@fabian_bader This pretty much removes the option to protect "Register security information" with a compliant device, if you are asking for WHfB setup during OOBE, or am I wrong?
@reprise_99 Visual verification of a user -> issue TAP -> use TAP to onboard device -> restrict access to MFA setup to only compliant devices.
@merill@AdamWatts888 With Password in MSI you can do changes (when you still know the old pw), but you cant do passwordless signin and then reset. That is why we need Passkeys, CBA and WHfB in SSPR or a change in functionality to the PW in MSI feature (like it was while in preview)
@NathanMcNulty@pfransces@arekfurt I not for overprompting, but if you dont use WHfB, FIDO2, CBA or Web Signin for signing into a device, I have a hard time accepting that you satisfy "MFA", just because you did it once 4 weeks ago.
@NathanMcNulty@pfransces@arekfurt I wish the Windows password credprov was always SF. If you do MFA in an app which uses WAM, while in a session which was unlocked with password, the MFA claim is added and is there even if you reboot the machine and sign in with PW again (happy to be corrected).
@janbakker_@EricaZelic Using Sentinel for DCF usage reporting worked well for us, I also recommend to exclude Teams Meeting Rooms and provide an access package for developers to exclude themselves for 180 days from the policy.
@Licantrop0@NathanMcNulty But that assumes what you want to retrieve has less than 999 entries right? So if I have 2000 users, if I run "Get-MgBetaUser -All -Top 999" I will only get 999 objects back, right?
@EricaZelic@merill@JefTek@NathanMcNulty E.g. I am a normal user and have owner permissions on an app/service principal which has the app permissions Application.ReadWrite.All, if my user account gets taken over, the attacker can add an app credential and use it.
@merill Imho this is pre-req. for a.) scrambling users pws in AD and b.) requiring pw change on high risk for users who dont know their pw. Also, there isn't a "good" (secure) combo of factors for SSPR if you want a 2-gate policy.
@merill The biggest issue is still that a.) the new change pw UI requires you to know the pw and b.) that SSPR doesnt support WHfB, FIDO2/PK or CBA.
What we need is to allow "password reset" (not knowing the current pw) by signing in passwordless into mysecinfo.
@awakecoding@EricaZelic Yes, the one you linked is the one I was looking for. I think the important part of the MS statement is the "discover and use information about the target system" part - they likely got some info about auth. methods available - I agree.
@merill Entra ID group owners should be able to see the audit logs for their group.
Works for owners of service principals, they can read the signin logs and audit logs, why not for groups?