Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Reply
Level 4 Contributor

How can partners connect to the Exchange Online admin interface using the secure application model?

Hello,

 

How can partners connect to the Exchange Online admin interface using the secure application model? Is this a supported scenario.

 

Admin interfaces that do not support the secure application model or delegated admin access require a tenant admin account. This account does not have MFA enabled when a CSP delegated admin is accessing the interface, so the support for MFA doesn't matter but is there to show maturity. We have the account "Blocked sign-in" when it is not in use for security.

 

As we grown our security practices for O365, the ability to check and update the configuration of Exchange Online, Teams, Security and Compliance Center, Azure Active Directory and Intune is essential.

 

Here's a list of all the interfaces and some notes on what types of connections they support. Please let me know if any of this information is innacurate!

 

Admin Interfaces:

  • PartnerCenter
    SecureAppModel: Yes (Source)
    DelegatedAdmin: Yes
    MultiFactorAuth: Yes
  • AzureAD
    SecureAppModel: Yes (Source)
    DelegatedAdmin: Yes
    MultiFactorAuth: Yes
    p.s. Access to Conditional Access policies (UserVoice) are in the pipeline!
  • MSOL
    SecureAppModel: Yes (Source)
    DelegatedAdmin: Yes
    MultiFactorAuth: Yes
  • Exchange Online (EXOnline)
    SecureAppModel: No
    DelegatedAdmin: Yes (When connecting)
    MultiFactorAuth: Yes (MFA module does not support delegated admin access)
  • Teams
    SecureAppModel: No
    DelegatedAdmin: No
    MultiFactorAuth: Yes
  • Sharepoint
    SecureAppModel: No
    DelegatedAdmin: No
    MultiFactorAuth: Yes
  • Skype (if this still exists, it won't be for much longer)
    SecureAppModel: No
    DelegatedAdmin: No
    MultiFactorAuth: Yes
  • Security & Compliance Center
    SecureAppModel: No
    DelegatedAdmin: No
    MultiFactorAuth: Yes? (I think Connect-IPPSSession counts)
  • Intune
    SecureAppModel: Yes (Graph API)
    DelegatedAdmin: Yes
    MultiFactorAuth: Yes
1 REPLY 1
Level 4 Contributor

According to office hours session on 7/9 at 8PM ET, the Exchange Online powershell module that supports MFA. There is a known issue with the module where it does not support delegated admin access. They are working closely with the exchange team to resolve this issue with a long term solution.

 

I would hope that would include support for the secure application model.