Skip to content

Onboard FIDO2 keys using Temporary Access Pass in Azure AD

One of the requirements to use FIDO2 security keys with your Microsoft 365 or Azure Active Directory account is multi-factor authentication. So if the user has not added an authentication method, they need to do that first, in order to add the FIDO2 security key to the account. That is sort of a chicken and egg situation. To work around that, we can use Azure Active Directory’s Temporary Access Pass (TAP) to onboard the user. Using this method, TAP will… 

Use Registration campaign to promote Microsoft Authenticator App

With all the new improvements to the Microsoft Authenticator App, this seems a good time to highlight a new capability in Azure AD: Registration Campain, also known as the nudge feature. Also, organizations should move away from phone transports for authentication. If your users use text (SMS) for second-factor authentication, they have very little context, and therefore might be confusing. On top of that, attackers use SIM jacking techniques to bypass those phone methods. By far the most secure way… 

The day I bought my WinRAR license

This post is about WinRAR. We all know WinRAR for it’s never expiring trial period and the annoying pop-up that we have massively ignored for decades now. At least, in the personal space. I think there are not that many people that bought a WinRAR license for their personal computer, out of principles, guilt, or even accidentally. Including me. I have never owned a WinRAR license myself. But that has changed. I actually bought my very own license last month.… 

Enable Location Information and Code Match for Azure MFA

Update 26-11-2021 As this feature is now in public preview, you can also manage those settings via the Azure portal now. You can find the new settings under Azure Active Directory -> Security -> Authentication methods -> Authenticator App. By default, both settings are managed by Microsoft. You can either enable or disable the feature. Learn more from the Microsoft docs: Use number matching in multifactor authentication (MFA) notifications (Preview) – Azure Active Directory | Microsoft DocsUse additional context in… 

Create Role Assignable Groups based on existing groups

Today’s post is about Role Assignable Groups. Are you new to this? Please check out this post first. If you are already familiar with Role Assignable Groups, you might know, these types of groups have an immutable property ” isAssignableToRole” that cannot be changed. Therefore, you cannot convert existing groups into Role Assignable Groups and vice versa. Role Assignable Groups do not support group nesting, and the group cannot be dynamic as well. So you have two options: Start from… 

10 productivity tips for M365 administrators

I have worked with Microsoft 365 over the past few years, and every now and then you learn a new trick. When that moment comes, your work is a little more pleasant, easier, or more productive from that moment forward. I’d like to share some of that tips in no particular order. Tip 1 – Hello darkness my old friend Dark themes is a thing in the IT world. You either hate or love it. Did you know the Azure… 

Customize the MFA registration policy in Azure AD Identity Protection

Disclaimer: this is a proof of concept, not something that is supported or recommended by me or Microsoft. Needless to say, don’t do this in your, or your customers’ (production) environment. This article points to internal API’s, and those are most likely be changed over time. With that out of the way: on with the show! What are we looking at? As discussed before, there are a lot (and counting) ways to enroll for multi-factor authentication in Azure AD. Two… 

KB – Add account operation is blocked by policy on the device

This is a knowledgebase item. Hope it helps you out someday. Error Add work or school account in Windows 10 or 11 fails with this message: “add account operation is blocked by policy on the device”. Error code: CAA50101 Solution Check the value of Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin\BlockAADWorkplaceJoin Change the value to 0. If this device is managed by your organization, you might not able to change this. Please contact your administrator, if that is the case.

Role Assignable Groups and Privileged Identity Management.

I have used this feature from the very beginning, but now that it reached GA (General Availability) in August 2021, it seemed like a good moment to talk about Role Assignable groups, and how they can help on our Zero Trust adventure. Before this feature existed, Azure AD roles could only be assigned to individual user accounts. Since only Global- and Privileged Role Administrators can assign roles, this is a very cumbersome process. Especially when you are working with larger… 

This might be the FIDO2 key for you! Authentrend ATKey.Pro

In the past few years, I tried different types of FIDO2 keys, from different vendors. And picking your FIDO2 key might seem simple, but I think it’s like picking a new phone: some many options! They come in all sizes and colors, with or without biometrics, and even as wearables like rings or bracelets. What is FIDO2? Let’s go one step back first. Why do we need them? FIDO2 security keys are one of the options to liberate us from…