Michael Epping
michaelepping.com
@michaelepping.com
Senior Product Manager in the Identity and Network Access Division at Microsoft. Opinions are my own.
Got it, makes sense. This is definitely an edge case we plan to address, being able to use a passkey in the Office apps when SSO is not present.
December 5, 2024 at 4:54 PM
@crh.bsky.social And seconded what Mark said: if there's something in the guide we can make clearer, please let me know.
December 5, 2024 at 4:29 PM
@crh.bsky.social Totally hear you on the need for this, and it's something we'll resolve. Broad FIDO coverage on clients has some interesting technical challenges. But if you're using PSSO, why do you have users re-authing in Outlook anyway? Generally they should be getting an SSO experience.
December 5, 2024 at 4:28 PM
Today your options are to use full MDM rather than MAM controls (the Authenticator app can satisfy full MDM compliance checks), or to give the users temporary exemptions from the all-apps policy that requires MAM.
November 27, 2024 at 11:39 PM
Not sure what you mean by "safeguarded"; that isn't a concept we have in CA. MAM and passkeys can coexist on the same device just fine, but if you have an overly broad MAM CA policy then registration can be blocked, since you're covering the registration endpoint with that overly broad CA policy.
November 27, 2024 at 8:24 PM
@jeftek.com for visibility
November 27, 2024 at 3:52 PM
This problem doesn't exist if you are using full MDM compliance as one of the checks instead, Authenticator can satisfy that grant control in CA. But if you are mandating app protection policy then you need to adjust your policy so that this scenario is not in scope.
November 27, 2024 at 3:52 PM
This experience is expected if you have policies that require app protection policies for all cloud apps. Microsoft Authenticator doesn't support MAM policies, so you are getting the expected outcome, which is that users cannot register because they do not pass the app protection policy check.
November 27, 2024 at 3:52 PM
Innovative!
November 23, 2024 at 9:43 PM
I have exactly this problem, always too lazy to dig into it
November 23, 2024 at 9:34 PM
Correct, assuming these are device-bound passkeys. If they are synced, then the user can recover them through the sync process (on consumer devices, where Windows is adding sync support soon).
November 22, 2024 at 5:31 PM
Inside the Windows Hello container, which is protected by the TPM.
November 22, 2024 at 5:17 PM
Excellent! That’s what we like to hear!
November 21, 2024 at 5:06 PM
Happy to help if you’ve got questions!
November 18, 2024 at 4:25 PM
I did know this!
November 13, 2024 at 12:41 AM
We also recently recorded an episode of the 425 Show to talk about our new deployment guidance, so check it out to get the latest and greatest info: www.youtube.com/watch?v=5J03...
425 Show | Phishing-Resistant Passwordless Deployment Guide
November 11, 2024 at 11:11 PM