Azure MFA and Office 365 MFA interaction
We have Office 365 MFA enabled for user and service accounts in our tenant. As a CSP Partner we are required to have Azure MFA activated using the Baseline protection policies as a minimum. We do NOT sync our internal domain with Azure. Please advise me on these questions:
1. Did I waste my time setting up O365 MFA now that I have to enable Azure MFA?
2. If I enable Azure MFA will that operate in addition to the O365 MFA so that I have to register all my users again in the Authenticator app? Could I then get 2 MFA verification prompts, 1 for O365 and 1 for Azure? If this is the case should I turn off O365 MFA?
3. Some of our users do not have a smartphone and are using text messages for O365 MFA. Do I have to buy an Azure Premium licence for these users? Can I just buy it for these users?
4. Can I use App passwords with administrator accounts such as one used to backup our O365 with Skykick?
You are required to enfoprce MFA for all user accounts, you are not required to enable the baseline policies if you use other methods to ensure MFA is triggered for every user.
1. No, Office 365 MFA does also work, this is using the same AzureMFA service. The reason why this is not communicated broadly as option, is that Office 365 MFA only allows to enable MFA per user account, so it is the least preferable method since you have to constantly check that MFA is enabled for new user accounts - and enabling MFA for guest accounts, which is also required, is ... difficult (Only works when chossing one disabled internal user, then hit Ctrl and click on the user name for the guest).
"Azure MFA" is not different if you use the option to enable it per user account, actually you will be directed to enable it in the same portal.
Azure AD Premium Plan1 allows for enforcing MFA via Conditional Access, here you can make sure that all users, incluing new users and guest users, are forced to do MFA with a single policy, so this is the recommended option.
2. As mentioned above - it is the same service, and the per-user option is enabled in the same portal - if you enabled it in Office 365 already, clicking on MFA setting in Azure portal will direct you to the same portal where the user is already enabled for MFA. So registration would not be repeated, there would not be multiple prompts. This is also true if you enable MFA in Office 365, and then enforce MFA via COnditional Access.
3. Yes. Note that once the cost-free baseline policy is enabled, the initial registration for MFA has to be done via MS Authenticator (or any other 3rd party authenticator app). So if those users do not have a smartphone, and also don't want to use 3rd party token apps installed on their workstations (e.g. Authy) you should not enable the baseline policies. When you enable the baseline policy the user can add phone/text message as 2nd option after initial registration when you also have set the MFA user state to enabled. You only would need to buy AAD Premium Plan1 if you plan to use conditional access instead of per-user MFA, otherwise the O365 Enterprise plan is sufficient (note that Partners have AAD premium PLan1 in the EM+S E3 internal use right licenses).
4. Yes, you can use App Passwords. No, those don't work for SkyKick - afaik SkyKick is using this account for accessing the tenant via powershell, and powershell does not support authenticating with an app password. SkyKick needs to provide an update for their solution to work with this model, most likely they will ned to incorporate the secure app model.
Get consultations form Technical Presales & Deployment services team via https://aka.ms/technicalservices
Thank you Janosch for your comprehensive reply. Let me check I have understood you correctly:
1. Since I have setup my users with O365 MFA I can enable the 2 baseline policies and users will not have to do anything since they are already registered for MFA.
2. My users who are already registered for O365 MFA using a text message as the 2nd factor will be ok as they do not need to register again.
3. Future users registered through O365 MFA can still choose the text message option.
4. By enabling the End user protection baseline policy I will gain MFA security for guest users so any guests will have to register for MFA before they can view files etc that we have shared with them.
5. I can use app passwords in most cases but for Skykick I will have to wait for them to support MFA, which they seem to be working on according to their website.
As of March 2020, SkyKick products support MFA. Hope this helps.