Partner Center / CSP with Conditional Access
Hi
We heavily use and love Conditional Access, especially to restrict access to critical apps.
However, we miss an option to enforce MFA when a user signs into Partner Center, since there is no dedicated app available when modelling Conditional Access policies.
Will this ever be supported? Meanwhile the only option we are left with is to use dedicated identities for signing into Partner Center and enforce MFA for those identities.
@cstelzer : Stay tuned for updates on this in the coming weeks.
You are correct that - currently - MFA will not be enforced for every sign-in using the end user baseline policy.
@JanoschUlmer
So, was there ever an update / change to the End User Baseline Policy to ALWAYS enforce MFA as opposed to "At Risk"? I'm being told I'm not in compliance now, based on only MFA "At Risk". Was a change to the baseline rule made? We are not utilizing the Baseline, but rather MFA Registration / Identity Protection policies for All Users (MFA Low+ Risk).
@cstelzer : No, not yet. When you are using your own risk-based policies, which will also not trigger MFA every time, it is no surprise that you are not deemed to be compliant, since there are probably still users accessing the tenant without doing MFA.
The report, which was probably sent to you by your account team, will afaik currently check if either authentication was done with MFA or if the baseline policies were enabled. The report is also work in progress, so I have seen false negatives. So if you see in e.g. the Azure AD sign-in reports that every user is in fact doing MFA, and the report says otherwise, be sure to give feedback to the account team.
There will also be an improved report available as self-service soon. The documentation is already done; because of last-minute issues the report will take a few days more to be visible in Partner Center: https://docs.microsoft.com/en-us/partner-center/partner-security-compliance
Hi, @JanoschUlmer, has the self-service MFA report already been made available in Partner Center, as I am still not able to find it there? If not, what is its ETA?
TIA,
Marcel Domingus
It is already available, at least in all tenants I have access to. The report is in the settings area - there you should find "Security Compliance" - direct link: https://partner.microsoft.com/en-us/pcv/security/compliance
I don't know if the report is also displayed for Partner Center accounts that are not subject to the MFA requirements (e.g. when only MPN management is done in this tenant and not CSP); I guess it is not. If in doubt, send me the tenant name (via private message) and I can check for you.
@JanoschUlmer can we not retrieve a copy of the data behind the MFA Compliance report in Partner Center?
- Through Partner Center portal: x%
- Through API or SDK: x%
We keep being told to "look at the AAD sign-in logs", which as we all know are full of noise and incredibly difficult to correlate compliance from.
Seems to me Microsoft should just provide us with the data behind the ACTUAL report that's determining whether or not we're compliant, so we could better understand the issues. I for one have a single CA rule: All Users, All Apps, Require MFA, that's it, and I still see wild swings in compliance data for "Through Partner Center Portal" for some reason (100% to 85% back to 97%).
Also, I don't believe any of the API/SDK data is even available in the Azure AD Sign-ins report to validate. Where is that data surfaced from, so we can review it?
Also, any word on updates to the End User Baseline Rules? Here many of us are ACTUALLY enforcing MFA for all authentications (with our own CA rules) and are fighting with accurate "Compliance", meanwhile many others are using the Baseline rules and ONLY enforcing MFA during At Risk sign-ins and are sitting happily being "Compliant" simply for having the rules turned on.
Sorry for not replying for a long time.
Some updates: the PowerShell script to assess if logins happened via MFA was replaced by a new feature in an updated PowerShell module: https://docs.microsoft.com/en-us/powershell/module/partnercenter/get-partnerusersigninactivity?view=partnercenterps-2.0
Documentation was also updated on this.
The Compliance report in Partner Center, as far as I was able to confirm:
- Does not count failed MFA as non-compliant access.
- Only counts access to Partner Center (while it is still true that MFA needs to be enabled for all users & all services in the tenant, so the Compliance report might show 100% while there is still non-compliant access happening to other services).
- Documentation was updated explaining some more scenarios where the compliance report does not show the real compliance, e.g. when using Custom Controls in Conditional Access it cannot be detected: https://docs.microsoft.com/en-us/partner-center/partner-security-compliance
- It is not possible to get the raw data from the report.
Access to the API will not be visible in the sign-in reports; the only potential option to identify why API access is not showing 100% is to analyze each token to check if it incorporates the MFA claim. I have seen multiple cases where partners have implemented the Secure App Model, but compliance was not 100% because they forgot to enable MFA when doing the app registration and getting the authorization token, and thus the app is seemingly registered correctly, but without the MFA claim.
The end user baseline policy will indeed be updated to enforce MFA for all users in a CSP tenant. Until this is done, this is another reason why the report will not show 100% when in fact you are compliant because you enabled this policy. (Sorry, I would appreciate a more logical explanation myself, but it is how it is.)
While there is no ETA for this change of behaviour yet, it was already announced that baseline policies will soon change into this: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-security-defaults
Hello everyone,
I would like to ask whether anyone here has implemented MFA for MPN. Please provide the steps to implement it.
I have gone through your discussion threads, but could not find as much information as expected.
I have searched a couple of documents on docs.microsoft.com. The initial part is fine, like enabling "Require MFA for admins" and "End user protection", which are available in Conditional Access policy; after enabling and choosing OK it gets saved.
I need to know the further steps involved in it. I would request that someone please reply to this request.
The documentation is all summarized here:
https://docs.microsoft.com/en-us/partner-center/partner-security-requirements
Additional info: Baseline policies will become AAD security defaults soon; the functionality does not change though: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-security-defaults
Checking compliance:
https://docs.microsoft.com/en-us/partner-center/partner-security-compliance
FAQs:
https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq
What other specific questions do you have on this? What is not answered in the documentation? Generally, after enabling the baseline policies it is only a matter of regularly monitoring the compliance status and educating users on how to do the MFA registration.
For a more detailed report on which user accounts did not use MFA, I was just made aware that a suitable PowerShell script was already published here: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements#assessing-your-environment
This will remove some of the "noise" of the full Azure AD sign-in logs and will make it easier to identify where non-compliant access did happen from users.
For identifying which API access was not compliant: as it seems, there is really no other way than to look at each refresh token which is used, decode it and check for the claims. The issue is that it might happen that the Secure App Model was used, but if the user then did not do MFA, the refresh tokens will not incorporate the MFA claim.
Still waiting for answers on the other questions.
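This reply and the later "Some updates" reply both say the only way to find out why API/SDK access is not counted as MFA is to decode the tokens and look for the MFA claim. The following is an added example, not code from this thread or from Microsoft: it decodes the payload of an Azure AD access or ID token (a JWT) without verifying its signature and checks whether the `amr` (authentication methods references) claim contains `mfa`, which is what a token issued after a password-only consent flow will be missing. The sample tokens are constructed inline so the script runs offline; the audience, UPNs and claim values in them are assumptions. One practical caveat: Azure AD refresh tokens are opaque strings, not JWTs, so the check has to be run on the access or ID token issued from the refresh token rather than on the refresh token itself.

```python
import base64
import json


def _b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used by JWT (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Restore the padding that JWT strips before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_sample_token(payload: dict) -> str:
    """Constructed JWT used only so this example runs offline.

    The signature segment is a placeholder; a real Azure AD token is RS256-signed
    by the tenant's signing key. Nothing below relies on the signature.
    """
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-kid"}
    return ".".join((
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"signature-placeholder"),
    ))


def decode_claims(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying the signature.

    This is only appropriate for inspecting tokens your own app obtained; a
    resource server must verify the signature before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        # Refresh tokens and malformed input are not JWTs and cannot be decoded.
        raise ValueError("not a JWT: only access/ID tokens carry inspectable claims")
    return json.loads(_b64url_decode(parts[1]))


def token_has_mfa(token: str) -> bool:
    """True when the amr claim records a multi-factor authentication."""
    amr = decode_claims(token).get("amr", [])
    if isinstance(amr, str):  # be tolerant of a single-value claim
        amr = [amr]
    return "mfa" in amr


def audit_tokens(tokens: dict) -> list:
    """Names of the tokens whose amr claim lacks 'mfa' (the ones the report would count as non-MFA)."""
    return [name for name, tok in tokens.items() if not token_has_mfa(tok)]


# Constructed samples (assumed audience/UPNs): the first was issued after a consent
# flow where the admin completed MFA, the second after a password-only sign-in.
SAMPLE_TOKENS = {
    "consent-with-mfa": build_sample_token({
        "aud": "https://api.partnercenter.microsoft.com",
        "upn": "admin@contoso.example",
        "amr": ["pwd", "mfa"],
    }),
    "consent-password-only": build_sample_token({
        "aud": "https://api.partnercenter.microsoft.com",
        "upn": "automation@contoso.example",
        "amr": ["pwd"],
    }),
}


if __name__ == "__main__":
    for name, tok in SAMPLE_TOKENS.items():
        claims = decode_claims(tok)
        print(f"{name}: upn={claims.get('upn')} amr={claims.get('amr')} mfa={token_has_mfa(tok)}")
    print("tokens without MFA claim:", audit_tokens(SAMPLE_TOKENS))
```

To apply this to a Secure App Model deployment, exchange the stored refresh token for an access token the way the app normally does, then pass that access token to `token_has_mfa`; if it returns False, the consent flow has to be repeated with MFA so that a new refresh token (and the access tokens derived from it) carry the claim.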
@cstelzer & @MarcelDomingus : I'm currently checking for more information on that; this might take some time. Afaik failed access does not count; raw data for the report is not available; I do not have a timeline regarding potential changes in the end user protection policy. So currently I have no answers.
Hi, @JanoschUlmer, thanks for the tip! I have managed to find the report in PC.
I noticed that compliance of "Through Partner Center portal" is listed at 78%, whereas I am certain that all our Partner Center users have MFA enforced. Can it be that technical failures / glitches when authenticating to Partner Center (for instance the Authenticator app crashes when you press the push notification, forcing you to request a subsequent text message code, upon which authentication finally does succeed; a frequent occurrence for our users) will count towards non-compliance?
I do not expect unsuccessful attempts to enter the 2nd factor to change the report, but the report will incorporate data from the last 7 days, so it depends on when all users were enabled for MFA.
You can use the Azure AD sign-in logs to check which users did not go through MFA (at least one AAD Premium P1 license is required in the tenant to see these logs).
Hi, @JanoschUlmer, actually I am looking at the sign-in report and was wondering if status codes like Interrupted and Failure would count towards non-compliance (see report snippet below).
Also, the diagnostic scope of the Compliance Status Report appears to be limited to the actual use of the Partner Center portal and CSP APIs, whereas my impression was that compliance is dependent on MFA enforcement for all tenant users, even the ones that do not actually use Partner Center?
| Status | Sign-in error code | Failure reason | Client app | Device ID | Browser | Operating System | Compliant | Managed | Join Type | MFA result | MFA auth method | MFA auth detail | Conditional access |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Success | | | Browser | | Edge 79.0.287 | Windows 10 | | | | MFA requirement satisfied by claim in the token | | | |
| Success | | | Browser | b9cc9b3f-184d-49d4-9c7e-037025f52a1e | Edge 18.1776 | Windows 10 | | | Azure AD registered | MFA requirement satisfied by claim in the token | | | |
| Success | | | Browser | | Edge 79.0.287 | Windows 10 | | | | MFA requirement satisfied by claim in the token | | | |
| Interrupted | 50140 | This error occurred due to 'Keep me signed in' interrupt when the user was signing-in. | Browser | | Edge 79.0.287 | Windows 10 | | | | MFA completed in Azure AD | Text message | +XX XXXXXXXX51 | |
| Success | | | Browser | | Edge 79.0.287 | Windows 10 | | | | MFA requirement satisfied by claim in the token | | | |
| Success | | | Browser | | Chrome 77.0.3865 | Windows 10 | | | | MFA requirement satisfied by claim in the token | | | |
| Success | | | Browser | | Chrome 77.0.3865 | Windows 10 | | | | MFA requirement satisfied by claim in the token | | | |
| Success | | | Browser | a092e74e-bc02-4273-a217-3ecd23eeff29 | Edge 18.1836 | Windows 10 | TRUE | TRUE | Azure AD registered | MFA requirement satisfied by claim in the token | | | |
| Success | | | Browser | | Chrome 77.0.3865 | Windows 8.1 | | | | MFA requirement satisfied by claim in the token | | | |
| Failure | 50089 | Flow token expired - Authentication Failed. Have user try signing-in again with username -password. | Browser | | Edge 79.0.287 | Windows 10 | | | | | | | Not Applied |
| Success | | | Browser | | Chrome 77.0.3865 | Windows 8.1 | | | | MFA requirement satisfied by claim in the token | | | |
| Success | | | Browser | b446fddb-039f-4c9e-a8a5-f4870ed41c5a | Edge 17.1713 | Windows 10 | | | Azure AD registered | MFA requirement satisfied by claim in the token | | | |
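As an added example (not code from this thread or from Microsoft), here is a small Python triage of a sign-in log export shaped like the snippet above. It follows the reasoning of the earlier reply that unsuccessful attempts should not change the report: only rows with Status "Success" are examined, and a successful sign-in counts as MFA-backed when the MFA result column reads "MFA requirement satisfied ..." or "MFA completed in Azure AD"; Interrupted and Failure rows are skipped. The CSV is constructed; the Username column (redacted in the snippet) and the no-MFA row for carol are assumptions added so the detection path is exercised.

```python
import csv
import io
from collections import defaultdict

# Constructed export (assumed Username column; other columns taken from the snippet above).
SAMPLE_EXPORT = """Username,Status,Sign-in error code,Failure reason,Client app,Browser,Operating System,MFA result,Conditional access
alice@contoso.example,Success,,,Browser,Edge 79.0.287,Windows 10,MFA requirement satisfied by claim in the token,
alice@contoso.example,Interrupted,50140,This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.,Browser,Edge 79.0.287,Windows 10,MFA completed in Azure AD,
bob@contoso.example,Failure,50089,Flow token expired - Authentication Failed. Have user try signing-in again with username -password.,Browser,Edge 79.0.287,Windows 10,,Not Applied
bob@contoso.example,Success,,,Browser,Chrome 77.0.3865,Windows 8.1,MFA requirement satisfied by claim in the token,
carol@contoso.example,Success,,,Mobile Apps and Desktop clients,,Windows 10,,Not Applied
"""


def mfa_satisfied(mfa_result: str) -> bool:
    """Treat both 'MFA requirement satisfied by ...' variants and an interactive
    'MFA completed in Azure AD' as a multi-factor sign-in. Anything else on a
    successful row (blank, 'MFA denied; ...') is a single-factor session."""
    text = (mfa_result or "").strip()
    return text.startswith("MFA requirement satisfied") or text == "MFA completed in Azure AD"


def triage(csv_text: str):
    """Return (per-user counts of successful sign-ins with/without MFA,
    list of (user, client app, conditional access) for the non-MFA ones)."""
    summary = defaultdict(lambda: {"mfa": 0, "no_mfa": 0})
    offenders = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"].strip() != "Success":
            continue  # Interrupted/Failure never produced a session; ignore the noise
        user = row["Username"].strip()
        if mfa_satisfied(row["MFA result"]):
            summary[user]["mfa"] += 1
        else:
            summary[user]["no_mfa"] += 1
            offenders.append((user, row["Client app"].strip(), row["Conditional access"].strip()))
    return {user: dict(counts) for user, counts in summary.items()}, offenders


def compliance_share(summary: dict) -> float:
    """Percentage of successful sign-ins that were MFA-backed, rounded like the report."""
    total = sum(c["mfa"] + c["no_mfa"] for c in summary.values())
    if total == 0:
        return 0.0
    with_mfa = sum(c["mfa"] for c in summary.values())
    return round(100.0 * with_mfa / total, 1)


if __name__ == "__main__":
    summary, offenders = triage(SAMPLE_EXPORT)
    for user, counts in summary.items():
        print(f"{user}: mfa={counts['mfa']} no_mfa={counts['no_mfa']}")
    print("single-factor sessions:", offenders)
    print("MFA share of successful sign-ins:", compliance_share(summary), "%")
```

The output of a real export will differ from the Partner Center report because the report only counts access to Partner Center itself, while the sign-in log covers every application in the tenant; filtering the export on the Partner Center application before running this triage brings the two closer together.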

Question about PIM. We have configured all our users to use PIM when they need to perform any action, yet they have a permanent assignment. In case we switch them to "Eligible", meaning they will have a "regular" user for their day-to-day work but can be promoted to a power user using PIM, will they be considered regular users for the purpose of those security requirements, or admins?

If I understand the question correctly, this should not really matter, since the security requirements apply to all user accounts in the tenant, not just those which have admin roles.

@JanoschUlmer wrote: "If I understand the question correctly, this should not really matter, since the security requirements apply to all user accounts in the tenant, not just those which have admin roles."
Yeah, but users with admin rights get special conditions:
"...Once MFA registration is complete, administrators will need to perform MFA every time they sign-in."
End users get a different policy:
"...Once registered for MFA, users will be prompted for MFA only during risky sign-in attempts..."
So let's say all my users are "normal users" (end users), but have the right to elevate to a more powerful role (such as Global Admin). How will they be treated by those policies? Is that compliant with the requirement?

If the "Require MFA for admins" Conditional Access policy is enabled and the admin's device is Hybrid Azure AD joined, it won't prompt for MFA, since the device has a PRT. Can we enforce MFA only for admin users even if they are Hybrid Azure AD joined?

@hari_kumar : No, you cannot force an admin to go through MFA again if the device already fulfils the MFA requirement by the claim in the token. You can configure Windows Hello with multi-factor unlock though, to force the user to enter an additional method when logging in to Windows. Another solution would be to force the user to use a browser that does not support this scenario, e.g. Firefox, Opera, Safari, but this does not make a lot of sense imo.
The question is: why?
Once those users get an admin role assigned, the baseline policy "Require MFA for admins" would apply automatically to them.
Note that the end user protection baseline policies apply to both "normal" users and admins - so for admin access the controls of both policies would apply (though the user would not recognize this, he just gets the MFA prompt).
If those two baseline policies are enabled it will be compliant.

@idwilliams Some follow-up questions:
- In the official guide for enabling these policies, the user policy has an option for exceptions, but when I checked them today in our AAD that exception is missing? Why? What is happening here? Sounds like this was not planned very well if the documentation is not correct.
- What is behind "Microsoft commercial cloud services"? I am pretty sure that most people will not know the exact scope if you do not explicitly state which services/portals/APIs are behind that.
