APP Passwords - initial setup of service accounts that should be app password only vs authenticator app, etc.
For service accounts and similar that we need to generate app passwords….we’re forced to do another authentication method setup too (ie, authenticator app). Any way to avoid this since really unnecessary and now you’re tying a service account to a particular user/device that is setting this up?
Or do we just set it up and ..... what? Delete it from the device, but have it linger on the service account?
We use Microsoft Teams heavily within our organization, so what we've done for these shared/service accounts is just added a channel to one of our NOC focused Teams, and then registered a Google Voice number. We setup MFA to use that Google Voice number, and have it send an e-mail which goes into that MFA channel in Teams and is converted to a message. This keeps us from having to tie the account to a particular device, and also can provide notice to the team if an account gets compromised and we start seeing unexpected MFA prompts in that channel.
I've also come across this. Would appreciate a response from Microsoft.
It seems completely backward to have to configure MFA on an account where you have no intention/ability to use it because the systems using the account will only support an App Password.
The way Azure MFA works is that only the user himself can create an app password, so there is no alternative to using the service account once for logging on to aka.ms/mfasetup and thereby also registering it for MFA.
It is a logical security requirement though that, before creating an app password, some form of MFA needs to be done - it would not be adviseable from security perspective that creating app passwords that allow to bypass MFA can be created without verifying the user identity.
The MFA registration info for this account can easily be reset by the admin - so if an admin sets this up and then leaves the company together with the device/phone number used for the 2nd factor, it is not a big issue to delete the security info and register again. Another option would be to have a process that for service accounts always multiple devices need to be registered, so that this is not dependent on a single person.