Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Take the survey
Reply
alorenzen
Level 3 Contributor
‎06-27-2019 12:07 PM
Level 3 Contributor
‎06-27-2019 12:07 PM

Break the Glass Admin no longer compliant?

At Microsoft Ignite 2018 (see attached) they recommended that we setup a "Break the glass" admin in case MFA should be unavalible. With the new requierments to the Partner Portal requiering ALL users to have MFA enabled do we no longer have the option for a break the glass admin for partners? We can still set this up for client domain but the question is for partners.

Labels:
Preview file
506 KB
Preview file
285 KB
33 REPLIES 33
idwilliams
Moderator
‎07-13-2019 07:07 AM
Moderator
In response to MVolker
‎07-13-2019 07:07 AM

Hi @MVolker,

 

I can confirm that you can use app passwords for devices and services that do not support modern authentication. However, when using app password you should consider the important points documented here

 

Thank you for sharing the feedback regarding the documentation. I am currently working on incorporating information regarding the support for app passwords and various other topics. As the updates are being made I will work to remove the ambiguity that you mentioned.

TomR
Level 2 Contributor
‎07-15-2019 10:18 AM
Level 2 Contributor
In response to idwilliams
‎07-15-2019 10:18 AM

@idwilliams 

 

You said that App Passwords are allowed but I know they are not able to be used with Conditional Access policies. Am I correct in assuming that we are allowed to enforce MFA by changing user states in the Azure Multi-Factor Authentication portal, provided that we enforce for all users?

 

Link for what I am talking about: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#enable-azure-mfa-by-changing-user-state

0 Kudos
JanoschUlmer
Microsoft
‎07-16-2019 02:52 AM
Microsoft
In response to TomR
‎07-16-2019 02:52 AM

@TomR : Yes, MFA can also be enforced by changing the user state. You can also mix - so enabling MFA per user for some users, and enforcing MFA for others with conditional access rules.

kcears
Level 2 Contributor
‎07-19-2019 02:21 PM
Level 2 Contributor
In response to JanoschUlmer
‎07-19-2019 02:21 PM

So to be clear, we do not need to use the Baseline CA policies to meet these requirements? Are we still allowed to use Trusted Locations in the MFA settings, or will those go away or need to be turned off?

 

I'm really curious to know how Microsoft will be confirming that we are "compliant", because even though I have had a CA policy for months that requires MFA for All Apps for All Guests in our tenant, my Secure Score is still really low because it apparently doesn't recognize that as enforcing MFA, even though it is.

0 Kudos
JanoschUlmer
Microsoft
‎07-22-2019 12:50 AM
Microsoft
In response to kcears
‎07-22-2019 12:50 AM

@kcears : No, baseline policies are not needed if you use other means to enforce MFA. Trusted locations exclusion is not allowed.

See also here for an updated FAQ:  https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq

 

No info on how technical compliance will be enforced yet.

0 Kudos
simplepowerit
Level 1 Contributor
‎07-30-2019 03:56 PM
Level 1 Contributor
In response to JanoschUlmer
‎07-30-2019 03:56 PM

Jason, A few weeks ago you wrote "MFA can also be enforced by changing the user state. You can also mix - so enabling MFA per user for some users, and enforcing MFA for others with conditional access rules."  

 

Does this require an Azure Premium license?  If not, how do you mix given that conditional access exclusions are not available?

0 Kudos
JanoschUlmer
Microsoft
‎07-31-2019 12:20 AM
Microsoft
In response to simplepowerit
‎07-31-2019 12:20 AM

@simplepowerit : Yes, creating your own conditional access rules requires AAD Premium Plan1, MFA per user is also available when licensing Office365 E3. So in this scenario you would not use the baseline policies, but only create CA rules yourself where you are able to set exclusions and choose MFA as control.

 

0 Kudos
simplepowerit
Level 1 Contributor
‎07-30-2019 05:35 PM
Level 1 Contributor
In response to simplepowerit
‎07-30-2019 05:35 PM

Sorry, that last question was intended for 

0 Kudos
ghvanderweg
Level 1 Contributor
‎07-16-2019 01:17 AM
Level 1 Contributor
In response to TomR
‎07-16-2019 01:17 AM

We're planning to implement a CA policy requiring MFA for all users (including Guests), except the accounts that we need to use app passwords for (e.g. our ticketing system and our multi-functional printers). Those accounts will have their user state set to Enabled in the Azure MFA portal, and will be using an app password to authenticate.

 

This way we'll still have the 100% coverage the new security requirement calls for and be in compliance (I hope).

0 Kudos
ziesemer
Level 3 Contributor
‎06-28-2019 08:37 AM
Level 3 Contributor
‎06-28-2019 08:37 AM

See also: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access

0 Kudos
Mreinha
‎07-01-2019 12:55 AM
Visitor 1
In response to ziesemer
‎07-01-2019 12:55 AM

We have the exact same problem... From the baseline policy documentation, it seems like there should be an exclude functionality there, but it's not present in any of our tenants. 

We have made two new policies that does the same thing as the baseline policies... 

 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-baseline-protect-administrators 

Morten_Knudsen
Level 2 Contributor
‎07-03-2019 05:30 AM
Level 2 Contributor
In response to Mreinha
‎07-03-2019 05:30 AM

Can you provide a quick guide/screenshots of which settings you chose to setup 2 policies equiliant to the PREVIEW policies - but with EXCLUSION possibilities

WolfKPCS
Level 3 Contributor
‎06-28-2019 01:38 AM
Level 3 Contributor
‎06-28-2019 01:38 AM

Definitely good point. We use at least CA rule to only allow from emergency location. But it seems that this will also not satisfy this.

0 Kudos
Follow Us
    Share