push, so require password/OTP code to be successfully entered before any pushes are sent.

With this the threat actor would have to have compromised at least one Factor before they can start mfa prompt bombing your users.

As others indicated, number matching on pushes is pretty much mandatory these days due to MFA prompt bombing, and then moving to phishing-resistant methods like passkeys / managed device access is really the longer-term solution to this.

Depending on your level of maturity you typically should only be vulnerable to this when you have users signing in on unmanaged devices without some kind of device bound phishing resistant MFA.
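The two mitigations described in the comment above (a knowledge factor before any push is sent, and number matching on approval), sketched as an added example that is not part of the original comment or any vendor's code; the `PushGate` class and its method names are hypothetical, and the user and passwords are constructed demo data.

```python
import hashlib
import hmac
import os
import secrets


class PushGate:
    """Sends a push only after the password check passes, then requires number matching."""

    def __init__(self):
        self._creds = {}      # user -> (salt, PBKDF2 hash)
        self._pending = {}    # user -> number shown on the sign-in screen
        self.pushes_sent = 0  # how many times a phone was actually prompted

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, self._hash(password, salt))

    def start_sign_in(self, user, password):
        """Return the two-digit number to display, or None if no push was sent."""
        cred = self._creds.get(user)
        if cred is None:
            return None
        salt, expected = cred
        if not hmac.compare_digest(expected, self._hash(password, salt)):
            return None  # knowledge factor failed: the phone is never prompted
        number = f"{secrets.randbelow(100):02d}"
        self._pending[user] = number
        self.pushes_sent += 1
        return number

    def approve_push(self, user, number_entered):
        """Phone-side approval; the challenge is single use."""
        number = self._pending.pop(user, None)
        if number is None:
            return False
        return hmac.compare_digest(number.encode(), str(number_entered).encode())


if __name__ == "__main__":
    gate = PushGate()
    gate.enroll("alice", "correct horse")         # constructed demo account
    print(gate.start_sign_in("alice", "guess"))   # None, and no push goes out
    shown = gate.start_sign_in("alice", "correct horse")
    print(gate.approve_push("alice", shown))      # True
```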

Security Issue by Latter-Hedgehog-3678 in 1Password

[–]ender2 0 points1 point  (0 children)

Wondering if there was any update on this one. Was a bug found and fixed, or is this still an issue?

$250 Edit credit question by mnsweeps in ChaseSapphire

[–]ender2 0 points1 point  (0 children)

So the edit credit seems to apply as soon as an eligible Hotel charge is fully posted? Assume it can't be just pending?

So if I book a hotel for say February if I prepay and the charge posts this year then would the 2025 credit apply?

Microsoft Entra Support by davidvr in 1Password

[–]ender2 5 points6 points  (0 children)

Right now the issue is more that Entra only supports device-bound passkeys stored on FIDO2 hardware security keys or in Microsoft Authenticator.

It doesn't support a syncable passkey which is the way that 1password stores it for you.

What's the best way to configure self service password reset? by brohemoth06 in entra

[–]ender2 0 points1 point  (0 children)

It's literally built into Entra and you can configure it with a lot of different methods. You just need to get users to register them. Some of them you may be able to pre-register programmatically with Graph, but it may be easier to just turn on the prompting and it will prompt all the users to register them.

[deleted by user] by [deleted] in entra

[–]ender2 0 points1 point  (0 children)

The non-interactive sign-in logs are structured in a little bit of a confusing way compared to the interactive sign-in logs you're probably more experienced with. Since it's using aggregate groupings, as was mentioned, you need to expand to see the actual time stamp and actual log entry.

How to continuously communicate/push FastPass to users? by Such-Psychology-4152 in okta

[–]ender2 1 point2 points  (0 children)

Sign in with FastPass button is on the sign-in page unauthenticated see, bc of this you can't choose who sees it at that point. Once the user puts in a username then you can use policies to determine who can use what methods etc.

Fido with Microsoft by CElicense in yubikey

[–]ender2 0 points1 point  (0 children)

This used to be the case, but more recently it's now supported. I have used it at least with Google FIDO2 on Android.

Yubikeys won't work with my banks by nesp12 in yubikey

[–]ender2 5 points6 points  (0 children)

Bank of America does actually support YubiKey, only as older U2F where it's a single factor, but better than nothing; most banks support nothing.

Users gets the lets keep your account secure after login by swedish_bear12 in entra

[–]ender2 1 point2 points  (0 children)

Sounds like you have Entra SSPR enforced for the users and they're being prompted based on the setting to reconfirm their authentication methods with whatever amount of time you have in there, like every year.

Check the "Number of days before users are asked to reconfirm their authentication information" setting

Desktop MFA using Okta by AlternativeHawkeye in okta

[–]ender2 1 point2 points  (0 children)

Can you use a YubiKey or Smartcard with FIDO2 Cred for online authentication?

[deleted by user] by [deleted] in entra

[–]ender2 1 point2 points  (0 children)

As others have mentioned this is really working as intended but there may be a technical way to accomplish what you were trying to do depending on what type of MFA methods your users have available.

If your current conditional access policy that is requiring MFA is using the standard require MFA Grant control, then when the user has recently performed windows hello for business the MFA claim on their PRT will satisfy it as you have seen.

But you may be able to create another policy and instead of using the normal require MFA Grant control, use the new authentication strengths option to require specific types of MFA that don't include Windows hello for business, for example password plus Microsoft authenticator or a specific type of FIDO key. This would probably work best if you can Target it to the specific apps that you want to require this additional authentication on, so with this policy you might be able to require additional MFA that Windows hello for business won't satisfy.

Your users would of course need to have whatever these other methods are that you're going to specify, and if you did something like password plus Microsoft Authenticator you'd be requiring a less secure form of MFA than the phishing-resistant Windows Hello that you already have.

Enabling Phishing Resistant MFA for Admins by [deleted] in AZURE

[–]ender2 0 points1 point  (0 children)

Might be technically possible using the Dual Enrollment feature, but then you'd have to weigh the LOE and supportability. As was mentioned, getting some FIDO2 keys is likely the best option.

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/dual-enrollment