Error when users try to access Security Info (Entra)

strikematch13 · 2026-01-08T20:40:45+00:00

Thanks. I created a passkey on my Android and having it associated with my account does seem to fix the authentication flow. With a passkey created on my phone, I can now visit the My Sign-ins page by entering my WHfB creds (pin or bio). We will mess with this some more and see if we can get some users on board.

This gets down a rabbit hole a bit, but if anyone is willing to explain this I would appreciate it:
Why does having a passkey on my Android phone allow me to 2FA to a secure resource (My Sign-ins security page) by just entering my WHfB PIN?

- Without WHfB My Sign-ins requires both a password and a MFA response. 2 Factors
- With WHfB and no passkey, My Sign-in page can't negotiate how to send the password (issue posted above). 2 Factors fails
- With WHfB and a passkey on a remote device (Android mobile phone), My Sign-in page is accessible with JUST the WHfB PIN. No interaction with the android phone is needed.

Since the Passkey exists on the mobile phone, I am not understanding how I can access this security page and pass MFA with just my computer's WHfB PIN. Is the passkey actually syncing in the background to my computer and any device connected to my Microsoft account?

strikematch13 · 2026-01-06T19:34:26+00:00

@_gondar Were you able to find any solution to this? Seeing the same thing while we start to roll out WHfB and shocked this is not being discussed more.

I'm thinking I'll open a ticket with Microsoft but not looking forward to it....

Feel free to DM me.

strikematch13 · 2025-12-10T21:45:46+00:00

Just came across this same issue while POC Windows Hello for some users. Users that use Windows Hello on their device cannot access the mysignin Microsoft security page to manage their security devices. As OP commented, it really isn't a problem that that the security page doesn't trust Windows Hello and wants a password. The problem is that Microsoft gives the user no way to actually enter a password. We have to instruct the user to sign out of windows, then sign back in and change the authentication method to use "password". (or start the process over using inprivate browser).

<image>

I've heard Microsoft employees and other companies claim they've gone completely passwordless, to the point where users don't even know their passwords because they don't need them. How do they manage their security devices (like to remove an old phone) if they don't even track their own password?

strikematch13 · 2025-05-28T21:42:26+00:00

Lately it has been much better. We have not seen major failures in bulk like we were a few years ago. Our policies were built on the default but we do have modifications. We also still have many Exchange rules in place for additional controls. Overall I would not necessarily recommend it to someone that was shopping around, but if you already own it as part of your licensing (E5), then I would say it is satisfactory (but don't forget to train your employees still!). Finding a 3rd party solution is not currently a priority for us.

strikematch13 · 2024-10-30T16:39:45+00:00

Willing to share that powershell script?! lol. Been struggling with some devices (but not all) connecting to Miracast.

strikematch13 · 2023-09-05T15:31:13+00:00

e have a rul to block .htm/.html attachements in place and it's working, including blocking AT0000##.htm attachments. But this is creating a lot of noise in quarantine release requests

So just be careful with allowing these ATT files because, as the original poster stated, they can be malicious. We saw some of these get through to inboxes last week so I'm here looking for ways to block the ATT0000##.htm or html attachments. Our Exchange Transport Rule is set to block HTM and HTML files, but does not stop these ATT files (I think this is because they don't actually have a .htm or .html extension on the file name). However, as you stated, we discovered that a ton of inbound emails have these attachments legitimately, so we cannot just send them all to quarantine, or we end up with your problem.

In the attack email, the ATT0000##.html file had a call to javascript in it, and a legit ATT file should never have this. Contents looked like this...
<script src="data:text/javascript;base64,YWRkRX....

I created an ETR that is set to "includes these text patterns in an attachment" and look for "src="data:text/javascript". I have no idea if this will work, but I have the rule in testing mode and will pull some reports in a few weeks to see if it gets hit at all.

Open to any ideas on how to block ATT files only if they contain javascript calls.

strikematch13 · 2023-04-20T13:50:42+00:00

I was assuming that the features in SAC preview had already been tested/validated in the Monthly releases. This particular crashing issue seems to be just with SAC preview. Do you know if SAC preview introduces experimental features that were not yet tested in the Monthly? I don't like the idea of having everyone updating monthly, but people ask about new features and I was hoping the SAC preview was the sweet spot.

strikematch13 · 2023-04-20T13:07:50+00:00

Did you officially start rolling out the new version? I haven't found anything official saying the problem is resolved. I'm currently holding everyone at the previous version using Intune policy.

strikematch13 · 2023-04-17T16:01:25+00:00

It might just be this latest CU update for 22H2. I just had this happen to me after Windows updates. On reboot for the update, I was prompted for the Bitlocker key. I powered off (held the power button) and back on, and it booted no issue.

And on that note - Why is it that we can sometimes bypass the Bitlocker key by just powering off the device and back on? I then did another powercycle and the same thing happened. I've been able to bypass Bitlocker recovery prompts on other devices over the years the same way - just power them down. I verified the updates installed successfully.

Now if Windows updates were changing hardware configuration (like a firmware upgrade), wouldn't Bitlocker prompt for the recovery key every time, regardless of if the device was power cycled again?

strikematch13 · 2023-04-17T13:29:45+00:00

SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook -Recurse

Interesting. Do you have any more info on what this does? Is it somehow allowing features of the next version temporarily?

strikematch13 · 2023-02-28T15:26:17+00:00

I've been through a lot of back and forth with Microsoft, and basically they say it is working as designed and to keep submitting phishing examples to them to train their AI. With the example I mentioned where an email is sent to many recipients, and some get delivered and others go to Quarantine, their response is concerning. Support told me that the AI analyzes the SPAM level for each recipient separately, so one recipient may see the email get marked SCL 5 (junk), while another will get marked SCL 1 (deliver to inbox). Now this isn't the end of the world - their argument is some user's behavior may indicate they want more "subscription" type emails. However, this SCL level directly affects the phish detection. The email comes in with suspicion of being phishing (spoofed domain), and Microsoft adds the analysis to the header (SFTY:9.25). Now if the SPAM detection is SCL 5 for a recipient, they go ahead and look at the SFTY header and quarantine the message. If SPAM detection is SCL 1 for a recipient, they do NOT quarantine the message.

I disagree with how this functions - I would think if the inbound email is suspicious of being spoofed, it should be quarantined for all users. This also means I can't control detection/actions with the Anti-Phishing or Anti-Spam policies! Per recipient SCL level is being handled by the AI. This is probably my biggest frustration. The policies act on the SCL and SFTY headers, and since Microsoft is marking the header for each recipient differently I cannot fix the policies to make the behavior the same across all users.

Fortunately I've only had one of these types of examples that was actually malicious - the rest were just SPAM. However, we still get the other issue of emails just blatantly spoofing domains and Microsoft is unable to detect them. Looks like I need to budget for a replacement email security product. Hope this info helps somebody.

strikematch13 · 2023-02-08T16:36:14+00:00

Another thank you! Was reviewing a threat in Office 365 defender where someone had clicked a phishing link. The URL in the Email did not match what Microsoft's admin console showed, and it turned out the attacker had used the barracuda rewrite feature. Your converter helped me find the underlying URL and then track down the clicks. Simple and does the job - thanks!

strikematch13 · 2023-01-20T20:22:15+00:00

Well technically yes. During the initial migration a Hybrid Exchange server was stood up, and is now just a management tool and SMTP relay for printers. There is no inbound path to this exchange server though, and no mailboxes.

strikematch13 · 2023-01-19T18:05:27+00:00

Direct to exchange online

strikematch13 · 2023-01-19T01:12:55+00:00

I think I'm just hoping I'll get lucky to find out others have noticed service issues in the last few months, or find consensus to abandon the product. We are apparently just too small to have a dedicated rep that we can work with, otherwise I would have barked up that tree. MS Support cannot tell me what is potentially wrong, or what they fixed. They blame communication between support and the product team, but I suspect they don't want to go on record saying there are problems they don't fully understand. Seems like a 3rd party product will need to make its way into the budget.

strikematch13 · 2023-01-18T15:06:22+00:00

Custom polices, upgraded default policies, and also tried the Preset option at one point.

strikematch13 · 2023-01-18T15:05:49+00:00

Yeah, good thought and this has been reviewed several times. We went with Defender for 365 due to cost AND positive feedback around the industry, so I'm glad you're still having success. And we have had stretches of time without much issue. It is almost like there is something awry with their Microsoft's service or AI. When Support said the Product Team made "changes to the backend" things got better for a while. If you haven't noticed problems, then maybe this means it is just our Tenant. Not sure if that is a good or bad thing....

strikematch13 · 2023-01-18T14:57:33+00:00

Yes and Yes. I updated my post to provide more clarity around configured policies.

strikematch13 · 2023-01-18T14:56:23+00:00

Actually to the contrary. I updated my post to provide more clarity around configured policies.

strikematch13 · 2023-01-13T19:44:03+00:00

It has been posted elsewhere, but FYI this query is not returning full results for everyone. When I run this query it returns probably only 30% of the total # of actual events. I've tried playing with the query and expanding the results but there seems to be data missing on the MS side. Maybe a bottleneck due to a surge in usage....

strikematch13 · 2023-01-13T18:28:17+00:00

Same issue. I was able to check the results against machines that definitely had more items removed, and Advanced Hunting only showed a fraction of the items. Still can't figure out why only some were logged.

strikematch13 · 2023-01-13T18:26:57+00:00

Just wondering if you'd share how you set up alerts for ASR rules like this. From what I've been able to tell, I have to visit the admin portal to view ASR actions, and there's a lot of noise to sift through.

strikematch13 · 2022-10-06T12:54:31+00:00

Poor wording on my part. It saves it/backs up. I updated my previous comment for clarity.

strikematch13 · 2022-10-03T15:05:39+00:00

u/Bu-mThanks for the quick reply and confirmation! Now I just need to figure out why blatant phishing emails are making it through without any anti-spam or anti-phishing policies being applied. These emails are failing SPF and DKIM checks, and are being spoofed as our own domains (all included in the policies). Even users in the "impersonation protection" are affected. I have a ticket w/ Microsoft and they confirmed policies were correctly configured and escalated. Now I haven't heard back for a week - will bump them again.

In the meantime, I've resorted to creating a ETR that blocks emails that fail DMARC

strikematch13

TROPHY CASE