Showing posts with label Azure AD.

Dec 8, 2022

Azure - Places to enable MFA - and special notes about Authentication App as a factor

There are multiple places where you can mandate MFA. Below is a list of them, with the advantages and disadvantages of each.

  • Conditional Access Policy

    This method focuses on "access control". It forces MFA based on certain conditions when a user accesses resources. Naturally, this fits cases where you want a higher level of assurance when certain resources are accessed.

  • Identity Protection\MFA registration policy

    This policy forces users to register for MFA; it does not define when MFA is used.

  • Sign-in risk policy

    Forces the user to use MFA based on detected risk. What counts as "risky" is determined by a Microsoft algorithm that is not disclosed; factors include unusual logon behavior, unusual location, etc.

  • Security Default

    This is a heavy-handed approach. "Security Defaults" enforces a set of best practices tenant-wide, along with an MFA requirement.

Places where you define which factors are offered to users for registration, and how each factor should behave:
  • Legacy
    • AAD | Security | Multifactor authentication | Additional cloud-based MFA settings
    • AAD | Password Reset | SSPR policy (if used, applies only to SSPR)
  • New
    • AAD | Security | Authentication methods (how each factor should behave)
Besides the above 4 approaches to requiring MFA, it can also be enabled on a per-user basis in the AAD portal. To improve the Authenticator registration rate among users, you can create a registration campaign under "Security | Authentication methods | Registration campaign".

Special notes about registering Authenticator App as a factor:

When doing per-user registration, other factors (SMS, voice call) can be assigned to users in the AAD portal, but the Authenticator App can only be registered by the user themselves in the "My Account" portal.

Oct 21, 2022

Sync custom AD attributes to AAD and other ways to have custom attributes

Custom attributes from on-prem AD (added by extending the schema) can be synced to AAD:


Azure AD Connect sync: Directory extensions - Microsoft Entra | Microsoft Learn

How to sync Custom Active Directory Attributes to Azure AD? (rebeladmin.com)

Synced attributes can be retrieved through a pre-built app called "Tenant Schema Extension App".


This is not the same as "External Identities | Custom attributes" or "B2C | User attributes", but they use the same mechanism behind the scenes.

In fact, using the same mechanism, you can "extend" AAD with custom attributes yourself, without the help of ADC, External Identities or B2C.

Azure AD Graph API Directory Schema Extensions | Microsoft Learn

Please note that this is not a true extension of the AAD schema (MS won't allow that), but a clever way of using an app registration to store such "extended attributes".
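As an added example (not code from the original post), the following PowerShell shows the app-backed mechanism end to end through Microsoft Graph: an app registration owns the extension definition, the attribute name is derived from that app's appId, and the value is then written to and read back from a user. It assumes the Microsoft.Graph PowerShell SDK is installed; the app name, attribute name, user id and value are placeholders.

```powershell
# Added example: define an app-backed directory extension attribute in Azure AD
# and set it on a user. Requires the Microsoft.Graph PowerShell SDK and a caller
# with Application.ReadWrite.All and User.ReadWrite.All. Names/ids are placeholders.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "User.ReadWrite.All"

# 1. The extension is owned by an app registration. This is why the attribute is
#    prefixed with the app's (dash-less) appId rather than being a real schema field.
$app = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/applications" `
    -Body @{ displayName = "Directory Extension Holder" }   # placeholder display name
$appObjectId   = $app.id
$appIdNoDashes = $app.appId -replace "-", ""

# 2. Define the extension property on that app. Graph names it
#    extension_<appIdNoDashes>_<name>; targetObjects limits which object types may carry it.
$ext = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/applications/$appObjectId/extensionProperties" `
    -Body @{ name = "costCenter"; dataType = "String"; targetObjects = @("User") }
$attrName = $ext.name
if ($attrName -ne "extension_${appIdNoDashes}_costCenter") {
    throw "Unexpected extension attribute name: $attrName"
}

# 3. Write a value on a user (placeholder UPN). The attribute is addressed by its full name.
$userId = "user@contoso.example"
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$userId" `
    -Body @{ $attrName = "CC-1234" }

# 4. Read it back. Extension attributes are not returned by default and must be $select-ed.
$user = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/${userId}?`$select=id,displayName,$attrName"
"{0} -> {1} = {2}" -f $user.displayName, $attrName, $user[$attrName]
```

Because the definition lives on the app registration, deleting that app removes the extension property and every value stored under it, and anyone who can modify the app's extension properties controls the attribute, so the app should be owned and protected like any other privileged object.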

This is also different from "custom security attributes". It is unclear whether "custom security attributes" use the same technique (likely not).

Other reads/Best summary:

Custom security attributes in Azure AD part 1: a trip down memory lane | Blog (michev.info)


See also the specific case of syncing on-premises AD extended attributes to AAD (an extended attribute in this context is any attribute that is not included by default by the ADC engine):

Sync additional attributes from on-prem AD to AAD