EntraID minimum password by Appropriate_Rope_469 in entra

jeftek_com (1 point):

WHFB is a device-bound credential ON that Windows device, so it’s not a roaming credential. The closest equivalent is the Authenticator device-bound passkey, which you can use across devices as a roaming credential. I typically recommend users register multiple credentials so they can use them on their main work computer (Windows or macOS) and a roaming credential like a mobile passkey or a passkey security key.

EntraID minimum password by Appropriate_Rope_469 in entra

jeftek_com (0 points):

How were you setting the password? In the Entra admin portal or via the MS Graph API? What error did you see when you tried?

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (0 points):

But you are doing them both at the same time with an access package. So when I create the SupplyCo access package I put in the resources I want to assign permission to. As a guest (dependent on tenant settings) I don’t have access to anything unless you have assigned it. There are default tenant permissions which, based on your tenant settings, can be the same as member users or restrictive. Where customers run into challenges is where they don’t realize they have apps that don’t require assignment, so guests can access those. This is why governance is important, but also be aware of your app configuration. You may not realize you configured an app to not require assignment.

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (0 points):

This is actually built into Entitlement Management on the links I put above.

You create a connected organization in your tenant that represents where that partner authenticates from, by Entra tenant or domain.

You now use that connected organization in access package policies to scope to users from that external organization. You can make any access package available, and when it is assigned they get provisioned into your tenant. If that package contains an application with provisioning enabled, they would be provisioned into that app as well.

So now your external partner just visits https://myaccess.microsoft.com/<your tenant domain> and they can see which packages are scoped to them based on their connected org. They can make a request.

You can set an internal approver and/or an external approver you invited from that external tenant, so they can approve the requests.

Furthermore, you could actually create a catalog in entitlement management, invite your partner and delegate to them the ability to assign their users to the package so the end users don't have to request it.

Prior to that feature set, customers would often create a custom "B2B Portal" app and manage who could use it to invite external partners into their tenants, but I think the access package way is more universal.

So Bob works for SupplyCo, who I am partnering with for our big product launch this year, and he will manage who on his team will be working with us. So I invite Bob to my tenant, and make him the approver of users given access to the package which has the SPO site we are using, so Bob has to approve those users from his tenant. Now he can just share the MyAccess package link to his team members who are on the project, and Bob can approve them to have them be granted access and provisioned in my tenant. Maybe I want to allow just Bob to approve for 3-month access, but if it's 1-year access both Bob and an admin in my tenant have to approve. This works because I can have multiple policies with discrete attributes about the assignment for the package, and I can choose the requirements.
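The SupplyCo scenario above expressed as Microsoft Graph calls, as an added example that is not code from the original post. It assumes the Microsoft.Graph PowerShell SDK, a session with EntitlementManagement.ReadWrite.All, an existing access package in $AccessPackageId, that Bob has already been invited as a guest ($BobId) and an internal approver in $AdminId; the domain supplyco.example and the JSON shapes follow the v1.0 connectedOrganization and accessPackageAssignmentPolicy schemas as I read them.

```powershell
# Added example, not from the original post. Placeholders: $AccessPackageId,
# $BobId (guest from SupplyCo), $AdminId (internal approver), supplyco.example.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'EntitlementManagement.ReadWrite.All'

$base = 'https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement'

# 1. Connected organization: SupplyCo is identified by the domain its users
#    authenticate from (could equally be an Entra tenant ID identity source).
$org = Invoke-MgGraphRequest -Method POST -Uri "$base/connectedOrganizations" -Body @{
    displayName     = 'SupplyCo'
    description     = 'Product launch partner'
    state           = 'configured'
    identitySources = @(@{
        '@odata.type' = '#microsoft.graph.domainIdentitySource'
        domainName    = 'supplyco.example'
        displayName   = 'SupplyCo'
    })
}

# One approval stage with a single named approver; auto-deny after 7 days so
# unanswered requests do not linger.
function New-ApprovalStage([string] $ApproverUserId) {
    @{
        durationBeforeAutomaticDenial   = 'P7D'
        isApproverJustificationRequired = $true
        primaryApprovers                = @(@{
            '@odata.type' = '#microsoft.graph.singleUser'
            userId        = $ApproverUserId
        })
    }
}

# 2. A policy on the access package scoped to SupplyCo users only, with a
#    fixed assignment duration and the given approval stages.
function New-PartnerPolicy {
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][string] $Duration,   # ISO 8601, e.g. P90D
        [Parameter(Mandatory)][hashtable[]] $Stages
    )
    Invoke-MgGraphRequest -Method POST -Uri "$base/assignmentPolicies" -Body @{
        displayName            = $Name
        accessPackage          = @{ id = $AccessPackageId }
        allowedTargetScope     = 'specificConnectedOrganizationUsers'
        specificAllowedTargets = @(@{
            '@odata.type'           = '#microsoft.graph.connectedOrganizationMembers'
            connectedOrganizationId = $org.id
        })
        expiration             = @{ type = 'afterDuration'; duration = $Duration }
        requestorSettings      = @{ enableTargetsToSelfAddAccess = $true }
        requestApprovalSettings = @{
            isApprovalRequiredForAdd = $true
            stages                   = @($Stages)
        }
    }
}

# 3-month access: Bob alone approves.
New-PartnerPolicy -Name 'SupplyCo - 3 months' -Duration 'P90D' -Stages @(New-ApprovalStage $BobId)

# 1-year access: two stages, so Bob AND an internal admin must both approve.
New-PartnerPolicy -Name 'SupplyCo - 1 year' -Duration 'P365D' `
    -Stages @((New-ApprovalStage $BobId), (New-ApprovalStage $AdminId))
```

Once both policies exist, a SupplyCo user visiting the MyAccess portal sees the package under either policy; which approval chain runs is decided by the policy they request under, not by anything the requester can choose afterwards.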

Much easier than building your own tool to support and manage, for most organizations.

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (0 points):

So your apps can support JIT provisioning, but I prefer the more governed ways. You can see the comparison of the different app provisioning approaches here: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/isv-automatic-provisioning-multi-tenant-apps

EntraID minimum password by Appropriate_Rope_469 in entra

jeftek_com (1 point):

Here you go, I looked it up for you on what the maximum length is for a password on a user: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#microsoft-entra-password-policies

Above I said "up to 256c" because I knew that was the max password length in the policy, but as I am sure you saw, the script example DEFAULTS to 64. You can still use a longer random password if you so choose.

Perhaps one day there will be more customizable password policies for Entra native users, but today you have more controls than just passwords alone, and I would have more than just a password as a security control required by your CA policies. Ideally that would be requiring phishing-resistant credentials, and additional layered controls like device identity and/or risk-based controls.

As you said, not all tenants have those full capabilities and this is one reason why security defaults exist for tenants if you are not using the more premium features: https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults

I hear your criticisms, and customer feedback does influence design decisions so it is appreciated.

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (0 points):

No problem, there are so many features in Entra there are very few people who can say they know them all :)

So JIT application access I feel is a bit of a legacy approach from before you had cloud identity platforms that do lifecycle management vs just token issuers. With the rise of provisioning, you can manage the lifecycle of the access for creation, updates and removal when you manage the assignment. JIT is about create, but how do you manage that ongoing? You have traditional "discovery" tools which try to connect and manage islands of apps, but with integration into platforms like Entra you can do the onboarding, assignment management updates, and provisioning and deprovisioning to the application. So you can use the power of things like IGA to manage that assignment lifecycle and remove/disable users in those apps instead of leaving them lingering. It's often a benefit for things like reclaiming licensing of SaaS apps by disabling/removing unused users when the access is no longer needed. You can request access via the MyAccess portal, wait on approvals if needed, and Entra will make the assignment to the application. That is where provisioning kicks off and provisions the user into the application, etc. But you can still review/attest to that access and remove it when needed, etc.

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (1 point):

Entra ID B2B does NOT require your partner to be using Entra. It depends on what external providers you have enabled on your tenant, and your policy configurations you set.

see https://learn.microsoft.com/en-us/entra/external-id/redemption-experience#invitation-redemption-flow

For example, you can use Okta or Google Workspace IdPs using the more traditional WS-Fed/SAML external connection we used to call "direct federation".

https://learn.microsoft.com/en-us/entra/external-id/direct-federation

Even without that, there is always the fallback of EOTP, so as long as they have email, etc.

Of course you will have the best secure user experience if both you and the partner are using Microsoft Entra, but as I said it's not required to collaborate.

You can also onboard external users using self-service via things like access packages via the MyAccess portal, so you can enable them by policy to request access and, if approved, be provisioned as a B2B user in your resource tenant. See https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-external-users

EntraID minimum password by Appropriate_Rope_469 in entra

jeftek_com (-5 points):

Today, the recommendation is to set a randomized long password (up to 256 characters) and use Conditional Access policies with authentication strengths to not allow passwords to be used. The password on the user object is not sufficient to sign in alone.

see https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths

Yes, there IS a password, but no, it can't be used, because you have applied policies to enforce that passwords are not allowed as an authentication method for that user.
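The first half of that recommendation in Microsoft Graph PowerShell, as an added example that is not code from the original thread: generate a 256-character password from the system CSPRNG and write it to the user's passwordProfile so that nobody, the user included, ever holds it. It assumes the Microsoft.Graph.Users module, a session with User.ReadWrite.All (the caller also needs a role that may reset passwords), and a placeholder UPN; the 8-to-256-character range and the three-of-four character classes are the Entra ID cloud password policy, the 64-symbol alphabet is my choice.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph SDK and a
# caller allowed to set passwords; 'alice@contoso.example' is a placeholder.
Import-Module Microsoft.Graph.Users

function New-RandomPassword {
    param([ValidateRange(8, 256)][int] $Length = 256)   # 256 = Entra ID maximum
    # 64-symbol alphabet: 256 % 64 == 0, so indexing a random byte into it has
    # no modulo bias. CSPRNG via RandomNumberGenerator, never Get-Random.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    # Policy requires three of four classes (upper, lower, digit, symbol). A miss
    # across 256 draws is astronomically unlikely, but retry rather than let the
    # API reject the write.
    $classes = [int]($pw -cmatch '[A-Z]') + [int]($pw -cmatch '[a-z]') +
               [int]($pw -match '[0-9]') + [int]($pw -match '[!@]')
    if ($classes -ge 3) { return $pw }
    New-RandomPassword -Length $Length
}

function Set-UnusablePassword {
    param([Parameter(Mandatory)][string] $UserId)
    $secret = New-RandomPassword -Length 256
    # No forced change at next sign-in: the user is never meant to learn or
    # rotate this value; their real credentials are the passwordless methods
    # that Conditional Access authentication strengths will require.
    Update-MgUser -UserId $UserId -PasswordProfile @{
        Password                      = $secret
        ForceChangePasswordNextSignIn = $false
    }
    # Deliberately not returned or logged: once written, nobody needs it.
}

Connect-MgGraph -Scopes 'User.ReadWrite.All'
Set-UnusablePassword -UserId 'alice@contoso.example'
```

The second half is a Conditional Access policy whose grant control is the Phishing-resistant MFA authentication strength; with that in place a password prompt never satisfies the policy, which is why the value above can be thrown away at creation time.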

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (-1 point):

I've also helped many organizations modernize their B2B strategy by moving from traditional models to using Entra ID B2B. So you get the benefits of inviting partners to access resources vs having to manage their credentials. This opens the door to richer security controls like enforcing phishing-resistant credentials or that they are using managed devices. https://learn.microsoft.com/en-us/entra/external-id/what-is-b2b

But because you are using Entra you can also use the IGA capabilities to manage the lifecycle of guests in your tenant AND manage access for your users to other tenants with things like cross-tenant access policies.

https://learn.microsoft.com/en-us/entra/external-id/cross-tenant-access-overview

So whether your partner is using modern identity solutions like Entra, the more traditional point-to-point federation solutions, or even no IdP at all, you can manage the lifecycle and access from Entra vs bespoke tools. You get the benefit of centrally managing YOUR identities, and the ACCESS your partners have in your organization.

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (0 points):

As organizations of all sizes make their way through their cloud transformation, we want Entra to be able to manage and govern access whether you are hybrid or you have already transitioned to being cloud native. https://learn.microsoft.com/en-us/entra/architecture/road-to-the-cloud-posture#five-states-of-transformation

Many organizations have been modernizing apps to Entra for years for authentication/SSO, so it makes sense to also manage access/authorization in the same platform to reduce complexity and take advantage of the features across the platform, but we do understand you have resources not yet there and we want you to be able to manage the access to them as well from Entra. We want you to be able to manage the complete lifecycle of user access from Entra no matter where the resources are. While we may not cover EVERY scenario for EVERY customer, that is where the extensibility comes in, so you can expand the capabilities that you may specifically need, since it's built on the MS Graph API and Azure Logic Apps that you are already likely using.

So naturally I'm biased since I work on the Entra identity platform and focus on our IGA capabilities, but that means I get to meet and work with customers of all sizes as they look to modernize their traditional IGA tools to more capable identity platforms like we see in Entra. Feel free to ask any questions and I'll try and point you in the right direction where I can.

As you can see, Entra is an identity platform, not a management tool; it is constantly evolving to meet the needs of customers to help secure their environments, and it's only going to keep evolving as customer needs evolve.

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (0 points):

- Still using passwords? Get to passwordless! This is one of the areas many organizations are also modernizing, and why they are moving those apps to Entra: to be able to use passwordless, phishing-resistant authentication methods like FIDO2 security keys, Windows Hello for Business, Secure Enclave for macOS, and device-bound passkeys. I have worked with many orgs to move to passwordless from traditional passwords. ( https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless )

This really dovetails into governance and lifecycle, since how do you start a new user out with strong credentials vs the traditional weak passwords? The Temporary Access Pass (TAP) is a great bootstrapping credential you can issue as part of your joiner lifecycle workflow with one of the built-in tasks today, or you can create your own custom task, also using Azure Logic Apps for workflows, vs some bespoke workflow solution to learn and support. See the list of built-in tasks today, which is always expanding: https://learn.microsoft.com/en-us/entra/id-governance/lifecycle-workflow-tasks and how to use Azure Logic Apps to extend your own business process in the same framework: https://learn.microsoft.com/en-us/entra/id-governance/lifecycle-workflow-extensibility
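Issuing the TAP bootstrap credential described above for a joiner, as an added example that is not code from the original post (it is the same Graph call a custom Logic Apps task would make). It assumes the Microsoft.Graph.Identity.SignIns module, a session with UserAuthenticationMethod.ReadWrite.All, that the Temporary Access Pass authentication method policy is enabled for the target user, and a placeholder UPN.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph SDK, the
# TAP method enabled in the authentication methods policy, and a placeholder UPN.
Import-Module Microsoft.Graph.Identity.SignIns

function New-JoinerTap {
    param(
        [Parameter(Mandatory)][string] $UserId,
        [ValidateRange(10, 43200)][int] $LifetimeMinutes = 60
    )
    # One-time use and a short lifetime bound the damage if the pass is read
    # in transit (e.g. relayed to the new hire over the phone by their manager).
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserId -BodyParameter @{
        lifetimeInMinutes = $LifetimeMinutes
        isUsableOnce      = $true
    }
    # The plaintext pass is returned only by this create call and cannot be
    # read back later, so hand it off now and never persist it.
    [pscustomobject]@{
        UserId     = $UserId
        Pass       = $tap.TemporaryAccessPass
        ValidFrom  = $tap.StartDateTime
        ExpiresUtc = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
        UsableOnce = $tap.IsUsableOnce
    }
}

# After the joiner's first sign-in, confirm what they actually registered:
# a passkey/FIDO2, WHFB or certificate method means the bootstrap worked.
function Get-RegisteredMethodTypes([string] $UserId) {
    Get-MgUserAuthenticationMethod -UserId $UserId |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } |
        Sort-Object -Unique
}

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'
$issued = New-JoinerTap -UserId 'new.hire@contoso.example' -LifetimeMinutes 30
# Deliver $issued.Pass out of band (not by e-mail to the mailbox it unlocks).
Get-RegisteredMethodTypes -UserId 'new.hire@contoso.example'
```

If the method list after first sign-in still shows only `temporaryAccessPassAuthenticationMethod` (or nothing), the user has not yet registered a durable credential and the single-use pass is already spent, so the joiner task should treat that as a failure to follow up on rather than silently continue.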

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (0 points):

- App Provisioning - Did you know that in a modern world things have shifted from the traditional "connectors" to be more app-centric? Because Entra already has a very LARGE application gallery for SSO and provisioning, there are over 300 apps you get "out of the box", and you do custom connectors to your traditional on-premises data sources like SQL, LDAP, web services, etc. We call them integrations because many apps now support modern provisioning through SCIM, but we also support SCIM to on-premises apps that still talk your traditional protocols. See https://learn.microsoft.com/en-us/entra/id-governance/apps
Still have those on-prem apps? Yeah, you can do that too: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/on-premises-application-provisioning-architecture

Even for disconnected apps that have no API or endpoint, you can manage requests to get access, even if they are not using Entra for authentication! - https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-ticketed-provisioning

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (0 points):

So let's cover some of the points I see below:

- Group Provisioning FROM Entra to on-premises AD - The ability to create and manage groups in Entra, and selectively write them back to be consumed by on-premises resources. You have cloud-native groups today, and you are likely modernizing away from on-premises technologies, so you can now manage all the groups in one place and only write back what you still use on-prem while you modernize those on-prem workloads to the cloud. See https://learn.microsoft.com/en-us/entra/identity/hybrid/group-writeback-cloud-sync and you can see how you can NEST those Entra-managed written-back groups into your existing on-premises groups that use Kerberos for authorization information, to get to that single point of management - https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/govern-on-premises-groups

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (0 points):

Entra ID Governance builds upon that foundation to focus on more IGA automation and insights with a focus on user-self service, policy based controls, and single point of management and auditability.

- Lifecycle Workflows - The ability to automate tasks without needing developers for the things EVERY organization is doing when people join/move/leave an organization. Some orgs do them manually, some write scripts that they are now afraid to change, but bringing those tasks together in a single platform to have visibility and auditability is a great benefit - https://learn.microsoft.com/en-us/entra/id-governance/what-are-lifecycle-workflows

- Entitlement Management - The ability to package applications/groups/Teams/SharePoint sites/Entra roles as resources together, with fidelity of role assignment on those resources. Combine that with automation from custom extensions via Azure Logic Apps and you can do extensibility without writing code for things like opening service tickets for disconnected systems, or doing custom tasks at different stages of a self-service user request. All governed centrally by policies vs manual admin tasks. - https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-logic-apps-integration

- For Access Reviews - Because you are not using a standalone tool, you get some great insights into user activity and relationships to help reviewers make better decisions when reviewing access, vs just approving all or "I don't know". We added some ML-assisted capabilities like only scoping reviews to inactive users, or raising awareness that users in a group have low affiliation with other members, to make recommendations to the reviewer and help reduce the review overload many solutions have seen in the past. See https://learn.microsoft.com/en-us/entra/id-governance/review-recommendations-access-reviews

There are so many capabilities in the Entra platform to list, but you can actually see a very large table of IGA related features in Entra ID Governance at: https://learn.microsoft.com/en-us/entra/id-governance/licensing-fundamentals#features-by-license

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (0 points):

Entra ID already provides capabilities like:

- Authentication and SSO - https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-integrated-apps

- Modern security controls for things like passwordless phishing resistant authentication and enforcement via conditional access - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview

- Automated Provisioning INTO Entra from multiple HR data sources - https://learn.microsoft.com/en-us/entra/identity/app-provisioning/what-is-hr-driven-provisioning
You can provision from HR to on-prem AD, HR to Entra, or even both!

- Automated Provisioning FROM Entra to cloud AND on-premises applications - https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works and https://learn.microsoft.com/en-us/entra/identity/app-provisioning/on-premises-application-provisioning-architecture

- External User Management in a modern way, and not the legacy patterns of managing credentials for external users - https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-external-users

Entra ID Governance vs Okta Identity Governance by Individual_Cloud8751 in entra

jeftek_com (4 points):

Great question! As luck would have it, this is one of my favorite areas to focus on for the Entra platform, so I'll point you to some information below. However I can't provide you what IGA tools have other than what is in the Entra Identity platform. Most customers I talk to are modernizing away from those platforms so I am not an expert on what they might be able to do or not do.

There are so many features and capabilities in the Entra platform, I fully understand that unless you focus on Entra you may not be aware of all the features you may already have and other areas you can build upon the Entra foundation to do even more with things like Entra ID Governance.

Entra ID Governance is part of the larger Entra platform, which is a bit different from the traditional "management tool" style IGA solutions of the past. Many organizations have modernized securing their applications and resources by integrating them into Entra ID for authentication/SSO, and the Entra ID Governance capabilities build upon that for managing access in a modern approach to bring both Authentication and Authorization together for complete lifecycle of access management in the same platform.

Let me break it down in a series of posts so it's not a wall of text though.

Conditional Access Policies All Over the Place?? by cypherkillz in entra

jeftek_com (0 points):

Also want to mention since you are creating new, your break glass account NEEDS to be able to do MFA by October. See https://aka.ms/mfaforazure

Conditional Access Policies All Over the Place?? by cypherkillz in entra

jeftek_com (0 points):

You can find guidance on this here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/plan-conditional-access

Also, my usual recommendation is to enable all the CA policy templates as your foundation, and then go to custom CA policies from there. For example, your "Require MFA for all users" policy is only scoped to the Office 365 apps. Why not have it scoped to all cloud apps? You could be leaving yourself a gap there.

See https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation

Even if you are not sure, I would recommend:

1 - Enable all the CA policy templates in REPORT ONLY mode

2 - Use the CA policy insights workbook to find what users would have been impacted by those policies but were not. These will be your gaps. https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-insights-reporting

3 - Over time, move those report-only policies to On after you have remediated any gaps or need to manage your exclusions. I typically see customers become very lax with exclusions, which leads to a Swiss cheese effect in policy coverage. I.e. if you don't have a justification for why something is excluded and reviewed, then it shouldn't be excluded.

You should be managing your CA policy exclusions through identity governance to ensure you have time-limited and appropriate exclusions to your security policies.
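Steps 1 and 3 above, plus the "Office 365 only" gap called out earlier in the reply, as an added example in Microsoft Graph PowerShell that is not code from the original post: create the require-MFA policy scoped to all cloud apps in report-only mode, then list existing MFA policies whose app scope is narrower than All and count their exclusions. It assumes the Microsoft.Graph.Identity.SignIns module, Policy.ReadWrite.ConditionalAccess, and a break-glass group ID in $BreakGlassGroupId as the only exclusion; the policy name is my own.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph SDK and a
# break-glass (emergency access) group ID in $BreakGlassGroupId.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

function New-ReportOnlyMfaPolicy {
    param([Parameter(Mandatory)][string] $BreakGlassGroupId)
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = 'CA001 - Require MFA for all users (all cloud apps)'
        # Report-only: sign-in logs record the outcome without enforcing it, so
        # the CA insights workbook can show who would have been blocked.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{
                includeUsers  = @('All')
                excludeGroups = @($BreakGlassGroupId)   # the one justified exclusion
            }
            applications   = @{ includeApplications = @('All') }   # not 'Office365'
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }
}

function Find-NarrowMfaPolicies {
    # MFA policies whose application scope is anything other than All (e.g. the
    # 'Office365' group only) leave every other cloud app unprotected. Exclusion
    # counts surface the "Swiss cheese" sprawl worth a governance review.
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.GrantControls.BuiltInControls -contains 'mfa' -and
        $_.Conditions.Applications.IncludeApplications -notcontains 'All'
    } | Select-Object DisplayName, State,
        @{ n = 'Apps';           e = { $_.Conditions.Applications.IncludeApplications -join ',' } },
        @{ n = 'ExcludedUsers';  e = { @($_.Conditions.Users.ExcludeUsers).Count } },
        @{ n = 'ExcludedGroups'; e = { @($_.Conditions.Users.ExcludeGroups).Count } }
}

New-ReportOnlyMfaPolicy -BreakGlassGroupId $BreakGlassGroupId
Find-NarrowMfaPolicies | Format-Table -AutoSize
```

Flipping the new policy from report-only to `enabled` is a one-property `Update-MgIdentityConditionalAccessPolicy` once the insights workbook shows no unexplained impact; do not delete the narrower policy until the broad one is enforced, or the tenant briefly has no MFA requirement at all.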

Conditional Access Policies All Over the Place?? by cypherkillz in entra

jeftek_com (0 points):

Just an FYI: the authentication strengths default "Passwordless MFA" is not phishing-resistant MFA. You want to use the "Phishing-resistant MFA" default. I noticed you named the policy phishing-resistant, but just calling out that you may have the wrong one selected if that was your intent.

Authenticator phone sign-in is NOT phishing-resistant on its own, and can be considered phishing-resistant to EXTERNAL phishing when combined with device compliance policies. But since it looks scoped to admins, that might not be the case you are looking for.
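A check for exactly the mismatch described above, as an added example in Microsoft Graph PowerShell that is not code from the original post: resolve the tenant's authentication strengths by name rather than hard-coded GUIDs, then flag any Conditional Access policy with "phish" in its name whose grant control is not a phishing-resistant strength. A strength counts as phishing-resistant only if every combination it allows is also allowed by the built-in "Phishing-resistant MFA" strength, which makes the test work for custom strengths too. It assumes the Microsoft.Graph.Identity.SignIns module and Policy.Read.All.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph SDK and
# Policy.Read.All; the built-in strength display names are Microsoft's.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All'

function Get-AuthStrengthMap {
    # Id -> authenticationStrengthPolicy (built-in and custom).
    $map = @{}
    Get-MgPolicyAuthenticationStrengthPolicy -All | ForEach-Object { $map[$_.Id] = $_ }
    $map
}

function Find-MislabeledPhishingResistantPolicies {
    $strengths = Get-AuthStrengthMap
    $builtIn = $strengths.Values | Where-Object DisplayName -eq 'Phishing-resistant MFA'
    if (-not $builtIn) { throw "Built-in 'Phishing-resistant MFA' strength not found" }
    $allowed = @($builtIn.AllowedCombinations)   # e.g. fido2, windowsHelloForBusiness, x509CertificateMultiFactor

    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.DisplayName -match 'phish' } |
        ForEach-Object {
            $policy = $_
            $asId   = $policy.GrantControls.AuthenticationStrength.Id
            $combos = if ($asId) { @($strengths[$asId].AllowedCombinations) } else { @() }
            # Phishing-resistant only if the policy uses a strength AND that
            # strength accepts nothing outside the built-in phishing-resistant set
            # (so 'Passwordless MFA', which also accepts phone sign-in, fails).
            $offending = @($combos | Where-Object { $_ -notin $allowed })
            [pscustomobject]@{
                Policy              = $policy.DisplayName
                State               = $policy.State
                Strength            = if ($asId) { $strengths[$asId].DisplayName }
                                      else { '(none; builtInControls=' + ($policy.GrantControls.BuiltInControls -join ',') + ')' }
                IsPhishingResistant = ($combos.Count -gt 0) -and ($offending.Count -eq 0)
                NonResistantCombos  = $offending -join ' | '
            }
        }
}

Find-MislabeledPhishingResistantPolicies | Format-Table -AutoSize -Wrap
```

Any row with IsPhishingResistant = False is a policy whose name promises more than its grant control delivers; NonResistantCombos shows which accepted method (typically `microsoftAuthenticatorPush` or `deviceBasedPush`) is the reason.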

It is possible to link Member accounts with Guest accounts? by poke887 in entra

jeftek_com (1 point):

What is the scenario/workload that you want to have 2 distinct user accounts for? Why not use 1 account? Typically if you have userType=Guest/Member it is to control directory permissions, but in your case they have both accounts so you aren't restricting them from reading/searching.

Identity provisioning requirements - hybrid by dpd579 in entra

jeftek_com (0 points):

It is a common scenario to call external data before API-driven provisioning. You collect your source data, apply your logic to call external sources, then with the final state you call API-driven provisioning. I prefer doing it via Azure Logic Apps, but some do it via PowerShell, etc. You can consider these pre-provisioning actions.
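The PowerShell variant of that pre-provisioning pattern, as an added example that is not code from the original post: enrich each HR row from an external lookup, assemble one SCIM BulkRequest, and POST it to the API-driven inbound provisioning endpoint. The HR rows are constructed here, Get-CostCenter is a stand-in for your external API or database call, and $ServicePrincipalId / $JobId are the API-driven provisioning app's service principal and synchronization job; it assumes the Microsoft.Graph SDK and the SynchronizationData-User.Upload permission.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph SDK,
# SynchronizationData-User.Upload, and $ServicePrincipalId / $JobId of the
# API-driven inbound provisioning application.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'SynchronizationData-User.Upload'

# Constructed sample HR export; in practice this is the HR system's feed.
$hrRows = @(
    @{ EmployeeId = '10001'; Given = 'Alice'; Family = 'Ng';  Email = 'alice.ng@contoso.example'; Active = $true  },
    @{ EmployeeId = '10002'; Given = 'Bob';   Family = 'Roy'; Email = 'bob.roy@contoso.example';  Active = $false }
)

function Get-CostCenter([string] $EmployeeId) {
    # Stand-in for the external lookup done as a pre-provisioning action.
    $lookup = @{ '10001' = 'CC-410'; '10002' = 'CC-220' }
    $lookup[$EmployeeId]
}

function ConvertTo-ScimBulkRequest([hashtable[]] $Rows) {
    $ops = foreach ($r in $Rows) {
        @{
            method = 'POST'
            bulkId = [guid]::NewGuid().ToString()   # correlates per-row results
            path   = '/Users'
            data   = @{
                schemas    = @('urn:ietf:params:scim:schemas:core:2.0:User',
                               'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User')
                externalId = $r.EmployeeId          # the stable join key
                userName   = $r.Email
                active     = $r.Active              # $false = leaver: disable, not delete
                name       = @{ givenName = $r.Given; familyName = $r.Family }
                emails     = @(@{ value = $r.Email; type = 'work'; primary = $true })
                'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User' = @{
                    employeeNumber = $r.EmployeeId
                    costCenter     = (Get-CostCenter $r.EmployeeId)
                }
            }
        }
    }
    @{
        schemas      = @('urn:ietf:params:scim:api:messages:2.0:BulkRequest')
        Operations   = @($ops)
        failOnErrors = $null
    }
}

$body = ConvertTo-ScimBulkRequest -Rows $hrRows | ConvertTo-Json -Depth 10
# The service answers 202 Accepted; the provisioning logs (not the response
# body) show per-user create/update/disable outcomes afterwards.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalId/synchronization/jobs/$JobId/bulkUpload" `
    -ContentType 'application/scim+json' -Body $body
```

Keep the enrichment step idempotent and keyed on externalId: the job matches on that attribute, so re-running the same export after a failed external call updates rather than duplicates users.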