2.3) Authentication
1. Hybrid Authentication Topologies
- Password Hash Synchronization (PHS) + Seamless SSO: The Microsoft-recommended standard for 90% of enterprises. Syncs a hash of the on-premises AD password hash to Entra ID. Provides cloud-auth resilience even if on-premises domain controllers go down.
- Pass-Through Authentication (PTA): Validates passwords directly against on-premises Active Directory via lightweight agents. Used when strict security policies prohibit any form of password hash leaving the on-premises network.
- Federation (e.g., AD FS, Ping, Okta): Entra ID redirects the authentication request to a third-party Identity Provider (IdP).
- Consultant Note: Many large organizations are actively migrating away from AD FS to PHS/Seamless SSO to reduce infrastructure overhead and mitigate on-premises vulnerabilities.
2. MFA & Modern Authentication Methods
- The Authentication Methods Policy: Microsoft has deprecated the legacy per-user MFA portal and legacy SSPR policies. All authentication methods must be managed centrally via the Entra ID > Security > Authentication methods blade.
- Method Hierarchy (Weakest to Strongest):
  - SMS / Voice Call: Highly susceptible to SIM swapping. Strongly advocate for deprecation.
  - Microsoft Authenticator (Push): Number Matching is now mandatory globally to prevent MFA fatigue attacks.
  - Phishing-Resistant MFA: FIDO2 Security Keys (YubiKey) and Windows Hello for Business (WHfB). The gold standard for privileged administrative accounts.
- System-Preferred Multifactor Authentication: Enable this tenant-wide. If a user has both SMS and the Authenticator app registered, Entra ID will automatically prompt them with the most secure method available.
3. Self-Service Password Reset (SSPR) & Registration
- Combined Registration: Users register for both MFA and SSPR in a single workflow (aka.ms/mfasetup).
- SSPR Configuration:
  - Targeting: Target a specific Entra ID Security Group before rolling out to “All Users.”
  - Methods Required: The enterprise standard is requiring 2 methods to reset a password (e.g., Authenticator App + Mobile App Code).
  - Password Writeback: If the organization is hybrid (using Entra Connect), Password Writeback must be enabled in the sync engine so cloud resets are written back to on-premises Active Directory.
4. Legacy Authentication (A Prime Attack Vector)
- What it is: Older protocols (POP3, IMAP4, SMTP Auth, Office 2013 and older clients) that cannot negotiate Modern Authentication (OAuth 2.0) and therefore can never be challenged for MFA: a valid password alone is enough to sign in.
- Remediation:
  - Exchange Online has disabled Basic Auth at the tenant level, but it can still be a risk in other areas.
  - Explicitly block legacy auth via Conditional Access.
  - Exception: SMTP Auth is often still required for on-premises multi-function printers or legacy application relay. Restrict SMTP Auth to specific service accounts and lock those accounts down by IP address in Conditional Access.
5. Troubleshooting & Diagnostics
- Sign-in Logs (The Source of Truth):
  - Interactive vs. Non-Interactive: Interactive means the user physically typed a password or clicked an MFA prompt. Non-interactive means a client app used a refresh token to get a new access token seamlessly.
  - Common Error Codes to Memorize:
    - 50126: Invalid username or password (Check if the password recently changed on-premises and hasn’t synced, or if PTA agents are down).
    - 500121: User didn’t complete the MFA prompt (This error can appear if the user hasn’t completed setting up MFA).
    - 50074: Strong authentication is required and the user did not pass the MFA challenge (A Conditional Access policy may have blocked the seamless token and forced an interactive MFA prompt).
    - For more: https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes.
- Entra ID Protection (Risk-Based Auth): If the tenant has Entra ID P2, users flagged with “High User Risk” (e.g., leaked credentials found on the dark web) can be forced to securely reset their password via SSPR before logging in.
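Sections 4 and 5 above can be worked from the same sign-in log query: find who is still authenticating over a legacy protocol (so the printer or relay account gets its exception before the Conditional Access block goes in) and tally the three error codes by user. This is an added example, not code from the original notes or from Microsoft; it assumes the Microsoft.Graph.Reports module is installed and that the signed-in account holds the AuditLog.Read.All and Directory.Read.All read scopes. The $codeMeaning and $legacyClients tables are constructed here from the notes above.

```powershell
# Added example: not from the original notes or from Microsoft.
# Pulls the last 7 days of sign-ins that either failed with one of the three
# error codes above or used a legacy protocol, so the accounts that still
# need a Conditional Access exception (e.g. the SMTP Auth printer account)
# are visible before legacy auth is blocked tenant-wide.
# Assumes Microsoft.Graph.Reports is installed; scopes are the read scopes
# required for sign-in logs.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Graph $filter expects an ISO 8601 UTC timestamp; "o" on a UTC DateTime emits one.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("o")

# Error codes from the notes above, with the diagnosis each one points at.
$codeMeaning = @{
    50126  = "Bad username/password: check on-prem sync lag or PTA agents"
    500121 = "MFA prompt not completed: user may not have finished registration"
    50074  = "Strong auth required: a CA policy forced an interactive MFA prompt"
}

# clientAppUsed values Entra ID assigns to the legacy protocols the notes list.
$legacyClients = @("POP3", "IMAP4", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients")

# One filtered query per code; simple 'and' filters are what Graph documents as supported.
$failures = foreach ($code in $codeMeaning.Keys) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq $code" |
        Select-Object UserPrincipalName, IpAddress, AppDisplayName, IsInteractive,
            @{ n = "ErrorCode"; e = { $_.Status.ErrorCode } },
            @{ n = "Meaning";   e = { $codeMeaning[[int]$_.Status.ErrorCode] } }
}

# Legacy-protocol sign-ins, successful or not: a CA block will break every one of these.
$legacy = foreach ($client in $legacyClients) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and clientAppUsed eq '$client'" |
        Select-Object UserPrincipalName, IpAddress, ClientAppUsed, AppDisplayName,
            @{ n = "Succeeded"; e = { $_.Status.ErrorCode -eq 0 } }
}

"== Failures by error code and user (last 7 days) =="
$failures | Group-Object ErrorCode, UserPrincipalName | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = "Meaning"; e = { $_.Group[0].Meaning } } |
    Format-Table -AutoSize

"== Legacy-auth sign-ins by account, protocol and source IP =="
$legacy | Group-Object UserPrincipalName, ClientAppUsed, IpAddress | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = "AnySuccess"; e = { $_.Group.Succeeded -contains $true } } |
    Format-Table -AutoSize
```

A legacy-auth row with AnySuccess = True is a working dependency that needs a named-account, IP-restricted exception; rows that only ever fail are usually password-spray noise that the Conditional Access block will silence.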
6. Essential PowerShell Cmdlets (Microsoft Graph)
- Connection:
  Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "AuditLog.Read.All"
- Manage User Authentication Methods:
  Get-MgUserAuthenticationMethod -UserId user@domain.com (Lists registered methods)
  New-MgUserAuthenticationPhoneMethod -UserId user@domain.com -PhoneType "mobile" -PhoneNumber "+1 5555555555" (Pre-populate phone numbers for users, though the Authenticator app is preferred)
- Troubleshooting Password Sync:
  Get-MgUser -UserId user@domain.com -Property LastPasswordChangeDateTime | Select-Object LastPasswordChangeDateTime (Check when Entra ID thinks the password was last changed; the Select-Object is needed because the cmdlet's default view does not display this property)