Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Reply
Level 1 Contributor

MFA For 365 users

Hi,

 

I need to setupMFA for all 365 accounts in line with the new microsoft csp guidlines. Is what I am doing enough:-

 

I have enabled MFA for all admin accounts so that along with the username and password we have to input a code that is a txt to a mobile, this process also creates an application password. Once done I am then one at a time enabling and enforcing MFA for all users so that they get the challenge from a mobile txt message and I am also creating the app password and inputting that into desktop apps like Outlook if I am prompted to.

 

Is the above enough to become comliant if I do the same for all of my customers accounts?.

 

Regards

 

Jason

 

5 REPLIES 5
Level 2 Contributor

Re: MFA For 365 users

Hi Jason,


I have not seen anything requiring this for customer accounts/tenants, although it's certainly a good practice. This CSP requirement is only for tenants that contain any accounts used to manage customer accounts through the Partner Center. As long as you are enforcing MFA for every account in your own O365 tenant either via the baseline policies, custom Conditional Access policies, or by explicitly enforcing MFA on each account via the MFA management page, you should be compliant.

 

Also note that you can't use Trusted Locations or anything to bypass MFA, but app passwords are considered to be compliant.

Level 1 Contributor

Re: MFA For 365 users

Hi Many Thanks for your reply.

I am really confused here and till your response I am struggling to get any response that I can understand.

In short I use a distributor to buy my office 365 licences via csp. When I create a new account I get an admin login for that new tenant, I have around 50 of these for separate companies. I have last night for all of these admins accounts manually enforced MFA so that it will txt my mobile and have also generated an application password. So I use these accounts to administer the various tenants, not my own through any delegation. My own 365 has an admin and my account and both have been manually setup to use MFA.

I Have been lead to believe that I should have had a correspondence from Microsoft and or my distributor some weeks ago saying that I should set this for all users via base line policies as far as I can tell and that it should have been completed by August the 1st this year and failure to do could lead to me not being able to still work within CSP. I have been questioning this since last week when I had the email from Microsoft telling me to do it, which arrived after August the 1st.

As you can imagine I am confused and also worries that I may loose my customers as a result of this not being communicated to me in time?

Regards,

Jason Gough
Microsoft Certified Systems Engineer
Microsoft Registered Partner
Microsoft Small Business Specialist
Microsoft Authorised Education Reseller
HP Business Partner
AVG Gold Certified Reseller
AVG CloudCare Partner
Trend Micro Bronze Accredited Partner

[http://icons.iconarchive.com/icons/walrick/openphone/32/Phone-icon.png] 01694 724752 [http://icons.iconarchive.com/icons/dailyoverview/contemporary-mail/32/mail-16-icon.png] jason.gough@jg-compservices.com [http://icons.iconarchive.com/icons/saki/nuoveXT/32/Filesystems-www-icon.png] http://www.jg-compservices.com

This email and any attachments are sent in confidence and are not intended to be read by any person other than an intended recipient. The recipient is responsible for conducting the appropriate virus checks and whilst appropriate security measures are in place, we give no warranty, express or implied, that this email is free of viruses or that its transmission has been secure.
If you receive this in error please contact us on Jason.gough@jg-compservices.com. Any use, copying or dissemination of this email or any information contained in it to anyone other than an intended recipient is prohibited.
Internet communications are not secure and we accept no liability for any abuse of such communications by third parties nor for any alteration or corruption during transmission nor for any damage or loss caused by any virus or other defect.
Any and all communications sent to us may be monitored and/or stored by us to ensure compliance with relevant legislation, rules and policies. All communications are handled in full compliance with the Data Protection Act 1998.
Level 1 Contributor

Re: MFA For 365 users

Hi Many Thanks for your reply.

 

I am really confused here and till your response I am struggling to get any response that I can understand.

 

In short I use a distributor to buy my office 365 licences via csp. When I create a new account I get an admin login for that new tenant, I have around 50 of these for separate companies. I have last night for all of these admins accounts manually enforced MFA so that it will txt my mobile and have also generated an application password. So I use these accounts to administer the various tenants, not my own through any delegation. My own 365 has an admin and my account and both have been manually setup to use MFA.

 

I Have been lead to believe that I should have had a correspondence from Microsoft and or my distributor some weeks ago saying that I should set this for all users via base line policies as far as I can tell and that it should have been completed by August the 1st this year and failure to do could lead to me not being able to still work within CSP. I have been questioning this since last week when I had the email from Microsoft telling me to do it, which arrived after August the 1st.

 

As you can imagine I am confused and also worries that I may loose my customers as a result of this not being communicated to me in time?

Highlighted
Level 2 Contributor

Re: MFA For 365 users

Yes, this has certainly been a rushed process by all accounts, but the potential negative impact of having an account with delegated admin credentials via CSP to a lot of customer tenants is huge, so I understand the urgency. As a direct CSP the first communication I saw regarding the August 1st deadline was sometime in June.

 

The correspondence you received should only be in regards to your own specific O365 tenant that contains accounts used to authenticate to Partner Center to manage customer licensing and subscriptions, or if you use any 3rd party apps, you're supposed to use the new Secure Application Model from Microsoft.


It sounds like you're doing the right thing from a best practice standpoint of enabling MFA for any dedicated admin accounts you're creating directly in the customers' O365 tenants. We do this as well, because even with delegated permissions via CSP we can't access some things like the Security & Compliance center, so at times we need to use these dedicated accounts.

 

Beyond that, while I highly recommend it, it's not required for all accounts in every customer tenant to have MFA enforced. This could be done via the baseline policies, or through Conditional Access or explicit enforcement per account, but generally requires some handholding to deal with MFA on older versions of Office, or 3rd party mail apps on mobile devices.

 

At this point, the August 1st deadline was contractual only. Microsoft has yet to announce a technical enforcement date. Only once that unannounced date passes will you lose access to managing customer licensing/subscriptions via CSP if you aren't "compliant" in Microsoft's eyes. 

Level 1 Contributor

Re: MFA For 365 users

Many Thanks again for your detailed reply. I really hope that my distributor agrees with your explanation in the morning when I speak to them. It will make me smile if they do, as I tried to explain almost exactly what you did to them and a microsoft employee in a converance call this morning and they both told me that I had to do this for all users of all accounts that I administered.

 

I will out of courtesy to you let you know the outcome.

 

Many thanks once again.