Visitor 1

Exclude Service Account and Whitelist VM IP from MFA and EUP Baseline Policy

As we have to enable the Baseline Policy by 1st Aug 19, we have the following questions before enabling it on our tenant:

1. We have a few service accounts used for automation jobs. These accounts would not have MFA enabled because it will break everything, and who will provide the MFA token every time a job executes?

2. We also have a few Azure VMs and want to whitelist their IPs. Please let me know how to achieve this.

3. What will happen if any of the admins is not able to log in using MFA (for any reason, e.g. the MFA app is down, or in the worst case every admin has lost their password)? Can we exempt a few users, who could be admins as well, from enabling MFA?

We are not able to achieve the above-mentioned points if we enable the baseline policies. Kindly suggest what needs to be done here.



Re: Exclude Service Account and Whitelist VM IP from MFA and EUP Baseline Policy

1. For service accounts, look at whether it is possible to adopt the secure app model.

2. For what purpose do you want to whitelist the IPs of the Azure VMs? Do users work on those Azure VMs remotely and access cloud services from these VMs? Generally, whitelisting is not allowed, and once technical enforcement starts, users will not be able to access cloud services unless they have gone through MFA.

3. Once technical enforcement starts, the admin won't be able to log on if he does not use MFA. If the admin has lost his password, it does not matter whether he uses MFA or not; he will not even get a chance to use MFA if the password (1st factor) is not available.


Since the baseline policies do not allow setting exceptions for users, the only way to configure any exceptions would be to have Azure AD Premium Plan 1 licenses or Office 365 E3 to enable MFA without the help of baseline policies. With AAD Premium you can create your own conditional access rules or enable MFA per user. With Office 365 licenses you can enable MFA per user. However, as mentioned above, exclusions for accounts are not allowed and will block users from accessing services in the future. So these alternative options only allow for a better scoped configuration, enable the use of app passwords, and enable phone/SMS/hardware tokens as an alternative method for the 2nd factor.

This can then also be an answer for 3: guidance for emergency accounts would be to consider using two different MFA services, e.g. AzureMFA and a 3rd-party MFA solution.
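As an added example (not code from the thread), here is the AAD Premium conditional access route the reply describes, built with the Microsoft Graph PowerShell SDK: a trusted named location for the VM addresses in question 2 and an emergency-access group exclusion for question 3, with the service accounts from question 1 deliberately left in scope, as the reply recommends moving them to the secure app model instead. The group object ID and the IP range are placeholders.

```powershell
# Added example: scoped MFA enforcement via conditional access (AAD Premium P1), not a baseline policy.
# Requires the Microsoft.Graph module; every ID and address below is a placeholder to be replaced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1) Trusted named location for the Azure VM egress addresses (question 2).
#    203.0.113.0/24 is documentation address space; substitute the VMs' real public IPs.
$vmLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Automation VMs (egress)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2) Object ID of a group that holds only the emergency-access (break-glass) accounts (question 3).
$breakGlassGroupId = "<EMERGENCY-ACCESS-GROUP-OBJECT-ID>"   # placeholder, not a real ID

# 3) Require MFA for all users and all apps, except the two narrow exclusions above.
#    Service accounts (question 1) are intentionally NOT excluded; the thread's advice is the
#    secure app model rather than an exemption. The policy starts in report-only mode so the
#    sign-in log can be reviewed for locked-out admins or broken jobs before state = "enabled".
$policy = @{
    displayName   = "Require MFA for all users (replaces baseline policy)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($vmLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Switching the policy's state from report-only to "enabled" is the step that actually enforces MFA; the baseline policy should be disabled only after this one is confirmed to cover the same users.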