
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Microsoft

Re: Break the Glass Admin no longer compliant?

@WilliamsJD : The issue of break-glass accounts has now been included in the FAQ: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#how-do-i-configure-an-emergency-access-break-glass-account 

 

The baseline policy does not allow setting exclusions or implementing different MFA providers as suggested in the FAQ, so AzureAD Premium Plan1 is required for this scenario.

Level 1 Contributor

Re: Break the Glass Admin no longer compliant?

Would Azure AD Premium plan be needed for all users or just the "break the glass" account to be excluded from baseline policies?

Microsoft

Re: Break the Glass Admin no longer compliant?

It would be required for all users - since for this scenario baseline policies could not be used at all.

Baseline policies do not allow setting exclusions, so if you enforced 3rd party MFA via a custom control in conditional access for one user while the baseline policy was still active, this user would need to fulfil the requirements of both policies.

So instead you need to create your own conditional access policies for all users - one policy for using Azure MFA, one for 3rd party MFA.

You could also work with Office 365 E1/E3 licenses + only a few AAD Premium P1 - for all users with Office 365 licenses you could enable MFA per user and only use one conditional access policy with custom control/3rd party MFA for some of the admins that have an AAD P1 license assigned.
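As an added example that is not from the thread or from Microsoft, the two-policy layout described above, expressed with the Microsoft Graph PowerShell SDK: one policy requires Azure MFA for everyone except the emergency account, and a second policy requires the third-party provider's custom control for that account, so it is still under MFA, just with a different provider. The object id and custom-control id are placeholders, and the policies are created in report-only state first.

```powershell
# Added example (not the thread's own code). Requires Azure AD Premium P1 and the
# Microsoft.Graph.Identity.SignIns module; GUIDs are placeholders to replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassId  = "00000000-0000-0000-0000-000000000001"  # placeholder: emergency account object id
$customControl = "00000000-0000-0000-0000-000000000002"  # placeholder: custom control id of the 3rd-party MFA provider

# Policy 1: Azure MFA for all users, with the emergency account excluded so it
# is not forced to satisfy two MFA providers at once.
$azureMfa = @{
    displayName = "CA01 - Require Azure MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # review sign-in logs, then set to "enabled"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: the emergency account is still required to do MFA, but via the
# 3rd-party provider registered as a custom control.
$thirdPartyMfa = @{
    displayName = "CA02 - Require 3rd-party MFA for emergency account"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator                    = "OR"
        customAuthenticationFactors = @($customControl)
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $azureMfa
New-MgIdentityConditionalAccessPolicy -BodyParameter $thirdPartyMfa
```

Before switching either policy to "enabled", confirm in the sign-in logs that the emergency account is matched only by CA02 and that no other user is matched by it.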

Level 1 Contributor

Re: Break the Glass Admin no longer compliant?

Thanks for the reply @JanoschUlmer. So if I turn on the baseline policies without a "Break the Glass" account and then something breaks about MFA what is the recovery procedure?

Microsoft

Re: Break the Glass Admin no longer compliant?

@WilliamsJD : It would be the same "recovery" as if AzureAD itself would break - the only remaining option is to open a support ticket to report problems with MFA and then wait until MFA is restored. 

 

Even when using baseline policies you are still able to use different/multiple authenticator apps (And btw - it was just confirmed that 3rd party TOTP apps such as authy.com also work) - so at least you can avoid that the "something" that breaks is a certain device/account/installation of the token app. But for the service itself there would be no recovery procedure, similar to issues in AzureAD.

 

Level 2 Contributor

Re: Break the Glass Admin no longer compliant?

Hi, @JanoschUlmer

We are a small MSP.  There are some service accounts that are used for helpdesk tickets and other things that are incoming.  Will the baseline policies prevent those from working, and is there additional setup required for them to function with 2FA?  For example, we use Connectwise, and tickets come through helpdesk@example.com, and another mailbox is set for voicemails.  And just so I understand correctly, to put in place a Break Glass admin, you can't use the baseline policies, but must make your own.  Is that correct?

Microsoft

Re: Break the Glass Admin no longer compliant?

@Dsonnier : Specifically for ConnectWise another user has posted some information from the vendor (Can't find the post currently):

https://docs.connectwise.com/ConnectWise_Documentation/ConnectWise_Unified_Product/Supportability_Statements_for_ConnectWise_Unified_Product/Microsoft_Partner_Security_Requirements_and_Impact_to_ConnectWise_Products_FAQ

 

For access to mailboxes via SMTP/IMAP you can use app passwords as an alternative solution. You can enable both baseline policies and configure MFA per user to use app passwords - but you would need to have additional licenses (O365 E3, AAD Premium P1) to enable MFA per user.

 

For emergency accounts - when using the baseline policies all admins would go through the same enforcement. Baseline policies still allow multiple Microsoft Authenticator registrations so as not to rely on a single mobile phone only (So it allows having a "break glass token device") - but in order to use two different MFA services you would need to create your own conditional access policies or enable MFA per user and not enable baseline policies.

Generally it is not possible to exclude an admin from MFA altogether, so not all of the recommendations for emergency accounts can be applied when the Partner Center Security requirements apply to this tenant.

 

Level 2 Contributor

Re: Break the Glass Admin no longer compliant?

Thanks for the detailed reply.  That will help tremendously.  I'm looking over the Connectwise documentation now.  As far as AAD P1 regarding MFA, is that a per user license, or does it cover the tenant as a whole?

Microsoft

Re: Break the Glass Admin no longer compliant?

License is per user. Technically a single license in the tenant will make it possible to enable MFA for any/all user(s), but still the licensing requirement is that every user that benefits from the service/feature will need a license.