Muchas gracias Carlos, he aprendido bastante con tus conocimientos, tengo un par de preguntas: 1- como configuras que el doble MFA sea un mensaje sms al celular del usuario? 2- Como puedes forzar al usuario que use una contraseña fuerte de cierto largo?
Gracias Alexander, 1. Debes incresar a tu cuenta de usuario de MS, click en la parte superior derecha (ene l circulo con las iniciales o tu foto), view account, Securiy info, Add sign-in method. 2. Creo que no se puede forzar en el panel de admin, pero quizas se puede hacer via Powershell. Una mas para la lista de investigar :) Saludos y gracias
My concern at my organization is as follows (thought exercise): I have two Global Admin Accounts > Admin A + Admin B Admin A account get "hacked/ compromised" - Now the hacker has access to everything. As the hacker I would "block user sign-in" for all users including Admin B This would prevent Admin B from logging in. Without Admin access. I would be locked out and unable to fix the issue. Questions: Am I missing something? Is there a solution to prevent this? i.e. create another domain/office365 that is given permission to access the Main Domain? (similar to how MSP have backend access) This is a major concern as Microsoft has released Microsoft Office Backup feature. The Main reason for backup is to protect against ransom attacks in our case. BUT if all my Admin accounts are locked out or compromised as explained above in the thought exercise. I would not be able to access the backup to start the restore.
What you described is possible situation. I am not sure how the additional domain can protect you in this case. I would make sure both global admin users are enforced and configured with MFA, this can will helps prevent about 99% percent of cases. Using a hard key (like Yubikey) for authentication can increase security even more. Acting quick when detecting an issue is also key. Thank you for sharing the scenario.
Awesome content !!!
Glad you like it! thank you.
Muchas gracias Carlos, he aprendido bastante con tus conocimientos, tengo un par de preguntas:
1- como configuras que el doble MFA sea un mensaje sms al celular del usuario?
2- Como puedes forzar al usuario que use una contraseña fuerte de cierto largo?
Gracias Alexander,
1. Debes incresar a tu cuenta de usuario de MS, click en la parte superior derecha (ene l circulo con las iniciales o tu foto), view account, Securiy info, Add sign-in method.
2. Creo que no se puede forzar en el panel de admin, pero quizas se puede hacer via Powershell. Una mas para la lista de investigar :)
Saludos y gracias
@@itwithcarlos muchas gracias por tu respuesta, en el punto 1, desde el tenant no hay forma de hacerlo para todos o toca uno a uno desde sus cuentas?
My concern at my organization is as follows (thought exercise):
I have two Global Admin Accounts >
Admin A + Admin B
Admin A account get "hacked/ compromised"
- Now the hacker has access to everything. As the hacker I would "block user sign-in" for all users including Admin B
This would prevent Admin B from logging in.
Without Admin access. I would be locked out and unable to fix the issue.
Questions:
Am I missing something?
Is there a solution to prevent this? i.e. create another domain/office365 that is given permission to access the Main Domain? (similar to how MSP have backend access)
This is a major concern as Microsoft has released Microsoft Office Backup feature. The Main reason for backup is to protect against ransom attacks in our case. BUT if all my Admin accounts are locked out or compromised as explained above in the thought exercise. I would not be able to access the backup to start the restore.
What you described is possible situation. I am not sure how the additional domain can protect you in this case.
I would make sure both global admin users are enforced and configured with MFA, this can will helps prevent about 99% percent of cases. Using a hard key (like Yubikey) for authentication can increase security even more.
Acting quick when detecting an issue is also key.
Thank you for sharing the scenario.