
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 1 Contributor

Re: Question regarding MFA compliance

According to the FAQ, every authentication attempt will have to be met with an MFA challenge, so that would mean that you couldn't add a trusted location and bypass MFA through that. Microsoft says that enabling the end-user and admin baseline policies would suffice though. The conflict there is that the end-user policy only requires the MFA challenge for risky sign-ons. Which one is it? Do you have to have an MFA challenge each time, or is the baseline end-user policy, which bypasses MFA except for risky sign-ins, enough?

Microsoft

Re: Question regarding MFA compliance

@kevinwilso05, trusted locations or other whitelisting solutions available in Azure AD P1/P2 or third-party MFA solutions do not fulfill the MFA requirements. Enabling the admin and end-user baseline protection policies does fulfill the MFA requirements. I understand the confusion regarding the conflict between the requirement for each sign-on to receive a challenge and the risk-based nature of the end-user baseline protection policy. While today end-users only need to complete an MFA challenge based on risk with the baseline protection policy, in the future, end-users may be prompted to complete an MFA challenge for every sign-on, regardless of risk.

Visitor 1

Re: Clarification on new CSP MFA security requirements

Tim,

This is the way I read it, but I'm waiting on clarification from our CSP vendor. Did you find an answer?

Level 1 Contributor

Re: Question regarding MFA compliance

If that's the case, where the baseline end-user protection policy is compliant and location-based conditional access is not, then the FAQ is wrong. By definition then, if you use the baseline policy, you are using conditional access to circumvent the MFA challenge. If these requirements are really about making the environment secure, I'd actually argue that location-based conditional access is way more strict than the baseline policy. It's way less likely that you're going to have a risky sign-in from inside your own network, so to play it on the safe side, you force the MFA challenge for every sign-in that's not coming from your intranet.

It looks like Microsoft hasn't fully figured out what they want for this yet, but even your last sentence contradicted itself. When you said "While today end-users only need to complete an MFA challenge based on risk with the baseline protection policy, in the future, end-users may be prompted to complete an MFA challenge for every sign on, regardless of risk.", you admitted that the MFA challenge every time is definitely a step up security-wise from the baseline policy. If today end-users only need to complete an MFA challenge based on risk, then why do the FAQ and article say differently? And then saying "in the future, end-users may be prompted to complete an MFA challenge for every sign on, regardless of risk." The way you said it sounds like it hasn't been determined whether Microsoft will make it a requirement to have an MFA challenge every time, and it may be implemented in the future, yet the FAQ for these security requirements says that you have to have the MFA challenge every time. There is just constant going back and forth even in Microsoft's published articles, which is making this a confusing mess.

Microsoft

Re: Question regarding MFA compliance

@kevinwilso05 Thank you for the feedback and sorry for the confusion caused.

We need to differentiate between the contract and technical enforcement. Indeed, it would be great if the end-user baseline policies already worked like they should; for various reasons, the technical change in the policy was not implemented before the announcement on security requirements was published.

 

The contract (CSP Program Guide) does explicitly call out baseline policies as one way of being compliant. The FAQ is still correct in its guidance that no exclusions can be configured, because once technical enforcement starts, authentication will not be successful if no MFA has been done. And before this technical enforcement starts, the baseline policy will incorporate this required change to trigger MFA every time.
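
To make the three configurations argued about in this thread concrete, here is an added example (not Microsoft's code and not from any poster) that models how each one decides whether a given sign-in receives an MFA challenge, and runs the three models over a constructed set of sign-ins. The user names, the risk labels and the cut-off of "medium or higher counts as risky" for the end-user baseline policy are assumptions made for illustration; the admin baseline policy is modelled as always challenging admins.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed ordering of sign-in risk labels (assumption for this model).
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    is_admin: bool
    from_trusted_location: bool  # True = came from a whitelisted "trusted location"
    risk: str                    # one of RISK_ORDER's keys


# A policy maps a sign-in to True (MFA challenge required) or False (let through).
Policy = Callable[[SignIn], bool]


def every_sign_on(s: SignIn) -> bool:
    """Behaviour the FAQ describes: every authentication attempt is challenged."""
    return True


def baseline_policies(s: SignIn) -> bool:
    """Admin baseline: admins are always challenged.
    End-user baseline: end-users are challenged only for risky sign-ins
    (assumed here to mean medium risk or higher)."""
    if s.is_admin:
        return True
    return RISK_ORDER[s.risk] >= RISK_ORDER["medium"]


def location_conditional_access(s: SignIn) -> bool:
    """Location-based conditional access: challenge everything except
    sign-ins from a trusted location, regardless of risk."""
    return not s.from_trusted_location


POLICIES: Dict[str, Policy] = {
    "every sign-on": every_sign_on,
    "baseline (admin + end-user)": baseline_policies,
    "trusted-location exclusion": location_conditional_access,
}

# Constructed sample sign-ins; each user appears once so results are easy to read.
SAMPLE_SIGN_INS: List[SignIn] = [
    SignIn("alice", is_admin=False, from_trusted_location=True, risk="none"),
    SignIn("bob", is_admin=False, from_trusted_location=False, risk="none"),
    SignIn("carol", is_admin=True, from_trusted_location=True, risk="none"),
    # Credentials used from inside the network but flagged high risk: the case
    # a pure location exclusion lets through.
    SignIn("dave", is_admin=False, from_trusted_location=True, risk="high"),
    SignIn("erin", is_admin=False, from_trusted_location=False, risk="high"),
]


def unchallenged(policy: Policy, sign_ins: List[SignIn]) -> List[str]:
    """Users whose sign-in would NOT receive an MFA challenge under the policy."""
    return [s.user for s in sign_ins if not policy(s)]


def compare(sign_ins: List[SignIn] = SAMPLE_SIGN_INS) -> Dict[str, List[str]]:
    """For each policy model, list the sign-ins that pass without MFA."""
    return {name: unchallenged(policy, sign_ins) for name, policy in POLICIES.items()}


if __name__ == "__main__":
    for name, passed in compare().items():
        print(f"{name:28s} lets through without MFA: {passed or 'nobody'}")
```

Running it shows the gap each side of the thread is pointing at: the risk-based end-user baseline lets low-risk sign-ins through from anywhere, the location exclusion lets everything from the intranet through including a high-risk sign-in, and only the every-sign-on model matches the FAQ's wording.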

 

Level 1 Contributor

Re: Clarification on new CSP MFA security requirements

Hi @Phogfan ,

 

The only clarification I have received is by reading this message board. My CSP gave us little clarification at best. The only way forward so far seems to be applying the baseline policies to just ourselves and not our customers, which we are not happy about applying to ourselves as it is very limiting. I am looking at when we MUST apply the policies.

 

Thanks,

Tim Earl

Microsoft

Re: Clarification on new CSP MFA security requirements

@timearl :

From contract perspective you need to apply MFA by August 1st.

Technical enforcement will not happen on August 1st, there is no ETA yet on when this happens.

Besides baseline policies, you can alternatively enable MFA for each user and/or use your own conditional access policies (Azure AD Premium Plan 1 required). When enabling MFA per user, some of the limitations might be resolved by leveraging app passwords.

 

Level 1 Contributor

Re: Clarification on new CSP MFA security requirements

It sounds like the baseline policies would be great for many of us if they allowed exclusions for those "special" accounts like the one used by ConnectWise for syncing tickets and calendars at Managed Service Providers. Is there any plan to put the option back in place for the baseline policies to exclude certain users so we could set up per-user MFA for those unique accounts with app passwords?

 

If not, can we make a request for this and upvote it? I would imagine putting that one feature back would help a large swath of partners to be compliant quickly. Isn't that what everyone wants?

 

Baseline policies won't work for most partners because they can only be applied universally. That leaves us with manually setting up per-user MFA exclusively, which is error prone, or setting up conditional access policies, which require Azure AD Premium P1 licenses that many of us do not have. Even AAD P1 does not include all the features of the user baseline policy unless you upgrade to P2. Very few partners and customers can implement baseline policies without some kind of exceptions. Even the recommended break-the-glass account cannot be used if you implement both baseline policies. If we could exclude a user, group, and IP address/location from a baseline policy, we could then actually use baseline policies for ourselves and implement them for our customers to improve security, reduce risk, and reduce credential compromise breaches.

 

As a partner, our ideal scenario would be to implement the baseline policies with exceptions for a few special accounts and then set up per-user MFA for those special accounts with app passwords. Then we could move on to revenue-generating activities.

 

It seems like Microsoft could significantly help partners meet the spirit of the requirement by simply putting back the feature that allowed specific accounts to be excluded from a baseline policy. Then we could set up per-user MFA and app passwords on those excluded accounts. It would probably save everyone a lot of time and effort, as well as hundreds of blog postings...

 

Josh

Visitor 1

Re: Question regarding MFA compliance

It seems that using app passwords doesn't work for admins. So, if our user account has any of the admin roles, they aren't able to use Outlook. Should we set up an account for admin duties under the .onmicrosoft.com accounts, or is there another method to continue using Outlook that I have missed?

While having two accounts for our admins would be an inconvenience, it is something we can live with. 

Visitor 1

Re: Question regarding MFA compliance

You can use 'modern' authentication instead of app passwords to have MFA on Outlook. If you have an older tenant (like most partners), it's something you need to enable. In newer Office 365 tenants it's on by default. If you open Outlook, you get the Office 365 login window where you can enter your password and complete MFA. link to docs

Visitor 1

Re: Clarification on new CSP MFA security requirements

Hi Janosch,

 

Where you finish by saying 'When enabling MFA per user some of the limitations might be resolved by leveraging app passwords', does this mean that the use of app passwords is still completely acceptable in the case of the new requirements?

 

My own use case is being able to schedule a runbook in Azure Automation which creates a CSV file and uploads it to a document library in SharePoint Online. That runbook must authenticate to SharePoint Online as part of the process.

 

I referenced some official documentation (source: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread) to create an app-only Azure AD identity for the purposes of this automated process, specifically the authentication piece. However, this is not a secure enough alternative in my opinion, since the only four available permissions are too broadly scoped and, at best, still result in the Automation Account/runbook identity having the ability to read data in "all" site collections within our tenant (please refer to screenshot).

 

Thus I would very much like to execute the runbook under the context of a user for which I can then define granular enough permissions in SharePoint Online. Since the script is not run interactively, 'app passwords' would be a good solution to our problem.

 

Please clarify.

 

Thanks

Microsoft

Re: Clarification on new CSP MFA security requirements

@mortalwombats Sorry for not replying earlier, I was on vacation and it took a while to catch up.

 

For SharePoint Online, for this type of access I do not think app passwords will work; app passwords only work when the protocol does not support modern authentication. But you can try, and I can confirm that app passwords are a valid option (also confirmed in the FAQs now).

The app-only model does work and is not affected by the MFA requirements; see also the FAQ. While the 4 predefined permissions do not allow for much customization, app-only is secure enough for the purpose of securing the account in the CSP tenant (user credentials are not used to get access tokens).

 

What might work is to leverage the same workaround mentioned for Exchange Online PowerShell in the official guidance; however, this will not be a long-term solution and I would recommend using app-only.