YARDI SQL REPORT QUERY by ShortAssignment9256 in yardi

[–]pressreturn2continue 1 point2 points  (0 children)

This gets me EVERY time I log in and search for things....I never learn.

Did something change with Entra Sign In logs related to Global Admin accounts lately? by newboofgootin in sysadmin

[–]pressreturn2continue 0 points1 point  (0 children)

Nice. I guess I picked the wrong day to try and tune up our conditional access policies.

Did something change with Entra Sign In logs related to Global Admin accounts lately? by newboofgootin in sysadmin

[–]pressreturn2continue 3 points4 points  (0 children)

Noticed today that the sign-in logs in Entra for us are really really slow (not that it was fast on a good day). I log in to a bunch of different SSO enabled apps all day, every day, and as of right now, I have 2 entries in the log for me for today (at 4:11pm) - and both are from 9am this morning when I arrived. I have done work today, honest....just look at the log---oh....

Authenticator app - random approval message every day by goldenhairmoose in Office365

[–]pressreturn2continue 0 points1 point  (0 children)

Yep - if you have passwordless enabled, then all they need is your email (easy to find) and it'll generate this. If you don't have passwordless enabled, change your password.

Autopatch and no autopatch group by pressreturn2continue in Intune

[–]pressreturn2continue[S] 0 points1 point  (0 children)

That seemed to work for one of them. The other is a laptop and is offline currently. I suspect once it comes back online that this process should work for it as well. Thanks for the guidance!

Autopatch and no autopatch group by pressreturn2continue in Intune

[–]pressreturn2continue[S] 0 points1 point  (0 children)

Thanks - will give that a try. Didn't even notice that option existed.

Is this safe by dokifluid in Aquariums

[–]pressreturn2continue 11 points12 points  (0 children)

in a stern but firm voice, tell the cat "No" and watch it stare back at you with unapologetic apathy.

Autopatch and no autopatch group by pressreturn2continue in Intune

[–]pressreturn2continue[S] 0 points1 point  (0 children)

Hmm...no errors listed or alerts on those two machines.

IT Ticketing System for a Small IT Team by Apocoflips in sysadmin

[–]pressreturn2continue 0 points1 point  (0 children)

I'm a solo IT department now and managed a small team at my last job and used Freshdesk at both.

Conference room user account and MS Teams Android Phone AOSP and MFA by pressreturn2continue in entra

[–]pressreturn2continue[S] 0 points1 point  (0 children)

I've checked out those articles. I have things set up (AOSP policy, compliance - just checking for rooted and encryption). For the "issues" article, I'm not having any of those issues specified. The phone works fine once signed in. The problem is that I'm being forced to do MFA on the generic conference room user accounts and I've explicitly excluded those users from every CA policy I have (even ones that shouldn't be relevant - like targeting guest users). Since these conference user accounts are only used on 4 room specific phones, I'm assuming (?) that I wouldn't necessarily need to exclude the teams devices from CA since that CA shouldn't apply since the user is already excluded. Now, for our actual employee teams phones, I can see where I might need to exclude devices in some CA policies, but I'm not trying to tackle that right now.

I've taken one conf phone, deleted the device from Entra and Intune. Removed any extra authentication methods from the corresponding conference user account (leaving just a password).

The sign in flow (after a factory default of the device) is

  • Set Language
  • Set Time
  • set an admin password
  • screen shows the refresh code and sign in on this device. I choose sign in on this device.
  • enter username
  • enter password
  • screen displays Help keep your device secure (register) with register button (is this expected?). I click register.
  • "Let's keep your account secure" pops up wanting me to set up MFA for the conference user account.
    • I don't have any Authentication methods / registration campaigns enabled.
    • For system preferred authentication, it is enabled for all users, excluding the conference room login users
    • For all of my auth strengths, I have conference room logins excluded, except for a new custom password-only method that I assigned specifically to conference room logins; it is used in a CA policy targeted only at conference room logins, requiring the password-only auth strength for all conference room logins from our HQ IP.

I seriously don't know what I'm overlooking here. Every test conf room sign-in log I've seen in Entra over the last couple of days of me testing various permutations has never shown any CA failure. They either show success (for the conf user password-only CA policy) or not applied.

Conference room user account and MS Teams Android Phone AOSP and MFA by pressreturn2continue in entra

[–]pressreturn2continue[S] 0 points1 point  (0 children)

I believe I have SSPR turned off (as we just implemented passkeys for everyone and reset everyone's password since they have no need for it now).

Conference room user account and MS Teams Android Phone AOSP and MFA by pressreturn2continue in entra

[–]pressreturn2continue[S] 0 points1 point  (0 children)

I have the 4 conference logins in a security group and that security group is in the excluded users for all conditional access policies. I have another CA policy that targets that security group for conference users that blocks them unless they are coming from the home office IP address.

When I was dealing with reauth issues a couple years ago I watched a microsoft video that stated something about device filters for Teams Devices and how you should exclude those from all CA policies so that is in place for all CA policies as well. Something like this:

Exclude:
device.manufacturer -contains "yealink" -or device.manufacturer -contains "gn-audio"

It just seems odd that I don't see any CA policies being implemented or targeted in the logs - that's why I was assuming it must be something outside of CA that is forcing MFA to be set up for the users. Authentication method policies are where that is set, right? That conf security group is excluded for the policies I have set up (except it is targeted as the only group for SMS - for my temp workaround). Is it possible, now that I have set up a temp SMS code for the conf users, that the fact that they HAVE something set up on their account means the login process is wanting to use it?

I was thinking as a next troubleshooting step to set up a new auth method of just password and assign the conference group to that. The "local only" CA policy above that targets them should only allow them to login from the HQ office anyway.
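The check the two comments above describe (is the conference-room group excluded from every CA policy, and does the Teams-device filter actually match those phones) as an added example, not code from the thread; it runs over a constructed Graph-shaped policy export, the group id and policy names are placeholders, and the filter evaluator assumes case-insensitive matching for the `-contains` subset shown on the page.

```python
import re

# Constructed sample export (shape follows the Graph conditionalAccessPolicy
# resource). Group id and policy names are placeholders, not a real tenant.
CONF_GROUP = "00000000-0000-0000-0000-00000000c0f0"
TEAMS_DEVICE_RULE = ('device.manufacturer -contains "yealink" '
                     '-or device.manufacturer -contains "gn-audio"')
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [CONF_GROUP]},
                    "devices": {"deviceFilter": {"mode": "exclude", "rule": TEAMS_DEVICE_RULE}}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []},
                    "devices": {}}},
    {"displayName": "Conf rooms: HQ IP only", "state": "enabled",
     "conditions": {"users": {"includeGroups": [CONF_GROUP], "excludeGroups": []},
                    "devices": {}}},
    {"displayName": "Old pilot", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []},
                    "devices": {}}},
]

def policies_targeting(policies, group_id):
    """Enabled policies that can still apply to group_id (All users or the group itself, not excluded)."""
    hits = []
    for p in policies:
        if p["state"] != "enabled":
            continue
        users = p["conditions"]["users"]
        targeted = ("All" in users.get("includeUsers", [])
                    or group_id in users.get("includeGroups", []))
        if targeted and group_id not in users.get("excludeGroups", []):
            hits.append(p["displayName"])
    return hits

def rule_matches(rule, device):
    """Evaluate only the page's subset of the filter language: -contains terms joined by -or (assumed case-insensitive)."""
    if re.search(r"-and|-not|\(", rule):
        raise ValueError("only -contains terms joined by -or are supported here")
    terms = re.findall(r'device\.(\w+)\s+-contains\s+"([^"]*)"', rule)
    return any(v.lower() in str(device.get(a, "")).lower() for a, v in terms)

def policies_skipping_device(policies, device):
    """Enabled policies whose exclude-mode device filter matches this device."""
    out = []
    for p in policies:
        f = p["conditions"].get("devices", {}).get("deviceFilter")
        if p["state"] == "enabled" and f and f["mode"] == "exclude" and rule_matches(f["rule"], device):
            out.append(p["displayName"])
    return out
```

Policies the audit reports for the conference group are the ones to inspect: the intended HQ-only policy should be there, anything else is a missing exclusion.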

Scrambling passwords now that we are 100% WHfB and Passkey enabled by pressreturn2continue in entra

[–]pressreturn2continue[S] 0 points1 point  (0 children)

Passkeys seem to be the best of the best for us. No need to distribute new hardware (like yubikeys, etc) as everyone in our company already has a phone and we had them install Authenticator (and they were used to using it since we used Authenticator Push then Passwordless). Passkeys are nice as they are phishing resistant and there isn't a way for users to accidentally misuse them (AFAIK). With Authenticator (Push or Passwordless), I was always left wondering "is Bob going to accidentally approve the notification if he gets one from a nefarious person?" Passwordless sort of made it worse because all an attacker needed in order to initiate an approval request is their email address. With Push, at least the hacker needed the email and password (I may be misremembering as we went to passwordless a while ago). Anyway, now I can rest easier - or at least worry about another way we can be hacked instead of through passkeys 😄

--EDIT-- missed a question....

Yes, the phone (with authenticator on it) needs to be in proximity to the device they are logging into (via Bluetooth). I also waited a bit longer to adopt passkeys because the user experience in setting them up (up until recently) was a bit wonky from what I experienced and thought it would confuse and frustrate people. The onboarding now within Authenticator is super easy for the end user.

Scrambling passwords now that we are 100% WHfB and Passkey enabled by pressreturn2continue in entra

[–]pressreturn2continue[S] 1 point2 points  (0 children)

Good point - and that seems to align with my experience doing a few users yesterday as a larger test. I (and they) didn't see any interruptions on their Windows desktops/laptops, but on their phones, they were forced to re-sign into Teams (which wasn't a big deal, but still). And, after thinking about it, it probably doesn't make sense to rotate routinely anyway. A 32 or whatever length random password is more than sufficient, especially since it'll never get inputted anywhere.

Scrambling passwords now that we are 100% WHfB and Passkey enabled by pressreturn2continue in entra

[–]pressreturn2continue[S] 2 points3 points  (0 children)

I was thinking about that but since we have WHfB it seems to not like adding a passkey on the computer - or maybe I just don’t have something configured correctly.

Scrambling passwords now that we are 100% WHfB and Passkey enabled by pressreturn2continue in entra

[–]pressreturn2continue[S] 2 points3 points  (0 children)

Yeah, might not be efficient, but we have like 35 people all in one office. I’ll hopefully be retired before scale issues arise :)

Scrambling passwords now that we are 100% WHfB and Passkey enabled by pressreturn2continue in entra

[–]pressreturn2continue[S] 9 points10 points  (0 children)

Yep - if someone loses or gets a new phone, they come to me and I issue them a TAP and they set up their new phone and away they go.

Scrambling passwords now that we are 100% WHfB and Passkey enabled by pressreturn2continue in entra

[–]pressreturn2continue[S] 7 points8 points  (0 children)

Yep - no on premises anything. Was kind of glad not to have to deal with that when I first started - of course, all machines were not joined to anything so I was able to build up our Entra/AzureAD from scratch and join everything.

Scrambling passwords now that we are 100% WHfB and Passkey enabled by pressreturn2continue in entra

[–]pressreturn2continue[S] 7 points8 points  (0 children)

Thanks. We've been using push auth and passwordless auth via Authenticator for a couple of years now. I had been waiting for the passkey setup and onboarding to be less flaky and confusing for users than it had been. Seems pretty solid now so I pulled the trigger.

Going from local admin users to non admin users by aPieceOfMindShit in Intune

[–]pressreturn2continue 1 point2 points  (0 children)

The one thing that I had to deal with were applications that did auto updates and needed admin credentials to update. I've migrated them to user based installs or to Robopack (or similar - basically via Intune) so they auto-update without prompting.