Actually it is not. 1:1 and group chats in Teams are stored in each participants mailbox.
Ignore this if you’re using exchange server or other onprem or cloud solution for email than exchange online :^)
Also both are stored in clear text due to compliance reasons.
While SMS is rather insecure protocol, it’s still generally the best way of delivering a new password to users as long as the username is delivered in a different way. This is mainly because it’s one of the only methods generally available that is completely separate from your other communication methods besides calling (but try delivering password via call haha)
Also the SMS should not contain any context to which system it is meant for, this info should be delivered together with the username. It’s sometimes rather easy to guess a username (such as first.lastname or shortened) but gets harder when you need to guess the system as well.
Self-Service Password Reset. You can use MFA to verify your identity to reset a password and those MFA methods can be predefined by admins.
So you can allow user to reset their initial passwords using SMS OTP and some another factor such as location (approved public IP ranges at offices for example)
I have to admit I have not implemented or even seen SSPR configured for initial password before, but this talk actually made me want investigate it further. Lab project for the weekend!
Ok, but could you imagine trying to get this user to get a password from SMS? They’d probably get a text from their friend at the same time and not understand.
“I tried every variation of ‘miss you ttys’ for the password, but nothing is working!”
Super fair, but it’s at least across two channels for a 3 day login with very limited permissions, not something I’m worried about in this situation.
Actually it is not. 1:1 and group chats in Teams are stored in each participants mailbox. Ignore this if you’re using exchange server or other onprem or cloud solution for email than exchange online :^)
https://learn.microsoft.com/en-us/purview/ediscovery-teams-workflow#where-teams-content-is-stored
Also both are stored in clear text due to compliance reasons.
While SMS is rather insecure protocol, it’s still generally the best way of delivering a new password to users as long as the username is delivered in a different way. This is mainly because it’s one of the only methods generally available that is completely separate from your other communication methods besides calling (but try delivering password via call haha)
Also the SMS should not contain any context to which system it is meant for, this info should be delivered together with the username. It’s sometimes rather easy to guess a username (such as first.lastname or shortened) but gets harder when you need to guess the system as well.
Of course even better way would be to not deliver password at all and let the user reset their passed themselves if there’s a system in place for it. SSPR if you’re in m365. https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
Edit: not sorry for rant these are very interesting topics I love to talk about.
Edit2: formatting + more rant about sms
That was a very educational rant, thank you!
I’ve heard of SSBL; Single Sign on Before Log on, but I’ve never heard of SSPR what’s that one do?
Self-Service Password Reset. You can use MFA to verify your identity to reset a password and those MFA methods can be predefined by admins.
So you can allow user to reset their initial passwords using SMS OTP and some another factor such as location (approved public IP ranges at offices for example)
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
I have to admit I have not implemented or even seen SSPR configured for initial password before, but this talk actually made me want investigate it further. Lab project for the weekend!
Ok, but could you imagine trying to get this user to get a password from SMS? They’d probably get a text from their friend at the same time and not understand.
“I tried every variation of ‘miss you ttys’ for the password, but nothing is working!”
(Hopefully obvious it’s just joking)