thecomputerguy
Well-Known Member
- Reaction score
- 1,366
I'm so confused. This seems like such a basic function that should be available.
New clients MFA is all out of whack and not sure how to fix it.
- Thread starter thecomputerguy
- Start date
YeOldeStonecat
Well-Known Member
- Reaction score
- 6,546
- Location
- Englewood Florida
Believe me, CA gives you sooo much more than the "manual way" of doing the MFA under the old 365 admin portal, users section.
With CA, you have such GRANULAR CONTROL of the MFA. You can really customize policies, combinations of certain types, eliminate other types. Multiple Auth method policies and apply to different users groups or to different user devices. Better yet, deny access unless the device is registered or AzureAD joined! Think about that one for a minute!
Not to mention, the absolutely WONDERFUL additions of using "trusted locations" to bypass MFA. And Geo Blocking. Oh the list of benefits goes on and on.
...and then...the list of benefits from other aspects of Biz Prem, such as InTune, and AzureAD P1, and Advanced Threat Protection/Defender....oh my...have a seat for a few hours while we go over those benefits. Cuz once you include those, the price of 13 to 23 bucks per is now justified a bunch of times. Ease of management, thus saves the client money, unless you volunteer your time. Ease of a user signing into other computers and their user profile auto configures. Less time you're spend doing manual things...less manual bills. Alerting from risky activity. Being able to point to "conditional access being used" for compliance policies. Many insurance agencies want proof of security being implemented. The huge advantages of the additional Defender policies..safe attachments, safe links, much better anti phishing and anti spam measures.
With CA, you have such GRANULAR CONTROL of the MFA. You can really customize policies, combinations of certain types, eliminate other types. Multiple Auth method policies and apply to different users groups or to different user devices. Better yet, deny access unless the device is registered or AzureAD joined! Think about that one for a minute!
Not to mention, the absolutely WONDERFUL additions of using "trusted locations" to bypass MFA. And Geo Blocking. Oh the list of benefits goes on and on.
...and then...the list of benefits from other aspects of Biz Prem, such as InTune, and AzureAD P1, and Advanced Threat Protection/Defender....oh my...have a seat for a few hours while we go over those benefits. Cuz once you include those, the price of 13 to 23 bucks per is now justified a bunch of times. Ease of management, thus saves the client money, unless you volunteer your time. Ease of a user signing into other computers and their user profile auto configures. Less time you're spend doing manual things...less manual bills. Alerting from risky activity. Being able to point to "conditional access being used" for compliance policies. Many insurance agencies want proof of security being implemented. The huge advantages of the additional Defender policies..safe attachments, safe links, much better anti phishing and anti spam measures.
thecomputerguy
Well-Known Member
- Reaction score
- 1,366
Ok so I upgraded one of my test users to Business Premium to enable conditional access and test it out.
It looks like this setup is working as I EXPECT it to work under the old legacy MFA tool. New logins are requiring MFA as I expect them to.
Is this a good starting ground for conditional access? Is there anything else I should add that should be BASIC conditional access?
YeOldeStonecat
Well-Known Member
- Reaction score
- 6,546
- Location
- Englewood Florida
You have this...
And then can play with specific, such as click into Microsoft Authenticator....enable,apply to all, click into "Configure"....and enable all those 4 settings...
And then you can go into Authentication Strengths....and...oh wow...go to town here....create your own recipies from the list of ingredients...
Also go into CA policies...and look at the policy templates available to you...
And then can play with specific, such as click into Microsoft Authenticator....enable,apply to all, click into "Configure"....and enable all those 4 settings...
And then you can go into Authentication Strengths....and...oh wow...go to town here....create your own recipies from the list of ingredients...
Also go into CA policies...and look at the policy templates available to you...
thecomputerguy
Well-Known Member
- Reaction score
- 1,366
Alright look so the main reason why I am trying to learn this is because I was under the impression that this is going away soon.... per user multi-factor authentication:
Which I believe is the same as this right?
I called MS and spoke with someone and he said he was not aware that MS was doing away with this Per-user MFA, only doing away with Legacy protocols like POP, SMTP, and IMAP. (Via security defaults being enabled?)
Is this true?
A lot of what I support are EXTREMELY simple clients, mostly older clients, a lot of these clients have money but barely know how to use the computer, some don't speak english, some call me bi-weekly for me to remind them to reboot their computer. Which is why for a lot of them I have used the above, simple, non-azure Per-user MFA.
A lot of these clients are between 2-10 users, a lot of them have an in house server, none are joined to M365 Azure AD. These setups are mostly VERY simple. I understand the benefits of moving to Azure but these are the types of people that are incapable of downloading an app from the app store. They are incapable of basic troubleshooting when things don't go exactly as they always do. And some of these clients I'd rather drive out to their business than try and help them over the phone because it's impossible.
I just need SIMPLE. Yes it's more work to click Enable/Enforce manually but I rarely have to modify these. Moving them to Azure MFA with Business premium licenses doesn't make sense to me.
So ... am I understanding this correctly? Are they removing per-user MFA?
If they aren't I'm fine with most of these people just getting security defaults as long as I can continue to enable per-user MFA.
Some of these people don't know how to multi-task on their phone and have to be sent several SMS codes and they have to write it down because it disappears from the pop-up window on their phone.
Migrating them to Azure AD MFA sounds like an absolute nightmare!
Last edited:
YeOldeStonecat
Well-Known Member
- Reaction score
- 6,546
- Location
- Englewood Florida
I have not ready anything suggesting MS is doing away with the "per user MFA box". Then again, I haven't kept my eye out for it, so could have just flew over it.
Microsofts most recent article about per user MFA is here..and it's date stamped 03/2023...so it's fairly current, and it doesn't suggest it's going away, https://learn.microsoft.com/en-us/a...nitoring/recommendation-turn-off-per-user-mfa
Microsofts most recent article about per user MFA is here..and it's date stamped 03/2023...so it's fairly current, and it doesn't suggest it's going away, https://learn.microsoft.com/en-us/a...nitoring/recommendation-turn-off-per-user-mfa
thecomputerguy
Well-Known Member
- Reaction score
- 1,366
Ok if they aren't getting rid of it then I'm done for the day. I totally understand the benefits of all this azure stuff but a lot of my clients are in their 60's and are only still working because they don't want to be stuck at home with their spouses or they can't stop working because we're in California and you have to make $250k a year on two incomes just to survive with a family.
My older clients are all on MSP and pay REALLY well. My younger clients just wing it themselves as best as they can and call me when needed.
My plan as a one man MSP is to make this work as well as I can until I'm around 45 which is right around where I'll probably start losing some of those clients due to age... make enough money to float my family for awhile and get out of this. I'm 38 and I've already been doing this for 21 years! To say I'm burned out is an understatement.
All of that was really off topic but I'm trying to paint the picture. I just recently got into the MSP gravy train and I'm gunna ride it as long as I can without complicating mine, or my clients lives.
My older clients are all on MSP and pay REALLY well. My younger clients just wing it themselves as best as they can and call me when needed.
My plan as a one man MSP is to make this work as well as I can until I'm around 45 which is right around where I'll probably start losing some of those clients due to age... make enough money to float my family for awhile and get out of this. I'm 38 and I've already been doing this for 21 years! To say I'm burned out is an understatement.
All of that was really off topic but I'm trying to paint the picture. I just recently got into the MSP gravy train and I'm gunna ride it as long as I can without complicating mine, or my clients lives.
thecomputerguy
Well-Known Member
- Reaction score
- 1,366
Spoke with someone at M365 regarding this
Answer: Unsure
Spoke with someone at Azure regarding this
Answer: Need to ask someone else
Azure guy called back with one of his people on chat
Answer: Unsure, but probably will need to move to P1
Clear as mud
Answer: Unsure
Spoke with someone at Azure regarding this
Answer: Need to ask someone else
Azure guy called back with one of his people on chat
Answer: Unsure, but probably will need to move to P1
Clear as mud
Sky-Knight
Well-Known Member
- Reaction score
- 5,407
- Location
- Arizona
It's not a step backwards, your testing is faulty.
The fact is Security Defaults requires MFA for every login from an "untrusted device".
That means a device that's not associated with the tenant.
So if you logged in from a machine that has a TPM module in good working order the security ID of the machine is passed via the auth process. This ID if associated with another successful login can at times allow you to bypass the MFA requirement. However, if you attempt to muck with the security settings of the account, change password, enroll an authenticator etc, those events will always trigger an MFA check.
Stoncate is right though, if you want full control to say ALL LOGINS MUST, you have to have Conditional Access. I'm not willing to say that Security Defaults isn't secure. However I can fully understand why it would get people's hackles up.
Also, there's a further wrinkle... the auth migration process itself plays with all of this and I've seen it take a couple of days to settle down.
The fact is Security Defaults requires MFA for every login from an "untrusted device".
That means a device that's not associated with the tenant.
So if you logged in from a machine that has a TPM module in good working order the security ID of the machine is passed via the auth process. This ID if associated with another successful login can at times allow you to bypass the MFA requirement. However, if you attempt to muck with the security settings of the account, change password, enroll an authenticator etc, those events will always trigger an MFA check.
Stoncate is right though, if you want full control to say ALL LOGINS MUST, you have to have Conditional Access. I'm not willing to say that Security Defaults isn't secure. However I can fully understand why it would get people's hackles up.
Also, there's a further wrinkle... the auth migration process itself plays with all of this and I've seen it take a couple of days to settle down.
Sky-Knight
Well-Known Member
- Reaction score
- 5,407
- Location
- Arizona
Per User MFA is deprecated and announced to be removed next Jan.
Forced migration to the new auth methods will start in September.
Forced migration to the new auth methods will start in September.
thecomputerguy
Well-Known Member
- Reaction score
- 1,366
That's kind of what I experienced ... I could login to the account using Single-Factor Auth even with MFA enabled through Azure but any "change" to the account itself resulted in an MFA requirement.
But being able to access Outlook from a foreign device using Single-Factor Auth (which is what I experienced) even when MFA is enabled is unacceptable.
It's also unacceptable that conditional MFA already WAS a thing using per-user MFA, and their taking that option away, and selling it back to you under a P1/Biz Prem license.
Using a Business standard license ... this isn't true
I was able to log in to OWA and access Outlook from a different device on a different IP in a different city using single-factor authentication. Only when I attempted to make changes in "My Profile" was a prompted for MFA.
Edit: I know you both are saying "but all the extra stuff you get!" I get it. But for right now I just want MFA.
Sky-Knight
Well-Known Member
- Reaction score
- 5,407
- Location
- Arizona
You need to open a ticket with Microsoft, because that's not normal behavior.
One thing I can suggest for right now is get your users to enroll in and use phone signon. It's "single factor", but requires a phone unlock, and the phone itself to get the sign-in process done. And as such, the account cannot not prompt for the phone.
Once that's done you can reset their password to something huge they'll never know, because they never need it.
Passwords suck... get a helmet!
So yeah, it doesn't MFA all the time unless it detects a risk. You can eliminate passwords and force the issue, or you can upgrade to Azure AD P1. That call is ON THE CLIENT TO MAKE. As my CISSP training clearly states, and something I've not used NEARLY OFTEN ENOUGH IN MY LIFE.
Information Security (Cybersecurity) is the responsibility of the business owners and stake holders. It is NOT an IT concern, it is a BUSINESS concern.
If the business doesn't care, nor should you. Running on Basic / Standard to some degree should indicate they do not care.
THAT BEING SAID.
I do have a ticket open with Microsoft on this issue. Because they ARE "taking a feature away", and it's an "easy up sell" to tell a business owner well... you have "Security Defaults" and now you have this thing that needs an exception, an exception is a CONDITION and therefore you need Conditional Access.
Sadly this is one of those left not talking to the right problems... because the MFA for single user stuff that's going away is an M365 feature, wheras everything else we're talking about is an AZURE feature. And never the twain shall meet... except when they're the same thing... but not... but are...
One thing I can suggest for right now is get your users to enroll in and use phone signon. It's "single factor", but requires a phone unlock, and the phone itself to get the sign-in process done. And as such, the account cannot not prompt for the phone.
Once that's done you can reset their password to something huge they'll never know, because they never need it.
Passwords suck... get a helmet!
Providing a default level of security in Microsoft Entra ID - Microsoft Entra
Get protected from common identity threats using Microsoft Entra security defaults.
learn.microsoft.com
So yeah, it doesn't MFA all the time unless it detects a risk. You can eliminate passwords and force the issue, or you can upgrade to Azure AD P1. That call is ON THE CLIENT TO MAKE. As my CISSP training clearly states, and something I've not used NEARLY OFTEN ENOUGH IN MY LIFE.
Information Security (Cybersecurity) is the responsibility of the business owners and stake holders. It is NOT an IT concern, it is a BUSINESS concern.
If the business doesn't care, nor should you. Running on Basic / Standard to some degree should indicate they do not care.
THAT BEING SAID.
I do have a ticket open with Microsoft on this issue. Because they ARE "taking a feature away", and it's an "easy up sell" to tell a business owner well... you have "Security Defaults" and now you have this thing that needs an exception, an exception is a CONDITION and therefore you need Conditional Access.
Sadly this is one of those left not talking to the right problems... because the MFA for single user stuff that's going away is an M365 feature, wheras everything else we're talking about is an AZURE feature. And never the twain shall meet... except when they're the same thing... but not... but are...
Last edited:
lan101
Well-Known Member
- Reaction score
- 555
Slightly off topic: Just curious what your work plan is after 45? Or maybe you've earned enough to retire? Probably unlikely in California lol. I'm just curious. I'm around your age and I see the same thing you mentioned with clients. I think I have at best another 5-10 years of good decent work and then it's going to taper off because a lot of these folks will either be retired or unfortunately no longer amongst us.
I don't get a ton of work from people my age range. Certainly not enough to make a living from that's for sure. A lot of my business clients are in their 60's now like you mentioned. I believe most will retire by 70 or before. Maybe I'll be wrong and things will still be going strong but I'd definitely need to pickup a lot of new clients in the next decade to keep rolling. I have no idea what other kind of work I'd even want to do at this time.
thecomputerguy
Well-Known Member
- Reaction score
- 1,366
Honestly no idea.
I've have a plan since I started in this 21 years ago at 17 years old and it's worked out really well for me and my family. It's also been a burden. I've been working my butt off since I was a very young adult... I'd even say I missed out on a lot of experiences because I just went straight to work.
No pity party but I'd be lying if I said I had a plan. And to not have one, sounds terrifying ... and exciting.
britechguy
Well-Known Member
- Reaction score
- 4,414
- Location
- Staunton, VA
While I think it's helpful to have "a mental rough sketch" of what one's options might be, I long ago decided that the idea that we can plan life in the way we plan many other things is just patently false. Too much can and does change both external to the individual and to their internal landscape as time and experiences progress for any plan to remain meaningful over the long term.
One of my former coworkers back in the mid-1980s and I both agreed that, when asked the question, "Where do you see yourself in 5 years?," (which was a standard interview question then, I hope it's died the death it so justly deserved) that we both wanted to respond, "Preferably on a beach somewhere, sipping a drink and never having to think about work again." Believing you can know or even have a rough idea of where you might be in an organization five years hence is folly.
John Lennon put it best, "Life is what happens to you while you’re busy making other plans."
Sky-Knight
Well-Known Member
- Reaction score
- 5,407
- Location
- Arizona
@thecomputerguy My MSP Intouch has 5 customers left, and is in effect closed.
I did this because during the pandemic I slowed down enough to step back and take stock, and it became immediately apparent that a one man shop was going to be infeasible to operate given the incoming regulatory changes impacting the industry.
So as of a month ago, I'm now a full time Solutions Architect for a larger firm that has its own SOC. It's been a wild ride, but I have to say... being 8-5 only and getting my weekends back too has been WONDERFUL. Not to mention the extra money I'm bringing in.
Anyone that's looking to get out I suggest you find a nice mid sized MSP like I did, no more than 300 employees. They'll give you a good home and a place to either grow so you can get a better position later, or help them grow with your INCREDIBLY VALUABLE skills in running the entire sales cycle that aren't present with other "engineers" or "architects" out there.
I'm basically this place's Sr Engineer that lives with the Sales team here, and I love it. They go get the leads, I work with them and the clients to hammer out a plan, write it up, and hand it off to our deployment teams to get crap done. The quality of life improvement is bonkers, and I have enough spare time I'm now working on my CISSP. If all goes well by the end of the year I'll have AZ-104, AZ-500, AZ-700, AZ-305, and my CISSP. At which point I can go anywhere and command a nearly $300k / year salary.
Doing all that on my own would have required at least $2 million in capital to fire up a massive marketing engine, hire lawyers, and do all sorts of work on my MSP to get it where it wouldn't get buried in the court room later, just for me to continue working 24/7 for yet another two decades to make it work. My oldest is graduating high school next month, I've already missed her growing up... I can't do that, I WON'T continue to make that mistake.
So yeah, do please take stock and think HARD. The game is changing and while the market can seem tight, now is a great time to get out. If that decision makes sense to you.
I may fire Intouch back up in 5 years... we'll see how things unfold. With my CISSP I can change its mission to exclusively helping organizations survive SOC audits and implement Zero Trust methods. Huge money there, and nowhere near the stress of being responsible for 24/7 care of all those endpoints on the cheap.
I did this because during the pandemic I slowed down enough to step back and take stock, and it became immediately apparent that a one man shop was going to be infeasible to operate given the incoming regulatory changes impacting the industry.
So as of a month ago, I'm now a full time Solutions Architect for a larger firm that has its own SOC. It's been a wild ride, but I have to say... being 8-5 only and getting my weekends back too has been WONDERFUL. Not to mention the extra money I'm bringing in.
Anyone that's looking to get out I suggest you find a nice mid sized MSP like I did, no more than 300 employees. They'll give you a good home and a place to either grow so you can get a better position later, or help them grow with your INCREDIBLY VALUABLE skills in running the entire sales cycle that aren't present with other "engineers" or "architects" out there.
I'm basically this place's Sr Engineer that lives with the Sales team here, and I love it. They go get the leads, I work with them and the clients to hammer out a plan, write it up, and hand it off to our deployment teams to get crap done. The quality of life improvement is bonkers, and I have enough spare time I'm now working on my CISSP. If all goes well by the end of the year I'll have AZ-104, AZ-500, AZ-700, AZ-305, and my CISSP. At which point I can go anywhere and command a nearly $300k / year salary.
Doing all that on my own would have required at least $2 million in capital to fire up a massive marketing engine, hire lawyers, and do all sorts of work on my MSP to get it where it wouldn't get buried in the court room later, just for me to continue working 24/7 for yet another two decades to make it work. My oldest is graduating high school next month, I've already missed her growing up... I can't do that, I WON'T continue to make that mistake.
So yeah, do please take stock and think HARD. The game is changing and while the market can seem tight, now is a great time to get out. If that decision makes sense to you.
I may fire Intouch back up in 5 years... we'll see how things unfold. With my CISSP I can change its mission to exclusively helping organizations survive SOC audits and implement Zero Trust methods. Huge money there, and nowhere near the stress of being responsible for 24/7 care of all those endpoints on the cheap.
Last edited:
thecomputerguy
Well-Known Member
- Reaction score
- 1,366
I wrote out this MFA migration process maybe someone can take a look at it:
I still have a couple of questions
1.) Add SMS as an option of MFA in Azure. Even though it is listed as an option in Azure it is not an option when a user first logs on. The only option is to use the Microsoft Authenticator with PUSH for ALLOW when login is attempted. I see this as a problem since people will inevitably click allow when they shouldn't.
2.) Is there an option to require a OTP as opposed to PUSH and ALLOW via the Microsoft authenticator WITHOUT the user having to click "Use a different authenticator app"
This will not happen, users are dumb
I see this as a problem since people will inevitably click allow when they shouldn't.
3.) Is there an option to revoke all authenticators from a user?
4.) What are the best practice, basic conditional policies that would protect the tenant from bad logins, currently I have:
Some of these are redundant as I had defender automatically create some of them when I was addressing the security score.
5.) I typically insert myself as a backdoor admin for the tenant. In the past I would create my account, add myself as global admin then enable Legacy Multi-Factor authentication
Does this mean that my backdoor admin account now requires an Azure AD Premiem P1 license OR Business Premium License to match the tenant?
I know I can probably get around this by using the MS Partner portal which I have an account for but do not currently use. I typically login to the tenant I am managing per my backdoor tenant login.
I still have a couple of questions
1.) Add SMS as an option of MFA in Azure. Even though it is listed as an option in Azure it is not an option when a user first logs on. The only option is to use the Microsoft Authenticator with PUSH for ALLOW when login is attempted. I see this as a problem since people will inevitably click allow when they shouldn't.
2.) Is there an option to require a OTP as opposed to PUSH and ALLOW via the Microsoft authenticator WITHOUT the user having to click "Use a different authenticator app"
This will not happen, users are dumb
I see this as a problem since people will inevitably click allow when they shouldn't.
3.) Is there an option to revoke all authenticators from a user?
4.) What are the best practice, basic conditional policies that would protect the tenant from bad logins, currently I have:
Some of these are redundant as I had defender automatically create some of them when I was addressing the security score.
5.) I typically insert myself as a backdoor admin for the tenant. In the past I would create my account, add myself as global admin then enable Legacy Multi-Factor authentication
Does this mean that my backdoor admin account now requires an Azure AD Premiem P1 license OR Business Premium License to match the tenant?
I know I can probably get around this by using the MS Partner portal which I have an account for but do not currently use. I typically login to the tenant I am managing per my backdoor tenant login.
1 - Users can setup Mobile#/SMS under their account when they are logged in or you can do it in Azure for them. We do it in Azure to take the work off of the end user.
2 - You can enable number matching with MS Authenticator app
3 - I know there is some powershell commands based on old MSOL module to reset a users MFA but I havent used it in a while so I do not recall if it deletes their registered mfa devices or not.
4 - See the template policies in Azure portal:
But honestly if you're not familiar with CA policies and you need to get some form of MFA enforced for all users, just enable secdefs. That's the quickest way to do it. You can always come back and work on CA after you learn more about it.5 - we've never licensed admin or management accounts. I dont think it's required but I dont have any official reference on that.
thecomputerguy
Well-Known Member
- Reaction score
- 1,366
Here's the problem.
In my test tenant I enabled security defaults for my tenant.
Then I registered a test user with security defaulted azure based MFA with Legacy MFA disabled (no business premium or conditional access enabled, only business standard).
Even after registration I was able to login to the account from a different computer/IP/location using single factor.
Why?
I did this by logging into a test computer in incognito I have at my uncle's company.
Why?
Sky-Knight
Well-Known Member
- Reaction score
- 5,407
- Location
- Arizona
Yeah the problem is Security Defaults does NOT enforce MFA on all users. It only enforces MFA on ADMINS. It uses MFA on users only at specific times, like accessing the security section of the account. It's not great...
BUT from what I've seen if the user takes the time to do phone signon, it'll consistently enforce MFA for the account.
And again if you see this behavior on the tenant open a ticket with Microsoft. They need to know people are upset they're taking away a feature to sell another $3 / month / user, and that isn't OK.
Docs for Security Defaults here: https://learn.microsoft.com/en-us/a...-do-multifactor-authentication-when-necessary
This is what's enforced on users
BUT from what I've seen if the user takes the time to do phone signon, it'll consistently enforce MFA for the account.
And again if you see this behavior on the tenant open a ticket with Microsoft. They need to know people are upset they're taking away a feature to sell another $3 / month / user, and that isn't OK.
Docs for Security Defaults here: https://learn.microsoft.com/en-us/a...-do-multifactor-authentication-when-necessary
This is what's enforced on users
Similar threads
