Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Visitor 1

Legacy Protocol

Hi, according to the documentation for CSP security requirement

https://docs.microsoft.com/en-us/partner-center/partner-security-requirements

all the legacy protocols (IMAP, SMTP, POP3) are essentially "blocked", meaning we cannot use IMAP and app passwords?

Many MSPs out there are using ConnectWise, Autotask, etc. as their ticketing system. Does that mean we have to use a different tenant or something?

 

Level 5 Contributor

Will App Passwords (configured while setting up MFA) continue working with legacy protocols like IMAP, SMTP, POP3, etc.?

 

Based on our internal testing, it doesn't appear that these legacy protocols will get blocked when the 2 required baseline policies (Require MFA for admins + End user protection) are enabled.

Microsoft

App passwords can be used when MFA is enabled per user. It is recommended to review again the recommendations: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-mfasettings#considerations-about-app-passwords 

 

If you enable the baseline policy, app passwords can not be used. You could e.g. configure a custom conditional access rule where you make exceptions for those users where you directly enabled MFA (with app passwords).

 

Note that currently the end user protection baseline policy does not enforce MFA for every access but only when a risk is detected, this is why you see no legacy protocols blocked yet. But this is about to change and MFA will be triggered every time. If you want to test the impact create your own conditional access rule targeting all users, all apps and require MFA as the only control.

 

Kind regards,
Janosch
Level 3 Contributor

@JanoschUlmer  You mentioned

 

"Note that currently the end user protection baseline policy does not enforce MFA for every access but only when a risk is detected, this is why you see no legacy protocols blocked yet. But this is about to change and MFA will be triggered every time."

 

Can you elaborate on WHEN this change might occur? We've enforced MFA as per Identity Protection sign-in risk policies to align with the existing Baseline policies, and I'm not going to flip this over until I'm aware of what you're going to be doing with the baseline policy changes, and most importantly "when"?

Microsoft

Currently I have no specific date to share - will update this thread as soon as I know (I have also asked multiple times for an ETA)

Kind regards,
Janosch
Level 2 Contributor

I was recently at Microsoft Inspire and spoke to several Microsoft Employees directly involved with this topic.  They assured us that app passwords will bypass MFA and legacy protocols will not be blocked.  This was also confirmed by the engineering team based on my conversation.

 

Were we provided with incorrect information?

Microsoft

@Lfortson No, this is correct, the details matter 🙂

App passwords can be used, but you can not use an app password if you enforce MFA via the baseline policy or conditional access.

 

So e.g. if you enable MFA for user1 and set an app password it is fine. If user1 is also targeted within a conditional access policy that enforces MFA, app passwords will no longer work.

The solution is to exclude the user accounts where you have set app passwords from conditional access policies.

Kind regards,
Janosch
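The two points Janosch makes above (test the impact with a conditional access policy targeting all users and all apps with MFA as the only control, and exclude the accounts that rely on app passwords from any such policy) can be combined in one policy. The following is an added example written for this thread, not code from the original posts or from Microsoft; it assumes the Microsoft Graph PowerShell SDK and the Graph conditional access policy schema, and the user principal names in it are placeholders.

```powershell
# Added example (not part of the original thread): create a Conditional Access
# policy in report-only mode that targets all users and all cloud apps, requires
# MFA as the only grant control, and excludes the accounts that use app passwords.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller holds
# the Policy.ReadWrite.ConditionalAccess and User.Read.All scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Placeholder UPNs of the accounts that authenticate with app passwords
# (e.g. the mailbox a ticketing system polls over IMAP). Replace with your own.
$appPasswordUsers = @(
    "svc-ticketing@contoso.example",
    "svc-gp-mail@contoso.example"
)

# The policy schema expects object IDs, not UPNs, so resolve each account first.
$excludeIds = foreach ($upn in $appPasswordUsers) {
    (Get-MgUser -UserId $upn -Property Id).Id
}

$policy = @{
    displayName = "Require MFA for all users (impact test)"
    # Report-only: the policy is evaluated and logged in sign-in logs but not
    # enforced, so you can see which legacy-protocol sign-ins would be blocked
    # before flipping the state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($excludeIds)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # MFA as the only required control
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Starting in report-only mode is the safe way to run the impact test Janosch describes: the sign-in log records the result the policy would have produced for every legacy-protocol sign-in without actually blocking anyone. When the excluded list is complete (and, as a standing precaution, at least one emergency-access account is excluded as well), change `state` to `enabled`. The excluded accounts keep MFA enabled per user, which is the combination the thread identifies as the one in which app passwords continue to work.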
Level 2 Contributor

Hello @JanoschUlmer,

Thank you for the details. From my understanding and clarification at Inspire with Microsoft employees, the app password will work indefinitely and there are no plans to block legacy protocols for this scenario (MS employee confirmed with AD engineering team).

Can you confirm?
Microsoft

@Lfortson : This is also how it was told to me.

"Indefinitely" is a word I would use with caution because all things may change over time 🙂 - I have not heard of any plans to remove app passwords, nor did I hear of any plan to generally block legacy protocols for CSP Partners.

It was always clear that app passwords are a general option to allow legacy protocols to work when a user account has MFA enabled; the question here was whether this will still work once enforcement of the security requirements for CSP Partners starts - and this has now been confirmed.

 

And yes, when you use app passwords this fulfills the contractual requirement to enable MFA for all user accounts in the tenant; I would not have posted this as the solution if this were not true.

Kind regards,
Janosch
Level 5 Contributor

Thank you for the confirmation about App Passwords. That will allow us to continue integrating DevOps with Dynamics Lifecycle Services (LCS), emailing from Dynamics GP, and integrating our email marketing tool with Dynamics 365 CE.

Level 2 Contributor

@JanoschUlmer, do you know when the app password option will be posted to the CSP requirements so it's crystal clear for partners?

 

Leif

Level 5 Contributor

@JanoschUlmer: Thank you for that! Will the Program Guide for CSPs be updated to reflect this new information?

 

Why I Ask: As of today, paragraph 3 of section 1.4 in the Program Guide states:

 

The requirement to enable a multifactor authentication service may be fulfilled by either (i) Company’s enablement of both the “Baseline policy: Require MFA for admins” and the “Baseline policy: End user protection” in the “Azure Portal” for all users; (ii) Company’s purchase of a Microsoft offer that includes a multi-factor authentication service (for example, “Azure Active Directory Premium”); or (iii) Company’s purchase of a third-party “on-premises” multi-factor authentication service that supports Azure Active Directory federated services.

 

Meaning the contractual language doesn't seem to match with the language in the FAQ that states "The only requirement is that you enforce MFA for each user, including service accounts, in your partner tenant." In fact, the contractual language strongly implies that partners must either enable the two mentioned Baseline Policies or purchase an additional offer from Microsoft.

 

Regarding App Passwords: You previously mentioned that partners would need "to exclude the user accounts where you have set app passwords from conditional access policies". As of today, I'm not seeing any option to exclude users from the Baseline Policies. Does this mean partners who need to continue using App Passwords are not able to enable the two mentioned Baseline Policies?

Level 2 Contributor

@JanoschUlmer ,

 

Do you know when the CSP program guide will be updated to match the partner security requirements FAQ?

 

Leif

Microsoft

@Lfortson Have not seen any ETA. Where specifically do you see a mismatch? 

Kind regards,
Janosch
Level 5 Contributor

@JanoschUlmer: The mismatch is between language in the Partner Security Requirements and the Program Guide for CSPs.

 

As of today, paragraph 3 of section 1.4 in the Program Guide states:

 

The requirement to enable a multifactor authentication service may be fulfilled by either (i) Company’s enablement of both the “Baseline policy: Require MFA for admins” and the “Baseline policy: End user protection” in the “Azure Portal” for all users; (ii) Company’s purchase of a Microsoft offer that includes a multi-factor authentication service (for example, “Azure Active Directory Premium”); or (iii) Company’s purchase of a third-party “on-premises” multi-factor authentication service that supports Azure Active Directory federated services.

 

Meaning the contractual language doesn't seem to match with the language in the FAQ that states "The only requirement is that you enforce MFA for each user, including service accounts, in your partner tenant." In fact, the contractual language strongly implies that partners must either enable the two mentioned Baseline Policies or purchase an additional offer from Microsoft.

Moderator

@cjmod I would like to provide some additional information. The language in the contract states that partners are required to enforce MFA for each user in their partner tenant. This can be accomplished in one of the following ways:

  • Implementation of the baseline policies
  • Azure AD P1/2
  • Third party solution that is compatible with Azure AD

The documentation you are referencing is stating the same thing but in a different way. I can confirm that if a partner has a third-party solution that enforces MFA for each user in their partner tenant when accessing Microsoft commercial cloud services, then they do not need to enable the baseline policies or purchase Azure AD P1/2. We will take your feedback into consideration as we continue to enhance our documentation.

Visitor 1

The Partner Security Requirements indicate that you will have to enable the "Baseline policy: End user protection" option, but there is a confusing item in the description regarding Legacy Protocols:

 

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-baseline-protect-end-users#deployment-considerations

 

"To ensure that MFA is required when logging into an account and bad actors aren’t able to bypass MFA, this policy blocks all authentication requests made to administrator accounts from legacy protocols."

 

The assumption from that statement is that the policy will only block legacy protocols for administrator accounts rather than all user accounts. In other places, it is unclear or implies that all user accounts are affected. It would be nice for someone to clarify whether, with the baseline policy enabled, app passwords and legacy protocols can still be used for user accounts which are NOT administrators.

 

Microsoft

@positroncs :

The end user baseline policy will impact legacy protocols also for normal users.

In order to use app passwords, Azure AD Premium Plan 1 is needed and MFA needs to be enabled on the user account (not via any conditional access rules).

Kind regards,
Janosch
Level 1 Contributor


@JanoschUlmer wrote:

@positroncs :

In order to use app passwords, Azure AD Premium Plan 1 is needed and MFA needs to be enabled on the user account (not via any conditional access rules).


Azure AD Premium is not necessary to enable app passwords. We do so just fine on our plan with the free version.

Microsoft

@firefox15 Only MFA for global admins or baseline policies are free, for all other scenarios a license is required. See also this overview: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing

Also when Office 365 Enterprise licenses are available in the tenant, MFA can be enabled per user.

 

Note that once you have a single license that includes MFA features in the tenant, it is possible to enable MFA for all users. Still, there is a licensing requirement that each user needs to have a license (if he is not a global admin - of course it is not recommended to make every user a global admin to lower licensing costs).

Kind regards,
Janosch