Microsoft Tenant Hardening

This archive lists all our posts about Microsoft Tenant Hardening.

  • Microsoft 365, Microsoft Azure

    Kerberos Cloud Trust and Windows Hello for Business: Secure and Seamless Authentication in Hybrid Environments

    Kerberos Cloud Trust is a hybrid authentication protocol developed by Microsoft to enable secure and passwordless sign-ins. Kerberos Cloud Trust combines the strengths of Kerberos and Windows Hello for Business to offer a modern, secure, and user-friendly authentication solution. It is particularly useful in hybrid environments where both cloud and on-premises resources are utilized. Users authenticate securely and seamlessly both locally and in the cloud.

  • Microsoft Azure

    Microsoft Entra ID: Automatically Roll Over Kerberos Decryption Key

    Regularly rolling over the Kerberos decryption key is crucial to the security and integrity of seamless Single Sign-On (SSO) in hybrid IT environments. Microsoft recommends rolling over this key every 30 days to close potential security gaps and ensure smooth integration between on-premises Active Directory and Microsoft Entra ID. This process can be automated to minimize administrative effort and ensure continuous security.

  • Microsoft 365, Microsoft Azure

    Switch from per-user MFA to MFA with Microsoft Entra Conditional Access

    Setting up Multi-Factor Authentication (MFA) per user significantly enhances the security of a Microsoft tenant and is now the standard practice for every administrator. With per-user MFA, the user must complete multi-factor authentication during each sign-in. However, this can lead to frustration among legitimate users whose workflows are disrupted by frequent MFA prompts. To achieve a better user experience while balancing security and usability, it is recommended to switch to MFA using Microsoft Entra Conditional Access.