
Windows Hello and Hello for Business are usually mutually exclusive, but the Windows Security application is not aware of this when ‘Turn on convenience PIN sign-in’ is configured.
https://f12.hu/2024/01/19/convenience-pin-policy-enables-windows-hello-for-business-enrollment-in-windows-security/

Evaluating report-only Conditional Access impact is very straightforward when Entra ID logs are streamed to Log Analytics. Those who can’t have this feature enabled can still use the AADSignInEvents beta table in Defender to find some extra insights.
https://f12.hu/2024/01/17/hunting-for-report-only-microsoft-managed-conditional-access-impacts/

In the November 2023 – What’s New in Microsoft Entra Identity & Security w/ Microsoft Security CxE identity episode, a public preview feature of Entra Workload ID premium license was presented (link) which was actually announced on November 9th (link). I really love the idea of restricting application key credentials to a predefined list of […]
https://f12.hu/2023/12/11/entra-workload-identities-trusted-certificate-authorities-public-preview/

Back in the day, I wrote about the Entra Workload Identities Premium licence and its very appealing capabilities (link). One of my favorites was the defaultAppManagementPolicy which can (also) restrict the lifetime of (new) password credentials created for an application. Well, it looks like I was too restrictive which led to the error message in […]
https://f12.hu/2023/11/12/entra-workload-identites-passwordlifetime-policy-vs-entra-id-application-proxy-application-operation-failed/

I spent ‘some’ time exploring this web sign-in thing and thought to share the results of my research. History: Web sign-in has been available since Windows 10 1809 (link) as a private preview feature and it was restricted to TAP (temporary access pass). There was a time when Web sign-in was not limited to TAP, so […]
https://f12.hu/2023/10/31/windows-web-sign-in-my-notes/

So recently I was planning on requiring authentication strengths in a Conditional Access policy – more precisely requiring Windows Hello for Business – when I realized that I’m not 100% sure that every user will meet this requirement. I wanted to make sure everybody has WHfB enrollment and that it is actively in use – […]
https://f12.hu/2023/10/15/query-windows-hello-for-business-registrations-and-usage/

Recently, John Savill* uploaded a video on this very cool feature and I thought to give it a try when I realized I have no Log Analytics integration enabled, so no Workbooks for me 🙁 [*big fan of John’s videos, pure gold] This is not fair to those who only use Microsoft 365 products or who […]
https://f12.hu/2023/09/03/conditional-access-gap-analyzer-without-log-analytics-integration/

Disclaimer: the following configurations require Microsoft Entra Workload Identities Premium licence (link). Note: This post is not strictly related to fighting client secret usage for apps. However, it may provide a basis for considering the purchase of Microsoft Entra Workload Identities Premium licence for at least those apps that use client secret. In my previous […]
https://f12.hu/2023/08/12/fighting-azuread-app-registration-client-secrets-step3-using-conditional-access-for-workload-identities-custom-security-attributes/

Disclaimer: the following configurations require Microsoft Entra Workload Identities Premium licence (link). In my previous post, I highlighted the risks of using password credentials for apps and how to spot client secret usage for service principals. This post will focus on limiting password lifetime for apps (scoped to tenant or specific application level) which can […]
https://f12.hu/2023/06/18/fighting-azuread-app-registration-client-secrets-step2-limiting-app-password-lifetime/

Workload identity (including service principals) security keeps bugging me, especially the password credentials (aka client secret). I’m sure there are scenarios where this is the only option, but I see environments where these are used just because it is easier to implement. And one day I woke up and realized how dangerous it can be […]
https://f12.hu/2023/06/12/fighting-azuread-app-registration-client-secrets-step1-reviewing-client-secret-usage/