Microsoft Entra identity verification for account recovery and what a near miss revealed about our recovery flow
Posted by Only_Helicopter_8127@reddit | sysadmin | 10 comments
A social engineering attempt on a senior account nearly made it through our M365 recovery flow last month. The attacker had enough personal information to pass knowledge-based verification and the attempt only failed because someone on the helpdesk escalated instead of processing it.
After that I went looking at what Microsoft offers for account recovery beyond knowledge-based fallbacks and found that Microsoft Entra has started integrating with identity verification vendors for biometric-backed recovery as a replacement.
I had not seen this in production anywhere and cannot find guidance on how enrollment works for an existing user base that never went through biometric verification at onboarding. If anyone in enterprise M365 environments has deployed this, the real production experience is what I want to understand.
Gullible_Nectarine20@reddit
We had a similar social engineering attempt recently, and it was eye-opening. We're exploring more robust identity verification and have been looking at solutions like Risotto to automate some of the more common, lower-risk identity-related tasks, freeing up our helpdesk to focus on the trickier cases.
ImpressiveProduce977@reddit
Before you deploy anything, run a tabletop on your current recovery flow with your helpdesk team playing attacker. You may find where the gaps are, and it will probably change what you decide to prioritize fixing first.
Glad-Watercress4677@reddit
The enrollment flow for existing users through Entra works on a challenge-at-next-login basis rather than requiring a separate enrollment event.
User gets prompted during their normal authentication flow, completes biometric verification once, and the credential gets issued to their Entra profile.
Reduces the adoption problem considerably compared to running a separate enrollment campaign.
Similar_Cantaloupe29@reddit
The enrollment flow for existing users on au10tix through Entra works on a challenge-at-next-login basis rather than requiring a separate enrollment event. User gets prompted during their normal authentication flow, completes biometric verification once, and the credential gets issued to their Entra profile.
Reduces the adoption problem considerably compared to running a separate enrollment campaign.
Asleep_Spray274@reddit
John Savill has a good video on it
https://youtu.be/WYji1oV7GQI?si=k09vFBiS-LmUCKZt
Only_Helicopter_8127@reddit (OP)
Appreciated 🙏
Due-Philosophy2513@reddit
Worth asking whether biometric backed recovery is the right control for your entire user base or just your tier one accounts. The operational overhead of running this at scale is real and most environments do not need it everywhere.
Only_Helicopter_8127@reddit (OP)
Privileged accounts only changes the operational math significantly.
Has anyone actually done the enrollment retrofit on that subset without it becoming a separate project?
EquivalentBear6857@reddit
Do not try to roll this out across your entire user base; start with privileged accounts and service accounts only.
That is where the social engineering exposure is concentrated, and it is a small enough group to do properly without the enrollment adoption problem.
Only_Helicopter_8127@reddit (OP)
That scopes the enrollment problem down to something manageable. The near miss was on a senior account so that tier is where to start anyway.