Phishing Resistant MFA for New Users in Microsoft 365

  • Published: 24 Jan 2025

Comments • 63

  • @TheSaabClinicUK 3 months ago +2

    Excellent video, thank you. We have been thinking about implementing this for some time now, your video definitely makes it clearer.

  • @DilipBalsaraf 3 months ago +13

    I feel you should have shown a few more things. How does Minnie re-login the next time she reboots or logs off? How she would experience phish-resistant MFA in action during the next login process would have been lovely to see. Also, if she forgets her PIN and never set up facial recognition, or if her phone is lost, how would she get in? etc.

    • @bearded365guy 3 months ago +6

      @@DilipBalsaraf the next login to the PC will be Windows Hello for Business, so either PIN or biometrics. The next login to her web apps would be passkey.

    • @DilipBalsaraf 3 months ago +2

      @@bearded365guy gotcha, thanks! I presume the web apps will just send a push to her MS Authenticator? Since this is not a YubiKey, I presume MS Authenticator will ensure that the URL the user is logging into is correct, thus making it phishing resistant. I think this bit would have been good to demo. It would give people the whole picture about how phishing-resistant MFA works. Love your videos! Cheers!

    • @stormlight1553 3 months ago +4

      @@DilipBalsaraf no push. The web apps will show a QR code you have to scan with your camera.

    • @DilipBalsaraf 3 months ago

      @@stormlight1553 Ah, thanks, that's good to know! Appreciate the help!

    • @ojurongbelanre 3 months ago

      @@bearded365guy awesome 👌

  • @ojurongbelanre 3 months ago +1

    Brilliant as always!!! 😎 Well done Mr Edwards!!!

  • @regferreira5863 3 months ago +3

    Good explanation of the different elements; however, the portion regarding Conditional Access policies requires a note that Microsoft Entra ID P1 or P2 licensing is required.

    • @studiotwo 1 month ago

      Yep. Superb video as always, but I find there is limited value for those organisations that do not have the M365 Premium. My heart sank when you went into Conditional Access Policies. I'm working hard to improve security on my network, but it is a very hard sell to get the budget to move from Business Basics to Business Premium.

  • @andrewlachica8672 3 months ago +4

    I tested this and although it works with M365, it does have compatibility issues with Entra ID registered apps (3rd party) where those apps only support SSO and MFA. It would be good if all industries supported this method.

    • @bearded365guy 3 months ago +1

      Yes, fair point. Which apps in particular did you have problems with?

  • @SonnyLearnsToRock 3 months ago

    Awesome video 💯 🔥 Enhanced security 🔒

  • @MarceloMedeirosInfo 2 months ago +3

    Hey Jonathan, thank you very much for the video. In a hybrid environment, what's the best approach in your opinion?

  • @RobFahndrich1 3 months ago +6

    Great video.
    Dumb question: will this still work if our organization still uses on-premises Windows AD that is synced to Azure? We are unable to retire Windows AD at this time.
    Thoughts?
    Thanks again for great videos.

    • @robertneal1973 3 months ago +1

      Yep, same question. We also don't generally tell people to log in with their email address, instead using the samaccountname convention. I guess that's just a training/behavioral solution, but I too wonder if this will work if they're logging into on-prem "first."

    • @DanielVoyles 3 months ago

      Yes, same question. Is this only compatible with Entra Joined or also Hybrid Joined devices?

  • @solarpunk_ 3 months ago

    Looking strong on this video thumbnail Jonathan. (Tim)

  • @andrewenglish3810 3 months ago +2

    @bearded365guy The MFA Legacy Migration and Windows Hello videos you mention: you should add a link in the video to those videos at the point when you mention them; this way people don't have to go searching through your massive collection! :) I already migrated from Legacy MFA ages ago, and now need to watch your Windows Hello video, which I am looking forward to!

    • @bearded365guy 3 months ago +3

      @@andrewenglish3810 Guess what? I published this video in the wrong order 😩 - so next week I talk about Legacy MFA in that video, sorry about that.

    • @bearded365guy 3 months ago +1

      @@andrewenglish3810 Windows Hello - ruclips.net/video/A8faHO-bn-0/видео.htmlsi=T2oFesFzG34mknJ7

  • @tony6626 3 months ago +2

    Great video Jon, thanks. Have you run through certificate-based authentication? Would be great to see that in action in future.

    • @bearded365guy 3 months ago

      @@tony6626 I’ll do something on it soon!

  • @Deepcover999 3 months ago

    Hi Jonathan, re: Authentication Methods policies, which of your other videos are you referring to at 1:53, please?

    • @Ian-S. 1 month ago

      I think it's this one. Seems silly to not link it in the video description or pin it as the top comment....
      ruclips.net/video/B4kgKb4H9iw/видео.htmlsi=33BfK8jraeM1lWxL

  • @LivingInCloud1 3 months ago

    Why not use the new shiny passkeys for logon to the PC setup?

  • @Timmy-Hi5 3 months ago

    ...That is all great :) BUT what is the OOBE if we already set up the Win device (HP laptop) delivered to an end user based in France (head office UK) > We then use the steps from your vid > What would be the end-user experience ;)😁🤩😁

  • @DemetriosMallous90 5 days ago

    If you're using a managed Windows PC with a user that is already logged in and then try to sign in with a different user account for the first time, it asks for the account password.

  • @aranbillen5954 3 months ago

    Great video! I have a few questions:
    Is there a way to bulk-create temporary access keys and assign them to users, especially when there are many new starters? Can these be created for existing staff and students as well?
    Additionally, if users don’t have mobile devices or are unwilling to use personal or company phones, and if FIDO keys aren’t an option, could Windows Hello serve as an alternative to the authenticator for user authentication?
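An added example (not from the video, the channel, or the commenter) of how a tenant admin could bulk-create Temporary Access Passes for a list of new starters with the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph` module is installed, the signed-in admin holds a role allowed to manage other users' authentication methods, TAP is enabled in the tenant's Authentication Methods policy with the target users in scope, and a constructed input CSV with a `UserPrincipalName` column; the file paths and the lifetime defaults are assumptions, not values from the page. The same call works for existing users, since a TAP is an authentication method on the user object rather than an onboarding-only feature.

```powershell
# Added example (not from the video or the commenter): bulk-create Temporary Access Passes
# with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the caller may manage other users'
# authentication methods; TAP is enabled in the Authentication Methods policy.
# Input CSV is a constructed placeholder with one column, e.g.:
#   UserPrincipalName
#   new.starter1@contoso.example
#   new.starter2@contoso.example
param(
    [string]$InputCsv          = '.\new-starters.csv',  # assumed path
    [string]$OutputCsv         = '.\tap-output.csv',    # assumed path; the file contains live passes
    [int]   $LifetimeInMinutes = 240,                   # four hours from StartDateTime
    [switch]$UsableOnce                                  # one-time use; omit if several sign-ins are needed
)

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

# Permission needed to create authentication methods on other users' accounts.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$results = foreach ($row in Import-Csv -Path $InputCsv) {
    $upn = $row.UserPrincipalName.Trim()
    try {
        # Resolve the user first so a typo in the CSV fails here rather than inside the TAP call.
        $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction Stop

        $tapParams = @{
            UserId            = $user.Id
            LifetimeInMinutes = $LifetimeInMinutes
            IsUsableOnce      = $UsableOnce.IsPresent
            StartDateTime     = (Get-Date).ToUniversalTime()   # valid from now
        }
        $tap = New-MgUserAuthenticationTemporaryAccessPassMethod @tapParams -ErrorAction Stop

        [pscustomobject]@{
            UserPrincipalName   = $user.UserPrincipalName
            TemporaryAccessPass = $tap.TemporaryAccessPass
            StartDateTime       = $tap.StartDateTime
            LifetimeInMinutes   = $tap.LifetimeInMinutes
            IsUsableOnce        = $tap.IsUsableOnce
            Status              = 'Created'
        }
    }
    catch {
        # Record the failure and keep going so one bad row does not stop the batch.
        [pscustomobject]@{
            UserPrincipalName   = $upn
            TemporaryAccessPass = $null
            StartDateTime       = $null
            LifetimeInMinutes   = $null
            IsUsableOnce        = $null
            Status              = "Failed: $($_.Exception.Message)"
        }
    }
}

# Passes go to the output file for the onboarding team; only the status is echoed to the console.
$results | Export-Csv -Path $OutputCsv -NoTypeInformation
$results | Select-Object UserPrincipalName, Status | Format-Table -AutoSize

Disconnect-MgGraph
```

The pass is printed nowhere but the output file, which should be treated like a password list: deliver each pass to its user through an out-of-band channel and delete the file once onboarding is done. Keeping the lifetime short and using `-UsableOnce` where the first sign-in is the only thing the pass needs to cover limits what an intercepted pass is worth.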

  • @patrick__007 3 months ago

    Thanks for sharing! One thing: when I try the same steps on an Android, it prompts me to download the Microsoft Intune portal? And I should use Microsoft Edge to follow the steps.

  • @DruDubay 3 months ago

    This is the way

  • @gbb8873 3 months ago

    What is your opinion about the Windows Hello PIN? I think it's a weak point and can't be disabled. Password + fingerprint should work alone.

  • @ricklucas6216 3 months ago

    What is confusing is the new flow registers the phone and sets up phone sign-in as well as Passkey unless you tap SKIP. Why do you think Microsoft is forcing a flow to setup both a passwordless and a passwordless/phishing resistant MFA method?

  • @extremepcs2807 3 months ago

    What about legacy hybrid orgs that have on-premises Active Directory and desktops with no biometric readers? Are YubiKeys the only option for signing in to the desktops?

    • @UnforgivingEnd 3 months ago

      WHfB supports Hybrid Joined devices. I recommend taking a look at the Cloud Kerberos Trust approach.
      The Temporary Access Pass method wouldn't work for the first sign-in on the Windows device, though.

  • @TedFreitas 3 months ago

    So how do we deal with registering a new user on a device if the system is shared or it's not a brand new device? When you try to log a user into an Entra joined PC, the new user can't log in with TAP; they have to use the actual password. Seems like this might only work with a brand new device during the OOBE?

    • @rollover36 19 days ago

      If you want to log in using TAP on a PC, you'd need to enable web sign-in via Intune policies.

  • @michaelforforder 3 months ago

    Is there an option to use "fingerprint" to log in instead of a (USB) security key?
    We currently use a security key (USB) to plug into the device and log in. But I want to change that to fingerprint. Is that even possible?

  • @MultiHotmax 3 months ago

    We are hybrid; I'm assuming that doesn't work for us. Is that right?

  • @ggoben 3 months ago

    This isn’t for hybrid tenant setups, right? If you sync users from an on-prem AD this wouldn’t work, right? A password is still needed for all on-prem resources etc., so I’m thinking it would confuse users to have 2 different types of logins even if it was set up.

    • @TiNmyJ 3 months ago +2

      I guess you could have an on-prem login password (a really long one) set that never expires and then use a temp password + Windows Hello.

  • @TonyFussellLFG 3 months ago

    I can't get this to work. After the first Windows login with the temporary pass, Windows (24H2) insists on looking for updates (where it offers for you to play the surfing game). I can't cancel this; I even tried removing the virtual NIC without success. Then it reboots. Windows Hello has not been set up yet, so it asks for a password. I can't get around it.

  • @maximusthor2390 3 months ago +1

    Thanks, but this doesn't work for macOS users?
    Do you have a solution for them as well?

    • @bearded365guy 3 months ago

      @@maximusthor2390 Yes, use this for Macs - ruclips.net/video/bunnbpTZzaU/видео.htmlsi=LIVAR7naG38kcqvl

    • @chriskeavey 2 months ago

      If you are referring to a Platform SSO configured Mac, or a Mac using something like Jamf Connect, I believe we are out of luck and the user's password must still be known. This is because the Apple device still requires a password for the local user account. Would love to learn there's another option for passwordless on Mac!

  • @TheStevenWhiting 3 months ago +1

    We've disabled Windows Hello as it's so insecure. This whole setup is pretty pointless if you need to use SSO with other sites. Those sites WILL need a password first.

    • @bearded365guy 3 months ago

      @@TheStevenWhiting Why do you think that Windows Hello isn’t secure?

    • @AndreasWikstrom85 3 months ago

      Sorry, but both of your statements are completely wrong. SSO for other SaaS apps works fine without a password. Please explain how WHfB is less secure than having a password that can be used from any device, compared to WHfB, which is hard-bound to one specific device. WHfB is literally MFA by design.

  • @RyanHill-we6nc 3 months ago

    I've just tried setting this up for a single user, but the user is still being prompted to enter a password. Any idea why, and where I can turn this off for the user?

    • @chriskeavey 2 months ago

      As far as I know, if a user has phone sign-in enabled they should see a line below the password field that says "Use app instead". I would be interested to know if there is a way of setting the login to the Authenticator app by default. Lots of users don't realise it's there and keep using their password.

  • @andywright3107 3 months ago +2

    Am I the only one that thinks PINs are a really bad idea? I get that they're tied to a machine, but someone looking over a user's shoulder can watch them enter the PIN (which will often be shorter than an old-style password), steal the laptop, and log in. All the apps (Word, Outlook, OneDrive, Teams, Edge etc.) will SSO in to 365 and they've got all your data! Yes, passwords are really bad, but I think PINs can be even worse and that neither should be used.
    I've just set up a tenant using only Hardware keys for Windows login; Temporary Password is used for setting the key up. PIN setup is disabled on new PCs' first-run, and they use the key (and its PIN) to log in. Same for adding email to iPhones - key only.
    (Yes, they have spare keys!)

    • @bearded365guy 3 months ago +1

      @@andywright3107 I don’t mind PINs, but prefer biometrics with Windows Hello.

    • @HanSDevX 3 months ago +1

      I am of the same opinion. Someone who knows what year their mom or first child was born can just log into it.

    • @ggates5859 3 months ago +1

      On the surface, PINs seem weak. Of course, they can be shoulder surfed. But think about it: banks allow 4-character numeric PINs plus a card to secure their customers' accounts.

    • @bearded365guy 3 months ago

      @@andywright3107 Remember, the PIN is tied to that device, so the attacker would need both the device and the PIN. The PIN is not synced in any way to 365.

    • @davisdevey 3 months ago +2

      It's no different than if the Bad Actor steals someone's YubiKey and can guess their PIN. Remember, at the end of the day this is phishing-resistant, not phishing-proof.

  • @krysticsage 1 month ago

    I would love to see a demo of you testing this and showing it's resistant to this type of attack: ruclips.net/video/CNyzGUY3Ujk/видео.html

  • @HanSDevX 3 months ago

    Very nice, but seems like a lot of steps for a monkey (user) to follow.

  • @davk 3 months ago

    There is no point in learning that. Microsoft will change it soon, as they always do.