Hey everyone, lets look at what the required MFA update really means! Please make sure to read the description for the chapters and key information about this video and others. ⚠ P L E A S E N O T E ⚠ 🔎 If you are looking for content on a particular topic search the channel. If I have something it will be there! 🕰 I don't discuss future content nor take requests for future content so please don't ask 😇 🤔 Due to the channel growth and number of people wanting help I no longer can answer or even read questions and they will just stay in the moderation queue never to be seen so please post questions to other sites like Reddit, Microsoft Community Hub etc. 👂 Translate the captions to your native language via the auto-translate feature in settings! czcams.com/video/v5b53-PgEmI/video.html for a demo of using this feature. Thanks for watching! 🤙
I missed that announcement, great video! I find Entra very confusing when it comes to licensing. Especially in mixed entra license environments. It is quite hard to stay license compliant. I also wish they would add a entra p2 license step up from p1. Especially those for business premium users.
Thanks for the clarification John, makes perfect sense in today world. Already doing all of this :-) so not going to have much of an impact, will keep an eye out for announcement in the portal.
Great video, thanks as always John. For the KQL, I had to change: | where AuthenticationDetails has "SingleFactorAuthentication" to | where AuthenticationRequirement has "SingleFactorAuthentication" i.e. SigninLogs | where UserDisplayName != "" | where UserPrincipalName != "" | where (AppDisplayName == "Azure Portal" or AppDisplayName == "Microsoft Azure PowerShell" or AppDisplayName == "Microsoft Azure CLI") | where AuthenticationRequirement has "SingleFactorAuthentication" | project TimeGenerated, UserDisplayName, UserPrincipalName, AppDisplayName, AuthenticationDetails
Our problem is with Entra SSPR not supporting the external preview. Moving away from the CA custom control for Duo, any verification methods set up for SSPR show up in the list with Duo meaning a user can bypass our policy to use Duo by choosing a voice call or SMS for example. Our MSFT rep is looking into it but hasn't found anything so far.
I'm surprised to hear that the break glass fido recommendation is 2 years old. 6 months ago, I set up PIM with BG accounts and ms documentation definitely still had the two safes method.
So, Microsoft are releasing a feature in July that affects authentication, you can't opt out of, with a half baked attempt at communicating the change in a blog post.....and they're still gathering feedback. I know you say it won't happen all at once. But what if my tenant is among the first batch to have the change applied. Then it's happening in just over a month and we' don't know the full scope of the change. Seems to me like something's happening in the background and there's a big rush to get this change out. We've only recently had the Microsoft managed conditional access policy rollout, which had better communication and planning wrapped around it, so you could measure its impact and deploy your own version of the policy if required
Thanks for this. Currently if you turn on MFA in Azure, it also is turned on for o365, since its the same identity management. Does that change with this new feature?
MFA requirement is based on the target service. Just because a user has setup MFA does not mean its now required for everything. This only applies to those services I talk about in the video.
Hmm, i wonder how this affects resources. I need to check our Teams-room set up as we use CA to remove mfa need. I'm not sure if they're set up a user accounts or not.
So if you create service accounts as users to avoid mfa you’ll want to switch to using service principals? Currently we just exclude them from our CA policies.
Hey everyone, lets look at what the required MFA update really means! Please make sure to read the description for the chapters and key information about this video and others.
⚠ P L E A S E N O T E ⚠
🔎 If you are looking for content on a particular topic search the channel. If I have something it will be there!
🕰 I don't discuss future content nor take requests for future content so please don't ask 😇
🤔 Due to the channel growth and number of people wanting help I no longer can answer or even read questions and they will just stay in the moderation queue never to be seen so please post questions to other sites like Reddit, Microsoft Community Hub etc.
👂 Translate the captions to your native language via the auto-translate feature in settings! czcams.com/video/v5b53-PgEmI/video.html for a demo of using this feature.
Thanks for watching!
🤙
Clear explanation of the MFA announcement. Thanks John 👍
Very welcome
congrats Microsoft, accomplish to yet again making things more complicated
edit: thanks for the video! great way to explain a rather obscure change
Thank you, Chief. This is a great update. 👍👍😉
You bet
Easy to understand, sir, you are a Great teacher 🙏
So nice of you. Thanks!
You are really a good Teacher,.Love from India 🎉
Thank you!
Fantastic content, thanks for taking the time to do these videos. They're very much appreciated.
My pleasure!
I missed that announcement, great video!
I find Entra very confusing when it comes to licensing. Especially in mixed entra license environments. It is quite hard to stay license compliant.
I also wish they would add a entra p2 license step up from p1. Especially those for business premium users.
Thanks John. I appreciate your breakdown of their announcement.
You bet
Great video John. Made it very clear and easy to follow as always.
Great video John.
Only problem i see here is with our break glass accounts - only accounts excluded from MFA as it stands anyway.
Yep talked about those in the video.
Thanks for the clarification John, makes perfect sense in today world. Already doing all of this :-) so not going to have much of an impact, will keep an eye out for announcement in the portal.
Great video, thanks as always John.
For the KQL, I had to change:
| where AuthenticationDetails has "SingleFactorAuthentication"
to
| where AuthenticationRequirement has "SingleFactorAuthentication"
i.e.
SigninLogs
| where UserDisplayName != ""
| where UserPrincipalName != ""
| where (AppDisplayName == "Azure Portal" or AppDisplayName == "Microsoft Azure PowerShell" or AppDisplayName == "Microsoft Azure CLI")
| where AuthenticationRequirement has "SingleFactorAuthentication"
| project TimeGenerated, UserDisplayName, UserPrincipalName, AppDisplayName, AuthenticationDetails
Fantastic stuff John thanks for the reply in MS blog post, you have provided more clarity than Microsoft!
Our problem is with Entra SSPR not supporting the external preview. Moving away from the CA custom control for Duo, any verification methods set up for SSPR show up in the list with Duo meaning a user can bypass our policy to use Duo by choosing a voice call or SMS for example. Our MSFT rep is looking into it but hasn't found anything so far.
I'm surprised to hear that the break glass fido recommendation is 2 years old. 6 months ago, I set up PIM with BG accounts and ms documentation definitely still had the two safes method.
enjoying this video for today learning, thanks a lot!
Glad you enjoyed it!
Awesome as always.
Thank you! Cheers!
Thank you - very well explained 👍
Glad it was helpful!
Great video as usual. Microsoft have really sh*t the bed with this one....
Thxs sir John😊
Welcome 😊
Thanks, Mr NTFAQ. (time flies!). This should have come from the PM's. heh! Really appreciate this.
lol. Hey stranger :)
Clear explanation as usual !
Glad it was helpful!
"That's wrong... don't do that." Good advice! 🙂
So, Microsoft are releasing a feature in July that affects authentication, you can't opt out of, with a half baked attempt at communicating the change in a blog post.....and they're still gathering feedback.
I know you say it won't happen all at once. But what if my tenant is among the first batch to have the change applied. Then it's happening in just over a month and we' don't know the full scope of the change.
Seems to me like something's happening in the background and there's a big rush to get this change out.
We've only recently had the Microsoft managed conditional access policy rollout, which had better communication and planning wrapped around it, so you could measure its impact and deploy your own version of the policy if required
Great video thanks :-)
Thanks for the video!
You're welcome!
Really useful Session.
Glad to hear that!
Thanks for this. Currently if you turn on MFA in Azure, it also is turned on for o365, since its the same identity management. Does that change with this new feature?
MFA requirement is based on the target service. Just because a user has setup MFA does not mean its now required for everything. This only applies to those services I talk about in the video.
Nice
Thanks
Hmm, i wonder how this affects resources. I need to check our Teams-room set up as we use CA to remove mfa need. I'm not sure if they're set up a user accounts or not.
Oops, nevermind, I just realised that we don't manage anything using the room logins. This does not affect our resources, as per John's teachings.
So if you create service accounts as users to avoid mfa you’ll want to switch to using service principals? Currently we just exclude them from our CA policies.
You shouldn't be creating user accounts for service accounts. Yes, use service principal.
"carbon-based fleshy things" - lol!
Guess I need to buy stock in FIDO keys. Where I work no cell phones are allowed.
ROFL
seems that Superman is angry today 😁or the mic is on max loudness 🤩 or MFA makes him angry 😎😁
ROFL, didn't notice
@@NTFAQGuy 😁 all good ...I was under the impression someone stole your doughnut allowance 😁
I would pity that person :-D
@@NTFAQGuy 😂
It’s a good thing. “Who moved my cheese” shouldn’t apply here.
Also. If I'm using Conditional access policies for MFA and I have users in the exceptions list, will they now be required to use MFA?
I address this in the video. Yes, its cumulative.
@NTFAQGuy I must have missed that part. Thank you. Wow that's a bit painful.
It was not the most clearly written post of all time. Especially if you are not an EntraID junkie…. 🤣🤣
lol
@@NTFAQGuyThere was a great deal of wailing and gnashing of teeth by some of my colleagues 🤣🤣
hahahahaha
I guess carbon-based fleshy things is better than meat-bags.
💯