Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Reply
Gajoll
Level 1 Contributor

MFA reports for customers as partner

Hi,

 

We´re taking the usage of MFA seriously for our customers and want to have an automated report for every customer we have to lookup which users are enforced for MFA and which don´t.

 

Have you guys done anything like this? How could we do it in a good way where we get every customer and the users which don´t have MFA enforced. We would like to have a comparison from last month as well.

 

//Martin

3 REPLIES 3
Gajoll
Level 1 Contributor

Hi and thanks for the answer.. This is kind of interesting topic.

 

We have a couple of customers which uses Business Premium and on those we use Conditional Access to manage the MFA-experience which works fine.

However, the majority of our customers does not have access to Azure AD Premium features in form of Conditional Access so we´re activating MFA per user in the Multifactor-feature but now you´re saying it´s about to be considered as legacy.

Are you referring to Security defaults as the standard solution to activate MFA then? Security Defaults do alot more than activating only MFA which does not fits some of our customer.. Some customer has legacy applications which can´t connect using Security Defaults and some customers need to use SMS as the MFA-option(yes, we know we should migrate the legacy applications and not have SMS but it´s not possible for some customers yet)

 

But on you it sounds like we should NOT activate the MFA per user in the MFA-portal - Correct? What should we do instead if we can´t use security defaults?

 

However, back to my topic.. I´m aware that we can connect through PowerShell or search the log-in logs for every customer but we have 100+ customer which makes that work not a feasible way. I was looking for a solution either through PowerShell or PowerBI to collect information about ALL our customers  in one report so we could work with one file/report instead of 100+ files, one for every customer. Is that possible?

 

//Martin

JanoschUlmer
Microsoft

Yes, Security Defaults will become the primary solution.

That CA or SecDefaults are the recommended solutions is also reflected in more and more places in the documentation, e..g https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates or more directly here: https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/multi-factor-authentication-microsoft-365?view=o365-worldwide#legacy-per-person-mfa-not-recommended

 

Also note that Exchange Online will also disable Basic Auth. in the coming year - so by this point in time there would be no app that works using basic auth. 

Of course, if this is currently the only option, it is better to use per-user than nothing. 

 

To your main topic - yes, this is what I meant also above. For each customer you manage as a CSP, so where you have delegated admin capabilities, you can query this info across all customer tenants using a single script and s single account that is admin agent in your Partner. E.g. you get a list of all customer with Partner Center Powershell (Get-PartnerCustomer, the use MsOnline module (e.g. within a for-each loop) to query this information from each user in those tenants - and export this information e.g. to a CSV. 

And the same way you can query the sign-in logs using some filtering for sign-ins without MFA.

 

I'm pretty sure using some custom connectors you might be able to even directly query this in PowerBI, though I'm not an expert in this. At least you can use Partner Center API and Graph API to get the same kind of information across all managed customers.

 

And afaik getting an overview across security over all customers is something where over long term M365 Lighthouse will also come handy ,though I'm pretty sure that legacy per-user MFA will not be in scope for this 🙂

Kind regards,
Janosch
Get consultations form Technical Presales & Deployment services team via https://aka.ms/technicalservices
JanoschUlmer
Microsoft

Checking on the per-user configuration would not be recommended (Since the whole per-user MFA method is no longer recommended considered to be legacy), better check the sign-in logs if MFA was done. There is cmdlet in AzureAD powershell that might be handy:https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureadauditsigninlogs?view=azureadps-2.0-preview E.g. you could filter sign-in events without MFA.

And AzureAD powershell can be used as a CSP Partner within customer tenant context using delegated admin rights.

 

Also you should consider checking if AAD Security Defaults are enabled in the tenant - then MFA might not be triggered all of the time. So reading sign-in logs can be skipped if the defaults have been activated - see here for some scripting approaches for this: https://www.cyberdrain.com/automating-with-powershell-enabling-secure-defaults-and-sd-explained/ 

Have not checked in Security Defaults can also be set using this way:https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureaddirectorysetting?view=azureadps-2.0-preview 

 

 

Kind regards,
Janosch
Get consultations form Technical Presales & Deployment services team via https://aka.ms/technicalservices