Service Account breaking MFA Policy

Rachel Coles 46 Reputation points


We have this issue. Certain users need to access an external website using just one email address and password instead of their own.
We don't want this account to access any applications/resources within our Azure tenant - basically a service account.
We have MFA enabled for all users.

This is what we did - is it correct or completely wrong?
Created a security group.
Created a standard Azure user and added the user to the group.
Created a Conditional Access Policy which blocked the security group from all Cloud Apps (in future we want to only enable mail so it will be able to send emails).
Added the group to the exclusions of the MFA policy.

Tested and the user could not sign in or access any O365 applications
The user could access the external website which is fine.

As we blocked the user from all Cloud Apps, will it be unable to access any Azure resource of our tenant or hybrid environment?
We have broken our MFA security rule by excluding it from that policy.
Is there a better way of creating this account so that it only has access to one external website, nothing else, and no access to any resources within our Azure, and to make it more secure?

Hope this is clear

Tags: Azure Managed Applications, Microsoft Entra ID
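The setup described in the question, expressed as an added Microsoft Graph PowerShell example (this is not code from the thread or from Microsoft; the group name, policy name and scopes are assumptions). It creates the block-all-cloud-apps policy for the service-account group in report-only mode first, so the sign-in logs show what would be blocked before it is enforced, and then lists every MFA policy that currently excludes that group, so the exception the question is worried about stays visible and reviewable rather than silent.

```powershell
# Added example, not from the original thread. Assumes the Microsoft Graph
# PowerShell SDK is installed and the caller holds the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Assumed group name; rename to match your tenant.
$groupName = "SG-ServiceAccounts-NoCloudApps"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# 1. Block policy: all cloud apps, all client app types, no exclusions.
#    Start in report-only mode and flip to "enabled" after reviewing sign-in logs.
$blockPolicy = @{
    displayName   = "CA - Block $groupName from all cloud apps"   # assumed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockPolicy | Out-Null

# 2. Audit: which MFA-requiring policies currently exempt this group?
#    Each hit is a standing exception that should be documented or removed.
$mfaExemptions = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.GrantControls.BuiltInControls -contains "mfa" -and
        $_.Conditions.Users.ExcludeGroups -contains $group.Id
    }
foreach ($p in $mfaExemptions) {
    "{0,-50} state={1}" -f $p.DisplayName, $p.State
}
```

The block policy is created without any exclusions, and the audit step is what lets you see, on every run, exactly which MFA policies the group has been carved out of.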

Accepted answer
Andy David - MVP, 141.1K Reputation points

Ok, I'm a bit confused then how this all relates to Azure if the user doesn't need to auth to Azure now.
If you are wondering if you should force the user to auth to Azure by creating an associated app that allows it to auth to the external website and force MFA, then I would say yes, do that if that provides better security and auditing than what you are using now.

1 additional answer

Sort by: Most helpful

Andy David - MVP, 141.1K Reputation points

So essentially this user authenticates to Azure but doesn't actually need to access anything within it?
If so, yes, block all apps via CA policy for that account (does the external website have a service principal in Azure associated with it?)

and require MFA.

If this works now, then I am now wondering why at least you do not require MFA for this account. I would.