Multi-factor authentication (MFA): multi-factor authentication is a type of authentication that requires the use of two or more verification factors to gain access to a system. Azure MFA offers a 14 day grace period after being initiated. This period allows users to register before it becomes a requirement after 14 days.
https://www.syskit.com/blog/using-azure-conditional-access-when-security-defaults-isnt-enough/
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
Named locations
Locations are named in the Azure portal under Azure Active Directory > Security > Conditional Access > Named locations. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations can be defined by IPv4/IPv6 address ranges or by countries.
Fallback reviewers are asked to do a review when the user has no manager specified in the directory or if the group doesn't have an owner. For Privileged Access Groups (Preview), you must select Group owner(s). It is mandatory to assign at least one fallback reviewer to the review.2
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention#how-long-does-azure-ad-store-the-data
Activity reports
| Report | Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 |
|---|---|---|---|
| Audit logs | Seven days | 30 days | 30 days |
| Sign-ins | Seven days | 30 days | 30 days |
| Azure AD MFA usage | 30 days | 30 days | 30 days |
You can retain the audit and sign-in activity data for longer than the default retention period outlined above by routing it to an Azure storage account using Azure Monitor. For more information, see Archive Azure AD logs to an Azure storage account.
Security signals
| Report | Azure AD Free | Azure AD Premium P1 | Azure AD Premium P2 |
|---|---|---|---|
| Risky users | No limit | No limit | No limit |
| Risky sign-ins | 7 days | 30 days | 90 days |
Use the drawing tools at Tools > Comment.
- SRC INTERNET
When a guest user redeems an invitation or uses a link to a resource that has been shared with them, they’ll receive a one-time passcode if:
They don't have an Azure AD account.
They don't have a Microsoft account.
The inviting tenant didn't set up federation with social (like Google) or other identity providers.
They don't have any other authentication method or any password-backed accounts.
Email one-time passcode is enabled.
At the time of invitation, there's no indication that the user you're inviting will use one-time passcode authentication. But when the guest user signs in, one-time passcode authentication will be the fallback method if no other authentication methods can be used.
Note
When a user redeems a one-time passcode and later obtains an MSA, Azure AD account, or other federated account, they'll continue to be authenticated using a one-time passcode. If you want to update the user's authentication method, you can reset their redemption status.
Assign a role
https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity
The simplest and recommended method for enabling cloud authentication for on-premises directory objects in Azure AD is to enable password hash synchronization (PHS). If your organization uses a hybrid identity solution with pass-through authentication or federation, then you should enable password hash sync for the following two reasons:
The Users with leaked credentials report in Azure AD warns of username and password pairs, which have been exposed publically. An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization – but only if you enable password hash sync or have cloud-only identities.
If an on-premises outage happens, like a ransomware attack, you can switch over to using cloud authentication using password hash sync. This backup authentication method will allow you to continue accessing apps configured for authentication with Azure Active Directory, including Microsoft 365. In this case, IT staff won't need to resort to shadow IT or personal email accounts to share data until the on-premises outage is resolved.
You can use directory extensions to extend the schema in Azure Active Directory (Azure AD) with your own attributes from on-premises Active Directory. This feature enables you to build LOB apps by consuming attributes that you continue to manage on-premises. These attributes can be consumed through extensions. You can see the available attributes by using Microsoft Graph Explorer. You can also use this feature to create dynamic groups in Azure AD.
看似岁月静好,其实随便一个错误,就能打破平静,陷入危机。
不端亲戚朋友的碗
古人有个劝戒,叫“是亲三分客”。
亲友,在亲密关系中,要保持一种理性的距离。
从亲友转变到上下级、合伙人的身份,自然难有规矩和原则,利益更无从保证。
最后往往付出了时间精力,只换来矛盾重重,分道扬镳。“亲人要生,生人要熟,”也是同样的道理。
不端白食软饭的碗。不吃白食软饭,用现在话说,就是不占小便宜。
总想占便宜吃白饭的人,往往丢掉了更大的人品和格局。
“早先拿去的,回头还要加倍偿付。” 佛教里叫因果循环,股市叫盈亏同源,江湖术语叫迟早要还的。吃亏是福,付出和给予,才是做人的底气和智慧。
不端旁门左道的碗。不义之财,都是人生的陷阱,一旦陷入,再难脱身。“莫伸手,伸手必被捉。”人生总有许多诱惑,能否守住底线,决定了后半生能否安稳度过。不进后门 “靠山山会倒,靠人人会跑,靠自己最好。” 没有从天而降的贵人,有的只是努力的自己。不进偏门 根基不稳,路会越走越窄,练不出真本事。不进急门 “世事多因忙里错。” 饭要一口一口吃,事要一件一件做。与其求快不如求稳,凡事三思而后行。
古人云:事急则变,事缓则圆。沉住气,你就赢了。
人有三不交
不交自私自利的人
不交忘恩负义的人
古人常说:滴水之恩,当涌泉相报。
不交斤斤计较的人 水至清则无鱼,人至察则无徒。”因一点矛盾和过错,就拒人于千里之外。能容天下人,才能为天下人所容。
What is MFA disabled?
Turn off MFA to stop requiring a verification method for the selected users. They'll only need their email address and password to sign in.
An identity provider creates, maintains, and manages identity information while providing authentication services to applications. When sharing your apps and resources with external users, Azure AD is the default identity provider for sharing. This means when you invite external users who already have an Azure AD or Microsoft account, they can automatically sign in without further configuration on your part.
MFA Disabled and MFA Enforced don't mean the user is prompted for MFA every time tries to access something. MFA Enforced means the user has completed the enrollment.
The trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments. When users are in one of these locations, there's no Azure AD Multi-Factor Authentication prompt. The trusted IPs feature requires Azure AD Premium P1 edition.
Go to Azure active directory > under Manage section Password reset blade > Authentication methods & check the Security Questions
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode#when-does-a-guest-user-get-a-one-time-passcode
When a guest user redeems an invitation
or uses a link to a resource that has been shared with them, they'll
receive a one-time passcode if:
They don't have an Azure AD account
They don't have a Microsoft account
The inviting tenant didn't set up federation with social (like Google) or other identity providers.
One-time passcodes are valid for 30 minutes.
The Azure AD conditional access What if tool allows you to understand the impact of your conditional access policies on your environment. Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report. The report does not only list the applied conditional access policies but also classic policies if they exist.
| Role | Manage user's auth methods | Manage per-user MFA | Manage MFA settings | Manage auth method policy | Manage password protection policy | Update sensitive properties | Delete and restore users |
|---|---|---|---|---|---|---|---|
| Authentication Administrator | Yes for some users | Yes for some users | No | No | No | Yes for some users | Yes for some users |
| Privileged Authentication Administrator | Yes for all users | Yes for all users | No | No | No | Yes for all users | Yes for all users |
| Authentication Policy Administrator | No | No | Yes | Yes | Yes | No | No |
| User Administrator | No | No | No | No | No | Yes for some users | Yes for some users |
Important
The following authentication methods are available for SSPR:
Mobile app notification •
Mobile app code
•
Email \•\
Mobile phone •
Office phone (available only for tenants with paid subscriptions) •
Security questions
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
| Role | Description | Template ID |
|---|---|---|
| Application Administrator | Can create and manage all aspects of app registrations and enterprise apps. | 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 |
| Application Developer | Can create application registrations independent of the 'Users can register applications' setting. | cf1c38e5-3621-4004-a7cb-879624dced7c |
| Attack Payload Author | Can create attack payloads that an administrator can initiate later. | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f |
| Attack Simulation Administrator | Can create and manage all aspects of attack simulation campaigns. | c430b396-e693-46cc-96f3-db01bf8bb62a |
| Attribute Assignment Administrator | Assign custom security attribute keys and values to supported Azure AD objects. | 58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d |
| Attribute Assignment Reader | Read custom security attribute keys and values for supported Azure AD objects. | ffd52fa5-98dc-465c-991d-fc073eb59f8f |
| Attribute Definition Administrator | Define and manage the definition of custom security attributes. | 8424c6f0-a189-499e-bbd0-26c1753c96d4 |
| Attribute Definition Reader | Read the definition of custom security attributes. | 1d336d2c-4ae8-42ef-9711-b3604ce3fc2c |
| Authentication Administrator | Can access to view, set and reset authentication method information for any non-admin user. | c4e39bd9-1100-46d3-8c65-fb160da0071f |
| Authentication Policy Administrator | Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials. | 0526716b-113d-4c15-b2c8-68e3c22b9f80 |
| Azure AD Joined Device Local Administrator | Users assigned to this role are added to the local administrators group on Azure AD-joined devices. | 9f06204d-73c1-4d4c-880a-6edb90606fd8 |
| Azure DevOps Administrator | Can manage Azure DevOps policies and settings. | e3973bdf-4987-49ae-837a-ba8e231c7286 |
| Azure Information Protection Administrator | Can manage all aspects of the Azure Information Protection product. | 7495fdc4-34c4-4d15-a289-98788ce399fd |
| B2C IEF Keyset Administrator | Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). | aaf43236-0c0d-4d5f-883a-6955382ac081 |
| B2C IEF Policy Administrator | Can create and manage trust framework policies in the Identity Experience Framework (IEF). | 3edaf663-341e-4475-9f94-5c398ef6c070 |
| Billing Administrator | Can perform common billing related tasks like updating payment information. | b0f54661-2d74-4c50-afa3-1ec803f12efe |
| Cloud App Security Administrator | Can manage all aspects of the Defender for Cloud Apps product. | 892c5842-a9a6-463a-8041-72aa08ca3cf6 |
| Cloud Application Administrator | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. | 158c047a-c907-4556-b7ef-446551a6b5f7 |
| Cloud Device Administrator | Limited access to manage devices in Azure AD. | 7698a772-787b-4ac8-901f-60d6b08affd2 |
| Compliance Administrator | Can read and manage compliance configuration and reports in Azure AD and Microsoft 365. | 17315797-102d-40b4-93e0-432062caca18 |
| Compliance Data Administrator | Creates and manages compliance content. | e6d1a23a-da11-4be4-9570-befc86d067a7 |
| Conditional Access Administrator | Can manage Conditional Access capabilities. | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9 |
| Customer LockBox Access Approver | Can approve Microsoft support requests to access customer organizational data. | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 |
| Desktop Analytics Administrator | Can access and manage Desktop management tools and services. | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4 |
| Directory Readers | Can read basic directory information. Commonly used to grant directory read access to applications and guests. | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b |
| Directory Synchronization Accounts | Only used by Azure AD Connect service. | d29b2b05-8046-44ba-8758-1e26182fcf32 |
| Directory Writers | Can read and write basic directory information. For granting access to applications, not intended for users. | 9360feb5-f418-4baa-8175-e2a00bac4301 |
| Domain Name Administrator | Can manage domain names in cloud and on-premises. | 8329153b-31d0-4727-b945-745eb3bc5f31 |
| Dynamics 365 Administrator | Can manage all aspects of the Dynamics 365 product. | 44367163-eba1-44c3-98af-f5787879f96a |
| Edge Administrator | Manage all aspects of Microsoft Edge. | 3f1acade-1e04-4fbc-9b69-f0302cd84aef |
| Exchange Administrator | Can manage all aspects of the Exchange product. | 29232cdf-9323-42fd-ade2-1d097af3e4de |
| Exchange Recipient Administrator | Can create or update Exchange Online recipients within the Exchange Online organization. | 31392ffb-586c-42d1-9346-e59415a2cc4e |
| External ID User Flow Administrator | Can create and manage all aspects of user flows. | 6e591065-9bad-43ed-90f3-e9424366d2f0 |
| External ID User Flow Attribute Administrator | Can create and manage the attribute schema available to all user flows. | 0f971eea-41eb-4569-a71e-57bb8a3eff1e |
| External Identity Provider Administrator | Can configure identity providers for use in direct federation. | be2f45a1-457d-42af-a067-6ec1fa63bc45 |
| Global Administrator | Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. | 62e90394-69f5-4237-9190-012177145e10 |
| Global Reader | Can read everything that a Global Administrator can, but not update anything. | f2ef992c-3afb-46b9-b7cf-a126ee74c451 |
| Groups Administrator | Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports. | fdd7a751-b60b-444a-984c-02652fe8fa1c |
| Guest Inviter | Can invite guest users independent of the 'members can invite guests' setting. | 95e79109-95c0-4d8e-aee3-d01accf2d47b |
| Helpdesk Administrator | Can reset passwords for non-administrators and Helpdesk Administrators. | 729827e3-9c14-49f7-bb1b-9608f156bbb8 |
| Hybrid Identity Administrator | Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings. | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2 |
| Identity Governance Administrator | Manage access using Azure AD for identity governance scenarios. | 45d8d3c5-c802-45c6-b32a-1d70b5e1e86e |
| Insights Administrator | Has administrative access in the Microsoft 365 Insights app. | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c |
| Insights Analyst | Access the analytical capabilities in Microsoft Viva Insights and run custom queries. | 25df335f-86eb-4119-b717-0ff02de207e9 |
| Insights Business Leader | Can view and share dashboards and insights via the Microsoft 365 Insights app. | 31e939ad-9672-4796-9c2e-873181342d2d |
| Intune Administrator | Can manage all aspects of the Intune product. | 3a2c62db-5318-420d-8d74-23affee5d9d5 |
| Kaizala Administrator | Can manage settings for Microsoft Kaizala. | 74ef975b-6605-40af-a5d2-b9539d836353 |
| Knowledge Administrator | Can configure knowledge, learning, and other intelligent features. | b5a8dcf3-09d5-43a9-a639-8e29ef291470 |
| Knowledge Manager | Can organize, create, manage, and promote topics and knowledge. | 744ec460-397e-42ad-a462-8b3f9747a02c |
| License Administrator | Can manage product licenses on users and groups. | 4d6ac14f-3453-41d0-bef9-a3e0c569773a |
| Lifecycle Workflows Administrator | Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Azure AD. | 59d46f88-662b-457b-bceb-5c3809e5908f |
| Message Center Privacy Reader | Can read security messages and updates in Office 365 Message Center only. | ac16e43d-7b2d-40e0-ac05-243ff356ab5b |
| Message Center Reader | Can read messages and updates for their organization in Office 365 Message Center only. | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b |
| Microsoft Hardware Warranty Administrator | Create and manage all aspects warranty claims and entitlements for Microsoft manufactured hardware, like Surface and HoloLens. | 1501b917-7653-4ff9-a4b5-203eaf33784f |
| Microsoft Hardware Warranty Specialist | Create and read warranty claims for Microsoft manufactured hardware, like Surface and HoloLens. | 281fe777-fb20-4fbb-b7a3-ccebce5b0d96 |
| Modern Commerce User | Can manage commercial purchases for a company, department or team. | d24aef57-1500-4070-84db-2666f29cf966 |
| Network Administrator | Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications. | d37c8bed-0711-4417-ba38-b4abe66ce4c2 |
| Office Apps Administrator | Can manage Office apps cloud services, including policy and settings management, and manage the ability to select, unselect and publish 'what's new' feature content to end-user's devices. | 2b745bdf-0803-4d80-aa65-822c4493daac |
| Organizational Messages Writer | Write, publish, manage, and review the organizational messages for end-users through Microsoft product surfaces. | 507f53e4-4e52-4077-abd3-d2e1558b6ea2 |
| Partner Tier1 Support | Do not use - not intended for general use. | 4ba39ca4-527c-499a-b93d-d9b492c50246 |
| Partner Tier2 Support | Do not use - not intended for general use. | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 |
| Password Administrator | Can reset passwords for non-administrators and Password Administrators. | 966707d0-3269-4727-9be2-8c3a10f19b9d |
| Permissions Management Administrator | Manage all aspects of Entra Permissions Management. | af78dc32-cf4d-46f9-ba4e-4428526346b5 |
| Power BI Administrator | Can manage all aspects of the Power BI product. | a9ea8996-122f-4c74-9520-8edcd192826c |
| Power Platform Administrator | Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. | 11648597-926c-4cf3-9c36-bcebb0ba8dcc |
| Printer Administrator | Can manage all aspects of printers and printer connectors. | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f |
| Printer Technician | Can register and unregister printers and update printer status. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 |
| Privileged Authentication Administrator | Can access to view, set and reset authentication method information for any user (admin or non-admin). | 7be44c8a-adaf-4e2a-84d6-ab2649e08a13 |
| Privileged Role Administrator | Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. | e8611ab8-c189-46e8-94e1-60213ab1f814 |
| Reports Reader | Can read sign-in and audit reports. | 4a5d8f65-41da-4de4-8968-e035b65339cf |
| Search Administrator | Can create and manage all aspects of Microsoft Search settings. | 0964bb5e-9bdb-4d7b-ac29-58e794862a40 |
| Search Editor | Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. | 8835291a-918c-4fd7-a9ce-faa49f0cf7d9 |
| Security Administrator | Can read security information and reports, and manage configuration in Azure AD and Office 365. | 194ae4cb-b126-40b2-bd5b-6091b380977d |
| Security Operator | Creates and manages security events. | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f |
| Security Reader | Can read security information and reports in Azure AD and Office 365. | 5d6b6bb7-de71-4623-b4af-96380a352509 |
| Service Support Administrator | Can read service health information and manage support tickets. | f023fd81-a637-4b56-95fd-791ac0226033 |
| SharePoint Administrator | Can manage all aspects of the SharePoint service. | f28a1f50-f6e7-4571-818b-6a12f2af6b6c |
| Skype for Business Administrator | Can manage all aspects of the Skype for Business product. | 75941009-915a-4869-abe7-691bff18279e |
| Teams Administrator | Can manage the Microsoft Teams service. | 69091246-20e8-4a56-aa4d-066075b2a7a8 |
| Teams Communications Administrator | Can manage calling and meetings features within the Microsoft Teams service. | baf37b3a-610e-45da-9e62-d9d1e5e8914b |
| Teams Communications Support Engineer | Can troubleshoot communications issues within Teams using advanced tools. | f70938a0-fc10-4177-9e90-2178f8765737 |
| Teams Communications Support Specialist | Can troubleshoot communications issues within Teams using basic tools. | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 |
| Teams Devices Administrator | Can perform management related tasks on Teams certified devices. | 3d762c5a-1b6c-493f-843e-55a3b42923d4 |
| Usage Summary Reports Reader | Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. | 75934031-6c7e-415a-99d7-48dbd49e875e |
| User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. | fe930be7-5e62-47db-91af-98c3a49a38b1 |
| Virtual Visits Administrator | Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app. | e300d9e7-4a2b-4295-9eff-f1c78b36cc98 |
| Windows 365 Administrator | Can provision and manage all aspects of Cloud PCs. | 11451d60-acb2-45eb-a7d6-43d0f0125c13 |
| Windows Update Deployment Administrator | Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | 32696413-001a-46ae-978c-ce0f6b3620d2 |
| Yammer Administrator | Manage all aspects of the Yammer service. | 810a2642-a034-447f-a5e8-41beaa378541 |
1. Under Access controls > Grant, select Grant access, Require multi-factor authentication, and select Select. 2. Confirm your settings and set Enable policy to On. 3. Select Create to create to enable your policy. Sign-in frequency Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource.
The following steps will help create a Conditional Access policy to require all users do multifactor authentication.
After confirming your settings using report-only mode, an administrator can move the Enable policy toggle from Report-only to On.
Organizations may choose to incorporate known network locations known as Named locations to their Conditional Access policies. These named locations may include trusted IPv4 networks like those for a main office location. For more information about configuring named locations, see the article What is the location condition in Azure Active Directory Conditional Access?
In the example policy above, an organization may choose to not require multifactor authentication if accessing a cloud app from their corporate network. In this case they could add the following configuration to the policy:
https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units
Here are some of the constraints for administrative units.
Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but not the members of the group. In other words, an administrator scoped to the administrative unit can manage properties of the group, such as group name or membership, but they cannot manage properties of the users or devices within that group (unless those users and devices are separately added as members of the administrative unit).
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
Conditional Access Administrator
- Does not have access to Identity Protection | User risk policy
- Does not have "Grants access to Risky Users Report"
Authentication Administrator
- Does not have access to Identity Protection | User risk policy
- Does not have "Grants access to Risky Users Report"
Security Administrator
- Has update access to Identity Protection | User risk policy
microsoft.directory/identityProtection/allProperties/update = Update all resources in Azure AD Identity Protection
- Grants access to Risky Users Report
Security Operator
- Has only read access to Identity Protection | User risk policy
microsoft.directory/identityProtection/allProperties/allTasks = Create and delete all resources, and read and update standard properties in Azure AD Identity Protection
- Grants access to Risky Users Report
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#block-and-unblock-users%20with%20Fraud%20alert
MFA>settings>Fraud Alert>allow>autoblock>on>save
Publish App. Create a conditional access policy that has session controls configured.
From MCAS modify the Connected apps settings, From MCAS create a session policy
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-blocking-data-downloads-via-microsoft-cloud-app/ba-p/326357
Standard B1s (1 vcpu, 1 GiB memory) is ok for Azure OPenVPN with 2 clients
Users often create passwords that use common local words such as a school, sports team, or famous person. These passwords are easy to guess, and weak against dictionary-based attacks. To enforce strong passwords in your organization, Azure Active Directory (Azure AD) Password Protection provides a global and custom banned password list. A password change request fails if there's a match in these banned password list.
To protect your on-premises Active Directory Domain Services (AD DS) environment, you can install and configure Azure AD Password Protection to work with your on-prem DC. This article shows you how to install and register the Azure AD Password Protection proxy service and Azure AD Password Protection DC agent in your on-premises environment.
NPS (Network Policy and Access Service) is like a middle man between the VPN client and Azure MFA. The NPS role is installed on a domain-joined server or the domain controller and is configured to authenticate and authorize RADIUS requests from the VPN client.
To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols including legacy authentication. However, legacy authentication doesn't support things like multifactor authentication (MFA). MFA is a common requirement to improve security posture in organizations.
Before you can block legacy authentication in your directory, you need to first understand if your users have clients that use legacy authentication. Below, you'll find useful information to identify and triage where clients are using legacy authentication.
You need to disable Security defaults to enable Conditional access policies
Currently supported risk detections are Sign-in risk detections: Activity from anonymous IP address Additional risk detected Admin confirmed user compromised Anomalous Token Anonymous IP address Atypical travel Azure AD threat intelligence Impossible travel Malicious IP address Malware linked IP address Mass Access to Sensitive Files New country Password spray Suspicious browser Suspicious inbox forwarding Suspicious inbox manipulation rules Token Issuer Anomaly Unfamiliar sign-in properties User risk detections: Additional risk detected Anomalous user activity Azure AD threat intelligence Leaked credentials Possible attempt to access Primary Refresh Token (PRT)
=====================
A user risk policy -
User-linked detections include:
Leaked
credentials: This risk detection type indicates that the user's valid
credentials have been leaked. When cybercriminals compromise valid
passwords of legitimate users, they often share those credentials.
User risk policy.
Identity
Protection can calculate what it believes is normal for a user's
behavior and use that to base decisions for their risk. User risk is a
calculation of probability that an identity has been compromised.
A sign-in risk policy -
Suspicious browser: Suspicious browser detection indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.
You can gradually roll out Seamless SSO to your users using the instructions provided below. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory:
https://autologon.microsoftazuread-sso.comUser principal name,
Initial password
Name [displayName] Required
userPrincipalName, passwordProfile, and accountEnabled
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/identity-providers
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/self-service-sign-up-overview
purview meaning the scope of the influence or concerns of something.
the good thing is free in life .... the OpenVpn server is free for two licenses
it uses tcp 443
udp 1194
fix android phone openvpn connection problem with OPenVPN server on Azure
the default connection profile keeps connecting to private local address
I have to manually set the ip address as public ip address, how stupid that is ...
so it turned out not an ISP issue
OpenVpn does not seems to care about 2 clients connecting to server via the same ip address, I tested with 2 android phones, all good
could not download apps, stuck forever on my old mi-max, google store .... turns out the google store app to outdared, install new version all good
here is a very good write-up
https://build5nines.com/easy-to-use-vpn-openvpn-in-azure/
Add a user:
Sign in to the Admin Web UI.
Click User Management > User Permissions.
Enter a desired username for the new account in the New Username field.
Configure the settings for the new user using the checkboxes: ...
Configure a user authentication method: ...
Add a password for the user profile:
您好~您已经进入人工客服喽~
小琪
小可爱您好呀~我是小米游戏客服小琪~请问有什么可以帮到您的~
你好! 米柚手游模拟器 哪里能下载?
可以给一个链接吗?谢谢!
小琪
① 雷电模拟器链接http://f1.g.mi.com/download/Wali/173c74a7bedcc4f6bdaffb689bf64b8987a406b16/%E9%9B%B7%E7%94%B5_xiao_3.65.exe
小琪
1.下载安装模拟器,
① 雷电模拟器链接http://f1.g.mi.com/download/Wali/173c74a7bedcc4f6bdaffb689bf64b8987a406b16/%E9%9B%B7%E7%94%B5_xiao_3.65.exe
② 网易MUMU模拟器:
http://mumu.163.com/
2.通过模拟器内置浏览器搜索并下载“小米游戏中心”以及游戏服务插件,下载游戏服务:https://f1.g.mi.com/download/Wali/17036931eaca14d9a9d17ad6cb2155d93e6fe7fb9/Service-7.8.1.apk
3.通过小米游戏中心再下载相应游戏即可。
ARM64 based VM currently not available in Australia southeast
All objects that you want to synchronize must be direct members of the group. Users, groups, contacts, and computers or devices must all be direct members. Nested group membership isn't resolved. **When you add a group as a member, only the group itself is added. Its members aren't added.**"
Azure Active Directory (Azure AD) External Identities pricing is based on monthly active users (MAU), which is the count of unique users with authentication activity within a calendar month. This billing model applies to both Azure AD guest user collaboration (B2B) and
Link your Azure AD tenant to a subscription
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-membership-azure-portal
We don't currently support:
DO NOT support the FOLLOWING:
Adding groups to a group synced with on-premises Active Directory.
Adding Security groups to Microsoft 365 groups.
Adding Microsoft 365 groups to Security groups or other Microsoft 365 groups.
Assigning apps to nested groups.
Applying licenses to nested groups.
Adding distribution groups in nesting scenarios.
Adding security groups as members of mail-enabled security groups
Pass-through Authentication signs users in by validating their passwords directly against on-premises Active Directory.
Pass-through Authentication enforces the on-premises account policy at the time of sign-in. For example, access is denied when an on-premises user’s account state is disabled, locked out, or their password expires or the logon attempt falls outside the hours when the user is allowed to sign in
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-admin-takeover
self - sign up
login to admin center
ack message
add txt record
https://learn.microsoft.com/en-us/answers/questions/753078/nested-microsoft-365-groups.html
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode#when-does-a-guest-user-get-a-one-time-passcode "When the email one-time passcode feature is enabled, newly invited users who meet certain conditions will use one-time passcode authentication. Guest users who redeemed an invitation before email one-time passcode was enabled will continue to use their same authentication method."
allow users to perform self-service sign-up, but only if those users already have an account in Azure AD (in other words, users who would need an email-verified account to be created first cannot perform self-service sign-up):
Only M365 groups that have the "SecurityEnabled" attribute set to True can have licences assigned to them
You can even create a dynamic device security group and assign licences to it,
unerupted tooth ~~ Embedded teeth are those that have failed to erupt and remain completely or partially covered by bone or soft tissue or both.
unerupted tooth ~~~ 未萌出的牙齿
UN-ERUPTED OR IMPACTED TEETH
granuloma is a small area of inflammation
posterior buccal sulcus 后部 颊 沟
tender In medicine, tenderness is pain or discomfort when an affected area is touched.
mucosa The moist, inner lining of some organs and body cavities
canine a pointed tooth between the incisors and premolars of a mammal,
periapical Periapical X-rays show the whole tooth — from the crown, to beyond the root where the tooth attaches into the jaw.
bony cortex is the dense outer surface of bone that forms a protective layer around the internal cavity
helper generate code in his zoho console
use a browser
how to join zoho assist remote session
enter the session number
enter your name ( or any name)
follow the screen promp to install app
tap / click install app
tap / click -- open
you may be in a store, click get
click install
click open
enter email as ID
click done
click away security / privacy prompt
enter session key again
click broadcast
click allow
allow remote access
Microsoft work/school account and Microsoft personal account usernames can be the same
passwds can be different
Matthews mixed those up, once sort out the correct username for the passwd, all good
google displayed soft-porn on my blog page yesterday ////
Note: Quick Assist only works if you are remotely connecting from a Windows 10 computer to another Windows 10 computer.
Quick Assist was created as a Windows-to-Windows support application. It only works when connecting from one Windows 10/11 computer to another Windows 10/11 computer remotely.
Pith, or medulla, is a tissue in the stems of vascular plants.
Fruit pulp is the most basic product created by the processing of fresh fruit.
rind 果皮
A Follow Me printer is a network print queue set up on the print system server that does not automatically route pages to a specific printer.
MECM stands for "Microsoft Endpoint Configuration Manager",
UniFI network application ~~~ Do you want to upgrade UniFi 7.2.94 to 7.2.95 ? yes
Update UAP-AC-LR? Are you sure you want to update UAP-AC-LR from 6.2.39.14077 to 6.2.44.14098? yes
Teams IP Phone Device logs ~~~ can be collected from The Teams Admin Center
A Microsoft Teams Rooms Standard license includes the Teams Phone license required to use the device with Calling Plans or Direct Routing.
The firmware can't be reverted using the Teams Admin Center and a factory reset of the device will revert the firmware to the version that the device was shipped with, or updated to using the vendor's own update procedures.
about 1 month ago, my test server suddenly become unresponsive
and I found out I could not start additional VMs
then I realized the server memory dropped from 8GB to 6GB
tonight, I pull the test server apart, pull out memory modules, and re-arranged all those mem sticks
and get my 8GB ram back
Use the Set-CsPhoneNumberAssignment cmdlet to assign a telephone number to the user.
A Microsoft 365 E5 or Office 365 E5 SKU including Teams Phone licenses, or individual add-on licenses provide can be used to apply the above licenses. Calling Plan functionality isn't required to use Direct Routing.
A dial plan is a named set of normalization rules that translate dialed phone numbers by an individual user into an alternate format (typically E.164) for purposes of call authorization and voice routing. They describe how phone numbers expressed in various formats are translated to an alternate format.
Teams Cloud Voicemail recordings
Voicemail messages can be delivered to Exchange Online and Exchange server mailboxes.
policy-based compliance recording
Compliance recording can be configured to capture audio, video, screen share, and chat.
PSTN numbers for Contact Center Solutions
API-based solutions can leverage Calling plan number and Direct Routing numbers, and Direct Routing integrated solutions can leverage phone numbers direct from the contact center.
your eyes can only see what your brain knows.” Knowledge is power.
Voice routing helps you dictate how calls are routed through your SBC or multiple SBCs.
Microsoft Teams : represent caller numbers and caller IDs
The E.164 is an international standard used by Microsoft Teams and Teams Phone.
Survivable Branch Appliance
use the New-CSTeamsSurvivableBranchAppliance PowerShell command.
Direct Routing is a way to provide a PSTN (Public Switched Telephone Network) connection to Microsoft Teams users so that they can make and receive external phone calls on Teams.
To decide if a direct route is required answer the following questions, if any are yes, Direct Routing is the right solution for you:
You want to use Teams with Teams Phone.
You need to retain your current PSTN carrier.
You want to mix routing, with some calls going through Calling Plan, some through your carrier.
You need to interoperate with third-party PBXs and/or equipment such as overhead pagers, analog devices, and so on.
