Using GPS Location for Conditional Access Policy

I was setting up a Conditional Access policy to block sign-ins from outside the country. I created a policy based on IP-based Named Locations, specifying a country as the trusted region. However, the problem is that users who travel overseas could still sign in if they connected through a VPN or proxy, which would then show their IP as being in the country. In some cases, mobile phone roaming plans would assign IP addresses from the country even when the device was physically overseas. The IP-based restriction wasn’t truly enforcing location. This reminds me of how we could get around streaming services like Netflix, where you can use a VPN to see movie catalogs from a different country. ...

December 16, 2025

Using Phishing-Resistant MFA in Entra ID

As I’ve been exploring passwordless authentication like Windows Hello for Business in my previous posts, one concept that has really captured my attention is the idea of phishing-resistant MFA. Traditional MFA methods, like SMS codes or OTP, can still be intercepted or tricked out of users through social engineering. Passkeys, however, are designed to close that gap by relying on cryptographic protocols that make phishing essentially impossible. Let’s say I’m signing into my account. I type in my username and password, and the system asks for a second factor. That could either be a text message with a six‑digit code or a push notification from Microsoft Authenticator on my phone. Both feel secure at first glance. But suppose I click on a fake login page that looks identical to the real one. I enter my username and password, and the fake site instantly relays those details to the real service. The service then sends me the MFA challenge. If it’s SMS, I get the code on my phone and type it into the fake page, not realizing the attacker is capturing it in real time. If it’s Authenticator, I see a push notification and approve it, thinking it’s legitimate, but in reality, I’ve just confirmed the attacker’s login attempt. ...

December 9, 2025