@AzureSupport Please share contact number for Microsoft Premier Support. Currently all services are down, including your Support portal. We need to connect our phone with Microsoft Support ASAP. @azuread@Azure
I’ve completed the @azuread SSPR migration, but SMS & phone are still available as SSPR methods even though they’re disabled in the authentication methods policy. They’re only enabled in the legacy password reset method. Is this expected behavior? @merill@JefTek@janbakker_
@azuread@merill Is it possible to export TOTP codes from Microsoft Authenticator, which can be used to perform MFA even when you don’t have access to your phone? I believe some providers allow this, but I haven’t found any documentation for MS Authenticator app. @AzureSupport
@merill@JefTek@azuread@MS_EntraID There should be an option to exclude critical services like MySignins because short-term contractors may only need access to a few apps, and blocking everything else manually is impractical for orgs with thousands of applications.
Can we block users with CAP for all cloud apps but allow a few, including M365 and My Sign-Ins/Security Info? Excluding My Sign-Ins isn’t possible without an SPN, so they get blocked when “all apps” is selected. Any alternative solutions? @merill@JefTek@azuread@MS_EntraID
What's the best way for an org to find user accounts affected by phase 2 of MFA in #EntraID, including those for CLI, PowerShell, and automation? Many service accounts might lack MFA or be excluded, making it hard to track those used behind the scenes. @merill@JefTek@MS_EntraID
What r ur recommendations to protect service accounts (without MFA) in Entra used for automation? I understand using SPNs & workload identities is preferred, but what steps can be done to secure existing service accounts while transitioning to SPN etc. @merill@JefTek@azuread
@merill@JefTek Alright, so if an org has 50K users and 55K P2 licenses in the tenant, they’re fully covered for P2 features like Identity Protection. Individual license assignment isn’t required to utilise Identity Protection premium features.
When u have enough P2 licenses available in ur tenant to cover all users,is it mandatory to assign them to individual users to protect them with Identity Protection? Without assigning the licenses, I can still see all premium risk detections visible for all users @merill@JefTek
We can restrict users from resetting their passwords using SSPR configuration, however, users can still change their passwords without any restrictions. Is there a reason why we don’t have control over that behaviour ? Or if there is any less known solution to it. @JefTek@merill
@tim_siddle@merill@CynicLib So how is attacker going to receive the temporary password generated and shared by admins in case of reset ? Even in case of SSPR, reset requires pre-set auth methods to be successfully completed. May be you can share a different perspective.
In case of compromised user account, what should we do first and why ? Reset password in AD or revoke entra id session. @merill@JefTek @wiele @DrAzureAD
Can we use TAP to also login to MAC managed via JAMF/Intune and setup MFA/SSPR. Just like how we can do it for windows Entra ID join/Windows Hello for Business setup ? This will help eliminating password sharing in advance for a new user. @azuread@merill#TAP#Azure#Entra