u/ITquestionsAccount40 — reddlx

Hello everyone, I hope this makes sense as this is my first time deeply venturing into PIM/CA.

I recently setup PIM in a test environment and made it to where admins must use FIDO2 Key in order to elevate to a PIM role. This was so that when they MFA with a code in their browser/when they login, it still requires a physical key to actually elevate to admin roles in PIM rather than passing just the session token. Trying to protect against token/session hijacking. This so far I have setup correctly in my testing.

My question now is, I realize that after all this, you can still add an MFA method to the account. When they login to account.microsoft.com and go to security settings to add an MFA option, they can authenticate with just a code. So again, if a hacker hijacks the session/token, they can just add another physical key and then elevate via PIM roles.

I want to avoid this. I already set it up so authentication methods cant be added outside the USA via a CA policy. I know you can use IPs instead to only allow registration from a specific location but our public IP is dynamic.

Any ideas how to close the loophole?

Im not sure what to do at this point and looking for other people’s thoughts. I am extremely early in my career.

I have been in this industry for 3 years and a half almost. About 1 1/2 years of help desk and was given a major learning opportunity at my previous employee of being the sysadmin/network guy (promotion) after the previous team had left at the time, so I did that for 2 years and learned sooo much and got to touch essentially everything. It was a full microsoft shop. I touched every product and system a newbie could ever dream of (Azure, HyperV, Intune, Entra, Defender, Exchange so on and so on).

Throughout my 2 years there as a sysadmin I got my MD-102 certification as I really enjoyed my work especially in Intune managing Windows and iOS devices, Id say I spent 50% of my time in there. I did a migration to Autopilot from using PXE boot and thoroughly enjoyed everything that went into that (app deployment, config profiles, setting up WUfB, etc). I became THE Admin that knew everything and setup up everything.

Flash forward to this week and I started a new job. I was hoping it would be an upgrade (slight pay increase, less responsibilities) but it feels like a downgrade to me. For one my new title kinda sucks: Specialist II, makes it sound like help desk but it is not Helpdesk. This feels like it’s going to limit me when getting a new job as my previous title was Network/System Administrator.

Second, at first I was told I would be doing app support and Intune work, as well as m365 work. But after being told my duties today, app support didn’t mean what I think it meant. I thought they meant like deployment application support and keeping windows 3rd party apps up to date with Intune. But its more like dealing with dated 3rd party app integration. My intune work will also be limited to Apple devices only, because another team takes care of everything windows related. This is a HUGE bummer to me as I was hoping to mostly do Windows Intune work. Unlike a lot of people, Im one of those freaks the genuinely enjoys working with Windows and figuring out all the quirks of Microsoft.

I want to be a full Intune SME in the future (especially on the Windows side) and it feels like this job just aint it. I really do not know what to do at this point. It has only been a few days but so far I am not happy. There is also barely any work to be done since the team is huge and so siloed off. I work in government now as well. I feel my Windows Intune skills will begin to atrophy and whither away and that really worries. I would do Intune at home but the licensing I dont want to pay for/its not in my budget at the moment.

I feel stuck here and I also feel bad because I got this job through connections after applying here and there for nearly a year. I left old employer because I just had too much on my plate for one guy and they also don’t do raises at all and I needed some more money.

The job market is my area especially is awful right now so this all just feels like a perfect storm. I feel extremely stuck now. Not even sure how I would go about applying to new jobs because i cant take time off at my new job just yet to do interviews (if I can even land one in this market, haha).

This was a lot so if you read this thank you for sticking around. Just looking to see other perspectives.