MFA Nightmare for factory
As per our customer.
We set up Office 365 for end users and input the credentials. The end users have no access to O365 portal as they do not know the credentials.
The computers are in a factory where mobile phones are not allowed and there are no desk phones.
There are also numerous users (only one at a time) for each computer who all use the same login details and Office account.
How can MFA work?
Interesting. Why does the customer want to use MFA when using a shared account?
Typically MFA is used when you want to verify that a person logging in is who he/she claims to be. When multiple persons share the same account, by design you do not have this ability anymore.
When using a 2nd factor as software on the device all users have access to, what is the value of having MFA?
So it seems to me that in order to increase security, other measures, like blocking access from external networks, are the better option.
For compliance purposes I would be sceptical to have a model where people are sharing a single account - if something bad happened, how do you know who did it, who was affected etc.? Maybe another option is to find ways that people can easily use their own login on a shared workstation...
In our cases, they don't care about compliance. It's a bunch of shop workers needing to use a single workstation that has an app controlling inventory, or part of the production line, something like that, and they don't want people signing in and out to use it. So they create an account called Shop1, which usually will have an email address for varying reasons (most shop employees don't have personal email addresses in these scenarios), and it's just left logged in to that workstation all day. Because it has e-mail, it's synced to Azure AD, and so then we generally will block sign-in from non-trusted IPs as the main security measure.
I think in regards to MFA it's more around trying to standardize across the organizations that all accounts have MFA enabled, not that these accounts in particular are gaining much by having MFA turned on, unless the conditional access rule fails for whatever reason.
Yes, this is a scenario I hear a lot. Sure, most customers may not care about compliance, but almost everybody cares about money 🙂 So the first time when some unidentified employee is messing up with the inventory app or disabling the production line accessible from this PC, they would probably start caring.
E.g. a solution with some FIDO keys that allows for instant login for the shop workers by inserting a USB stick would surely be fancy.
Back to the original scenario: if those shop workstations are on Windows 10 and if they are Hybrid Joined to Azure AD (and have a TPM) and/or use Windows Hello For Business, they will have an MFA claim in the token on the device, so the shop employee would most likely not even see an MFA prompt. This works for Office clients and supported browsers like Edge or Chrome (with the MS account add-in).
Besides that, I would suggest evaluating e.g. 3rd party token software like Authy that can run on the shop PC to provide the 2nd factor in case it is still needed.
I hear you, unfortunately we still have some customers that fight enabling MFA for users even after a compromised account in their environment. It's frustrating to say the least.
We've had a few customers with situations like this, and we usually do 2 things. First, we install Authy on the shared desktop, and add the shared O365 account to it. So then any users of that machine are able to provide the MFA response using the code from Authy.
Then we use conditional access to block sign-in from everywhere other than the external IP range those shop machines would use to reach O365, since I've never seen a case where a shared shop-floor account needs to be accessed from outside the building, so it's just another layer of security.
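The location-based Conditional Access control described in the two posts above (blocking the shared shop account from every IP except the factory's own egress range) can be built with the Microsoft Graph PowerShell SDK. The following is an added example, not code from any participant in this thread: the account UPN, the CIDR range and the display names are placeholders, and the policy is created in report-only mode first so the sign-in log can be checked before anyone is locked out. The Authy enrolment step is a manual action in the app and is not shown.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph modules
# (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users, Microsoft.Graph.Reports).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All", "AuditLog.Read.All"

$shopEgressCidr = "203.0.113.0/29"          # ASSUMED: the factory's public egress range (TEST-NET-3 documentation prefix)
$sharedAccount  = "shop1@contoso.example"   # ASSUMED: UPN of the shared shop-floor account

# Resolve the shared account to its object id; CA policies reference users by id, not UPN.
$shopUser = Get-MgUser -UserId $sharedAccount -Property Id, UserPrincipalName

# 1. Named location for the factory egress range. isTrusted marks it as a trusted location
#    so other policies (e.g. MFA-for-untrusted-locations) treat it consistently.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Factory shop floor egress"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = $shopEgressCidr
        }
    )
}

# 2. Policy: for the shared account, all apps, every location EXCEPT the factory -> block.
#    Start in report-only mode; switch state to "enabled" once the log check below looks right.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block shared shop accounts outside factory"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @($shopUser.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# 3. Check: pull the last 7 days of sign-ins for the shared account and show how the new
#    policy evaluated each one. In report-only mode a result of "reportOnlyFailure" means
#    that sign-in would have been blocked had the policy been enforced; expect to see only
#    "reportOnlySuccess" / "reportOnlyNotApplied" for sign-ins from the shop IP range.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$sharedAccount' and createdDateTime ge $since"

foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $policy.Id }
    if ($hit) {
        "{0}  {1,-15}  {2}" -f $s.CreatedDateTime, $s.IPAddress, $hit.Result
    }
}
```

Only after the report-only results show no legitimate sign-ins from outside the range should the policy be flipped to enforcement with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "enabled" }`. Keep at least one break-glass admin account excluded from any location-based block policy; the example deliberately scopes the block to the shared account only.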