maester365 / maester

The core repository for the Maester module with helper cmdlets that will be called from the Pester tests.
https://maester.dev
MIT License

New Test: SMS-based authentication should be disabled #177

Closed merill closed 1 month ago

merill commented 4 months ago

SMS sign-in is a primary sign-in factor using SMS (instead of the password, which is the default); it is meant for specific front-line worker scenarios that don't require strong authentication with MFA.

Recommendation: Should be disabled.

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-sms-signin

https://x.com/janbakker_/status/1790996204890829104

f-bader commented 4 months ago

@Cloud-Architekt and @merill, following your discussion on Twitter (now also known as X): should we create a separate check in maester or make EIDSCA.AS01 work with maester? Currently the discovery configuration is missing from this section of the JSON.

Cloud-Architekt commented 4 months ago

@f-bader and @merill: I would like to cover them as part of the existing EIDSCA.AS01 checks. We only need to decide whether we want to test for the state only or in combination with the scope ("all users"). A general check on the state could be valid if there are just (obvious) security concerns (even for frontline workers) and no valid use cases for B2X.
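The check discussed in the issue description and in the state-versus-scope question above, written out as an added Pester example. This is not Maester's own code and not the AS04 check that was later merged: it assumes an existing `Connect-MgGraph` session with `Policy.Read.All`, uses the Graph `authenticationMethodConfigurations/Sms` resource (whose `includeTargets` entries carry the `isUsableForSignIn` flag that turns SMS from an MFA method into a primary sign-in factor), and the sample policy objects at the bottom are constructed for offline testing of the evaluation logic.

```powershell
# Added example, not part of the Maester project. Evaluates whether SMS sign-in
# (SMS as a primary authentication factor) is enabled in the Entra
# authentication methods policy. Requires Microsoft.Graph.Authentication and
# a Connect-MgGraph session with Policy.Read.All when run against a tenant.

function Test-SmsSignInDisabled {
    [CmdletBinding()]
    param(
        # Object shaped like the Graph smsAuthenticationMethodConfiguration
        # resource: .state ('enabled'/'disabled') and .includeTargets[], where each
        # target has .id ('all_users' or a group id) and .isUsableForSignIn.
        [Parameter(Mandatory)] $SmsConfig
    )

    # Targets that have SMS usable for sign-in, not just for MFA.
    $signInTargets = @($SmsConfig.includeTargets | Where-Object { $_.isUsableForSignIn -eq $true })

    # Scope dimension from the discussion: is sign-in enabled tenant-wide?
    $allUsersSignIn = @($signInTargets | Where-Object { $_.id -eq 'all_users' }).Count -gt 0

    [pscustomobject]@{
        MethodEnabled     = ($SmsConfig.state -eq 'enabled')
        SignInTargets     = $signInTargets
        AllUsersSignIn    = $allUsersSignIn
        # Recommendation in the issue: no one should have SMS sign-in enabled.
        # A disabled method cannot be used for sign-in regardless of targets.
        Pass              = ($SmsConfig.state -ne 'enabled') -or ($signInTargets.Count -eq 0)
    }
}

function Get-SmsAuthenticationMethodConfiguration {
    # Live query; assumes Invoke-MgGraphRequest from Microsoft.Graph.Authentication.
    $uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Sms'
    Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
}

Describe 'SMS-based sign-in (added example)' {
    It 'SMS sign-in should not be usable for any target' {
        $result = Test-SmsSignInDisabled -SmsConfig (Get-SmsAuthenticationMethodConfiguration)
        $targets = ($result.SignInTargets | ForEach-Object { $_.id }) -join ', '
        $result.Pass | Should -Be $true -Because "SMS sign-in is enabled for: $targets"
    }
}

# Constructed sample policies for offline checking of the evaluation logic.
$sampleFail = [pscustomobject]@{
    state          = 'enabled'
    includeTargets = @(
        [pscustomobject]@{ id = 'all_users'; isUsableForSignIn = $true }
    )
}
$samplePassMfaOnly = [pscustomobject]@{
    state          = 'enabled'   # SMS allowed as an MFA method, but not for sign-in
    includeTargets = @(
        [pscustomobject]@{ id = 'all_users'; isUsableForSignIn = $false }
    )
}
$samplePassDisabled = [pscustomobject]@{ state = 'disabled'; includeTargets = @() }

(Test-SmsSignInDisabled $sampleFail).Pass          # $false, AllUsersSignIn $true
(Test-SmsSignInDisabled $samplePassMfaOnly).Pass   # $true
(Test-SmsSignInDisabled $samplePassDisabled).Pass  # $true
```

The evaluation is split from the Graph call so the state-only and scope-aware variants can be compared on constructed input: `Pass` implements the "nobody should have it" position from the thread, while `AllUsersSignIn` exposes the tenant-wide scope separately if a check ever wants to distinguish a group-scoped front-line deployment from a tenant-wide one.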

merill commented 2 months ago

I would say SMS-sign in should not be enabled for anyone as the default.

Any tenant that turns it on should have to consciously disable this test.

merill commented 2 months ago

@Cloud-Architekt was this added to EIDSCA?

Cloud-Architekt commented 1 month ago

Check has been implemented (AS04): https://github.com/maester365/maester/pull/418