u/Any_Educator1315

Outlook - Office 365 Business Apps - "Open hyperlinks from Outlook in to "Default Browser"?
▲ 6 r/Intune

Does anyone have a holy key for setting Outlook options file and browser preferences "Open hyperlinks from Outlook in to "Default Browser"?

Here is a screenshot of what I'm talking about: https://ibb.co/4R5ntnd6

There are GPO/Intune/Web Settings options for this, but they only work in Office 365 Enterprise. They don't work in "Microsoft 365 apps for business". I reached out to Microsoft support and it sounded like it was a bug and not a license thing.

https://learn.microsoft.com/en-us/microsoft-365-apps/outlook/message-body/view-emails-and-web-links-in-browser

There is a purple Note thing saying:
"If your organization uses the Microsoft 365 for business plan, then you can use the Choose Which Browser Opens Web Links policy to manage the feature for Teams. However, the policy is unavailable for Outlook with this plan. Your users will need to manage the feature by using Outlook settings as described in the following section."

Maybe it's just not possible, which would be a big joke.

u/Any_Educator1315 — 14 hours ago
▲ 5 r/Intune

sad about hybrid joined smart cards with no conditional access

Customer is using Entra Free (no Conditional Access licensing). Workstations are hybrid/on-prem AD joined. Some users move between multiple computers, there’s an RDS/terminal server environment, and some remote users RDP in from personal/workgroup PCs using smart cards.

I deployed smart card login both on-prem and in Entra. One thing I realized is that Entra Certificate-Based Authentication (CBA) has to be enabled if you want users to receive an Azure/Entra SSO PRT when logging into a domain-joined workstation with a certificate. Without that, things like Windows Hello enrollment and cloud SSO break.

I also deployed Remote Credential Guard so users who log into Windows with a smart card can SSO into the terminal server without typing credentials again.

My concern is around phishing resistance. Smart cards/PIV are strong for replay resistance and credential theft, but Entra CBA itself is still vulnerable to AiTM/Evilginx-style phishing because the authentication can be proxied. So while the workstation logon is strong, cloud auth via CBA is not truly phishing resistant the same way FIDO2 is.

We are also issuing YubiKeys with both PIV + FIDO2 enabled. Entra “system preferred authentication” seems to favor FIDO2, but I’m not fully sure how that behaves in real-world phishing scenarios if users hit an Evilginx proxy.

I'm feeling bad about not locking smart cards down to hybrid joined computers in Entra. I feel like everything I want to do ends up requiring Entra P1 and all users needing to be licensed because everyone ends up benefitting, I guess.

At the same time, if I already have gaps in phishing-resistant auth because of Entra CBA, part of me feels like it’s dumb not to push harder toward Business Premium + cloud-native/FIDO2-first instead of trying to make this weird hybrid setup perfect.

Anyone have some wisdom/thoughts?

EDIT MIGHT HAVE FOUND MY ANSWER:

You can set Certificate Based Authentication as a single factor so it will require another method if two factor is turned on. The YubiKeys are being configured with Smart Card PIV AND FIDO2, so I think it will ask the user to sign in with FIDO2 after using the smart card. Will test further and report back.

u/Any_Educator1315 — 14 days ago