Replies

Ha! No, I don’t think telling the details of *any* admin duties other than adding and deleting users on any platform to a board would be a fruitful conversation.

Understood. I don’t doubt that what you said was true. It’s just odd that I’ve never seen MFA forced using Authenticator rather than it just be a choice for the user. If I remember right, it could be that it’s recommended at setup so the user thinks, “oh sure, why not!”

Anyway best of luck!

8string (mandolin)

1 user thanked author for this post.

KeithC

Hi Keith. I might be misunderstanding you, (posting is so inadequate a communication channel…). I have installed over 100 MFA clients in the last year, and none of them start by needing Authenticator. I suppose if you mean that you choose to use Authenticator when you first log in and then find you aren’t already setup with Authenticator that you would be correct, you would need to get an admin involved. But there is no forcing of anyone to use Authenticator. The majority of my clients use txt messaging on a phone. I might be the only one using authenticator out of those 100. But maybe something changed in the last few days. I just setup a couple of people the other day.

Yes, while technically we might win a legal battle over this issue with a pissed off client, I choose to avoid it altogether to avoid paying a lawyer to find out who is right. If it wasn’t clearly documented in advance they could claim they hired you as a ‘security expert’ to give them the right advice. I build the phrase into my contracts. I have only had to turn down one client so far. All of my clients had their email hacked before I arrived, none have since MFA. It works, as we both know! Thanks for your articles. I always read them.

Will. A couple of things:

1. I do not do consulting work anymore for any client that refuses to do MFA. It’s a condition of my work. Why? I could be liable as a consultant. It’s easier to say, “Your bank makes you do it, and so do I. It’s your data but my liability.” See more on this at the bottom of this thread below.
2. Your issues with the Microsoft personal account being different MFA settings are valid, but to be clear, there is a very clear screen in the Microsoft Consumer account settings. It seems to me, as a home admin as well, to be quite easy to use.
   1. 
3. In the business admin settings I don’t see what you see in User admin settings. This is the Admin screen as it looks to me. MFA is SECOND in the listing.

Screen 1

Also, I do not have to use MFA to log into outlook every time I use it. It remembers the credentials. I only do it the first time. BUT the Admin can make the MFA credentials need revalidation on the timeframe of their choice. Look at the AD admin panel for that.

Next: Here is the next screen I see, cut down to the key elements: enforced or not and managing settings.

Screen 2

and you then have these choices:

Screen 3

This is what you can do from the USER ADMIN screens.

If I login into Azure AD  User settings I see these options.

This takes you to the same (?) page you would get into in the second screen above.

If I Don’t go to that screen I can click on any user and get their Profile Page (too complex to show here).

But: down that screen is a choice on Authentication Methods

And once there, you can have the user re-register. You don’t have to wade through all this to re-register, just login as admin, go to the Azure AD admin panel, go to users and change these settings to re-register the person. You can also turn MFA on and off there. Not that hard for an admin.

As to your Security Defaults issue. Here’s MSFT official docs. I agree that your client might not want to do MFA, but remind them of the following from below:

More than 99.9% of these identity-related attacks are stopped by using multi-factor authentication (MFA) and blocking legacy authentication.

Microsoft is making security defaults available to everyone, because managing security can be difficult. Identity-related attacks like password spray, replay, and phishing are common in today’s environment. More than 99.9% of these identity-related attacks are stopped by using multi-factor authentication (MFA) and blocking legacy authentication. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

Security defaults make it easier to help protect your organization from these identity-related attacks with preconfigured security settings:

• Requiring all users to register for Azure AD Multi-Factor Authentication.
• Requiring administrators to do multi-factor authentication.
• Requiring users to do multi-factor authentication when necessary.
• Blocking legacy authentication protocols.
• Protecting privileged activities like access to the Azure portal.

 

1 user thanked author for this post.

Will Fastie

I have one client who was using GoDaddy before I took over the account. I also have many accounts hosted through Microsoft themselves. I can catagorically state that GoDaddy does not have 3rd tier tech support for Office 365. Their techs are only level 2 at best. It is the worst tech support I’ve encountered and if it wasn’t for the fact that it would be much too hard to move the Office 365 account and SharePoint environments entirely I would do it tomorrow.  I have never encountered a worse system for administrating Office 365. I have hosted with HostPapa and been very happy with their tech support. They do not offer MFA for their logins though and I have told them that I might move my hosting if they don’t implement it. I can’t trust a hosting company that doesn’t offer it.

2 users thanked author for this post.

WSGeo, Travasaurus

Is it indexing or can you really not find any messages after that date? Are they in your inbox but not found by search?

Maybe I don’t understand Will. If I need a desktop box, which is what you are building, I would simply buy a Dell or Lenovo or HP with a small hard drive and as little RAM as possible and a legal copy of W11, and then do what you are doing to upgrade it. Why wouldn’t that work? Here’s an example of a $1800 Dell XPS just screen shot today. Including DVD

I owned an iWatch for about a year. Too Large. Too clunky. Hated recharging it nightly. Switched to a simple Fitbit. Love it. Only take it off once a week to recharge it. Recharges in less than an hour. Shows me who’s calling on my iPhone. Doesn’t answer the phone though. I did like that on the iWatch when I was on my bike. But hell, I can stop on my bike and answer the damn phone. I’m not that busy.

Just as a random thought: My wife switched to the iPhone from using Android phones for years. Why? One reason alone, FaceTime. Her daughter and many work associates rely on it frequently. What is her take on the iphone? “If it wasn’t for Facetime I would go back to the Android tomorrow.”

She hates the battery life, she hates the confusion of where things are at on the menus, she just doesn’t like it at all. Her daughter, a 30 something, refuses to use Skype, which is what my wife is familiar with.

Anyway, I’ve been using iphones for about a decade, and have no intention of going to Android. I’ve helped many Android users and it seems a much more confusing set of interfaces than the iPhone. Yes, the typing on Android is better. I agree with that. So is the voice recognition. But I don’t want to monetize everything I do on a phone, which I’m sure that Google is doing to all Android phone users.

I like you have been around the block building my own computers as well as buying them off the shelf from major manufacturers. After reading your adventures with opal, I don’t think I’ll be ever be building a machine again. Since I can buy basic high performance empty cases with motherboards supported by a number manufacturers and then configure them afterwards I’ll rely on them to do the work for the BIOS  updates etc. Good luck!

2 users thanked author for this post.

Will Fastie, Lars220

Oscar, I am not arguing that one software style is better than the other, but that there has been a haughty attitude for over 20 years that an imagined security review by “everyone” is better than a real one by “someone.”  As we all know now, and this clearly shows, that there is no totally secure software, just various degrees on the spectrum. So maybe we can lay to rest that old saying and get down to the business of securing all software. Some metric perhaps would be a good starting point, as there seems to be none at the moment, or am I missing it?

1 user thanked author for this post.

wavy

Hey, wait a minute! I’ve been hearing for over 20 years that “many eyes make all bugs shallow”!  The next idiot saying this to me will be laughed out of the room. sigh.

1 user thanked author for this post.

Alex5723

I have been supporting OneDrive on many machines for a number of years. The product is buggy (often stops working for reasons that not even MSFT tech support, which I call frequently on issues related to OneDrive, do not understand nor can offer technical guidance other than “reboot”).  The product is poorly documented. Given that it’s the only way to connect to SharePoint to sync using File Explorer and that millions of users rely on it for that reason, it’s really a candidate for one of MSFT’s worse products in years. If I had another product to turn to, I would.  I’m also wondering if most people who use it know that when you copy thousands of files in a folder on SharePoint to another location on SP, that the files are first copied to your local machine, then transferred to the new location and then erased off your machine. That coming to me from MSFT tech support directly when I wondered why it was taking days to copy a couple of thousand files. MSFT tech support *instructed* me to do it two different ways, both of which took days to complete.

However, I understand MSFT not wanting to continue to support Windows 7 or 8 for consumers. The last purchase any consumer could have made of those OS’s was likely almost a  decade ago.   Corporate users have many reasons to stay put and pay MSFT for staffing support people on their behalf. I worked for a while helping out a paper factory move to Windows 10. They had 100s of machines that needed to be useable when the internet was down due to weather. We all know that consumers are rarely willing to pay anything extra at all for software no matter how valuable it may be to their daily lives.

 

Fred, I work with OneDrive and SharePoint for a number of customers and consider myself pretty competent at consulting on them. I have a bit of disagreement with your thoughts on “always keeping all copies on local machines” choice in OneDrive. Why? Two reasons:

 

• If the client has a 128 or 256 (or eve 512GB!) SSD or hard drive, space can be at a premium. If they don’t have an easy way to upgrade to a larger drive then keeping things only that are used on the local drive is appropriate. Letting One Drive decide what to remove because it’s not being used is ok.
• Secondly, if the person is also connecting to SharePoint, there could be 10s of thousands of files, some huge, that should NOT be synced! Maybe this is self evident, but lots of clients are using SP these days.
• Lastly, I remind people that have a synchronized copy in the cloud is NOT the same as a backup! It is a copy, that is changed (including perhaps corrupted) and or can be accidentally deleted and lost by not discovering the deletion before MSFT permanently deletes it! So having backups is still worth doing if you really have a need to not lose something!
• Hope this helps.