
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Microsoft

Re: Implementing Baseline policy: End user protection; Does this impact Room accounts for SRS/MTR and Surface Hub accounts?

@MVolker : Creating your own risk-based conditional access policies would require getting Azure AD Premium Plan 2 - and even then, if a risk is detected, Teams on Surface Hub would fail. Creating your own risk-based policy would also not directly help to achieve compliance, since it does not trigger MFA every time (yes, the baseline policy also does not trigger MFA all of the time currently, but this will change).

And when technical enforcement starts, if there was no MFA - because no risk was detected - the device would not be able to authenticate. So your own risk-based policy would really not give you much.

So currently the only working solution is to exclude this account from MFA - which is, to be very clear on this, not in compliance with the contractual requirements. This will at least work until technical enforcement starts.


Level 2 Contributor

Re: Implementing Baseline policy: End user protection; Does this impact Room accounts for SRS/MTR and Surface Hub accounts?

Thanks @JanoschUlmer for clarifying that we have no way to get these devices working under the current contractual requirements. We will raise this with our contacts at Microsoft.


Micheal


Level 1 Contributor

Re: Implementing Baseline policy: End user protection; Does this impact Room accounts for SRS/MTR and Surface Hub accounts?

Hi @JanoschUlmer, has the Microsoft legal team responsible for the partner contracts been made aware of this issue, and do they have any guidance as to what partners are meant to do here?

Microsoft

Re: Implementing Baseline policy: End user protection; Does this impact Room accounts for SRS/MTR and Surface Hub accounts?

@bedwells This is currently being discussed on a technical level; afaik there are no plans to make service-specific exclusions in the contract/program guide.

Level 1 Contributor

Re: Implementing Baseline policy: End user protection; Does this impact Room accounts for SRS/MTR and Surface Hub accounts?

@JanoschUlmer I would suggest it still be brought to the attention of those that manage the partner program/contracts that it is impacting the ability for partners to both use and demonstrate the latest Microsoft technologies to customers, and if this is to continue for months without a technical solution then that's a real problem.

We have raised it from our side; if it is possible for you to reach out as well, that would be appreciated.

Level 3 Contributor

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

Not to muddy the waters on this topic, but from what I understand the way forward with accounts like this one is to use per-user MFA activation. If you enable the user for enforced status in MFA, this will allow the creation of an application password to feed to SRS. However, it seems SRS is modern authentication ready, so some folks are having issues with Teams/SRS (myself included). I am looking for an answer on this one myself.

From what I have seen in the meetings and other discussions I have had on these forums, you cannot exclude IP addresses any longer as trusted locations in CA. Every login has to use MFA, and conditional access will not allow the use of application passwords.

I had a few third-party applications that I enabled per-user MFA for, such as voicemail to email and ClickDimensions, to satisfy the MFA claim, and these are working just fine. I took the road of having the appliance or application owner register the MFA for the account, maintain ownership, and keep the application password that comes with it.

Microsoft

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

@dferrell : I have done some testing in the meantime; some small clarifications:

 - App passwords can be created when the user status is set to "enabled"; it does not need to be "enforced" (even though it should switch to enforced once registration is done).

 - If app passwords have been created, they can be used even though the user is also targeted at the same time by a conditional access or baseline policy. Maybe this was a bit misleading in some of my answers - userA can have MFA enabled on his user account, and there can be a conditional access policy for userA requiring him to use MFA. App passwords will then still work; in the Azure AD sign-in logs you can see that MFA requirements have been bypassed since an app password was used. Only if you use conditional access alone to enforce MFA, and do not set MFA for the user account, can no app passwords be created.

I can confirm that using IP-based exclusions from MFA is not allowed (not possible once technical enforcement starts). For Teams Rooms/SRS it was mentioned to me that the team is working on a solution, but I currently can't give any details on what exactly this will look like.

Level 3 Contributor

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

Thank you for the clarification on that piece. So it will work the way I have it set up as well then. I have excluded the accounts from conditional access and just set them to enforced status. It is good to know that the combination will work that way.

I wanted to also ask what the stance is on shared mailboxes, resource room accounts, and blocked users? I have made sure to include licensing and conditional access on any user account that needs to log in. Will blocked accounts simply be ignored in the technical requirements? We are in the process of some cleanup and want to know if we would remain in compliance for these items.

However, I do not have CA or MFA set on the resource rooms, shared mailboxes, or blocked accounts. Any info or guidance on this would be appreciated.

Microsoft

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

For shared mailboxes - usually it should not be a problem to enable MFA for them. By default, shared mailboxes have a disabled user account. Even if this user account is still enabled, enabling MFA for this account - which is required - should not cause issues with user access, since users will authenticate using their own user account and not log in with the user account of the shared mailbox. If you have a scenario where people are logging in with the credentials of the shared mailbox, this will be a problem.

The same applies to resource rooms - I do not see an issue enabling MFA for those accounts per se - but it depends on how these accounts are used. E.g. if there is a meeting room display device using this account to get calendar info, this would certainly be affected.

For blocked users - from a contract perspective there are no exclusions, so generally the recommendation is to enable MFA for all accounts.

From a technical perspective - once technical enforcement starts, the user account would need to be enabled for MFA once it is activated again, otherwise authentication would not be successful. They are not exactly "ignored" - if the user account is disabled or blocked from sign-in there will be no authentication happening, so any technical enforcement will simply not apply. It would be recommended to define CA policies for MFA in a way that, once those accounts are enabled again, they will be automatically targeted by a policy that enforces usage of MFA.
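
Added illustration, not code from this thread or from Microsoft: a coverage check over constructed sample accounts that models the two enforcement paths discussed above (per-user MFA state, which keeps app passwords working, and a Conditional Access policy targeting "All" users with explicit exclusions), and reports which accounts would be left without MFA, including blocked accounts that would not be picked up automatically once re-enabled. All account names, the policy shape and the state labels are assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    upn: str
    enabled: bool           # False = blocked / disabled for sign-in
    per_user_mfa: str       # "disabled", "enabled" or "enforced"
    kind: str = "user"      # user, shared_mailbox, room, srs (informational)

@dataclass
class CaPolicy:
    include_users: set = field(default_factory=lambda: {"All"})
    exclude_users: set = field(default_factory=set)
    require_mfa: bool = True
    state: str = "enabled"  # a disabled / report-only policy enforces nothing

def ca_targets(policy: CaPolicy, acct: Account) -> bool:
    """True when the policy would require MFA for this account at sign-in."""
    if policy.state != "enabled" or not policy.require_mfa:
        return False
    if acct.upn in policy.exclude_users:
        return False
    return "All" in policy.include_users or acct.upn in policy.include_users

def classify(policy: CaPolicy, acct: Account) -> str:
    """How (or whether) an account meets 'MFA on every sign-in'."""
    by_ca = ca_targets(policy, acct)
    by_user = acct.per_user_mfa in ("enabled", "enforced")
    if not acct.enabled:
        # A disabled account never authenticates; what matters is whether the
        # policy picks it up automatically the moment it is re-enabled.
        return "disabled-covered-on-reenable" if by_ca else "disabled-gap-on-reenable"
    if by_ca:
        return "covered-ca"
    if by_user:
        # Per-user MFA alone: app passwords issued for this account still work.
        return "covered-per-user-mfa"
    return "NOT-COVERED"

def gaps(policy: CaPolicy, accounts) -> list:
    # UPNs that are non-compliant now, or will be once re-enabled
    return [a.upn for a in accounts
            if classify(policy, a) in ("NOT-COVERED", "disabled-gap-on-reenable")]

# Constructed sample: an "All users" MFA policy with two SRS accounts excluded.
SAMPLE_POLICY = CaPolicy(exclude_users={"srs-room1@contoso.example",
                                        "srs-room2@contoso.example"})
SAMPLE_ACCOUNTS = [
    Account("alice@contoso.example", True, "disabled"),
    Account("srs-room1@contoso.example", True, "enforced", "srs"),
    Account("srs-room2@contoso.example", True, "disabled", "srs"),
    Account("shared-sales@contoso.example", False, "disabled", "shared_mailbox"),
]
```

Running `gaps(SAMPLE_POLICY, SAMPLE_ACCOUNTS)` lists only the SRS account that is excluded from CA and has no per-user MFA; the blocked shared mailbox is reported as covered on re-enable because the policy targets "All".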

Level 3 Contributor

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

For the shared mailboxes and resource rooms, would you recommend per-user MFA activation? I do not believe I have enough licensing to cover all of these with CA.

The blocked accounts I have will most likely be removed from Office 365; however, what about the shared mailboxes that are cloud-only vs. on-prem and synced? Will MFA impact those any differently?

I have other CA policies in play, such as country blocking etc., if I would enable the baseline policy, and I have a few accounts that are using app passwords. Will the baseline policy break those accounts? I know that you told me app passwords will work with CA as long as the user is set to enabled status etc. I just want to make sure the baseline won't have an adverse impact on the accounts I have already taken time to fix.

Microsoft

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

For the licensing part - the general rule is that only users can be licensed - so if only licensed users are using shared mailboxes or resource accounts it should be fine (Disclaimer: official, legally binding licensing statements can only be found in the licensing documents, in this case the Online Services Terms).

Also, technically the system does not require licenses to be assigned to those user accounts, so I do not see issues with the number of licenses.

MFA on shared mailboxes does not behave differently whether they come via synced accounts or cloud-only accounts - at least not in a way that I see as relevant for enabling MFA. As said, usually the user account is not active anyway.

Baseline policies + users with app passwords can also be combined.

Level 3 Contributor

Re: The new MFA for Partners requirements - what will that do to our Skype/Teams room system?

Thank you for the clarification. I ended up adding the accounts to CA and testing. I did not appear to need a license to add those to the CA policy I had already created that enforces MFA on each logon. I did this for all resource accounts and shared mailboxes. So this should cover them under the CA policy that enforces MFA.