The Azure Method – Scam or Not


New tech support scam launches communication or phone call app

(Note: Our Tech support scams FAQ page has the latest info on this type of threat, including scammer tactics, fake error messages, and the latest scammer hotlines. You can also read our latest blog, Teaming up in the war on tech support scams.)

A new tech support scam technique streamlines the entire scam experience, leaving potential victims only one click or tap away from speaking with a scammer. We recently found a new tech support scam website that opens your default communication or phone call app, automatically prompting you to call a fake tech support scam hotline.

Figure 1. Tech support scam page launching the default communication app with the fake hotline 001-844-441-4490 ready to be dialed

Most tech support scams rely on social engineering: They use fake error messages to trick users into calling hotlines and paying for unnecessary tech support services that supposedly fix contrived device, platform, or software problems.

To create the impression of a “problem”, tech support scam websites attempt to lock the browser. Some do this using pop-up or dialog loops—they embed malicious code in web pages that cause browsers to continuously display alerts. When the user dismisses an alert, the malicious code invokes another one, essentially locking the browser session.

Most browsers, including Microsoft Edge and Internet Explorer, have released a solution for this behavior, allowing users to stop websites from serving dialog pop-ups. Browsers now can also be closed even with an active dialog box.

Figure 2. Microsoft Edge prompting the user to stop a pop-up dialog loop

This streamlined tech support scam forgoes dialog boxes altogether. Instead, the page contains a click-to-call link, and its own code clicks that link automatically.

Figure 3. Click-to-call code in tech support scam website

When clicked, the link opens the default communication or phone call app, prompting the user to call the fake technical support hotline already prepopulated in the app.

Tech support scam website targets Apple users

With click-to-call links, tech support scams do not have to be as elaborate as many current tech support scam websites. They don’t have to rely on scary messages or pose as legitimate error messages to convince victims to call the phone number.

Figure 4. Recent tech support scam websites with various fake error messages and phone numbers

Instead, scam sites can be very simple, with just a fake hotline number and a simple message like “We’re here to help”, as is used by the actual scam page below.

Figure 5. Tech support scam website before the communication app is launched

Although the page is simple, the scam is aided by an audio file that automatically plays as the website is displayed. This is a common technique used by the Techbrolo family of support scam script malware. The audio message in this new tech support scam website says:

Critical alert from Apple support. Your mac has alerted us that your system is infected with viruses, spywares, and pornwares. These viruses are sending your credit card details, Facebook logins, and personal emails to hackers remotely. Please call us immediately on the toll-free number listed so that our support engineers can walk you through the removal process over the phone. If you close this window before calling us, we will be forced to disable and suspend your Mac device to prevent further damage to our network. Error number 268D3.

Click-to-call optimized for mobile phones

The audio message is characteristic of tech support scams in its use of scare tactics. However, this technique seems to be optimized for mobile phones. The website uses responsive design, and the click-to-call can directly launch the phone function on smart phones.

Figure 6. Tech support scam website launches the phone call app on a mobile phone

This goes to show that the threat of tech support scams affects users of various platforms, devices, and software.

Tech support scam template

Tech support scams heavily use templates so that they can reuse websites to launch campaigns using multiple hotline numbers. Based on our tracking of tech support scam campaigns and methods, we know that scammers frequently change the phone numbers they use. In the August-September timeframe, for example, 33% of tech support scam numbers were used in campaigns that lasted less than a day.

The hotline number on a tech support scam template can be altered simply by swapping out the phone number set as a parameter in the URL. The phone number in the URL is displayed in the fake error message on the page and/or the dialog boxes. Most tech support scam templates we’ve seen have a default phone number that is displayed when there is no phone number in the parameter.

Figure 7. A sample tech support scam template used with several phone numbers

The new tech support scam website also uses this method. However, unlike other scam sites, it doesn’t have a default number.

Figure 8. The tech support scam with click-to-call link with no phone number

As of this writing, we’re not seeing widespread campaigns using this new and emerging tech support scam technique. But because the website accepts URL parameters, we can assume it is being sold as a service in the cybercriminal underground. We did find that the website doesn’t validate the parameters, so technically any number can be passed as the phone number, and it can be automatically used by this tech support scam site.
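As an added example that is not part of the original post, the following Python script triages a suspected scam page for the traits described above: a tel: link that the page’s own script clicks, a phone number injected through a URL parameter that the page then dials, audio that autoplays, and alert/confirm dialog loops. The regexes, weights, verdict threshold, URL and HTML are constructed for illustration (example.invalid is a reserved hostname and 555-01xx numbers are fictional).

```python
"""Heuristic triage of a suspected tech support scam page (added example)."""
import re
from urllib.parse import parse_qs, urlparse

# Loose "looks like a phone number" shape for query-string values.
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")
# Click-to-call anchor: href="tel:..."
TEL_HREF_RE = re.compile(r"""href\s*=\s*["']tel:([^"']+)["']""", re.I)
# Script that clicks an element or navigates straight to a tel: URL.
AUTO_CLICK_RE = re.compile(r"\.click\s*\(\s*\)|location(?:\.href)?\s*=\s*['\"]tel:", re.I)
# Audio element that starts playing as soon as the page is displayed.
AUDIO_AUTOPLAY_RE = re.compile(r"<audio[^>]*\bautoplay\b", re.I)
# alert()/confirm() wired to page unload or an endless loop (dialog loop).
DIALOG_LOOP_RE = re.compile(
    r"(?:onbeforeunload|while\s*\(\s*true\s*\))[^}]*?\b(?:alert|confirm)\s*\(", re.I | re.S)

# Constructed weights: behaviours that act without the user score higher.
WEIGHTS = {"tel_links": 1, "auto_click": 2, "audio_autoplay": 1,
           "dialog_loop": 2, "url_phone_params": 1, "url_number_dialled": 2}


def digits(number):
    """Reduce a displayed number to its digits so formats can be compared."""
    return re.sub(r"\D", "", number)


def phone_from_url(url):
    """Return query parameters whose value is phone-shaped, e.g. ?phone=1-555-0100."""
    qs = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in qs.items() if v and PHONE_RE.match(v[0].strip())}


def triage(url, html):
    """Score the page; the verdict threshold (3) is a constructed choice."""
    findings = {}
    tel_numbers = TEL_HREF_RE.findall(html)
    if tel_numbers:
        findings["tel_links"] = tel_numbers
    if AUTO_CLICK_RE.search(html):
        findings["auto_click"] = True
    if AUDIO_AUTOPLAY_RE.search(html):
        findings["audio_autoplay"] = True
    if DIALOG_LOOP_RE.search(html):
        findings["dialog_loop"] = True
    url_numbers = phone_from_url(url)
    if url_numbers:
        findings["url_phone_params"] = url_numbers
    # Strongest template signal: the number the page dials is the one supplied in the URL.
    if tel_numbers and url_numbers:
        injected = {digits(v) for v in url_numbers.values()}
        if any(digits(t) in injected for t in tel_numbers):
            findings["url_number_dialled"] = True
    score = sum(WEIGHTS[k] for k in findings)
    findings["score"] = score
    findings["verdict"] = "likely tech support scam" if score >= 3 else "no strong indicators"
    return findings


# Constructed samples (not captured from any real site).
SCAM_URL = "http://example.invalid/support.html?phone=1-555-0100"
SCAM_HTML = """
<audio src="alert.mp3" autoplay></audio>
<h1>We're here to help</h1>
<a id="call" href="tel:1-555-0100">Call support</a>
<script>document.getElementById("call").click();</script>
"""
# An ordinary contact page: a tel: link alone is not a scam indicator.
CONTACT_URL = "http://example.invalid/contact"
CONTACT_HTML = '<p>Sales: <a href="tel:1-555-0199">1-555-0199</a></p>'

if __name__ == "__main__":
    for label, u, h in (("scam sample", SCAM_URL, SCAM_HTML),
                        ("contact page", CONTACT_URL, CONTACT_HTML)):
        print(label, "->", triage(u, h))
```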

Microsoft solutions for tech support scams

We have been tracking tech support scams, and the click-to-call technique is just the latest innovation from scammers. Unfortunately, this is probably not the last we’ve seen of these threats.

However, at the core, tech support scams are a social engineering attack. Legitimate error and warning messages don’t include a phone number. On the other hand, legitimate technical support websites don’t use scary error messages to convince users to call. In this example, users can avoid being scammed simply by not proceeding with the call. In general, if a site automatically launches your calling app, it is likely malicious. Don’t press Send—you might end up being charged for calls or you might fall victim to a bigger scam once you talk to the criminals behind the scam site.

To help Windows 10 users stay safe from tech support scams, Microsoft Edge blocks tech support scam websites. It uses Windows Defender SmartScreen (also used by Internet Explorer) to block tech support scams and other malicious websites, including phishing sites and sites that host malicious downloads.

Windows Defender Antivirus detects and blocks tech support scam malware and other threats. It leverages protection from the cloud, helping ensure customers are protected from the latest threats in real-time.

Jonathan San Jose
Windows Defender Research team

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Protecting against coronavirus themed phishing attacks

The world has changed in unprecedented ways in the last several weeks due to the coronavirus pandemic. While it has brought out the best in humanity in many ways, as with any crisis it can also attract the worst in some. Cybercriminals use people’s fear and need for information in phishing attacks to steal sensitive information or spread malware for profit. Even as some criminal groups claim they’ll stop attacking healthcare and nursing homes, the reality is they can’t fully control how malware spreads.

While phishing and other email attacks are indeed happening, the volume of malicious emails mentioning the coronavirus is very small. Still, customers are asking us what Microsoft is doing to help protect them from these types of attacks, and what they can do to better protect themselves. We thought this would be a useful time to recap how our automated detection and signal-sharing works to protect customers (with a specific recent example) as well as share some best practices you can use personally to stay safe from phishing attempts.

What Microsoft is doing

First, 91 percent of all cyberattacks start with email. That’s why the first line of defense is doing everything we can to block malicious emails from reaching you in the first place. A multi-layered defense system that includes machine learning, detonation, and signal-sharing is key in our ability to quickly find and shut down email attacks.

If any of these mechanisms detect a malicious email, URL, or attachment, the message is blocked and does not make its way to your inbox. All attachments and links are detonated (opened in isolated virtual machines). Machine learning, anomaly analyzers, and heuristics are used to detect malicious behavior. Human security analysts continuously evaluate user-submitted reports of suspicious mail to provide additional insights and train machine learning models.

Once a file or URL is identified as malicious, the information is shared with other services such as Microsoft Defender Advanced Threat Protection (ATP) to ensure endpoint detection benefits from email detection, and vice versa.

An interesting example of this in action occurred earlier this month, when an attacker launched a spear-phishing campaign that lasted less than 30 minutes.

Attackers crafted an email designed to look like a legitimate supply chain risk report for food coloring additives with an update based on disruptions due to coronavirus. The attachment, however, was malicious and delivered a sophisticated, multi-layer payload based on the Lokibot trojan (Trojan:Win32/Lokibot.GJ!MTB).

Had this payload been successfully deployed, hackers could have used it to steal credentials for other systems—in this case FTP accounts and passwords—which could then be used for further attacks.

Only 135 customer tenants were targeted, with a spray of 2,047 malicious messages, but no customers were impacted by the attack. The Office 365 ATP detonation service, signal-sharing across services, and human analysts worked together to stop it.

And thanks to signal sharing across services, customers not using a Microsoft email service like Office 365, hosted Exchange, or Outlook.com, but using a Windows PC with Microsoft Defender enabled, were fully protected. When a user attempted to open the malicious attachment from their non-Microsoft email service, Microsoft Defender kicked in, queried its cloud-based machine learning models, and found that the attachment had already been blocked based on a previous Office 365 ATP cloud detection. The attachment was prevented from executing on the PC and the customer was protected.

What you can do

While bad actors are attempting to capitalize on the COVID-19 crisis, they are using the same tactics they always do. You should be especially vigilant now to take steps to protect yourself.

Make sure your devices have the latest security updates installed and an antivirus or anti-malware service. For Windows 10 devices, Microsoft Defender Antivirus is a free built-in service enabled through Settings. Turn on cloud-delivered protection and automatic sample submission to enable artificial intelligence (AI) and machine learning to quickly identify and stop new and unknown threats.

Enable the protection features of your email service. If you have Office 365, you can learn about Exchange Online Protection here and Office 365 ATP here.

Use multi-factor authentication (MFA) on all your accounts. Most online services now provide a way to use your mobile device or other methods to protect your accounts in this way. Here’s information on how to use Microsoft Authenticator and other guidance on this approach.

MFA support is available as part of the Azure Active Directory (Azure AD) Free offering. Learn more here.

Educate yourself, friends, and colleagues on how to recognize phishing attempts and report suspected encounters. Here are some of the tell-tale signs.

  • Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have an editorial staff to ensure customers get high-quality, professional content. If an email message is fraught with errors, it is likely to be a scam.
  • Suspicious links. If you suspect that an email message is a scam, do not click on any links. One method of testing the legitimacy of a link is to rest your mouse—but not click—over the link to see if the address matches what was typed in the message. In the following example, resting the mouse on the link reveals the real web address in the box with the yellow background. Note that the string of IP address numbers looks nothing like the company’s web address.
  • Suspicious attachments. If you receive an email with an attachment from someone you don’t know, or an email from someone you do know but with an attachment you weren’t expecting, it may be a phishing attempt, so we recommend you do not open any attachments until you have verified their authenticity. Attackers use multiple techniques to try and trick recipients into trusting that an attached file is legitimate.
    • Do not trust the icon of the attachment.
    • Be wary of multiple file extensions, such as “pdf.exe” or “rar.exe” or “txt.hta”.
    • If in doubt, contact the person who sent you the message and ask them to confirm that the email and attachment are legitimate.
  • Threats. These types of emails cause a sense of panic or pressure to get you to respond quickly. For example, it may include a statement like “You must respond by end of day.” Or saying that you might face financial penalties if you don’t respond.
  • Spoofing. Spoofing emails appear to be connected to legitimate websites or companies but take you to phony scam sites or display legitimate-looking pop-up windows.
  • Altered web addresses. A form of spoofing in which web addresses closely resemble the names of well-known companies but are slightly altered; for example, “www.micorsoft.com” or “www.mircosoft.com”.
  • Incorrect salutation of your name.
  • Mismatches. The link text and the URL are different from one another; or the sender’s name, signature, and URL are different.
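The mechanical tell-tale signs in the list above (link text that does not match the real address, a bare IP address instead of a company domain, slightly altered brand names, and attachments with stacked extensions such as pdf.exe or txt.hta) can be checked automatically. The following Python script is an added example and not part of the original post; the brand list, the edit-distance threshold of 2, the sample message body and the attachment names are constructed, and spelling or grammar checks are out of its scope.

```python
"""Mechanical phishing tell-tale checks for one email (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that execute when opened; "report.pdf.exe" ends in one of these.
EXECUTABLE_EXT = {"exe", "hta", "scr", "js", "vbs", "bat", "cmd", "ps1", "msi"}
# Brands the recipient's organisation expects mail from (constructed list).
TRUSTED_BRANDS = ("microsoft", "office", "outlook")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; 'micorsoft' vs 'microsoft' is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(text_or_url):
    """Hostname of a URL, or of bare link text such as www.microsoft.com."""
    if " " in text_or_url or "." not in text_or_url:
        return None
    if "://" not in text_or_url:
        text_or_url = "http://" + text_or_url
    return urlparse(text_or_url).hostname


def suspicious_attachment(filename):
    """Multiple extensions ending in an executable type, e.g. pdf.exe or txt.hta."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT


def audit(body_html, attachments):
    """Return the tell-tale signs found; all lists empty means nothing was flagged."""
    collector = LinkCollector()
    collector.feed(body_html)
    report = {"text_href_mismatch": [], "ip_hosts": [], "lookalike_domains": [],
              "suspicious_attachments": [f for f in attachments if suspicious_attachment(f)]}
    for text, href in collector.links:
        href_host = host_of(href)
        if not href_host:
            continue
        text_host = host_of(text)
        if text_host and text_host != href_host:   # text names one site, link goes to another
            report["text_href_mismatch"].append((text, href))
        if IPV4_RE.match(href_host):               # bare IP instead of the company's domain
            report["ip_hosts"].append(href_host)
        labels = href_host.split(".")
        label = labels[-2] if len(labels) >= 2 else labels[0]
        for brand in TRUSTED_BRANDS:               # slightly altered well-known name
            if 0 < edit_distance(label, brand) <= 2:
                report["lookalike_domains"].append((href_host, brand))
    return report


# Constructed sample message; 192.0.2.0/24 is a documentation-only range.
SAMPLE_BODY = """
<p>Dear Customer, your account will be suspened.</p>
<p>Verify at <a href="http://192.0.2.10/login">www.microsoft.com</a> or sign in at
<a href="http://www.micorsoft.com/verify">Microsoft account</a>.</p>
"""
SAMPLE_ATTACHMENTS = ["Statement.pdf.exe", "agenda.txt"]

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_BODY, SAMPLE_ATTACHMENTS).items():
        print(f"{kind}: {hits}")
```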

If you think you’ve received a phishing email or followed a link in an email that has taken you to a suspicious website, there are a few ways to report what you’ve found.

If you think the mail you’ve received is suspicious:

  • Outlook.com. If you receive a suspicious email message that asks for personal information, select the checkbox next to the message in your Outlook inbox. Select the arrow next to Junk, and then point to Phishing scam.
  • Microsoft Office Outlook 2020 and 2020 and Microsoft Office 365. While in the suspicious message, select Report message in the Protection tab on the ribbon, and then select Phishing.

If you’re on a suspicious website:

  • Microsoft Edge. While you’re on a suspicious site, select the More(…) icon >Send feedback >Report Unsafe site. Follow the instructions on the web page that displays to report the website.
  • Internet Explorer. While you’re on a suspicious site, select the gear icon, point to Safety, and then select Report Unsafe Website. Follow the instructions on the web page that displays to report the website.

If you think you have a suspicious file:

This is just one area where our security teams at Microsoft are working to protect customers and we’ll share more in the coming weeks. For additional information and best practices for staying safe and productive through remote work, community support and education during these challenging times, visit Microsoft’s COVID-19 resources page for the latest information.

Breaking down a notably sophisticated tech support scam M.O.

(Note: Our Tech support scams FAQ page has the latest info on this type of threat, including scammer tactics, fake error messages, and the latest scammer hotlines. You can also read our latest blog, Teaming up in the war on tech support scams.)

The cornerstone of tech support scams is the deception that there is something wrong with your PC. To advance this sham, tech support scams have long abused browsers’ full screen function. Coupled with dialogue loops, the pop-up messages that just won’t go away, and the spoofing of brands like Microsoft, tech support scam websites can be convincing.

The end-goal, of course, is to get you to call a technical support hotline, which then charges you for services you don’t need.

Recently we came across a new tech support scam website that stands out in the way it creatively uses the full screen function and dialogue boxes.

The scam is one of many websites we have discovered and blocked over the years. To achieve its end, the website uses a malicious script belonging to the Techbrolo family of support scam malware. Techbrolo is known for introducing the dialogue loops and audio message, which have now become a staple in tech support scam sites.

Anatomy of a support scam website

The scam starts like any other. You are redirected to the website by nefarious ads. When the page loads, you get a pop-up message that says your computer has been locked because of virus infection. It asks you to immediately call a technical support number.

Figure 1. Dialogue box that pops up when the site originiftsnormalpro.xyz is accessed, asking you to call 1-844-313-7003

The website also starts playing an audio message, a tactic to further cause panic, something that we’re seeing more and more in these scams. It says:

Important security alert! Virus intrusions detected on your computer. Your personal data and system files may be at serious risk. All system resources are halted to prevent any damage. Please call customer service immediately to report these threats now.

In usual scam sites, if you click OK or close the pop-up message, a dialogue loop kicks in. The website continues to serve the pop-up messages whatever you do, effectively locking your browser.

In this new site, however, if you click OK, things start to get very interesting.

It loads a page with what appears to be a pop-up message containing the same details, including the technical support hotline. You may think at this point you’re just getting the usual dialogue loop. But, upon closer inspection, it’s not really a pop-up message, but a website element of the scam page.

Figure 2. A fake dialogue box that is really a website element

If you click OK on the fake dialogue box (or basically anywhere on the page), it goes into full screen and brings in another surprise.

At full screen, you get what looks like a browser opened to support.microsoft.com/ru-ru/en. But, alas, just like the pop-up message, the browser is just a website element.

Figure 3. A fake browser that is part of the design of the support scam website

This is how the scam site is able to spoof support.microsoft.com in the fake address bar. It even has the green HTTPS indicator to further feign authenticity. If you didn’t detect the scam at this point, you may think you were redirected to a Microsoft website and it’s serving you some messages about your PC.

Don’t fall for this. Exiting full screen puts things in perspective.

Figure 4. The support scam website outside full screen

Busting the scam

Just like all tech support scams, this new iteration is doing its best to make you think there’s something wrong with your PC. The new techniques are meant to improve its chances of you taking the social engineering bait.

The key to stopping the attack is to immediately recognize and break it. If you’re a Microsoft Edge user, there are a couple of ways to do this.

The first clue that something’s amiss is a message from Microsoft Edge. As the offending site goes into full screen, you get a notification from Microsoft Edge. You can exit the full screen at this point by clicking Exit now, and you stop the attack.

Figure 5. Alert from Microsoft Edge that the site has gone to full screen

The second clue is the change in the interface. Since the page is designed to look like Google Chrome, if you’re a Microsoft Edge user, you may catch the difference. Detecting the change in the interface may be easier said than done, but the opportunity to break the attack is there.

Figure 6. You can detect that the fake browser is different from the real one

Conclusion: Avoiding tech support scams

As this newly discovered support scam website shows, scammers are always on the lookout for opportunities to improve their tools. They can get really creative, motivated by the possibility of avoiding security solutions and ultimately increasing the chances of you falling for their trap.

Avoid tech support scam websites by being more careful when browsing the Internet. As much as you can, visit trusted websites only. Like most tech support scams, you are redirected to offending sites via malvertising (malicious ads). These ads are usually found in dubious websites, such as those hosting illegal copies of media and software, crack applications, and malware.

Get the latest protection from Microsoft by keeping your Windows operating system and antivirus up-to-date. If you haven’t, upgrade to Windows 10.

Use Microsoft Edge when browsing the Internet. It blocks known support scam sites using Microsoft SmartScreen. Microsoft Edge can also stop pop-up dialogue loops used by these sites. It also calls out when a website goes into full screen, giving you a chance to stop the attack.

Figure 7. Microsoft Edge blocks the support scam website using Microsoft SmartScreen

Jonathan San Jose


Configure Azure Multi-Factor Authentication settings

This article helps you to manage Multi-Factor Authentication settings in the Azure portal. It covers various topics that help you to get the most out of Azure Multi-Factor Authentication. Not all of the features are available in every version of Azure Multi-Factor Authentication.

You can access settings related to Azure Multi-Factor Authentication from the Azure portal by browsing to Azure Active Directory > Security > MFA.

Settings

Some of these settings apply to MFA Server, Azure MFA, or both.

Account lockout – Temporarily lock accounts in the multi-factor authentication service if there are too many denied authentication attempts in a row. This feature only applies to users who enter a PIN to authenticate. (MFA Server)
Block/unblock users – Used to block specific users from being able to receive Multi-Factor Authentication requests. Any authentication attempts for blocked users are automatically denied. Users remain blocked for 90 days from the time that they are blocked.
Fraud alert – Configure settings related to users’ ability to report fraudulent verification requests.
Notifications – Enable notifications of events from MFA Server.
OATH tokens – Used in cloud-based Azure MFA environments to manage OATH tokens for users.
Phone call settings – Configure settings related to phone calls and greetings for cloud and on-premises environments.
Providers – Shows any existing authentication providers that you may have associated with your account. New authentication providers may not be created as of September 1, 2020.

Manage MFA Server

Settings in this section are for MFA Server only.

Server settings – Download MFA Server and generate activation credentials to initialize your environment.
One-time bypass – Allow a user to authenticate without performing two-step verification for a limited time.
Caching rules – Caching is primarily used when on-premises systems, such as VPN, send multiple verification requests while the first request is still in progress. This feature allows the subsequent requests to succeed automatically after the user completes the first verification in progress.
Server status – See the status of your on-premises MFA servers, including version, status, IP, and last communication time and date.

Activity report

The reporting available here is specific to MFA Server (on-premises). For Azure MFA (cloud) reports see the sign-ins report in Azure AD.

Block and unblock users

Use the block and unblock users feature to prevent users from receiving authentication requests. Any authentication attempts for blocked users are automatically denied. Users remain blocked for 90 days from the time that they are blocked.

Block a user

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory >Security >MFA >Block/unblock users.
  3. Select Add to block a user.
  4. Select the Replication Group. Enter the username for the blocked user as [email protected]. Enter a comment in the Reason field.
  5. Select Add to finish blocking the user.

Unblock a user

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory >Security >MFA >Block/unblock users.
  3. Select Unblock in the Action column next to the user to unblock.
  4. Enter a comment in the Reason for unblocking field.
  5. Select Unblock to finish unblocking the user.

Fraud alert

Configure the fraud alert feature so that your users can report fraudulent attempts to access their resources. Users can report fraud attempts by using the mobile app or through their phone.

Turn on fraud alerts

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory >Security >MFA >Fraud alert.
  3. Set the Allow users to submit fraud alerts setting to On.
  4. Select Save.

Configuration options

Block user when fraud is reported: If a user reports fraud, their account is blocked for 90 days or until an administrator unblocks their account. An administrator can review sign-ins by using the sign-in report, and take appropriate action to prevent future fraud. An administrator can then unblock the user’s account.

Code to report fraud during initial greeting: When users receive a phone call to perform two-step verification, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #. This code is 0 by default, but you can customize it.

The default voice greetings from Microsoft instruct users to press 0# to submit a fraud alert. If you want to use a code other than 0, record and upload your own custom voice greetings with appropriate instructions for your users.

View fraud reports

  1. Sign in to the Azure portal.
  2. Select Azure Active Directory >Sign-ins. The fraud report is now part of the standard Azure AD Sign-ins report.

Notifications

Configure email addresses here for users who will receive fraud alert emails.

Phone call settings

Caller ID

MFA caller ID number – This is the number your users will see on their phone. Only US-based numbers are allowed.

When Multi-Factor Authentication calls are placed through the public telephone network, sometimes they are routed through a carrier that doesn’t support caller ID. Because of this, caller ID is not guaranteed, even though the Multi-Factor Authentication system always sends it.

In the United States, if you haven’t configured MFA Caller ID, voice calls from Microsoft come from the following numbers: +1 (866) 539 4191, +1 (855) 330 8653, and +1 (877) 668 6536. If using spam filters, make sure to exclude these numbers.

Custom voice messages

You can use your own recordings or greetings for two-step verification with the custom voice messages feature. These messages can be used in addition to or to replace the Microsoft recordings.

Before you begin, be aware of the following restrictions:

  • The supported file formats are .wav and .mp3.
  • The file size limit is 1 MB.
  • Authentication messages should be shorter than 20 seconds. Messages that are longer than 20 seconds can cause the verification to fail. The user might not respond before the message finishes and the verification times out.
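Because a greeting that is too long fails silently at verification time rather than at upload, it is worth checking the three restrictions above before uploading. The following Python script is an added example (not Microsoft’s code or tooling): it verifies the extension, the size and, for .wav files, the duration from the file header; for .mp3 it can only warn, since the standard library has no MP3 decoder. Reading 1 MB as 1,000,000 bytes is this example’s assumption, and the silent WAV fixtures are constructed.

```python
"""Pre-upload check for an Azure MFA custom voice greeting (added example)."""
import io
import os
import wave

ALLOWED_EXT = {".wav", ".mp3"}
MAX_BYTES = 1_000_000      # documented limit is 1 MB; 10^6 bytes is this example's reading of it
MAX_SECONDS = 20           # messages of 20 s or longer can make the verification time out


def wav_duration_seconds(data):
    """Length of a WAV file in seconds, taken from its header (no decoding needed)."""
    with wave.open(io.BytesIO(data), "rb") as wav:
        return wav.getnframes() / wav.getframerate()


def check_greeting(filename, data):
    """Return {'ok', 'duration_s', 'issues'}; ok is False if any issue is an ERROR."""
    issues, duration = [], None
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        issues.append(f"ERROR: unsupported format '{ext}'; use .wav or .mp3")
    if len(data) > MAX_BYTES:
        issues.append(f"ERROR: {len(data)} bytes exceeds the 1 MB limit")
    if ext == ".wav":
        try:
            duration = wav_duration_seconds(data)
        except (wave.Error, EOFError) as exc:
            issues.append(f"ERROR: not a readable WAV file ({exc})")
        else:
            if duration >= MAX_SECONDS:
                issues.append(f"ERROR: {duration:.1f} s is not shorter than {MAX_SECONDS} s")
    elif ext == ".mp3":
        # The standard library cannot read MP3 frame headers; flag for a manual check.
        issues.append("WARN: duration not verified for .mp3; confirm it is shorter than 20 s")
    ok = not any(i.startswith("ERROR") for i in issues)
    return {"ok": ok, "duration_s": duration, "issues": issues}


def make_silent_wav(seconds, rate=8000):
    """Constructed fixture: mono 16-bit silence of the requested length."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wav:
        wav.setnchannels(1)
        wav.setsampwidth(2)
        wav.setframerate(rate)
        wav.writeframes(b"\x00\x00" * int(seconds * rate))
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("ok.wav", make_silent_wav(8)), ("long.wav", make_silent_wav(25)),
                       ("huge.wav", make_silent_wav(70)), ("greeting.ogg", b"OggS")):
        print(name, check_greeting(name, blob))
```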

Custom message language behavior

When a custom voice message is played to the user, the language of the message depends on these factors:

  • The language of the current user.
    • The language detected by the user’s browser.
    • Other authentication scenarios may behave differently.
  • The language of any available custom messages.
    • This language is chosen by the administrator, when a custom message is added.

For example, if there is only one custom message, with a language of German:

  • A user who authenticates in the German language will hear the custom German message.
  • A user who authenticates in English will hear the standard English message.

Set up a custom message

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory >Security >MFA >Phone call settings.
  3. Select Add greeting.
  4. Choose the type of greeting.
  5. Choose the language.
  6. Select an .mp3 or .wav sound file to upload.
  7. Select Add.

Custom voice message defaults

Sample scripts for creating custom messages.

Authentication successful – Your sign in was successfully verified. Goodbye.
Extension prompt – Thank you for using Microsoft’s sign-in verification system. Please press the pound key to continue.
Fraud confirmation – A fraud alert has been submitted. To unblock your account, please contact your company’s IT help desk.
Fraud greeting (Standard) – Thank you for using Microsoft’s sign-in verification system. Please press the pound key to finish your verification. If you did not initiate this verification, someone may be trying to access your account. Please press zero pound to submit a fraud alert. This will notify your company’s IT team and block further verification attempts.
Fraud reported – A fraud alert has been submitted. To unblock your account, please contact your company’s IT help desk.
Activation – Thank you for using Microsoft’s sign-in verification system. Please press the pound key to finish your verification.
Authentication denied retry – Verification denied.
Retry (Standard) – Thank you for using Microsoft’s sign-in verification system. Please press the pound key to finish your verification.
Greeting (Standard) – Thank you for using Microsoft’s sign-in verification system. Please press the pound key to finish your verification.
Greeting (PIN) – Thank you for using Microsoft’s sign-in verification system. Please enter your PIN followed by the pound key to finish your verification.
Fraud greeting (PIN) – Thank you for using Microsoft’s sign-in verification system. Please enter your PIN followed by the pound key to finish your verification. If you did not initiate this verification, someone may be trying to access your account. Please press zero pound to submit a fraud alert. This will notify your company’s IT team and block further verification attempts.
Retry (PIN) – Thank you for using Microsoft’s sign-in verification system. Please enter your PIN followed by the pound key to finish your verification.
Extension prompt after digits – If already at this extension, press the pound key to continue.
Authentication denied – I’m sorry, we cannot sign you in at this time. Please try again later.
Activation greeting (Standard) – Thank you for using Microsoft’s sign-in verification system. Please press the pound key to finish your verification.
Activation retry (Standard) – Thank you for using Microsoft’s sign-in verification system. Please press the pound key to finish your verification.
Activation greeting (PIN) – Thank you for using Microsoft’s sign-in verification system. Please enter your PIN followed by the pound key to finish your verification.
Extension prompt before digits – Thank you for using Microsoft’s sign-in verification system. Please transfer this call to extension …

One-time bypass

The one-time bypass feature allows a user to authenticate a single time without performing two-step verification. The bypass is temporary and expires after a specified number of seconds. In situations where the mobile app or phone is not receiving a notification or phone call, you can allow a one-time bypass so the user can access the desired resource.

Create a one-time bypass

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > One-time bypass.
  3. Select Add.
  4. If necessary, select the replication group for the bypass.
  5. Enter the username as [email protected]. Enter the number of seconds that the bypass should last. Enter the reason for the bypass.
  6. Select Add. The time limit goes into effect immediately. The user needs to sign in before the one-time bypass expires.

View the one-time bypass report

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Security > MFA > One-time bypass.

Caching rules

You can set a time period during which authentication attempts are allowed after a user has been authenticated by using the caching feature. Subsequent authentication attempts for the user within the specified time period succeed automatically. Caching is primarily used when on-premises systems, such as a VPN, send multiple verification requests while the first request is still in progress. This feature allows the subsequent requests to succeed automatically once the user completes the first verification that is in progress.

The caching feature is not intended to be used for sign-ins to Azure Active Directory (Azure AD).

Set up caching

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > Caching rules.
  3. Select Add.
  4. Select the cache type from the drop-down list. Enter the maximum number of cache seconds.
  5. If necessary, select an authentication type and specify an application.
  6. Select Add.

MFA service settings

Settings for app passwords, trusted IPs, verification options, and remember multi-factor authentication for Azure Multi-Factor Authentication can be found in service settings. Service settings can be accessed from the Azure portal by browsing to Azure Active Directory > Security > MFA > Getting started > Configure > Additional cloud-based MFA settings.

The trusted IP address ranges can be private or public.

App passwords

Some applications, like Office 2020 or earlier and Apple Mail before iOS 11, don’t support two-step verification. The apps aren’t configured to accept a second verification. To use these applications, take advantage of the app passwords feature. You can use an app password in place of your traditional password to allow an app to bypass two-step verification and continue working.

Modern authentication is supported for the Microsoft Office 2020 clients and later. Office 2020 clients, including Outlook, support modern authentication protocols and can be enabled to work with two-step verification. After the client is enabled, app passwords aren’t required for the client.

App passwords do not work with Conditional Access based multi-factor authentication policies and modern authentication.

Considerations about app passwords

When using app passwords, consider the following important points:

  • App passwords are only entered once per application. Users don’t have to keep track of the passwords or enter them every time.
  • The actual password is automatically generated and is not supplied by the user. The automatically generated password is harder for an attacker to guess and is more secure.
  • There is a limit of 40 passwords per user.
  • Applications that cache passwords and use them in on-premises scenarios can start to fail because the app password isn’t known outside the work or school account. An example of this scenario is Exchange emails that are on-premises, but the archived mail is in the cloud. In this scenario, the same password doesn’t work.
  • After Multi-Factor Authentication is enabled on a user’s account, app passwords can be used with most non-browser clients like Outlook and Microsoft Skype for Business. Administrative actions can’t be performed by using app passwords through non-browser applications, such as Windows PowerShell. The actions can’t be performed even when the user has an administrative account. To run PowerShell scripts, create a service account with a strong password and don’t enable the account for two-step verification.

App passwords don’t work in hybrid environments where clients communicate with both on-premises and cloud auto-discover endpoints. Domain passwords are required to authenticate on-premises. App passwords are required to authenticate with the cloud.

Guidance for app password names

App password names should reflect the device on which they’re used. If you have a laptop that has non-browser applications like Outlook, Word, and Excel, create one app password named Laptop for these apps. Create another app password named Desktop for the same applications that run on your desktop computer.

We recommend that you create one app password per device, rather than one app password per application.

Federated or single sign-on app passwords

Azure AD supports federation, or single sign-on (SSO), with on-premises Windows Server Active Directory Domain Services (AD DS). If your organization is federated with Azure AD and you’re using Azure Multi-Factor Authentication, consider the following points about app passwords.

The following points apply only to federated (SSO) customers.

App passwords are verified by Azure AD, and therefore, bypass federation. Federation is actively used only when setting up app passwords.

The Identity Provider (IdP) is not contacted for federated (SSO) users, unlike in the passive flow. The app passwords are stored in the work or school account. If a user leaves the company, the user’s information flows to the work or school account by using DirSync in real time. Disabling or deleting the account can take up to three hours to synchronize, which can delay disabling or deleting the app password in Azure AD.

On-premises client Access Control settings aren’t honored by the app passwords feature.

No on-premises authentication logging/auditing capability is available for use with the app passwords feature.

Some advanced architectures require a combination of credentials for two-step verification with clients. These credentials can include a work or school account username and password, and app passwords. The requirements depend on how the authentication is performed. For clients that authenticate against an on-premises infrastructure, a work or school account username and password are required. For clients that authenticate against Azure AD, an app password is required.

For example, suppose you have the following architecture:

  • Your on-premises instance of Active Directory is federated with Azure AD.
  • You’re using Exchange online.
  • You’re using Skype for Business on-premises.
  • You’re using Azure Multi-Factor Authentication.

In this scenario, you use the following credentials:

  • To sign in to Skype for Business, use your work or school account username and password.
  • To access the address book from an Outlook client that connects to Exchange online, use an app password.

Allow users to create app passwords

By default, users can’t create app passwords. The app passwords feature must be enabled. To give users the ability to create app passwords, use the following procedure:

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users.
  3. Select Multi-Factor Authentication.
  4. Under Multi-Factor Authentication, select service settings.
  5. On the Service Settings page, select the Allow users to create app passwords to sign in to non-browser apps option.

Create app passwords

Users can create app passwords during their initial registration. The user has the option to create app passwords at the end of the registration process.

Users can also create app passwords after registration. For more information and detailed steps for your users, see What are app passwords in Azure Multi-Factor Authentication?

Trusted IPs

The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or federated tenant. The feature bypasses two-step verification for users who sign in from the company intranet. The feature is available with the full version of Azure Multi-Factor Authentication, and not the free version for administrators. For details on how to get the full version of Azure Multi-Factor Authentication, see Azure Multi-Factor Authentication.

MFA trusted IPs and Conditional Access named locations only work with IPv4 addresses.

If your organization deploys the NPS extension to provide MFA to on-premises applications, note that the source IP address will always appear to be the NPS server through which the authentication attempt flows.

Azure AD tenant type | Trusted IPs feature options
--- | ---
Managed | Specific range of IP addresses: Administrators specify a range of IP addresses that can bypass two-step verification for users who sign in from the company intranet. A maximum of 50 Trusted IP ranges can be configured.
Federated | All Federated Users: All federated users who sign in from inside of the organization can bypass two-step verification. The users bypass verification by using a claim that is issued by Active Directory Federation Services (AD FS). Specific range of IP addresses: Administrators specify a range of IP addresses that can bypass two-step verification for users who sign in from the company intranet.

The Trusted IPs bypass works only from inside of the company intranet. If you select the All Federated Users option and a user signs in from outside the company intranet, the user has to authenticate by using two-step verification. The process is the same even if the user presents an AD FS claim.

End-user experience inside of corpnet

When the Trusted IPs feature is disabled, two-step verification is required for browser flows. App passwords are required for older rich client applications.

When the Trusted IPs feature is enabled, two-step verification is not required for browser flows. App passwords are not required for older rich client applications, provided that the user hasn’t created an app password. After an app password is in use, the password remains required.

End-user experience outside corpnet

Regardless of whether the Trusted IPs feature is enabled, two-step verification is required for browser flows. App passwords are required for older rich client applications.

Enable named locations by using Conditional Access

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Security > Conditional Access > Named locations.
  3. Select New location.
  4. Enter a name for the location.
  5. Select Mark as trusted location.
  6. Enter the IP Range in CIDR notation like 192.168.1.1/24.
  7. Select Create.

Enable the Trusted IPs feature by using Conditional Access

On the left, select Azure Active Directory > Security > Conditional Access > Named locations.

Select Configure MFA trusted IPs.

On the Service Settings page, under Trusted IPs, choose one (or both) of the following two options:

For requests from federated users originating from my intranet: To choose this option, select the check box. All federated users who sign in from the corporate network bypass two-step verification by using a claim that is issued by AD FS. Ensure that AD FS has a rule to add the intranet claim to the appropriate traffic. If the rule does not exist, create the following rule in AD FS:

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"] => issue(claim = c);

For requests from a specific range of public IPs: To choose this option, enter the IP addresses in the text box by using CIDR notation.

  • For IP addresses that are in the range xxx.xxx.xxx.1 through xxx.xxx.xxx.254, use notation like xxx.xxx.xxx.0/24.
  • For a single IP address, use notation like xxx.xxx.xxx.xxx/32.
  • Enter up to 50 IP address ranges. Users who sign in from these IP addresses bypass two-step verification.

Select Save.

Enable the Trusted IPs feature by using service settings

On the left, select Azure Active Directory > Users.

Select Multi-Factor Authentication.

Under Multi-Factor Authentication, select service settings.

On the Service Settings page, under Trusted IPs, choose one (or both) of the following two options:

For requests from federated users on my intranet: To choose this option, select the check box. All federated users who sign in from the corporate network bypass two-step verification by using a claim that is issued by AD FS. Ensure that AD FS has a rule to add the intranet claim to the appropriate traffic. If the rule does not exist, create the following rule in AD FS:

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"] => issue(claim = c);

For requests from a specified range of IP address subnets: To choose this option, enter the IP addresses in the text box by using CIDR notation.

  • For IP addresses that are in the range xxx.xxx.xxx.1 through xxx.xxx.xxx.254, use notation like xxx.xxx.xxx.0/24.
  • For a single IP address, use notation like xxx.xxx.xxx.xxx/32.
  • Enter up to 50 IP address ranges. Users who sign in from these IP addresses bypass two-step verification.

Select Save.
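As an added illustration (not Microsoft's code), the following Python model shows how the trusted IP ranges entered in either of the two procedures above are validated and matched against a sign-in's source address, including the NPS extension caveat noted earlier: the address that is evaluated is the NPS server's, not the end user's. All IP addresses are constructed samples.

```python
import ipaddress

MAX_TRUSTED_RANGES = 50   # limit stated for trusted IP ranges above


def parse_trusted_ranges(entries):
    """Validate trusted-IP entries the way the text describes them: CIDR
    notation, IPv4 only, no more than 50 ranges. Returns IPv4Network objects."""
    if len(entries) > MAX_TRUSTED_RANGES:
        raise ValueError(f"at most {MAX_TRUSTED_RANGES} trusted IP ranges are allowed")
    networks = []
    for entry in entries:
        # strict=False accepts host-style entries such as 192.168.1.1/24 (the
        # form used in the named-location example above); host bits are masked.
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            raise ValueError(f"{entry!r} is not valid CIDR notation") from exc
        if net.version != 4:
            raise ValueError(f"{entry!r}: trusted IPs only work with IPv4 addresses")
        networks.append(net)
    return networks


def effective_source_ip(client_ip, nps_server_ip=None):
    """The address the MFA service actually sees. When the request reaches it
    through the NPS extension, that is the NPS server's address."""
    return nps_server_ip if nps_server_ip else client_ip


def trusted_ip_bypass(client_ip, networks, nps_server_ip=None):
    """Return (bypass, matched_range) for one sign-in: True and the matching
    range when the evaluated address falls inside a trusted range, else
    (False, None). IPv6 sources never match, since only IPv4 is supported."""
    seen = ipaddress.ip_address(effective_source_ip(client_ip, nps_server_ip))
    if seen.version != 4:
        return False, None
    for net in networks:
        if seen in net:
            return True, str(net)
    return False, None


if __name__ == "__main__":
    # Constructed sample configuration: one /24 and one single-host /32 range.
    trusted = parse_trusted_ranges(["192.168.1.1/24", "203.0.113.10/32"])
    print(trusted_ip_bypass("192.168.1.77", trusted))    # (True, '192.168.1.0/24')
    print(trusted_ip_bypass("198.51.100.5", trusted))    # (False, None)
    # Same external user, but the request arrives via an NPS server inside the
    # trusted /24: the bypass is granted on the NPS server's address.
    print(trusted_ip_bypass("198.51.100.5", trusted, nps_server_ip="192.168.1.20"))
```

The last call shows why the NPS caveat matters: if the NPS server's own address sits inside a trusted range, every request that flows through it matches that range regardless of where the user really is.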

Verification methods

You can choose the verification methods that are available for your users. The following table provides a brief overview of the methods.

When your users enroll their accounts for Azure Multi-Factor Authentication, they choose their preferred verification method from the options that you have enabled. Guidance for the user enrollment process is provided in Set up my account for two-step verification.

Method | Description
--- | ---
Call to phone | Places an automated voice call. The user answers the call and presses # on the phone keypad to authenticate. The phone number is not synchronized to on-premises Active Directory.
Text message to phone | Sends a text message that contains a verification code. The user is prompted to enter the verification code into the sign-in interface. This process is called one-way SMS. Two-way SMS means that the user must text back a particular code. Two-way SMS is deprecated and not supported after November 14, 2020. Administrators should enable another method for users who previously used two-way SMS.
Notification through mobile app | Sends a push notification to your phone or registered device. The user views the notification and selects Verify to complete verification. The Microsoft Authenticator app is available for Windows Phone, Android, and iOS.
Verification code from mobile app or hardware token | The Microsoft Authenticator app generates a new OATH verification code every 30 seconds. The user enters the verification code into the sign-in interface. The Microsoft Authenticator app is available for Windows Phone, Android, and iOS.

Enable and disable verification methods

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users.
  3. Select Multi-Factor Authentication.
  4. Under Multi-Factor Authentication, select service settings.
  5. On the Service Settings page, under verification options, select or clear the methods to provide to your users.
  6. Click Save.

Additional details about the use of authentication methods can be found in the article What are authentication methods.

Remember Multi-Factor Authentication

The remember Multi-Factor Authentication feature for devices and browsers that are trusted by the user is a free feature for all Multi-Factor Authentication users. Users can bypass subsequent verifications for a specified number of days after they’ve successfully signed in to a device by using Multi-Factor Authentication. The feature enhances usability by minimizing the number of times a user has to perform two-step verification on the same device.

If an account or device is compromised, remembering Multi-Factor Authentication for trusted devices can affect security. If a corporate account becomes compromised or a trusted device is lost or stolen, you should Revoke MFA Sessions.

Revoking MFA sessions removes the trusted status from all devices, and the user is required to perform two-step verification again. You can also instruct your users to restore Multi-Factor Authentication on their own devices with the instructions in Manage your settings for two-step verification.

How the feature works

The remember Multi-Factor Authentication feature sets a persistent cookie on the browser when a user selects the Don’t ask again for X days option at sign-in. The user isn’t prompted again for Multi-Factor Authentication from that same browser until the cookie expires. If the user opens a different browser on the same device or clears their cookies, they’re prompted again to verify.


The Don’t ask again for X days option isn’t shown on non-browser applications, regardless of whether the app supports modern authentication. These apps use refresh tokens that provide new access tokens every hour. When a refresh token is validated, Azure AD checks that the last two-step verification occurred within the specified number of days.

The feature reduces the number of authentications on web apps, which normally prompt every time. The feature increases the number of authentications for modern authentication clients, which normally prompt every 90 days. It may also increase the number of authentications when combined with Conditional Access policies.

The remember Multi-Factor Authentication feature is not compatible with the keep me signed in feature of AD FS, when users perform two-step verification for AD FS through Azure Multi-Factor Authentication Server or a third-party multi-factor authentication solution.

If your users select keep me signed in on AD FS and also mark their device as trusted for Multi-Factor Authentication, the user isn’t automatically verified after the remember multi-factor authentication number of days expires. Azure AD requests a fresh two-step verification, but AD FS returns a token with the original Multi-Factor Authentication claim and date, rather than performing two-step verification again. This reaction sets off a verification loop between Azure AD and AD FS.

The remember Multi-Factor Authentication feature is not compatible with B2B users and will not be visible for B2B users when signing into the invited tenants.
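To make the behaviour described under "How the feature works" concrete, here is an added Python model (illustrative, not Azure AD's code) of the remember-MFA state for one user: a persistent cookie per browser, the refresh-token check that non-browser clients go through, and the effect of clearing cookies or revoking MFA sessions. Times are seconds since the epoch and browser identifiers are constructed labels.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_REMEMBER_DAYS = 14      # portal default quoted in the procedure below
SECONDS_PER_DAY = 86_400


@dataclass
class RememberMfaState:
    """Remember-MFA state for one user. cookie_expiry holds the expiry time of
    the 'Don't ask again for X days' cookie per browser; last_mfa_at is the time
    of the last two-step verification, which the refresh-token path checks."""
    remember_days: int = DEFAULT_REMEMBER_DAYS
    cookie_expiry: Dict[str, float] = field(default_factory=dict)
    last_mfa_at: Optional[float] = None

    @property
    def window(self) -> float:
        return self.remember_days * SECONDS_PER_DAY

    def complete_mfa(self, browser_id: str, now: float, dont_ask_again: bool) -> None:
        """The user passed two-step verification in this browser. Selecting
        'Don't ask again' sets the persistent cookie for that browser only."""
        self.last_mfa_at = now
        if dont_ask_again:
            self.cookie_expiry[browser_id] = now + self.window

    def browser_needs_prompt(self, browser_id: str, now: float) -> bool:
        """Browser flow: prompt unless this browser holds an unexpired cookie.
        A different browser on the same device has no cookie and is prompted."""
        expiry = self.cookie_expiry.get(browser_id)
        return expiry is None or now >= expiry

    def refresh_token_needs_prompt(self, now: float) -> bool:
        """Non-browser client: no cookie option is shown; when the refresh token
        is validated, the last two-step verification must fall within the window."""
        return self.last_mfa_at is None or now - self.last_mfa_at >= self.window

    def clear_cookies(self, browser_id: str) -> None:
        """The user cleared cookies in one browser: that browser is prompted again."""
        self.cookie_expiry.pop(browser_id, None)

    def revoke_mfa_sessions(self) -> None:
        """Admin 'Revoke MFA Sessions' after a compromise or lost device: trusted
        status is removed from every device, so every path prompts again."""
        self.cookie_expiry.clear()
        self.last_mfa_at = None


if __name__ == "__main__":
    t0 = 1_600_000_000.0                                  # constructed timestamp
    state = RememberMfaState()
    state.complete_mfa("laptop-edge", t0, dont_ask_again=True)
    print(state.browser_needs_prompt("laptop-edge", t0 + 13 * SECONDS_PER_DAY))   # False
    print(state.browser_needs_prompt("laptop-chrome", t0))                         # True
    print(state.refresh_token_needs_prompt(t0 + 14 * SECONDS_PER_DAY))            # True
```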

Enable remember Multi-Factor Authentication

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users.
  3. Select Multi-Factor Authentication.
  4. Under Multi-Factor Authentication, select service settings.
  5. On the Service Settings page, under remember multi-factor authentication, select the Allow users to remember multi-factor authentication on devices they trust option.
  6. Set the number of days to allow trusted devices to bypass two-step verification. The default is 14 days.
  7. Select Save.

Mark a device as trusted

After you enable the remember Multi-Factor Authentication feature, users can mark a device as trusted when they sign in by selecting Don’t ask again.
