

Azure MFA - how to manage shared users and service accounts?

Question

Tuesday, September 11, 2018 6:05 AM

Hi all,

Looking at our Security Score for O365 we have a bunch of user accounts that are not yet enrolled for MFA. On-prem accounts are of course not synced to AAD if not required and we have IP whitelisting from office IP.

Looking for a way to add additional protection to these accounts. Optimally, I would like these to be MFA enrolled and do that without disrupting the account.  

Service Accounts - various services, like external connections to 3rd party cloud services connected with our AAD/O365. Many are on-prem service accounts requiring their own mailbox etc.

Shared Accounts - We have people working 24/7 and employees are working shifts and using the same account. (I know, not my decision)

How would you go ahead and secure these accounts with MFA?

Thank you.

All replies (8)

Tuesday, September 11, 2018 7:11 AM ✅ Answered | 2 votes

No, unless you enforce MFA via the portal settings. As long as you require MFA (or block access) via Conditional Access policies, and you have trusted IPs configured, the accounts can log in with just username/password, and be totally oblivious about the existence of MFA. Well, generally speaking, there are some endpoints that don't work well with the MFA trusted IPs bypass, such as the Security and Compliance Center PowerShell.

One issue to keep in mind though is that successful first-factor auth will trigger the enrollment process. So if a bad actor guesses the password externally, he can complete the MFA enrollment and the auth process. You can pre-provision the auth details to avoid this, but in general it's poorly handled in the current version of the service, so a better option is to just block access externally.


Tuesday, September 11, 2018 6:46 AM

The service is not really intended to be used in such scenarios, it's deliberately designed to require user input to complete the process. 

You can in theory use a shared phone and authorize access where needed, but I imagine most of those are used in some workflows, thus you need automation. In which case you can configure certificate-based auth, or simply get the token directly via client secret.


Tuesday, September 11, 2018 6:49 AM

Hi Vasil and thank you.

All the user accounts in question run from our office, so they will be whitelisted by IP and MFA should never trigger, except at enrollment.

My thought is to protect these accounts from being stolen and used from external IP addresses. Right now they are accessible from the internet, protected with just the password.

Thanks.

/B


Tuesday, September 11, 2018 7:01 AM | 1 vote

Right, so then simply configure a Conditional access policy that will require MFA when accessing the service outside the corp network, from a non-whitelisted IP. Or you can even block external access altogether.


Tuesday, September 11, 2018 7:03 AM

Thanks for fast reply.

Would enrollment of the users still be necessary?

Thanks


Tuesday, September 11, 2018 8:27 AM

Excellent points! Thank you.

One final question. What would a Conditional Access rule look like to give these users access from trusted IPs only?

- Users/Groups - Manually add the users in question (not that many) to the rule

- Cloud apps - all

- Conditions - Locations - Exclude all trusted locations

- Access controls - Block access

Is above correct?

Thank you!


Tuesday, September 11, 2018 10:23 AM | 1 vote

Yup, the location condition should read "All locations and All trusted locations excluded" once configured.
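
The policy confirmed above, written as an added example with the Microsoft Graph PowerShell SDK rather than the portal UI (this is not code from the thread; the user principal names and the policy display name are placeholders, and the trusted named locations are assumed to already be defined in the tenant):

```powershell
# Added example: Conditional Access policy "all locations, trusted locations excluded -> block",
# scoped to the listed accounts and all cloud apps. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All","User.Read.All"

# Placeholder UPNs of the shared/service accounts to scope the rule to (constructed values).
$upns = @("svc-example@contoso.example", "shift-desk@contoso.example")
$userIds = foreach ($u in $upns) { (Get-MgUser -UserId $u).Id }

$policy = @{
    displayName = "Block shared and service accounts outside trusted locations"   # placeholder name
    # Start in report-only and review the sign-in logs before switching state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @($userIds) }          # only the accounts in question
        applications = @{ includeApplications = @("All") }      # Cloud apps: all
        locations    = @{
            includeLocations = @("All")                         # Locations: all locations ...
            excludeLocations = @("AllTrusted")                  # ... with all trusted locations excluded
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")                            # Access controls: block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the location condition matches the thread's wording.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"{0}: include={1} exclude={2} control={3} state={4}" -f $check.DisplayName,
    ($check.Conditions.Locations.IncludeLocations -join ","),
    ($check.Conditions.Locations.ExcludeLocations -join ","),
    ($check.GrantControls.BuiltInControls -join ","),
    $check.State
```

Keep the policy in report-only until the sign-in logs show only the expected external sign-ins being matched; a mistake in the trusted location list would otherwise lock the accounts out of the office as well.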


Wednesday, September 12, 2018 8:46 AM

Excellent, works as expected. Thank you!