Multi-Factor Authentication (MFA)

@kevinwilso05, trusted locations or other whitelisting solutions available in Azure AD P1/P2 or 3rd party MFA solutions do not fulfill the MFA requirements.  Enabling the admin and end-user baseline protection policies does fulfill the MFA requirements.  I understand the confusion regarding the conflict between the requirement for each sign on to receive a challenge and the risk-based nature of the end-user baseline protection policy.  While today end-users only need to complete an MFA challenge based on risk with the baseline protection policy, in the future, end-users may be prompted to complete an MFA challenge for every sign on, regardless of risk.

If that's the case where the baseline end-user protection policy is compliant, and location based conditional access is not, then the FAQ is wrong. By definition then, if you use the baseline policy, you are using conditional access to circumvent the MFA challenge. If these requirements are really about making the enviornment secure, I'd actually argue that location based conditonal access is actually way more strict than the baseline policy. It's way less likely that you're going to have a risky sign-in from inside your own network, so to play it on the safe side, you force the MFA challenge for every sign-in thats not coming from your intranet. It looks like Microsoft hasn't fully figured out what they want for this yet, but even your last sentence contradicted itself. When you said that "While today end-users only need to complete an MFA challenge based on risk with the baseline protection policy, in the future, end-users may be prompted to complete an MFA challenge for every sign on, regardless of risk.", you admitted that the MFA challenge every time is definitely a step up security-wise than the baseline policy. If today end-users only need to complete an MFA challenge based on risk, then why does the FAQ and article say differently? And then saying "in the future, end-users may be prompted to complete an MFA challenge for every sign on, regardless of risk." The way you said it sounds like it hasn't been determined if Microsoft will make it a requirement to have an MFA challenge every time, and may be implemented in the future, yet the FAQ for these security requirements says that you have to have the MFA challenge everytime. There is just constant going back and fourth even in Microsofts published articles which is making this a confusing mess. 

@kevinwilso05 Thank you for the feedback and sorry for the confusion caused.

We need to differentiate between the contract and technical enforcement. Indeed it would be great if the end user baseline policies would already work like they should, for various reasons the technical change in the policy was not implemented before the annoucement on security requirements was published.

The contract (CSP Program Guide) does explicitely call out baseline policies as one way being compliant. The FAQ is still correct in its guidance that no exclusions can be configured - because once technical enforcement starts authentication will not be successful if no MFA has been done. And before this technical enforcement will start, the baseline policy will incorporate this required change to trigger MFA every time.

This is by design. Users must configure MFA per tenant (because each tenant may have configured it differently with different methods etc.)

Authentication to their own tenant has nothing to do with authentication to your tenant. The guest user in your tenant is the key here.

These requirements to enable MFA are for your company's tenant that you use to connect to the CSP portals.  It's highly suggested that you encourage your clients to enable MFA, but that is not this requirment.

Both baseline policies only enable the option to use Microsoft Authenticator app. 

If you enable Azure MFA via your own conditional access policies (Azure AD Premium Plan1 required), then you also got the option to use phone or SMS as verification method.

If you use ADFS or another STS solution for authentication, you can integrate 3rd party MFA solutions on-premises with ADFS/STS - and use any method provided by this 3rd party solution.

If you use conditional access with custom controls to integrate a 3rd party solution for MFA (Does also require AzureAD Premium Plan1), then you can use any method provided by the 3rd party (Note: I'm still seeking out for official confirmation that custom controls will work to fulfill the security requirements and what technical requirements need to be fulfilled by the 3rd party control)

Hi,

Could you confirm this scenario please?

Program guide for Cloud Solution Provider partners says

"The requirement to enable a multifactor authentication service may be fulfilled by either

(i) Company’s enablement of both the “Baseline policy: Require MFA for admins” and the “Baseline policy: End user protection” in the “Azure Portal”for all users;

(ii) Company’s purchase of a Microsoft offer that includes a multi-factor authentication service (for example,“Azure Active Directory Premium”); or

(iii) Company’s purchase of a third-party “on-premises” multi-factor authentication service that supports Azure Active Directory federated services"

But you wrote previously:

"Making some exceptions for certain locations/IP ranges will not be compliant"

Condition 2 tells:

"(ii) Company’s purchase of a Microsoft offer that includes a multi-factor authentication service (for example,“Azure Active Directory Premium”)"

If we enable Azure MFA via your own conditional access policies (Azure AD Premium Plan1 required) - so condition 2, but with excluded users (eg API user) would it be compliant?

Thank you

(edited to be more clear)

No, user exclusion is not allowed. If it is for API access, the recommendation is to adopt the secure app model.

"If you use conditional access with custom controls to integrate a 3rd party solution for MFA (Does also require AzureAD Premium Plan1), then you can use any method provided by the 3rd party (Note: I'm still seeking out for official confirmation that custom controls will work to fulfill the security requirements and what technical requirements need to be fulfilled by the 3rd party control)"

We want to use Duo via a Conditional Access Custom Control Policy - So very much looking to know if there is an official confirmation to this ASAP.  

Else we will need to change the way our organisation uses MFa nd switch all our Administrators and Staff user bass across.

Any news welcome! 🙂

Tim,

This is the way I read it but I'm waiting on clarification from our CSP vendor.  Did you find an answer?

Hi @Phogfan ,

The only clarification I have received is by reading this message board.  My CSP gave us little clarification at best.  The only way forward so far seems to be applying the baseline policies to just ourselves and not our customers which we are not happy about applying to ourselves as it very limiting.  I am looking at when we MUST apply the policies.

Thanks,

Tim Earl

@timearl :

From contract perspective you need to apply MFA by August 1st.

Technical enforcement will not happen on August 1st, there is no ETA yet on when this happens.

Beneath baseline policies you can alternatively enable MFA for each user and/or use your own conditional access policies (AzureAD Premium Plan1 required). When enabling MFA per user some of of the limitations might be resolved by leveraging app passwords.

Hi Janosch,

Where you finish by saying 'When enabling MFA per user some of of the limitations might be resolved by leveraging app passwords', does this mean that the use of app passwords are still completely accetpable in the case of the new requirements?

My own use case is being able to schedule a runbook in Azure Automation which creates a CSV file and uploads it to a document library in Sharepoint Online. That runbook must authenticate to SP Online as part of the process.

I referenced some official documentation (source: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread) to create an app-only azure ad identity for the purposes of this automated process - specifically the authentication piece. However, this is not a secure enough alternative in my opinion, since the only four available permissions are too broadly scoped, and, at best, still results in the Automation Account/runbook identity having the ability to read data in "all" site collections within our tenant (please refer to screenshot).

Thus I would very much like to execute the runbook under the context of a user which I then can define granular enough permissions for in Sharepoint Online. Since the script is not run interactively, 'app passwords' would be a good solution to our problem.

Please clarify.

Thanks

@mortalwombats Sorry for not replying earlier, I was in vacation and it took some while to catch up.

For Sharepoint Online - for this type of access I do not think app passwords will work, app passwords only work when the protocol does not support modern authentication. But you can try and I can confirm that app passwords are a valid option (also confirmed in the FAQs now)

App only model does work and is not affected by the MFA requirements - see also the FAQ. While the 4 predefined permissions do not allow for much customization, app only is secure enough for the purpose of securing the account in the CSP tenant (user credentials are not used to get access tokens).

What might work is to leverage the same workaround mentioned for Exchange Online Powershell in the official guidance - however, this will not be a long term solution and I would recommend to use app only.