This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.
Azure AD / Entra ID identity and authentication
Articles about user and device identity, in Microsoft Entra ID and beyond, and the various sign-in and authentication options: modern authentication, multi-factor authentication, passwordless sign-in and so on. FIDO authentication comes up often, for example with a FIDO2 security key or Windows Hello for Business.
Azure AD Connect and account replication from On-Premises AD DS
This article contains my brief notes on the very large area of Azure AD for Microsoft 365 / Office 365 services. I didn't have time to study it in detail, so I tried to keep it as simple as possible to test and get the necessary things up and running, that is, the replication of local accounts to the online environment. Additionally, there was a situation where manually created accounts already existed in Azure AD (cloud) and needed to be paired with local accounts (on-premises). I do not guarantee accuracy and the article is by no means comprehensive.
23.04.2021 | 18.09.2020 | Samuraj - Petr Bouška | Microsoft admin | 14 856x | Comments [3]
Azure AD modern authentication, self-service password reset (SSPR)
In this article we look at the Azure AD capabilities for self-service password change or reset (SSPR) and account unlocking. We focus on the situation where On-Premises Active Directory Domain Services (AD DS) users are synced to cloud Azure AD; that Password Hash Synchronization (PHS) is used matters less here. First we set up Password Writeback, so that a password changed in the cloud is written back to On-Premises AD DS. We also cover the concept of modern authentication, password policies and, importantly, authentication methods.
20.05.2021 | Microsoft admin | 5 898x | Comments [0]
Azure AD passwordless login and multi-factor authentication (MFA)
Following on from the previous article, which covered the self-service password reset and account unlocking portal (SSPR), we look at what Microsoft calls Passwordless Sign-in, here using the Microsoft Authenticator app. The main focus is Multi-Factor Authentication (MFA). We return to authentication methods and look at managing them in Azure AD.
20.12.2021 | 21.05.2021 | Microsoft admin | 7 731x | Comments [0]
Hybrid Azure AD Join
Enrolling computers and other devices (such as mobile phones) in Azure AD brings various benefits. We briefly cover the basic Azure AD Device Registration option and then Hybrid Azure AD Join: computers joined to the On-Premises AD domain have their accounts synced to Azure AD and are registered there as well, so they can use both environments, and SSO and Conditional Access work in Azure AD.
02.06.2021 | Microsoft admin | 10 065x | Comments [4]
Windows, macOS and Android Azure AD enrollment and device authentication
A look at the possible ways to enroll devices into Azure AD / Entra ID. We focus on macOS and Android (iOS should be similar), but also cover Windows. The second part discusses Device Authentication, the authentication of the device itself during sign-in to Azure AD, which we can use for device identification and access control. Again, this is more interesting on macOS and Android, which have some limitations, whereas on Windows it simply works automatically.
15.02.2023 | Microsoft admin | 4 084x | Comments [0]
Windows Hello for Business - introduction
In a corporate environment we can increase the security of user accounts, and often user convenience too, by deploying Windows Hello for Business. It creates a credential (an asymmetric key pair, typically protected by a TPM) for a user account in Azure AD (or AD). The credential is bound to a specific device (computer) and cannot be used elsewhere (remotely). The user most often sets up a fingerprint for sign-in, with a PIN as a backup. This article briefly describes the technology and explains why it increases security.
09.06.2023 | 05.06.2023 | Microsoft admin | 5 173x | Comments [1]
Windows Hello for Business - Cloud Kerberos Trust deployment
Windows Hello creates a sign-in credential (an asymmetric key pair, typically protected by a TPM) for a user account in Azure AD (or AD) that is bound to a specific device. The user most often sets up a fingerprint for sign-in, with a PIN as a backup. This article describes one way to deploy Windows Hello for Business in a hybrid enterprise environment: the newest and very simple deployment method, Cloud Kerberos Trust.
11.06.2023 | 06.06.2023 | Microsoft admin | 5 189x | Comments [0]
Windows Hello for Business - user settings and usage
Windows Hello creates a sign-in credential (an asymmetric key pair, typically protected by a TPM) for a user account in Azure AD (or AD) that is bound to a specific device. The user most often sets up a fingerprint for sign-in, with a PIN as a backup. This article describes the process of enrolling (provisioning) Windows Hello on a device, which can happen during the first sign-in after power-on or via Windows settings. We also cover signing in and resetting the PIN.
12.06.2023 | 07.06.2023 | Microsoft admin | 3 987x | Comments [3]
Sign-in with FIDO2 security key
A look at Microsoft's support for sign-in (authentication) with a FIDO2 security key in a corporate environment. Azure AD supports authentication with a FIDO2 security key, and in a hybrid environment we can also use it to sign in to Windows and the local Active Directory. FIDO2 is a passwordless multi-factor authentication method that is also phishing resistant, so it can significantly increase the security of user accounts. Signing in with a key can also be more convenient.
13.07.2023 | 21.06.2023 | Microsoft admin | 7 743x | Comments [2]
Multi-Factor Authentication (MFA) in Microsoft Entra ID
Multi-Factor Authentication (MFA) is now a common standard. A look at what Microsoft offers for corporate accounts in Microsoft Entra ID. This authentication can be used within Microsoft 365, but third-party or internal applications can be connected to it as well. We list the available authentication methods, explain why some are more secure than others, and describe how the different categories of MFA work.
19.10.2023 | Microsoft admin | 4 226x | Comments [0]
Multi-Factor Authentication (MFA) authentication method registration and login
After the general description of Microsoft Entra Multi-Factor Authentication (MFA), a more practical look at registering and managing authentication methods. We focus on the capabilities of Microsoft Authenticator, in particular Phone sign-in as the best option. Then we walk through the MFA sign-in process and the use of some of the authentication methods.
22.10.2023 | Microsoft admin | 3 209x | Comments [2]
FIDO passkeys part 1 - passkeys for authentication
FIDO user authentication with passkeys. Passkeys are a significantly more secure way to sign in to a service than a password. They rely on a key pair: the private key stays with the user, the public key is stored by the service. Passkeys are FIDO credentials according to the FIDO2 standard. This article looks at how passkeys work, what their properties are and how they relate to the FIDO2 security key.
24.03.2024 | 21.03.2024 | Microsoft admin | 3 217x | Comments [1]
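The key-pair challenge-response that the Windows Hello for Business and FIDO2 / passkey articles above rely on, as an added example in Go (not code from the original articles or from Microsoft). The Authenticator and RelyingParty types, the user name, the RP ID example.com and the look-alike examp1e.com are assumptions made up for this illustration, and the signed data is a simplified form of what WebAuthn actually signs:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a device-bound authenticator (a TPM-protected key in
// Windows Hello for Business, or a FIDO2 security key): one key pair per
// relying party (RP) ID, and the private key is never exported.
// (Hypothetical type for this example.)
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: make(map[string]*ecdsa.PrivateKey)}
}

// Register creates a P-256 key pair scoped to rpID and hands back only the
// public key; this is what enrolling a passkey amounts to.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs the server's challenge for the RP ID the browser reports.
// A credential enrolled for example.com simply does not exist for a
// look-alike host, so a phishing page never obtains a usable signature.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// signedData is a simplified version of the WebAuthn layout: the signature
// covers SHA-256(rpID) and the challenge, binding the assertion to both the
// origin and this particular login attempt.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the service side: it stores public keys only, so a leaked
// user database contains nothing that can be replayed as a credential.
// (Hypothetical type for this example.)
type RelyingParty struct {
	ID    string
	users map[string]*ecdsa.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: make(map[string]*ecdsa.PublicKey)}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) {
	rp.users[user] = pub
}

// NewChallenge returns 32 fresh random bytes; every login attempt gets its own.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify checks the assertion against the stored public key and the
// challenge that was issued for this attempt; an old signature fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

// Login runs one complete authentication. originRPID is the RP ID the client
// derives from the page origin; it equals rp.ID only on the genuine site.
func Login(rp *RelyingParty, a *Authenticator, user, originRPID string) (bool, error) {
	challenge, err := rp.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := a.Assert(originRPID, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, sig), nil
}

func main() {
	auth := NewAuthenticator()
	rp := NewRelyingParty("example.com") // illustrative RP ID
	pub, _ := auth.Register(rp.ID)
	rp.Enroll("alice", pub)

	ok, err := Login(rp, auth, "alice", rp.ID)
	fmt.Println("genuine site:", ok, err)
	ok, err = Login(rp, auth, "alice", "examp1e.com") // constructed look-alike host
	fmt.Println("phishing site:", ok, err)
}
```

Run with `go run`. The genuine origin verifies; the look-alike origin gets no assertion at all, which is the phishing resistance the articles describe, and because each login signs a fresh random challenge, a captured assertion cannot be replayed against a later attempt.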
FIDO passkeys part 2 - practical use of passkeys on Windows and Android
A practical look at creating and using passkeys to sign in to online services on Microsoft Windows and Google Android, including Cross-Device Authentication: using an internal authenticator (with local passkeys) or an external authenticator (with passkeys on another device), including a FIDO2 security key. We try different web browsers and test with a Google account for which we create passkeys on different devices.
14.04.2024 | 06.04.2024 | Microsoft admin | 2 853x | Comments [0]
FIDO passkeys part 3 - using passkeys in Microsoft Entra ID
Microsoft is currently adding (or rather expanding) passkey support for its accounts, both personal Microsoft accounts and work or school accounts in Entra ID. We look at the options for personal accounts, where usage is less restricted, and in more detail at corporate accounts, which require device-bound passkeys. On Android (since version 14) and iOS (since version 17) mobile devices, these are for now available only in the Microsoft Authenticator app.
25.04.2024 | 18.04.2024 | Microsoft admin | 2 549x | Comments [0]