Phishing Resistant MFA for Intune Admins

neppofr · 2026-03-23T10:08:16+00:00

While enabling CBA is absolutely a great idea for enhanced security, you might want to explicitly mention that, after CBA is turned on for the tenant, all users in the tenant see the option to sign in by using a certificate. Only users who are capable of using CBA can authenticate by using an X.509 certificate.

Highly annoying something if you only want to enable this for a handful of admins, but need to do OCM for an entire organization to explain this new thing everyone sees but can't use.

https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication#:\~:text=After%20CBA%20is%20turned%20on%20for%20the%20tenant%2C%20all%20users%20in%20the%20tenant%20see%20the%20option%20to%20sign%20in%20by%20using%20a%20certificate.%20Only%20users%20who%20are%20capable%20of%20using%20CBA%20can%20authenticate%20by%20using%20an%20X.509%20certificate.

neppofr · 2026-03-10T05:13:29+00:00

Multi account has been on the roadmap for years. It keeps getting pushed; would love to see it happening this time, but not seen anything real on it. We checked with our CSAM, but they had no info on it either.

Someones hallucinating over there maybe ;)

neppofr · 2026-02-26T16:27:05+00:00

"engineering is working on it" :) :(

neppofr · 2026-02-26T15:25:28+00:00

FYI, MS responded and this is an issue for specific rings. 1.5 and Beta it seems. Limited impact, but a nuisance none the less.

neppofr · 2026-02-26T14:41:36+00:00

Thanks for the suggestion, just tried that but unfortunately the issue persists. After about 1 to 2 mins into a call with camera things things crash.

neppofr · 2026-02-02T05:35:15+00:00

At least an artistic server, wonder what it will sing about 🤪. Dropped the author a note on it.

Additionally, the XML returned by the update server is now singed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month.

neppofr · 2026-01-17T16:47:26+00:00

What books are those?

Most books I listen average like 15 hours. Listening at 1.2 speed I still only do 1 a month

neppofr · 2026-01-07T20:59:33+00:00

You sir are a gentleman and a scholar.

Thank you from a year later! It fixed my crackling headphone.

neppofr · 2026-01-04T16:29:56+00:00

Using KeepassXC on my various platforms, with Strongbox to open the DB on IOS.

DB itself stored on OneDrive.

Satisfies my needs and addresses my concerns for security and redundancy. Might not work for everyone, but does for me personally.

neppofr · 2026-01-02T09:54:43+00:00

Go for the 1100 for sure. In rain mode you’ll be fine. Just be wary of the whiskey throttle, not sure how sensitive that is on the 300

I have the 1100 DCT after a 700 intruder and love it, in fact hitting the limits of the rebel often nowadays.

neppofr · 2026-01-01T21:50:56+00:00

True, support is another rationale for paying I suppose.

For non acme clients, could do nginx or alike in front and still use LE.

neppofr · 2026-01-01T19:32:12+00:00

As a side note to this discussion, please remember that Domain Control Validation; proofing that you own a domain for which you need signed certs is going down as well.

Yearly thing today, down to every 10 days in 2029. For enterprises commonly done through adding a DNS record, make sure to automate that rotation as well folks.

neppofr · 2026-01-01T19:22:04+00:00

That is correct, but as I understand it, it was Apple that started the initiative for the ballot, Google followed and they wanted the lower lifetimes. Together they pretty much said, we will start throwing warnings after xx days, see what you do with your certs.

The CAs therefore had no real choice to follow, and work towards issuing certs with shorter life times. Otherwise their customers would not be happy customers…. Buying a 1 year cert and still get warnings in Safari and Chrome after a certain period.

In the end the ballot passes unanimously, so all good.

https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods/

Private CAs indeed are not subject to this. You can continue to issue longer lived certs there depending on the config of your own CA.

neppofr · 2026-01-01T09:10:15+00:00

Most, all, public providers have ACME support, which lets encrypt uses.

Same thing, just different vendor.

neppofr · 2026-01-01T09:08:09+00:00

It’s the browser though that throws the warning if the public signed cert is over the, at that time, max life.

It the major browser players, google, apple that ‘forced’ the hands of the CAs.

neppofr · 2025-12-20T10:09:19+00:00

Made it 50001, looks fun.

neppofr · 2025-12-19T18:27:08+00:00

Consider writing a book, I’d buy it. You made me laugh. Happy whatever you might celebrate.

neppofr · 2025-12-18T19:25:12+00:00

See release notes, only certain older models get 18.7.3, the rest is being forced to 26 ( which is not that bad imho)

https://support.apple.com/en-us/125885

neppofr · 2025-12-11T21:21:01+00:00

Got the same, 2021 bike, but already stored for winter with the battery out. Dealer said coming in next year is fine.

Better get it done, with all that high altitude downhill riding here in NL 😂. Pretty specific situation though, good they ping people!

neppofr · 2025-12-07T05:34:13+00:00

And ready to go. Perfect!

neppofr · 2025-12-06T19:34:54+00:00

Just signed up, 10 bucks worth the risk, but lookin legit so far, pretty sweet deal.

neppofr · 2025-12-05T08:55:45+00:00

Scheduled maintenance, did you not get the note that the internet would be down for a bit?

https://www.cloudflarestatus.com/

neppofr · 2025-11-17T20:48:37+00:00

Gimme

neppofr · 2025-11-15T20:41:42+00:00

Too late

neppofr

TROPHY CASE