Cloudbrothers
Azure Attack Paths Posts Categories About me Talks english
Cloudbrothers
/images/avatar.png

Work and live with IT

/legacy-authentication-kontrolliert-abschalten-abschaltung/images/CAPolicyBlockLegacyAuth.png

Phase out Legacy Authentication - Endgame

Fabian Bader published on  included in Microsoft 365 Security Azure AD Entra ID Identity and Access Conditional Access KQL

Blog series

This is the last part of the series on “Phase out Legacy Authentication”.

  1. Preface
  2. Enable Modern Authentication
  3. Create prerequisites
  4. Gain insights
  5. The first 90%
  6. The next 9%
  7. Endgame

A lot of work lies behind you when you arrive here. Starting with the necessary preliminary work, the required changes, through reporting and maintaining exception lists.

But the biggest hurdle for the next step was definitely the last 9%. Finding and removing every exception is time-consuming and tedious. Depending on the environment, this last step can take anywhere from a few days to half a year.

Read More
/legacy-authentication-kontrolliert-abschalten-die-naechsten-9-prozent/images/Preview.png

Phase out Legacy Authentication - The next 9%

Fabian Bader published on  included in Microsoft 365 Security Azure AD Entra ID Identity and Access Conditional Access KQL

Blog series

This is part three of the six-part series on “Phase out Legacy Authentication”.

  1. Preface
  2. Enable Modern Authentication
  3. Create prerequisites
  4. Gain insights
  5. The first 90%
  6. The next 9%
  7. Endgame

Recap

Having disabled the majority of users who do not use Legacy Authentication in the last article, it is now time to use the methods outlined in part three to identify the user groups that are still affected.

This data will be used to create an action plan for the deactivation of Legacy Authentication for these user groups. Additionally, the data will be used to transition the Conditional Access Policy “Temporary Policy: Block legacy authentication rollout” to Phase 2.

Read More
/intune-scep-profil-hangt-im-status-pending/images/Preview.png

The case of the... Intune SCEP Profil hangs in pending state

Fabian Bader published on  included in Intune The Case of The PKI
The case of the...

In this category I publish blog post explaining a problem and the solution but more important the analysis that lead to the root cause.

The name is a homage to “The Case of the Unexplained” from Mark Russinovich.

The error

Quote
Trust of the root CA is best established by deploying a trusted certificate profile to the same group that receives the SCEP certificate profile. […] To use a SCEP certificate profile, a device must have also received the trusted certificate profile that provisions it with your Trusted Root CA certificate.

These two sentences in the Intune documentation are very important when you want to deploy a SCEP profile.
If you do not follow them exactly, the following phenomenon will occur.

Read More
/legacy-authentication-kontrolliert-abschalten-die-ersten-90-prozent/images/Preview.png

Phase out Legacy Authentication - The first 90%

Fabian Bader published on  included in Microsoft 365 Security Azure AD Entra ID Identity and Access Conditional Access KQL

Blog series

This is part three of the six-part series on “Phase out Legacy Authentication”.

  1. Preface
  2. Enable Modern Authentication
  3. Create prerequisites
  4. Gain insights
  5. The first 90%
  6. The next 9%
  7. Endgame

Recap

The first three parts of the series set the stage (1/2) for the deactivation and used Entra ID (Azure AD) workbooks and Kusto queries to identify the first usergroup.

Add AAD group members

To go straight ahead, the Entra ID (Azure AD) group CAPolicy-Include-Block-Legacy-Authentication must be populated with the users from the last query. / This prevents these users from beginning to use legacy authentication protocols in the next few weeks.

Read More
/legacy-authentication-kontrolliert-abschalten-einblicke-gewinnen/images/Preview.png

Phase out Legacy Authentication - Gain insights

Fabian Bader published on  included in Microsoft 365 Security Azure AD Entra ID Identity and Access Conditional Access KQL

Blog series

This is part three of the six-part series on “Phase out Legacy Authentication”.

  1. Preface
  2. Enable Modern Authentication
  3. Create prerequisites
  4. Gain insights
  5. The first 90%
  6. The next 9%
  7. Endgame

Recap

In the first part, Modern Authentication was enabled and in the second part, the prerequisites were created to create detailed reports and to disable Legacy Authentication for individual users.

Conditional Access policy logic

To better understand how it is possible to block individual users, let’s take a look at the Conditional Access Policies created and the login associated with them.

Read More
/legacy-authentication-kontrolliert-abschalten-voraussetzungen-schaffen/images/AzurePortalCreateLogAnalytics.png

Phase out Legacy Authentication - Create prerequisites

Fabian Bader published on  included in Microsoft 365 Security Azure AD Entra ID Identity and Access Conditional Access

Blog series

This is part three of the six-part series on “Phase out Legacy Authentication”.

  1. Preface
  2. Enable Modern Authentication
  3. Create prerequisites
  4. Gain insights
  5. The first 90%
  6. The next 9%
  7. Endgame

Recap

In the first part of the series, Modern Authentication was enabled for all Microsoft 365 services and can now be used.

This part is about creating the prerequisites to gain a detailed insight into the usage of the different authentication methods and to make it possible to disable legacy authentication per user.

Read More