Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 1 Contributor

CSP MFA requirement for Meeting Room Accounts and Microsoft HUBs

Hi,

What would be the recommended approach regarding enabling MFA for meeting room accounts and Microsoft HUBs? I thought that the Teams Product Team would have a solution in Q4 2019, but I'm unable to find this solution on the docs website.

In the Teams documentation, the following statement is made:

Because of this, Microsoft Teams Rooms resource accounts shouldn't be configured to use multi-factor authentication (MFA), smart card authentication, or client certificate-based authentication (which are all available for end users).

Does anybody have a recommended approach for these accounts for Microsoft services?

Thanks!

Regards,

Sven

Microsoft

As it stands now, if you create the user accounts for Teams devices via PowerShell as documented and never use them for an interactive login, enabling Azure AD Security Defaults should not impact those accounts; you would never even be prompted to register those accounts for MFA.

If you create custom conditional access policies, you would need to configure an exception because Teams engineering has obviously decided not to support this scenario (even though modern authentication is now implemented; this is what should have happened with the update in Q4 2019, which was then released end of Q1 2020) - from the Partner (MPA) perspective, exceptions would not be in compliance with the security requirements though.

Some Partners have tried to request an exception, but afaik the exception process is not applicable to this scenario since Teams Rooms devices are not impacted by the technical enforcement: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa#request-for-technical-exception

Kind regards,
Janosch
Level 1 Contributor

Hi Janosch,

Thanks for the feedback. We're using conditional access policies, so we'll exclude the accounts from any policy. Am I correct to say that we will not be compliant with the Microsoft Partner Requirements since a Microsoft product won't be made compliant with MFA?

We were initially thinking about registering the accounts with MFA and excluding trusted networks to still have some kind of protection for these accounts.

Thanks!

Microsoft

Am I correct to say that we will not be compliant with the Microsoft Partner Requirements since a Microsoft product won't be made compliant with MFA?

Well, you could argue to see it like that; I personally would tend to disagree. It should be noted that requirements for CSP Partners play an important role for security, and there was a good reason not to allow exceptions, regardless of whether it is a Microsoft product that is affected or a 3rd party. Of course I can understand that it is irritating that Microsoft sets rules that cannot be fulfilled with some Microsoft products in your specific tenant setup, but in reality there are totally different teams/business groups involved that each made a decision. In other words - the topic was so important that the CSP team did not wait for all product groups to confirm they have a patch at hand - with the exception of AAD Security Defaults, where some engineering was done based on feature requests from the CSP side. The MPA terms do not say, however, that you need to configure MFA only when Microsoft technically makes it possible - so this will not be a valid "excuse" from a contract perspective.

I personally think that strong operational and administrative boundaries, and thus a high level of security, can generally not be achieved if CSP management and internal production are on the same tenant; I think they should be separate.

So one could also argue that you cannot become compliant because you have chosen to have end-customer management and internal production on the same Azure AD tenant. Of course I do not want to put the blame on somebody else - please do not get me wrong here - it is just because I have a strong personal belief that, regardless of the MFA topic, having those separate would be good security practice anyway (which I also said in many other threads here in the community).

We were initially thinking about registering the accounts with MFA and excluding trusted networks to still have some kind of protection for these accounts.

Yes, if you decide to set up an exception, I would 100% agree you should tailor the exception specifically to those accounts only and add additional conditions like only allowing access to ExO/SPO/Teams, restricting the source network it can connect from, and restricting to modern auth (which should now work with MTR), so harden this as far as possible. This will not really make you more "compliant", but this is the best thing to do in this scenario without migrating your CSP tenant somewhere else.

Kind regards,
Janosch
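The hardened exception Janosch describes (exclusion scoped to the room accounts only, access limited to ExO/SPO/Teams, a restricted source network, modern auth only) can be expressed as three narrowly scoped Conditional Access policies. The following script is an added example written for this thread; it is not code from the thread, from Microsoft or from the Teams Rooms documentation. It uses the Microsoft Graph PowerShell SDK cmdlets `Connect-MgGraph`, `Get-MgUser`, `Get-MgIdentityConditionalAccessNamedLocation` and `New-MgIdentityConditionalAccessPolicy`. The account UPNs and the named-location name are constructed placeholders, and the policies are created in report-only state so the sign-in logs show their effect before anything is enforced. The three blocks are separate policies because conditions inside one policy are ANDed, and each restriction must apply on its own.

```powershell
# Added example, not from the original thread: three report-only Conditional Access
# policies that harden Teams Rooms resource accounts which are excluded from the
# tenant-wide MFA policy. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Assumed: the resource accounts created for the MTR devices (placeholder UPNs).
$roomUpns = @('mtr-room-01@contoso.example', 'mtr-room-02@contoso.example')
$roomIds  = foreach ($upn in $roomUpns) {
    (Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id).Id
}
if ($roomIds.Count -ne $roomUpns.Count) { throw 'One or more room accounts were not found.' }

# Assumed: an existing named location covering the network the devices sign in from.
$trusted = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'MTR office network'"
if (-not $trusted) { throw 'Named location not found; create it before running this script.' }

# Well-known first-party application IDs: Exchange Online, SharePoint Online, Microsoft Teams.
$exo   = '00000002-0000-0ff1-ce00-000000000000'
$spo   = '00000003-0000-0ff1-ce00-000000000000'
$teams = 'cc15fd57-2c6c-4117-a88c-83b1d56b4bbe'

# Report-only first; switch to 'enabled' only after reviewing the sign-in log results.
$state = 'enabledForReportingButNotEnforced'
$block = @{ operator = 'OR'; builtInControls = @('block') }

# 1) Modern auth only: block legacy protocols (Exchange ActiveSync and "other clients").
$blockLegacy = @{
    displayName   = 'MTR accounts - block legacy authentication'
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = $roomIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = $block
}

# 2) Only ExO / SPO / Teams: target every cloud app except those three and block.
$blockOtherApps = @{
    displayName   = 'MTR accounts - allow only ExO, SPO and Teams'
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = $roomIds }
        applications   = @{ includeApplications = @('All'); excludeApplications = @($exo, $spo, $teams) }
        clientAppTypes = @('all')
    }
    grantControls = $block
}

# 3) Source network: block sign-ins from any location other than the trusted one.
$blockOffNetwork = @{
    displayName   = 'MTR accounts - block outside trusted network'
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = $roomIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($trusted.Id) }
    }
    grantControls = $block
}

foreach ($policy in @($blockLegacy, $blockOtherApps, $blockOffNetwork)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

The same object IDs in `$roomIds` are what should go into the `excludeUsers` list of the tenant-wide MFA policy, so the exception is limited to exactly these accounts rather than a group or a whole app. Review the report-only results in the Azure AD sign-in logs for a few days before changing `$state` to `enabled`, since a Teams Rooms device that signs in from an unexpected network or with a legacy client would otherwise be locked out.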