What's New in Entra ID for February 2024

Microsoft Entra ID

Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for February 2024:

What's Planned

Microsoft Entra ID Protection: "Low" risk age out Planned

Service category: Identity Protection
Product capability: Identity Security & Protection

Starting March 31st, 2024, all low risk detections and users in Microsoft Entra ID Protection that are older than 6 months will be automatically aged out and dismissed. This allows organizations to focus on more relevant risks and provides a cleaner investigation environment.

What's Deprecated

Windows Azure Active Directory Connector for Forefront Identity Manager Deprecated

Service category: Microsoft Identity Manager
Product capability: Inbound to Microsoft Entra ID

The Windows Azure Active Directory Connector for Forefront Identity Manager (FIM WAAD Connector) from 2014 was deprecated in 2021. The standard support for this connector ends in April 2024. Organizations should remove this connector from their Microsoft Identity Manager (MIM) sync deployment, and instead use an alternative provisioning mechanism.

What's New

Granular filtering of Conditional Access policy list General Availability

Service category: Conditional Access
Product capability: Access Control

Conditional Access policies can now be filtered on actor, target resources, conditions, grant control and session control. The granular filtering experience helps admins quickly discover policies containing specific configurations.

Microsoft Entra ID Protection: New premium user risk detection; Suspicious API Traffic General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

Microsoft has released a new premium user risk detection in Identity Protection called Suspicious API Traffic. This detection is reported when Identity Protection detects anomalous Graph traffic by a user. Suspicious API traffic might suggest that a user account is compromised and abused to conduct reconnaissance in the environment.

Identity Protection and Risk Remediation on the Azure Mobile App General Availability

Service category: Identity Protection
Product capability: Identity Security & Protection

Previously supported only in the portal, Identity Protection is a powerful tool that empowers admins to proactively manage identity risks. Now available in the Azure Mobile app, admins can respond to potential threats with ease and efficiency. This feature includes comprehensive reporting, offering insights into risky behaviors such as compromised user accounts and suspicious sign-ins.

  • The Risky users report provides visibility into accounts flagged as compromised or vulnerable. Actions such as blocking/unblocking sign-ins, confirming the legitimacy of compromises, or resetting passwords are conveniently accessible, ensuring timely risk mitigation.
  • The Risky sign-ins report provides a detailed overview of suspicious sign-in activities, aiding admins in identifying potential security breaches. While capabilities on mobile are limited to viewing sign-in details, admins can take necessary actions through the portal, such as blocking sign-ins. Alternatively, admins can choose to manage the corresponding risky user's account until all risks are mitigated.

Stay ahead of identity risks effortlessly with Identity Protection on the Azure Mobile app. These capabilities are intended to provide users with the tools to maintain a secure environment and peace of mind for their organization.

Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Entra App gallery with Provisioning support. Admins can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In February 2024, Microsoft has added the following new applications in the Entra App gallery with Federation support:

  1. Presswise
  2. Stonebranch Universal Automation Center (SaaS Cloud)
  3. ProductPlan
  4. Bigtincan for Outlook
  5. Blinktime
  6. Stargo
  7. Garage Hive BC v2
  8. Avochato
  9. Luscii
  10. LEVR
  11. XM Discover
  12. Sailsdock
  13. Mercado Eletronico SAML
  14. Moveworks
  15. Silbo
  16. Alation Data Catalog
  17. Papirfly SSO
  18. Secure Cloud User Integration
  19. AlbertStudio
  20. Automatic Email Manager
  21. Streamboxy
  22. NewHotel PMS
  23. Ving Room
  24. Trevanna Tracks
  25. Alteryx Server
  26. RICOH Smart Integration
  27. Genius
  28. Othership Workplace Scheduler
  29. GitHub Enterprise Managed User – ghe.com
  30. Thumb Technologies
  31. Freightender SSO for TRP (Tender Response Platform)
  32. BeWhere Portal (UPS Access)
  33. Flexiroute
  34. SEEDL
  35. Isolocity
  36. SpotDraft
  37. Blinq
  38. Cisco Phone OBTJ
  39. Applitools Eyes

What's Changed

Expansion of the Conditional Access re-authentication policy for additional scenarios Public Preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Re-authentication policies let admins require people in the organization to interactively provide their credentials again, typically before accessing critical applications and taking sensitive actions. Combined with the Conditional Access session control Sign-in frequency, admins can require re-authentication for users and sign-ins with risk, or for Intune enrollment. With this public preview, admins can now require re-authentication on any resource protected by Conditional Access.

I'm a 2024 Veeam Vanguard

Veeam Vanguard 2024

Today, I received an e-mail from Nikola Pejkova from Veeam congratulating me on being selected for the 2024 Veeam Vanguard Program as part of the Veeam100 family of programs.

For me, it means I successfully renewed my previous eight Veeam Vanguard Awards in this veeamazing program, dating back to 2016.

I feel honored.

Thank you! 🙏

About Veeam Vanguards

The Vanguard program is led by the Veeam Technical Product Marketing & Evangelism team and supported by the entire company. It’s a program around the community of Veeam experts that truly get Veeam’s message, understand Veeam’s products and are Veeam’s closest peers in IT.

Veeam Vanguards represent Veeam’s brand to the highest level in many of the different technology communities. These individuals are chosen for their acumen, engagement and style in their activities on and offline.

The full list of Veeam Vanguards will be available shortly here.

FURTHER READING

I'm a 2023 Veeam Vanguard
I’m a 2022 Veeam Vanguard
I’m a 2021 Veeam Vanguard
I’m a 2020 Veeam Vanguard
I am a 2019 Veeam Vanguard
I am a 2018 Veeam Vanguard
I am a 2017 Veeam Vanguard
I am a 2016 Veeam Vanguard

Entra Connect Sync v2.3.6.0 improves Automatic Upgrade eligibility detection

Entra Connect Sync v2.1.15.0 was the first v2.x version to be announced with Automatic Upgrade functionality, on July 6th, 2022. However, Microsoft's support life cycle for Windows Server Operating Systems and .NET Framework versions would sometimes stand in the way of these upgrades. Entra Connect Sync v2.3.6.0 now comes with improvements in this area.

What’s New

Entra Connect Sync v2.3.6.0 offers a bug fix.

Improved Automatic Upgrade eligibility detection

Starting with Entra Connect Sync v2.3.6.0, Entra Connect Sync's Automatic Upgrade functionality will no longer retry if it detects the host does not meet the Operating System (OS) or .NET Framework requirements.

While this improvement limits automatic upgrade attempts to supported configurations, it leaves Entra Connect Sync installations on unsupported hosts at outdated and possibly vulnerable versions. I bet that not every Identity admin experiences this as an improvement…

Version information

Version 2.3.6.0 of Entra Connect Sync (previously known as Azure AD Connect Sync) was made available for download only on February 21st, 2024.

You can download the latest version of Entra Connect Sync here.

Superseded versions

Past versions of Microsoft Entra Connect Sync 2.x are retired 12 months from the date they are superseded by a newer version. With Entra Connect Sync v2.3.6.0, Entra Connect Sync version 2.1.19.0 and versions before are retired (superseded by Entra Connect Sync v2.1.20.0 on November 9th, 2022).

If you run a retired version of Microsoft Entra Connect, it might unexpectedly stop working.

VMware's Enhanced Authentication Plug-in is deprecated and critically vulnerable – Remove it now (VMSA-2024-0003)

Critical Updates

Two critical vulnerabilities in the optional Enhanced Authentication Plug-in require the immediate removal of this software from admin workstations and management servers.

About VMware's Enhanced Authentication Plug-in

VMware's Enhanced Authentication Plug-in (EAP) is an optional piece of software that can be downloaded from VMware's download center and installed on admin workstations and management servers (client-side). The plug-in allows administrators to seamlessly sign in to vCenter Server using Windows Integrated Authentication and/or Windows-based smart cards.

The Enhanced Authentication Plug-in has been deprecated since the General Availability (GA) of vSphere 7.0. From vSphere 7.0u2 onward, VMware discontinued support for Windows Integrated Authentication, smart card support and RSA SecurID for vCenter Server. VMware advises Identity Federation to sign in to vCenter Server as an alternative to using the plug-in, providing connections to Active Directory Federation Services (ADFS), Okta and Microsoft Entra ID (formerly Azure AD).

The latest version of the plug-in is version 6.7.0.

About the vulnerabilities in the Plug-in

VMSA-2024-0003 reports two vulnerabilities in VMware's Enhanced Authentication Plug-in:

Arbitrary Authentication Relay Vulnerability

The VMware Enhanced Authentication Plug-in contains an Arbitrary Authentication Relay vulnerability, tracked as CVE-2024-22245. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3.1 base score of 9.6.

An adversary could trick a vSphere admin with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

Session Hijack Vulnerability

The VMware Enhanced Authentication Plug-in contains a Session Hijack vulnerability, tracked as CVE-2024-22250. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3.1 base score of 7.8.

An adversary with unprivileged local access to a Windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system.

Call to action

Remove the VMware Enhanced Authentication Plug-in by following the guidance in VMware KB96442.

Further reading

VMSA-2024-0003
VMSA-2024-0003: Questions & Answers
Removing the deprecated VMware Enhanced Authentication Plugin (EAP) to address CVE-2024-22245 and CVE-2024-22250 (96442)

I'm speaking at Netwrix Connect 2024

Netwrix Connect 2024, March 4-6 in Orlando Florida

Back in 2012, I had the pleasure of talking to the people at STEALTHbits. They offered great products that are of great use to Identity admins. Then, they got acquired by Netwrix – another vendor with great solutions, that I've often highlighted during webinars. Now, Netwrix is hosting their first in-person customer and partner event. They've asked me to present. 😊

About Netwrix

Netwrix empowers information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

About Netwrix Connect

Netwrix Connect is Netwrix' first and eagerly anticipated user and partner conference that takes place in March of 2024 in Orlando, Florida. The focus of this two-day event is providing deep technical training for Netwrix data security investments.

Attendees receive deep technical product training for Netwrix products, connect with like-minded peers, Netwrix executives and product experts, can earn CPE credits, can engage in roadmap discussions to influence the future of Netwrix, can receive official product certifications, and enjoy March's stunning Florida weather.

About my presentation

I'm presenting a 60-minute session with Tyler Reese, Director of Product Management at Netwrix, on:

Incorporating ITDR into Your Organization's SOC

Tuesday March 5th, 3 PM – 4 PM

Identity professionals have traditionally focused on compliance and governance activities, while leaving Security Operations to the Cyber security team to monitor the endpoint (EDR) and network (NDR), potentially missing Identity Threats. Cloud adoption has made identity a primary target for cyber security attacks, making it one of the key vectors of attack expansion after infiltration.

As a result, Identity professionals need to consider an Identity Threat Detection and Response (ITDR) program and how to integrate it into their organization’s larger Security Operations Center (SOC).

Tyler and I discuss the considerations that should be made when bringing on an ITDR program and how to incorporate it into an organization's larger SOC program. By doing so, you can ensure that your organization is well-protected against identity-based cyber threats.

Join us!

Join us at Orlando's Embassy Suites by Hilton for Netwrix Connect 2024. Register here.

We're presenting at 2024's first Workplace Ninjas Netherlands meetup

Workplace Ninjas Netherlands' first 2024 meetup

As the Dutch IT Bro's, Raymond Comvalius and I are in high demand with many events and communities to come present on identity, security, Windows and devices in our typically hilarious way. A couple of weeks ago, Raymond received a message from the Dutch Workplace Ninjas to come present at their first 2024 meetup on February 27th, 2024.

About Workplace Ninjas Netherlands

Workplace Ninjas Netherlands (WPNinjasNL) is a user group that was founded in February 2013 by IT Professionals with a passion for everything that has to do with managing Windows, but not limited to Windows. Their goal is to provide a platform for IT Professionals to share knowledge gained in the field and to share tips and tricks. They organize periodic physical meetups and virtual events, share blogs and share on other channels, too.

The Workplace Ninjas Netherlands were previously known as Windows Management User Group Netherlands (WMUGnl) and Raymond and I have presented with them under that name before.

About 2024's first WPNinjasNL meetup

2024's first in-person meetup of Workplace Ninjas Netherlands is sponsored by Pink Elephant and takes place at their offices in Naarden in the Netherlands on Tuesday February 27th, 2024.

As usual, the event is packed with content: 3 sessions. To accommodate this, Workplace Ninjas Netherlands opens the doors at Pink Elephant at 3:30 PM. Bob Cornelissen presents a 60-minute session on multi-cloud and hybrid monitoring with Azure Monitor, starting at 4 PM. At 5:05 PM, Remco Visser presents another 60-minute session on Microsoft Copilot for organizations and legal departments. At 6:05 PM, dinner and drinks are served.

About our session

Raymond and I will present a 60-minute session on:

Ali Baba and the Entra ID tokens: Script authentication with the Microsoft Graph

7 PM – 8 PM

As the AzureAD and MSOnline PowerShell modules get deprecated, we're adapting to accessing Entra ID using the Microsoft Graph. This session clarifies how to authenticate in new ways, focusing on App Registrations, Mg*-modules, tokens, and App Permissions. We'll debate the need for App Registrations, the advantages and drawbacks of secrets versus certificates or federated authentication, and the practicalities of these methods. Attendees learn about federated authentication's applicability, Mg*-modules' authentication compatibility, and the functionalities of access tokens.

We share our first-hand experiences in developing scripts for this new authentication framework. Join us to gain insights and practical skills for a smooth transition to scripting with the Microsoft Graph for Entra ID.

Join us!

After our session, drinks are served from 8 PM to 9 PM, so there really is no reason not to join us. 😉

Workplace Ninjas Netherlands meetups are free to attend, but all presentations are delivered in Dutch. Seats are limited, so sign up fast.

Pictures of the Inaugural Dutch Microsoft Entra Community meetup

Presenting on the basics (picture by Inspark)

On Thursday February 1st, 2024, I presented at the inaugural Dutch Microsoft Entra Community meetup at the Inspark offices in Amstelveen. Jan, Pim and Stefan invited me to speak in the second speaker slot of the first event they organized together in the context of this new community.

I arrived early, chatted with some of the attendees and enjoyed the Italian food that was served.

Food and Drinks (picture by Inspark)

Jan, Pim and Stefan kicked off the sold-out event with an introduction of the Dutch Microsoft Entra Community and an overview of Microsoft Entra. After their talk, Guus van Berge dove into Entra ID Governance and the many things you can do with the many features of this service to support the Identity and Access Management processes towards an organization's heterogeneous landscape of systems and applications.

Introduction by Jan (left), Stefan and Pim (right) (picture by Inspark)

Guus presenting (picture by Inspark)

After a short break, I presented on applying the security basics to Entra tenants to protect against 99.8% of attacks on this platform. With several demos I made clear where the specific toggles live in the Entra portal and with several anecdotes I provided background on how these toggles impact end-users.

Title slide (photo by Pim Jacobs)

Title Slide 'Entra ID: Just apply the basics, already!' (photo by Vincent Loen-Ajaiso)

Concluding the session (picture by Inspark)

After the presentation, I had some great conversations with attendees while we enjoyed the sponsored drinks. Being one of the last people to leave, I was home at 10:30 PM.

Thank you!

Thank you to Jan, Stefan and Pim from the Dutch Microsoft Entra Community for organizing a successful event and inviting me as a speaker, to all my community friends and, of course, to all the people attending, sitting in on the session and, of course, the people with whom I had interesting discussions.

What's New in Entra ID for January 2024

Microsoft Entra ID

Entra ID, previously known as Azure AD, is Microsoft's Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Entra ID and through the Microsoft 365 Message Center, Microsoft communicated the following planned, new and changed functionality for Entra ID for January 2024:

What's Planned

New Microsoft Teams-specific consent settings

Service category: User Access Management
Product capability: User Management

For Microsoft Entra and Microsoft Teams, we are introducing two new resource-specific consent settings (RSC) for teams and chats to enhance secure app adoption. These settings will affect Chat RSC and Team RSC for apps in Microsoft Teams. This update also empowers Teams-level admins to independently manage these settings. Existing Group owner consent settings and API and the existing Chat RSC API will be retired with this update.

Microsoft begins rolling out early March 2024 and expects to complete by mid-March 2024. This change is associated with MC712143 in the Message Center.

Removal of MFA text message delivery via WhatsApp in India

Service category: MFA
Product capability: User Authentication

Meta has announced that due to an updated regulation in India not allowing over-the-top (OTT) apps like WhatsApp to be used for business communication, they will block the ability to send authentication messages via WhatsApp to users in India starting March 1st, 2024.

Back in September 2023, Microsoft Entra began delivering one-time passcodes (OTP) for multi-factor authentication (MFA) via WhatsApp for some users in India, Indonesia and New Zealand. While data showed this improved authentication completion rates for users, to comply with Meta's update Microsoft will be removing support for WhatsApp in India by March 1st, 2024.

Starting mid-February 2024, users in India who've been receiving OTP messages via WhatsApp will start receiving them via SMS as they did before. This change is associated with MC710214 in the Message Center.

What's New

Microsoft Defender for Office alerts in Identity Protection Generally Available

Service category: Identity Protection
Product capability: Identity Security & Protection

The Suspicious sending patterns risk detection is based on information provided by Microsoft Defender for Office (MDO). It fires when someone in your organization has sent suspicious email and is either at risk of being restricted from sending email, or has already been restricted from sending email. This detection raises the affected user to medium risk and only fires in organizations that have deployed MDO.

App-Only User.ReadBasic.All Permission

Service category: Role-based access control (RBAC)
Product capability: Access Control

User.ReadBasic.All allows an application to retrieve basic user properties like ID, display name, first and last name, email address, and photo. Previously, User.ReadBasic.All was only available as a delegated permission. Based on feedback, Microsoft now also offers User.ReadBasic.All as an application (app-only) permission, so that apps which need no more than basic user properties can be limited to exactly those.

Consider granting the User.ReadBasic.All permission instead of User.Read.All.

This change is associated with MC704030 in the Message Center.

New Microsoft Entra recommendation to migrate off MFA Server Public Preview

Service category: MFA
Product capability: User Authentication

Microsoft has released a new recommendation in the Microsoft Entra admin center for organizations to move off MFA Server to Microsoft Entra multi-factor authentication. MFA Server will be retired on September 30, 2024. Any organization with MFA Server activity in the last seven days will see the recommendation that includes details about their current usage, and steps on how to move to Microsoft Entra multi-factor authentication.

Cross-tenant manager synchronization Public Preview

Service category: Provisioning
Product capability: Identity Governance

Cross-tenant synchronization now supports synchronizing the manager attribute across tenants.

Service category: App Provisioning
Product capability: 3rd Party Integration

Microsoft has added the following new applications in the Entra Application gallery with Provisioning support. Organizations can now automate creating, updating, and deleting of user objects for these newly integrated apps:

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In January 2024, Microsoft has added the following new applications in the Entra Application gallery with Federation support:

  1. Boeing ToolBox
  2. Kloud Connect Practice Management
  3. トーニチ・ネクスタ・メイシ (Tonichi Nexta Meishi)
  4. Vinkey
  5. Cognito Forms
  6. Ocurus
  7. Magister
  8. eFlok
  9. GoSkills
  10. FortifyData
  11. Toolsfactory platform, Briq
  12. Mailosaur
  13. Astro
  14. JobDiva / Teams VOIP Integration
  15. Colossyan SAML
  16. CallTower Connect
  17. Jellyfish
  18. MetLife Legal Plans Member App
  19. Navigo Cloud SAML
  20. Delivery Scheduling Tool
  21. Highspot for MS Teams
  22. Reach 360
  23. Fareharbor SAML SSO
  24. HPE Aruba Networking EdgeConnect Orchestrator
  25. Terranova Security Awareness Platform

What's Changed

New Microsoft Entra Home page Generally Available

Service category: N/A
Product capability: Directory

Microsoft redesigned the Microsoft Entra admin center's homepage to help admins do the following:

  • Learn about the product suite
  • Identify opportunities to maximize feature value
  • Stay up to date with recent announcements, new features, and more!

See the new experience at https://entra.microsoft.com.

On-premises Identity-related updates and fixes for January 2024

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for January 2024:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5034119 January 9, 2024

The January 9, 2024, update for Windows Server 2016 (KB5034119), updating the OS build number to 14393.6614 is a monthly cumulative update and includes no Identity-related improvements. Updates for Windows Server 2016 merely address security issues for your Windows operating system, because the product is in extended support.

Windows Server 2019

We observed the following update for Windows Server 2019:

KB5034127 January 9, 2024

The January 9, 2024, update for Windows Server 2019 (KB5034127), updating the OS build number to 17763.5329, is a monthly cumulative update and includes the following Identity-related improvements:

  • This update addresses an issue that causes your device to shut down after 60 seconds. This occurs when you use a smart card to authenticate on a remote system.
  • This update addresses an issue that affects the Windows Local Administrator Password Solution (Windows LAPS). The LAPS account does not work. This occurs if the password is older than the age that the maximum age device policy allows.
  • This update addresses an issue that affects the Kerberos Key Distribution Center (KDC). It returns the following error during trust referrals, which is wrong:

KDC_ERR_S_PRINCIPAL_UNKNOWN

  • This update addresses an issue that causes lsass.exe to stop responding. Because of this, a restart loop occurs.
  • This update addresses an issue that affects the Key Distribution Service (KDS). It does not start in the time required if LDAP referrals are needed.
  • This update addresses an issue that affects Group Policy Folder Redirection in a multi-forest deployment. The issue stops admins from choosing a group account from the target Active Directory domain. Because of this, admins cannot apply advanced folder redirection settings to that Active Directory domain. This issue occurs when the target domain has a one-way trust with the domain of the admin's user account. This issue affects all Enhanced Security Admin Environment (ESAE), Hardened Forests (HF) and Privileged Access Management (PAM) deployments.

Windows Server 2022

We observed the following update for Windows Server 2022:

KB5034129 January 9, 2024

The January 9, 2024, update for Windows Server 2022 (KB5034129), updating the OS build number to 20348.2227, is a monthly cumulative update and includes the following Identity-related improvements:

  • This update addresses an issue that causes your device to shut down after 60 seconds. This occurs when you use a smart card to authenticate on a remote system.
  • This update addresses an issue that affects the Windows Local Administrator Password Solution (Windows LAPS). The LAPS account does not work. This occurs if the password is older than the age that the maximum age device policy allows.
  • This update addresses an issue that affects the Kerberos Key Distribution Center (KDC). It returns the following error during trust referrals, which is wrong:

KDC_ERR_S_PRINCIPAL_UNKNOWN

  • This update addresses an issue that causes lsass.exe to stop responding. Because of this, a restart loop occurs.
  • This update addresses an issue that affects the Key Distribution Service (KDS). It does not start in the time required if LDAP referrals are needed.
  • This update addresses an issue that affects account lockout event 4625. The format of the event is wrong in the ForwardedEvents log. This occurs when an account name is in the user principal name (UPN) format.
  • This update addresses an issue that affects hybrid joined devices. You cannot sign in to them if they are not connected to the internet. This occurs when you use a Windows Hello for Business PIN or biometric credentials. This issue applies to a cloud trust deployment.
  • This update addresses an issue that affects the Trusted Sites Zone logon policy. You cannot manage it using mobile device management (MDM).
  • This update addresses an issue that affects the display of a smart card icon. The icon does not appear when you sign in. This occurs when there are multiple certificates on the smart card.
  • This update addresses an issue that affects Active Directory domain controllers. They report the following error when you create new users on the domain controller that holds the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role:

DS_BUSY

  • This update addresses an issue that affects the msDS-KeyCredentialLink attribute. In some cases, it is updated when it should not be.

Multi-Factor Authentication Server versions 8.1.11.1 and 8.1.12.1 add support for OATH codes

Microsoft Azure Multi-Factor Authentication

On January 19th, 2024, Microsoft released versions 8.1.11.1 and 8.1.12.1 of its MFA Server product, which allows organizations to add multi-factor authentication to RADIUS-, AD FS-, IIS-based and other on-premises authentication scenarios.

Versions 8.1.11.1 and 8.1.12.1

MFA Server v8.1.11.1 is intended for use on:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

MFA Server v8.1.12.1 is intended for use on:

  • Windows Server 2019
  • Windows Server 2022

What’s New

The release notes mention the following change:

Support for OATH codes

MFA Server versions 8.1.11.1 and 8.1.12.1 add support for OATH codes in the Microsoft Authenticator app after the user account has been migrated to Entra MFA.

After the first push notification attempt in Entra MFA, the account in the Microsoft Authenticator app starts using SHA-256 to generate OATH codes. MFA Server previously only supported SHA-1 and therefore could not validate these codes. Azure MFA Server has been modified to check both SHA-1 and SHA-256 codes, which allows users to use OATH codes for both Entra MFA and MFA Server scenarios during migration.
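
To make the SHA-1 versus SHA-256 point concrete, here is an added Python example, not Microsoft's or MFA Server's own code (the release notes do not show their validation logic): a validator that accepts an RFC 6238 TOTP code computed with either HMAC-SHA-1 or HMAC-SHA-256, which is the behaviour the release notes describe. The sample seed is constructed, and the primitives can be checked against the RFC 4226 and RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Hash algorithms the validator accepts during a migration:
# SHA-1 is what MFA Server validated before 8.1.11.1/8.1.12.1, SHA-256 is what
# Microsoft Authenticator switches to after the account's first Entra MFA push.
ACCEPTED_ALGORITHMS = ("sha1", "sha256")


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode a base32 OATH seed as shown by an authenticator app (padding optional)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP with the HMAC hash selectable, as RFC 6238 allows (sha1/sha256/sha512)."""
    hash_fn = getattr(hashlib, algorithm)
    mac = hmac.new(secret, struct.pack(">Q", counter), hash_fn).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte selects the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_oath_code(secret: bytes, code: str, unix_time: int, *, step: int = 30,
                     digits: int = 6, window: int = 1, algorithms=ACCEPTED_ALGORITHMS):
    """Validate a submitted code against every accepted hash algorithm.

    Returns the name of the algorithm whose code matched, or None when nothing matched.
    `window` is the clock drift tolerated, in time steps, in each direction.
    The comparison is constant-time so a wrong guess leaks nothing through timing.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    counter = unix_time // step
    for algorithm in algorithms:
        for drift in range(-window, window + 1):
            expected = hotp(secret, counter + drift, digits, algorithm)
            if hmac.compare_digest(expected, code):
                return algorithm
    return None


def migration_demo(secret_b32: str, unix_time=None) -> dict:
    """Same seed, two app states: a SHA-1 code from before migration and a SHA-256 code after."""
    now = int(time.time()) if unix_time is None else unix_time
    secret = decode_base32_secret(secret_b32)
    legacy_code = totp(secret, now, algorithm="sha1")      # app before migration to Entra MFA
    migrated_code = totp(secret, now, algorithm="sha256")  # app after its first Entra MFA push
    return {
        "legacy_accepted_as": verify_oath_code(secret, legacy_code, now),
        "migrated_accepted_as": verify_oath_code(secret, migrated_code, now),
        # What a SHA-1-only validator (MFA Server before this release) does with the new code.
        "migrated_on_sha1_only": verify_oath_code(secret, migrated_code, now, algorithms=("sha1",)),
    }


if __name__ == "__main__":
    # Constructed sample seed for the demo; not a real user's secret.
    print(migration_demo("JBSWY3DPEHPK3PXP"))
```

A SHA-1-only validator rejects the migrated app's code, which is exactly the failure this release fixes; once every account has been migrated, the SHA-1 branch can be dropped again so the older hash is no longer accepted.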

 

Known Issues

Windows Authentication for Remote Desktop Services (RDS) is not supported for Windows Server 2012 R2 and up.

Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading the User Portal or AD FS adapter. Read the guidance in the How to Upgrade section in this blogpost for more information.

Download

You can download Azure Multi-Factor Authentication Server 8.1.11.1 and 8.1.12.1 here.
The download weighs 145 MB.

Version information

These are versions 8.1.11.1 and 8.1.12.1 of Multi-Factor Authentication Server.
They were signed off on January 19th, 2024.

Further reading

Existing Azure MFA Server deployments stop working starting September 30, 2024
TODO: Migrate from Azure MFA Server to Azure multi-factor authentication
Multi-Factor Authentication Server version 8.1.10.1 addresses service crashes during activation
Multi-Factor Authentication Server version 8.1.9.1 offers improved migration abilities