Ok, I'm a bit confused then how this all relates to Azure if the user doesn't need to auth to Azure now.
If you are wondering if you should force the user to auth to Azure by creating an associated app that allows it to auth to the external website and force MFA, then I would say yes, do that if that provides better security and auditing than what you are using now.
Service Account breaking MFA Policy
Hi,
We have this issue. Certain users need to access an external website using just one email address and password instead of their own.
We don't want this account to access any applications/resources within our Azure tenant - basically a Service Account.
We have MFA enabled for all users
This is what we did - is it correct or completely wrong?
Created a security group
Created a std Azure user and added the user to the group
Created a Conditional Access Policy which blocked the security group from all Cloud Apps (in future we want to only enable mail so it will be able to send emails)
Excluded the group from the MFA policy
Tested and the user could not sign in or access any O365 applications
The user could access the external website which is fine.
Question
As we blocked the user from all Cloud Apps, it will not be able to access any Azure resource of our tenant or hybrid environment?
As we have broken our MFA security rule by excluding it from that policy.
Is there a better way of creating this account to only have access to one external website, nothing else and no access to any resources within our Azure, and to make it more secure?
Hope this is clear
Andy David - MVP 149.2K Reputation points MVP
2022-02-02T14:10:09.473+00:00
1 additional answer
Andy David - MVP 149.2K Reputation points MVP
2022-02-02T12:49:05.357+00:00
So essentially this user authenticates to Azure but doesn't actually need to access anything within it?
If so, yes, block all apps via CA policy for that account (does the external website have a service principal in Azure associated with it?) and require MFA.
If this works now, then I am now wondering why at least you do not require MFA for this account. I would.
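The setup the question describes (block the group from all cloud apps) combined with the answer's advice (still require MFA on the one app the account can reach), written out as an added example using the Microsoft Graph PowerShell SDK. This is not code from the thread; the group id and the external site's app id are placeholders, and it assumes the external website is registered as an enterprise app in the tenant.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell SDK
# and that the external website has a service principal in the tenant.
# Placeholders: <SERVICE-ACCOUNT-GROUP-ID>, <EXTERNAL-SITE-APP-ID>.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$groupId   = "<SERVICE-ACCOUNT-GROUP-ID>"   # placeholder: security group holding the shared account
$siteAppId = "<EXTERNAL-SITE-APP-ID>"       # placeholder: appId of the external website's service principal

# Policy 1: block the group from every cloud app except the one it needs.
# Starts in report-only mode so the sign-in logs show what would be blocked before enforcing.
$blockAll = @{
    displayName = "SvcAcct - block all cloud apps except external site"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($groupId) }
        applications = @{
            includeApplications = @("All")
            excludeApplications = @($siteAppId)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockAll

# Policy 2: the single app that stays reachable still requires MFA, so excluding the
# group from the tenant-wide MFA policy does not leave an unprotected sign-in path.
$requireMfa = @{
    displayName = "SvcAcct - require MFA for external site"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($groupId) }
        applications = @{ includeApplications = @($siteAppId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Check: list every policy that excludes this group, so the MFA exclusion is visible
# and can be reviewed alongside the two policies created above.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.Users.ExcludeGroups -contains $groupId } |
    Select-Object DisplayName, State
```

Switch both policies to `state = "enabled"` only after the report-only sign-in logs confirm the shared account reaches the external site and nothing else.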