Microsoft Partner Network

Where Microsoft's CSP, MSP, SI, and ISV partners seek new opportunities and learn from each other

YCD-EP
Level 2 Contributor

Multifactor Authentication management at Partner level

If we log in to a client's tenant account as a global admin, then we are able to administer Multifactor Authentication. However, if we do the same thing via our Partner CSP account, then we get the following error when trying to change the status from enabled to disabled or vice versa.

There was a problem with processing your request
 The service is temporarily offline for scheduled maintenance or we're investigating a problem. We're working to get it back online as quickly as possible.
 Support information
 Correlation ID: 9c846930-b923-42d6-97a1-1fa115fd881d
 Error code: 0x1000
4 REPLIES
JanoschUlmer
Microsoft

Yes, and as mentioned there should be no issue accessing the MFA configuration. So it is not a general issue that this does not work; generally it works (and thus it is something specific to your scenario).

The way you are accessing this could be the problem - do you try to directly enter the URL to the portal? E.g. logging on to the customer's Azure Portal, then opening the MFA Admin portal from there, works all the time in my tests.

For 2 you could set up an MFA app on an environment your IT team has joint access to - e.g. an Authy client running on a virtual machine. However, sharing global admin accounts itself is not recommended at all; some would say this idea alone is a compliance issue.

For 1 the specific scenario on why you can't configure this via policies/remote scripting/admin accounts would be interesting, but this is a longer discussion for sure.

For both 1 & 2 Conditional Access may again solve the problem indirectly - by exempting the MFA for the specific scenario (e.g. exclude MFA controls for the network your admins are using for this).

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices
YCD-EP
Level 2 Contributor

I should add that the reason we're doing this is so that we can do two things:

1. Temporarily remove MFA from a user so that we can configure their PC remotely without bothering them for MFA requests.

2. Temporarily remove MFA from our own global admin account on each tenant so that we can log in and do the things that we don't have access to at CSP level. Our techs work remotely and we have no realistic option for responding to MFA requests as a team. MFA, while very secure, is becoming a pain from a support team perspective.

YCD-EP
Level 2 Contributor

Thanks for your reply, but sorry - this hasn't helped.

This isn't browser specific, and it's not tenant specific either.

JanoschUlmer
Microsoft

This would be a topic for technical support; generally, accessing the MFA admin portal via Partner user accounts that have delegated admin permissions works quite well, just tested it. Might also be something for the specific tenant - and I recommend using an InPrivate/incognito browser window, and not using multiple user accounts in the same browser session; this old legacy portal can be a beast when switching between accounts.

Note that per-user MFA is considered to be legacy, so if possible I would recommend switching to Conditional Access or Security Defaults, or respectively recommending that the customer do this.

Kind regards,
Janosch
Get consultations from Technical Presales & Deployment services team via https://aka.ms/technicalservices