MFA and Whitelisting Question
I have Security Defaults enabled in Azure AD and a whitelist created for the static IP address of the business. MFA is working well and the whitelisting works great within the business. We also have an on-premise AD server that is syncing to Azure AD.
Now for the fun part
We have a local ad user setup on your counter computer for sales that come in the door. This user never uses any of the cloud services provided by microsoft but with the AD sync to the cloud the account is sitting waiting for MFA to be setup.
Is there any way to expire MFA on these accounts in say 30 days so MFA cannot be setup after that period?
Theoretically a hacker could steal the credentials, login to the account, and setup MFA on there own device and have control of that account.
Is the idea that if there is nothing important in the cloud account that securing it is unnecessary?
Thanks in advance for any feedback or suggestions you may have.
Why not put the account into an OU and then configure AADC to not sync that OU? If there is no need for the account to be in Azure AD, then don't sync it. I've seen too many implementations of AADC where they just chose the default sync the entire structure option and they have a bunch of junk in Azure AD.
While that is definitely an option I was hoping for something that was more "globally locked down". While I can implement this I know for a fact that someone down the road will add another user to AD and forget to put them in this group causing it to sync to AD leaving the account vulnerable again.
Unlike corporate where you only manage one AD we are an MSP that manages hundreds of AD infrastructures so I am still looking for a better alternative.