Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Reply
Level 3 Contributor

Break the Glass Admin no longer compliant?

At Microsoft Ignite 2018 (see attached) they recommended that we setup a "Break the glass" admin in case MFA should be unavalible. With the new requierments to the Partner Portal requiering ALL users to have MFA enabled do we no longer have the option for a break the glass admin for partners? We can still set this up for client domain but the question is for partners.

33 REPLIES 33
Moderator

Hi @MVolker,

 

I can confirm that you can use app passwords for devices and services that do not support modern authentication. However, when using app password you should consider the important points documented here

 

Thank you for sharing the feedback regarding the documentation. I am currently working on incorporating information regarding the support for app passwords and various other topics. As the updates are being made I will work to remove the ambiguity that you mentioned.

Level 2 Contributor

@idwilliams 

 

You said that App Passwords are allowed but I know they are not able to be used with Conditional Access policies. Am I correct in assuming that we are allowed to enforce MFA by changing user states in the Azure Multi-Factor Authentication portal, provided that we enforce for all users?

 

Link for what I am talking about: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#enable-azure-mfa-by-changing-user-state

Microsoft

@TomR : Yes, MFA can also be enforced by changing the user state. You can also mix - so enabling MFA per user for some users, and enforcing MFA for others with conditional access rules.

Kind regards,
Janosch
Level 2 Contributor

So to be clear, we do not need to use the Baseline CA policies to meet these requirements? Are we still allowed to use Trusted Locations in the MFA settings, or will those go away or need to be turned off?

 

I'm really curious to know how Microsoft will be confirming that we are "compliant", because even though I have had a CA policy for months that requires MFA for All Apps for All Guests in our tenant, my Secure Score is still really low because it apparently doesn't recognize that as enforcing MFA, even though it is.

Microsoft

@kcears : No, baseline policies are not needed if you use other means to enforce MFA. Trusted locations exclusion is not allowed.

See also here for an updated FAQ:  https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq

 

No info on how technical compliance will be enforced yet.

Kind regards,
Janosch
Level 1 Contributor

Jason, A few weeks ago you wrote "MFA can also be enforced by changing the user state. You can also mix - so enabling MFA per user for some users, and enforcing MFA for others with conditional access rules."  

 

Does this require an Azure Premium license?  If not, how do you mix given that conditional access exclusions are not available?

Microsoft

@simplepowerit : Yes, creating your own conditional access rules requires AAD Premium Plan1, MFA per user is also available when licensing Office365 E3. So in this scenario you would not use the baseline policies, but only create CA rules yourself where you are able to set exclusions and choose MFA as control.

 

Kind regards,
Janosch
Level 1 Contributor

Sorry, that last question was intended for 

Level 1 Contributor

We're planning to implement a CA policy requiring MFA for all users (including Guests), except the accounts that we need to use app passwords for (e.g. our ticketing system and our multi-functional printers). Those accounts will have their user state set to Enabled in the Azure MFA portal, and will be using an app password to authenticate.

 

This way we'll still have the 100% coverage the new security requirement calls for and be in compliance (I hope).

Level 4 Contributor
Visitor 1

We have the exact same problem... From the baseline policy documentation, it seems like there should be an exclude functionality there, but it's not present in any of our tenants. 

We have made two new policies that does the same thing as the baseline policies... 

 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-baseline-protect-administrators 

Level 2 Contributor

Can you provide a quick guide/screenshots of which settings you chose to setup 2 policies equiliant to the PREVIEW policies - but with EXCLUSION possibilities

Level 3 Contributor

Definitely good point. We use at least CA rule to only allow from emergency location. But it seems that this will also not satisfy this.