
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 2 Contributor

MFA and Azure AD Connect

With the new requirement for MFA to be enabled for all accounts in the domain, this will break Azure AD Connect synchronization using the auto-generated account.


Additionally, we're deploying a .NET Core solution for one of our customers, deployed using containers, whereby a service account connects to Exchange Online APIs to manipulate free/busy calendaring. With this requirement from MS for all partners, access to the Exchange Online API is essentially cut off.


What's the guidance from MS regarding these?

1 ACCEPTED SOLUTION

Microsoft

Re: MFA and Azure AD Connect

@desmondkung you are correct that the baseline policies will impact the service account used by your application. Fortunately, EWS does support OAuth authentication; you can find more information on this here. You should be able to implement the Secure Application Model framework for your application, and that will allow it to continue to function.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
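What the accepted answer's move to OAuth looks like on the wire, as an added example that is not code from this thread or from Microsoft: an app-only (client credentials) token for EWS, a check that the token really carries the full_access_as_app role before it is used, and the SOAP request with the bearer token plus the ExchangeImpersonation header and X-AnchorMailbox that an app-only caller needs, since such a token names no user. The environment variable names, the unsigned sample tokens and the calendar window are assumptions made for this example; the Secure Application Model the answer names is the partner-tenant variant of this flow and is not shown.

```python
"""App-only OAuth (client credentials) for Exchange Web Services.

Replaces a username/password service account that Conditional Access and the
"Block legacy authentication" baseline now reject. Standard library only: the
helpers run offline, main() performs the real token and EWS calls.
"""
import base64
import json
import os
import urllib.parse
import urllib.request
from xml.sax.saxutils import escape

EWS_URL = "https://outlook.office365.com/EWS/Exchange.asmx"
# App-only EWS access comes from the Office 365 Exchange Online application
# permission "full_access_as_app" (admin consent required), requested via the
# resource-wide .default scope.
EWS_SCOPE = "https://outlook.office365.com/.default"
EWS_APP_ROLE = "full_access_as_app"
# Audience is the EWS resource URI or the Exchange Online first-party app id.
EWS_AUDIENCES = {"https://outlook.office365.com", "00000002-0000-0ff1-ce00-000000000000"}


def token_request(tenant_id, client_id, client_secret):
    """URL and form body of the v2.0 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": EWS_SCOPE}
    return url, body


def jwt_claims(token):
    """Payload of a JWT decoded WITHOUT signature verification. Fine for
    inspecting a token we just received from the issuer over TLS; never use
    this to accept a token presented by a caller."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_app_only_ews(token):
    """True only for an app-only EWS token: right audience and the
    full_access_as_app role. A delegated token carries 'scp' instead of
    'roles' and cannot impersonate other mailboxes."""
    claims = jwt_claims(token)
    return claims.get("aud") in EWS_AUDIENCES and EWS_APP_ROLE in claims.get("roles", [])


def ews_headers(token, mailbox):
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "text/xml; charset=utf-8",
            # Lets Exchange route the request to the impersonated mailbox.
            "X-AnchorMailbox": mailbox}


def ews_envelope(mailbox, body_xml):
    """SOAP envelope impersonating `mailbox`; an app-only token names no
    user, so the target mailbox is stated in the ExchangeImpersonation header."""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" '
            'xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">'
            '<soap:Header><t:RequestServerVersion Version="Exchange2013_SP1"/>'
            '<t:ExchangeImpersonation><t:ConnectingSID><t:PrimarySmtpAddress>'
            f'{escape(mailbox)}</t:PrimarySmtpAddress></t:ConnectingSID>'
            '</t:ExchangeImpersonation></soap:Header>'
            f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>')


def calendar_view(start_utc, end_utc):
    """FindItem body listing calendar items in a window (a free/busy-style read)."""
    return ('<m:FindItem Traversal="Shallow"><m:ItemShape><t:BaseShape>IdOnly'
            '</t:BaseShape></m:ItemShape>'
            f'<m:CalendarView StartDate="{start_utc}" EndDate="{end_utc}"/>'
            '<m:ParentFolderIds><t:DistinguishedFolderId Id="calendar"/>'
            '</m:ParentFolderIds></m:FindItem>')


def _unsigned_jwt(claims):
    """Constructed, unsigned token so the checks above can run offline."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


SAMPLE_APP_TOKEN = _unsigned_jwt({"aud": "https://outlook.office365.com",
                                  "roles": ["full_access_as_app"]})
SAMPLE_DELEGATED_TOKEN = _unsigned_jwt({"aud": "https://outlook.office365.com",
                                        "scp": "EWS.AccessAsUser.All"})


def main():
    # Hypothetical variable names; point them at your own app registration.
    tenant, client, secret = (os.environ[k] for k in
                              ("AAD_TENANT_ID", "AAD_CLIENT_ID", "AAD_CLIENT_SECRET"))
    mailbox = os.environ["EWS_MAILBOX"]
    url, body = token_request(tenant, client, secret)
    with urllib.request.urlopen(url, urllib.parse.urlencode(body).encode()) as r:
        token = json.load(r)["access_token"]
    if not token_is_app_only_ews(token):
        raise SystemExit("token lacks full_access_as_app: grant and consent the application permission")
    soap = ews_envelope(mailbox, calendar_view("2024-01-01T00:00:00Z", "2024-01-08T00:00:00Z"))
    req = urllib.request.Request(EWS_URL, data=soap.encode(),
                                 headers=ews_headers(token, mailbox), method="POST")
    with urllib.request.urlopen(req) as r:
        print(r.read().decode()[:500])


if __name__ == "__main__":
    main()
```

In the .NET Core service itself these are the steps that MSAL's AcquireTokenForClient and the EWS Managed API's OAuthCredentials plus ImpersonatedUserId perform for you; the role check is worth keeping either way, because a token issued before admin consent comes back without the role and EWS only tells you with a 401 later.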
7 REPLIES
Microsoft

Re: MFA and Azure AD Connect

For the AAD Connect sync account, engineering does ensure it will not be impacted; this was also added to the recently updated FAQ: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#will-the-service-account-used-by-azure-ad-connect-be-impacted-by-the-partner-security-requirements


For the 2nd question: Is my understanding correct that, in deploying this solution, you are using your CSP delegated permissions to call the APIs in the customer tenant?

I also guess you are not using the ExO PowerShell module?

Level 2 Contributor

Re: MFA and Azure AD Connect

Understood for the AAD Connect sync account.


As for the 2nd question, I'd like to rephrase it into the following scenario so that it's easier to understand, as there's no CSP permission delegation involved. Take it that it's running in our own environment.


So we have a containerized .NET Core solution whereby a service account uses the EWS 2013 (Exchange Web Services) API to update calendar entries. With the required implementation of MFA for all service accounts, the solution is broken, with the baseline policy "Block legacy authentication" preventing the access. We are not using the ExO PowerShell module.

Level 2 Contributor

Re: MFA and Azure AD Connect

Thank you. We'll take a look into that.

Level 2 Contributor

Re: MFA and Azure AD Connect

Just to have a clear understanding. The FAQ states that the Azure AD sync account should not be impacted. We have Azure AD Connect installed and the account was automatically created. I have enabled MFA via CA, but not the baseline policy. The CA I have in place is MFA on every login.


I have a support ticket open, however. The event logs from my server show me this; as stated previously in this thread, are you saying that is now not the case and we have to look at the security framework? I appreciate any information to help guide here.


The extensible extension returned an unsupported error.

"System.InvalidOperationException: The ADSync service is not allowed to interact with the desktop to authenticate xxx@contoso.onmicrosoft.com. This error may occur if multifactor or other interactive authentication policies are accidentally enabled for the synchronization account."

Level 2 Contributor

Re: MFA and Azure AD Connect

Hi dferrell, If you've created custom conditional access policies, then you'll need to manually exclude the AAD Connect account. That's what I did previously. If you enable the baseline policy, the AAD Connect account will automatically be excluded.
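An offline way to find which custom Conditional Access policies would still challenge the sync account for MFA, and to build the exclusion the reply above describes; this is an added example, not code from the thread or from Microsoft. It evaluates policies in the shape Graph returns from GET /identity/conditionalAccess/policies (or that Get-AzureADMSConditionalAccessPolicy exports); the object ids, policy names and group ids are constructed for the example, and role-based include/exclude (includeRoles/excludeRoles) is not modelled.

```python
"""Which Conditional Access policies would demand MFA of the Azure AD Connect
sync account, and what the exclusion patch looks like. Works on Graph-style
conditionalAccessPolicy objects; no network access."""
import copy
import re

# AAD Connect names its cloud account Sync_<server>_<hex>@<tenant>.onmicrosoft.com
SYNC_UPN_RE = re.compile(r"^Sync_[^@]+@[^@.]+\.onmicrosoft\.com$", re.IGNORECASE)


def is_sync_account_upn(upn):
    return bool(SYNC_UPN_RE.match(upn))


def policy_targets_user(policy, user_id, group_ids=()):
    """Graph semantics: exclusions win over inclusions, 'All' matches everyone."""
    users = policy["conditions"]["users"]
    groups = set(group_ids)
    if user_id in users.get("excludeUsers", []) or groups & set(users.get("excludeGroups", [])):
        return False
    include = users.get("includeUsers", [])
    return "All" in include or user_id in include or bool(groups & set(users.get("includeGroups", [])))


def requires_mfa(policy):
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "mfa" in controls


def mfa_policies_hitting(policies, user_id, group_ids=()):
    """Names of enforced policies that would require MFA from user_id.
    Report-only policies (state enabledForReportingButNotEnforced) and
    disabled ones do not block a sign-in and are skipped."""
    return [p["displayName"] for p in policies
            if p.get("state") == "enabled" and requires_mfa(p)
            and policy_targets_user(p, user_id, group_ids)]


def exclusion_patch(policy, user_id):
    """PATCH body for /identity/conditionalAccess/policies/{id}. The whole
    users block is resent so nothing already in the include/exclude lists
    is lost; the input policy is not modified."""
    users = copy.deepcopy(policy["conditions"]["users"])
    excluded = users.setdefault("excludeUsers", [])
    if user_id not in excluded:
        excluded.append(user_id)
    return {"conditions": {"users": users}}


# Constructed sample: object ids, group ids and policies are made up here.
SYNC_ID = "1b2c3d4e-0000-4000-8000-000000000001"
SAMPLE_POLICIES = [
    {"id": "p1", "displayName": "MFA on every login", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p2", "displayName": "MFA for admins group", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["grp-admins"],
                              "excludeUsers": [SYNC_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "p3", "displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"id": "p4", "displayName": "MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


if __name__ == "__main__":
    hits = mfa_policies_hitting(SAMPLE_POLICIES, SYNC_ID, group_ids=["grp-admins"])
    print("policies that would break AAD Connect:", hits)
    for p in SAMPLE_POLICIES:
        if p["displayName"] in hits:
            print("PATCH", p["id"], exclusion_patch(p, SYNC_ID))
```

Run against a real export, the list it prints is exactly the set of policies that still need the Sync_ account added to excludeUsers; the ADSync "not allowed to interact with the desktop" error quoted earlier in the thread is what you see when that list is not empty.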
Level 2 Contributor

Re: MFA and Azure AD Connect

I did not think there were any exclusions allowed in this scenario. However, if the baseline user protection policy is excluding it, then OK. I appreciate the feedback here, desmondkung.