
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 1 Contributor

Re: Legacy Protocol

I have spent the last week trying to get answers for this, but so far have not got anywhere.

We can enable 2FA for all our accounts, but we, like many other partners, use a service desk that uses IMAP to check for tickets and SMTP to send out replies and notifications. So we need IMAP access to our help@ email address.

From my interactions with Kaseya they have no knowledge of these requirements or any plans to implement any changes to their system; they just said if you can't use IMAP you wouldn't be able to use their product. I know that ConnectWise also uses the same approach, as do many other systems.

Unless our software providers update their systems to use the Exchange API and token authentication, then we have to use IMAP, and you can't expect us all to switch helpdesk systems after the 1st of August, or set up new 365 tenants with different domains and change our support email addresses.

Can we not enable 2FA manually, create an app password for the service email address and then restrict that IMAP login with a policy to only be allowed from a certain IP address and lock it down to the service desk IP?

Level 2 Contributor

Re: Legacy Protocol

@cstelzer

I have not tried enabling MFA and setting up an app password because I have been trying to get confirmation from Microsoft on the compliance of that option first. As I mentioned, they have wavered between "Maybe" and "No". The following links are just to illustrate the confusion and to help serve as a reference for Microsoft on communication breakdown.

Maybe:

https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/The-new-MFA-for-Partners-requirements-what-will-that-do-to-our/m-p/11267/highlight/true#M128

https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/SMTP/m-p/11318/highlight/true#M159

https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/How-the-quot-Baseline-policy-End-user-protection-quot-will/m-p/11323/highlight/true#M164

No:

https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/How-the-quot-Baseline-policy-End-user-protection-quot-will/m-p/11412/highlight/true#M201

Partner Office Hours for Security Requirements: Option 5

Additionally, @JanoschUlmer has mentioned that MFA enforced through Conditional Access does not allow App Passwords (this appears to be true from my research). So they would need to confirm that either a per-user enabling of MFA would be allowed or App Password support would be brought to Conditional Access.

Level 2 Contributor

Re: Legacy Protocol

@TomR Yeah, I'm aware of the shortcomings of App Passwords and CA rules, totally understand. My intent would be to toggle enforced MFA on the service accounts, and put App Passwords in place in ConnectWise. We're going to give this a whirl this week with some less used e-mail connectors in ConnectWise and I'll report back if it works.

Level 4 Contributor

Re: Legacy Protocol

When MFA is set up on a per-user basis, the app password works for IMAP/SMTP. That does not mean it is considered in compliance and will continue working when the technical enforcement takes place in the future (whenever that happens; no ETA and all).

Level 4 Contributor

Re: Legacy Protocol

Keep in mind, a domain can only exist in one tenant. We are talking about:
1) Forwarding the mail to a mailbox in another tenant (or an address managed by the help desk vendor)
2) Moving all mail-enabled objects for that domain to a different tenant
3) Setting up and using a different domain in another tenant (support@mail.contoso.com)
4) Using a solution that supports EWS / modern authentication / secure app model.

Zendesk for example supports POP, IMAP and forwarding. Forwarding has some drawbacks and benefits. But it is an option, and real-time ingestion over polling is definitely a pro.

Level 1 Contributor

Re: Legacy Protocol

@JonW

Hopefully the policy will just get updated to allow for restricted use of legacy protocols and save us all a huge headache.

Either that or the technical enforcement will be delayed for long enough for vendors to make changes to their systems so that we can continue to use them. I doubt many will even know anything about these new requirements, but I'm sure once the knowledge gets out there and they learn that they may have to lose any Microsoft partner customers because their helpdesk software is not compliant with their policies, then they will soon update their software.

Just hope for some clarity soon. We're just at the end of a two-month implementation of Kaseya BMS, so it would be a huge pain to change systems and do that again.

Level 4 Contributor

App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

Will App Passwords (configured while setting up MFA) continue working with legacy protocols like IMAP, SMTP, POP3, etc.?

Based on our internal testing, it doesn't appear that these legacy protocols will get blocked when the 2 required baseline policies (Require MFA for admins + End user protection) are enabled.

Microsoft

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

App passwords can be used when MFA is enabled per user. It is recommended to review again the recommendations: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-mfasettings#considerations-about-app-passwords

If you enable the baseline policy, app passwords cannot be used. You could e.g. configure a custom conditional access rule where you make exceptions for those users where you directly enabled MFA (with app passwords).

Note that currently the end user protection baseline policy does not enforce MFA for every access but only when a risk is detected; this is why you see no legacy protocols blocked yet. But this is about to change and MFA will be triggered every time. If you want to test the impact, create your own conditional access rule targeting all users, all apps and require MFA as the only control.

Level 2 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

I was recently at Microsoft Inspire and spoke to several Microsoft Employees directly involved with this topic. They assured us that app passwords will bypass MFA and legacy protocols will not be blocked. This was also confirmed by the engineering team based on my conversation.

Were we provided with incorrect information?

Influencer

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

I, too, am struggling with getting specific scenarios approved. It would be great if there were a consistent FAQ around scenarios. If we knew where those were (and what is/is not in compliance) we could help spread the word in the Partner Community.

I am returning from Inspire and 3 out of 5 partners that I spoke with were totally unaware of the scope of this requirement. Most partners just assumed they could turn on MFA for their Partner Center users and meet the requirement.

Few understood that it had implications for all users (such as Guest Accounts or non-Partner Center users).

We received this notice from one of our line-of-business application vendors that doesn't support modern auth and is a technical blocker. While the enforcement date isn't clear, it's pretty clear that we are responsible for meeting this requirement by 1 August. Vendors aren't helping the case with spreading incorrect information.

Level 4 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@sreedwilson: Microsoft has two different dates for the Partner Security Requirements.

- A contractual Effective Date: August 1, 2019
- A technical Enforcement Date: TBD

Influencer

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@cjmod Yes, I am aware that there is a contractual deadline (1 Aug) and technical enforcement (TBD). I was sharing that others are confused as to the difference and are spreading misinformation to the partner community. Sorry if I wasn't clear on that.

Partners who aren't engaged in this community will definitely be confused.

Microsoft

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@Lfortson No, this is correct, the details matter :-)

App passwords can be used, but you cannot use an app password if you enforce MFA via the baseline policy or conditional access.

So e.g. if you enable MFA for user1 and set an app password, it is fine. If user1 is also targeted within a conditional access policy that enforces MFA, app passwords will no longer work.

The solution is to exclude the user accounts where you have set app passwords from conditional access policies.
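Added example, not code from the thread or from Microsoft: a Python script that reads sign-in records (constructed sample data below, in the shape of an Azure AD sign-in log export) to find which accounts actually authenticate over legacy protocols, then builds the Conditional Access policy body that the two Microsoft replies above describe (all users, all apps, MFA as the only control, in report-only state to test the impact) with those app-password accounts excluded. The user ids passed to the policy are placeholders; Graph expects directory object ids there, not UPNs.

```python
from collections import defaultdict

# clientAppUsed values that Azure AD sign-in logs report for legacy (basic auth) clients.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

# Constructed sample records in the shape of a sign-in log export (only the fields used).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "help@contoso.example", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "help@contoso.example", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "HELP@contoso.example", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},  # same account, collapsed
    {"userPrincipalName": "svc-marketing@contoso.example", "clientAppUsed": "POP3",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "ipAddress": "192.0.2.4", "status": {"errorCode": 0}},  # modern auth, not affected
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "ipAddress": "192.0.2.9", "status": {"errorCode": 50126}},  # failed sign-in, ignored
]

def legacy_usage(signins):
    """Map each UPN to the (protocol, source IP) pairs seen on successful legacy sign-ins.
    These accounts break under an MFA-for-all policy unless excluded and given an app password."""
    usage = defaultdict(set)
    for rec in signins:
        if rec.get("clientAppUsed") not in LEGACY_CLIENTS:
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        usage[rec["userPrincipalName"].lower()].add((rec["clientAppUsed"], rec["ipAddress"]))
    return dict(usage)

def mfa_policy_body(exclude_user_ids, report_only=True):
    """Graph conditionalAccessPolicy body: all users, all apps, MFA as the only control,
    app-password accounts excluded. Ids are directory object ids (placeholders here), not UPNs.
    Report-only state shows the impact in sign-in logs before anything is enforced."""
    return {
        "displayName": "Require MFA for all users (app-password accounts excluded)",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": sorted(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
```

Run `legacy_usage(SAMPLE_SIGNINS)` over your own export to get the accounts (and the source IPs they connect from) that need an app password and an exclusion, then pass their object ids to `mfa_policy_body()` and create the policy via the Graph `/identity/conditionalAccess/policies` endpoint.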

Level 2 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

Hello @JanoschUlmer,

Thank you for the details. From my understanding and clarification at Inspire with Microsoft employees, the app password will work indefinitely and there are no plans to block legacy protocols for this scenario (MS employee confirmed with AD engineering team).

Can you confirm?

Level 2 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@JanoschUlmer

In addition, does the above app password scenario allow partners to remain in compliance with the CSP requirements?

Leif

Microsoft

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@Lfortson: This is also how it was told to me.

"Indefinitely" is a word I would use with caution because all things may change over time :-) I have not heard of any plans to remove app passwords, nor did I hear of any plan to generally block legacy protocols for CSP Partners.

It was always clear that app passwords are a general option to allow legacy protocols to work when a user account has MFA enabled; the question here was if this will still work once enforcement of the security requirements for CSP Partners starts, and this was now confirmed.

And yes, when you use app passwords this fulfills the contractual requirement to enable MFA for all user accounts in the tenant. I would not have posted this as a solution if this were not true.

Level 2 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@JanoschUlmer, do you know when the app password option will be posted to the CSP requirements so it's crystal clear for partners?

Leif

Level 5 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

Thank you for the confirmation about App Passwords. That will allow us to continue integrating DevOps with Dynamics Lifecycle Services (LCS), emailing from Dynamics GP, and integrating our email marketing tool with Dynamics 365 CE.

Level 4 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@JanoschUlmer: Thank you for that! Will the Program Guide for CSPs be updated to reflect this new information?

Why I ask: as of today, paragraph 3 of section 1.4 in the Program Guide states:

The requirement to enable a multifactor authentication service may be fulfilled by either (i) Company’s enablement of both the “Baseline policy: Require MFA for admins” and the “Baseline policy: End user protection” in the “Azure Portal” for all users; (ii) Company’s purchase of a Microsoft offer that includes a multi-factor authentication service (for example, “Azure Active Directory Premium”); or (iii) Company’s purchase of a third-party “on-premises” multi-factor authentication service that supports Azure Active Directory federated services.

This means the contractual language doesn't seem to match the language in the FAQ that states "The only requirement is that you enforce MFA for each user, including service accounts, in your partner tenant." In fact, the contractual language strongly implies that partners must either enable the two mentioned Baseline Policies or purchase an additional offer from Microsoft.

Regarding App Passwords: you previously mentioned that partners would need "to exclude the user accounts where you have set app passwords from conditional access policies". As of today, I'm not seeing any option to exclude users from the Baseline Policies. Does this mean partners who need to continue using App Passwords are not able to enable the two mentioned Baseline Policies?

Level 2 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@JanoschUlmer You mentioned:

"Note that currently the end user protection baseline policy does not enforce MFA for every access but only when a risk is detected, this is why you see no legacy protocols blocked yet. But this is about to change and MFA will be triggered every time."

Can you elaborate on WHEN this change might occur? We've enforced MFA as per Identity Protection sign-in risk policies to align with the existing Baseline policies, and I'm not going to flip this over until I'm aware of what you're going to be doing with the baseline policy changes, and most importantly "when".

Microsoft

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

Currently I have no specific date to share - will update this thread as soon as I know (I have also asked multiple times for an ETA)

Level 2 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@JanoschUlmer,

Do you know when the CSP program guide will be updated to match the partner security requirements FAQ?

Leif

Microsoft

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@Lfortson Have not seen any ETA. Where specifically do you see a mismatch? 

Level 4 Contributor

Re: App Passwords and Legacy Protocols (IMAP, SMTP, POP3, etc.)

@JanoschUlmer: The mismatch is between language in the Partner Security Requirements and the Program Guide for CSPs.

As of today, paragraph 3 of section 1.4 in the Program Guide states:

The requirement to enable a multifactor authentication service may be fulfilled by either (i) Company’s enablement of both the “Baseline policy: Require MFA for admins” and the “Baseline policy: End user protection” in the “Azure Portal” for all users; (ii) Company’s purchase of a Microsoft offer that includes a multi-factor authentication service (for example, “Azure Active Directory Premium”); or (iii) Company’s purchase of a third-party “on-premises” multi-factor authentication service that supports Azure Active Directory federated services.

This means the contractual language doesn't seem to match the language in the FAQ that states "The only requirement is that you enforce MFA for each user, including service accounts, in your partner tenant." In fact, the contractual language strongly implies that partners must either enable the two mentioned Baseline Policies or purchase an additional offer from Microsoft.