New clients MFA is all out of whack and not sure how to fix it.

Believe me, CA gives you sooo much more than the "manual way" of doing the MFA under the old 365 admin portal, users section.
With CA, you have such GRANULAR CONTROL of the MFA. You can really customize policies, combinations of certain types, eliminate other types. Multiple Auth method policies and apply to different users groups or to different user devices. Better yet, deny access unless the device is registered or AzureAD joined! Think about that one for a minute!
Not to mention, the absolutely WONDERFUL additions of using "trusted locations" to bypass MFA. And Geo Blocking. Oh the list of benefits goes on and on.

...and then...the list of benefits from other aspects of Biz Prem, such as InTune, and AzureAD P1, and Advanced Threat Protection/Defender....oh my...have a seat for a few hours while we go over those benefits. Cuz once you include those, the price of 13 to 23 bucks per is now justified a bunch of times. Ease of management, thus saves the client money, unless you volunteer your time. Ease of a user signing into other computers and their user profile auto configures. Less time you spend doing manual things...less manual bills. Alerting from risky activity. Being able to point to "conditional access being used" for compliance policies. Many insurance agencies want proof of security being implemented. The huge advantages of the additional Defender policies..safe attachments, safe links, much better anti phishing and anti spam measures.
 

Ok so I upgraded one of my test users to Business Premium to enable conditional access and test it out.

It looks like this setup is working as I EXPECT it to work under the old legacy MFA tool. New logins are requiring MFA as I expect them to.


Is this a good starting ground for conditional access? Is there anything else I should add that should be BASIC conditional access?
 
You have this...
And then can play with specific, such as click into Microsoft Authenticator....enable,apply to all, click into "Configure"....and enable all those 4 settings...

And then you can go into Authentication Strengths....and...oh wow...go to town here....create your own recipes from the list of ingredients...


Also go into CA policies...and look at the policy templates available to you...
 

Alright look so the main reason why I am trying to learn this is because I was under the impression that this is going away soon.... per user multi-factor authentication:


Which I believe is the same as this right?


I called MS and spoke with someone and he said he was not aware that MS was doing away with this Per-user MFA, only doing away with Legacy protocols like POP, SMTP, and IMAP. (Via security defaults being enabled?)

Is this true?

A lot of what I support are EXTREMELY simple clients, mostly older clients, a lot of these clients have money but barely know how to use the computer, some don't speak English, some call me bi-weekly for me to remind them to reboot their computer. Which is why for a lot of them I have used the above, simple, non-azure Per-user MFA.

A lot of these clients are between 2-10 users, a lot of them have an in house server, none are joined to M365 Azure AD. These setups are mostly VERY simple. I understand the benefits of moving to Azure but these are the types of people that are incapable of downloading an app from the app store. They are incapable of basic troubleshooting when things don't go exactly as they always do. And some of these clients I'd rather drive out to their business than try and help them over the phone because it's impossible.

I just need SIMPLE. Yes it's more work to click Enable/Enforce manually but I rarely have to modify these. Moving them to Azure MFA with Business premium licenses doesn't make sense to me.

So ... am I understanding this correctly? Are they removing per-user MFA?

If they aren't I'm fine with most of these people just getting security defaults as long as I can continue to enable per-user MFA.

Some of these people don't know how to multi-task on their phone and have to be sent several SMS codes and they have to write it down because it disappears from the pop-up window on their phone.

Migrating them to Azure AD MFA sounds like an absolute nightmare!
 
Ok if they aren't getting rid of it then I'm done for the day. I totally understand the benefits of all this azure stuff but a lot of my clients are in their 60's and are only still working because they don't want to be stuck at home with their spouses or they can't stop working because we're in California and you have to make $250k a year on two incomes just to survive with a family.

My older clients are all on MSP and pay REALLY well. My younger clients just wing it themselves as best as they can and call me when needed.

My plan as a one man MSP is to make this work as well as I can until I'm around 45 which is right around where I'll probably start losing some of those clients due to age... make enough money to float my family for a while and get out of this. I'm 38 and I've already been doing this for 21 years! To say I'm burned out is an understatement.

All of that was really off topic but I'm trying to paint the picture. I just recently got into the MSP gravy train and I'm gonna ride it as long as I can without complicating mine or my clients' lives.
 
Spoke with someone at M365 regarding this
Answer: Unsure

Spoke with someone at Azure regarding this
Answer: Need to ask someone else

Azure guy called back with one of his people on chat
Answer: Unsure, but probably will need to move to P1

Clear as mud
 
It's not a step backwards, your testing is faulty.

The fact is Security Defaults requires MFA for every login from an "untrusted device".

That means a device that's not associated with the tenant.

So if you logged in from a machine that has a TPM module in good working order the security ID of the machine is passed via the auth process. This ID if associated with another successful login can at times allow you to bypass the MFA requirement. However, if you attempt to muck with the security settings of the account, change password, enroll an authenticator etc, those events will always trigger an MFA check.

Stoncate is right though, if you want full control to say ALL LOGINS MUST, you have to have Conditional Access. I'm not willing to say that Security Defaults isn't secure. However I can fully understand why it would get people's hackles up.

Also, there's a further wrinkle... the auth migration process itself plays with all of this and I've seen it take a couple of days to settle down.
 

That's kind of what I experienced ... I could login to the account using Single-Factor Auth even with MFA enabled through Azure but any "change" to the account itself resulted in an MFA requirement.

But being able to access Outlook from a foreign device using Single-Factor Auth (which is what I experienced) even when MFA is enabled is unacceptable.

It's also unacceptable that conditional MFA already WAS a thing using per-user MFA, and they're taking that option away, and selling it back to you under a P1/Biz Prem license.

Using a Business standard license ... this isn't true

The fact is Security Defaults requires MFA for every login from an "untrusted device".

I was able to log in to OWA and access Outlook from a different device on a different IP in a different city using single-factor authentication. Only when I attempted to make changes in "My Profile" was I prompted for MFA.

Edit: I know you both are saying "but all the extra stuff you get!" I get it. But for right now I just want MFA.
 
You need to open a ticket with Microsoft, because that's not normal behavior.

One thing I can suggest for right now is get your users to enroll in and use phone signon. It's "single factor", but requires a phone unlock, and the phone itself to get the sign-in process done. And as such, the account cannot not prompt for the phone.

Once that's done you can reset their password to something huge they'll never know, because they never need it.

Passwords suck... get a helmet!


We tend to think that administrator accounts are the only accounts that need extra layers of authentication. Administrators have broad access to sensitive information and can make changes to subscription-wide settings. But attackers frequently target end users.

After these attackers gain access, they can request access to privileged information for the original account holder. They can even download the entire directory to do a phishing attack on your whole organization.

One common method to improve protection for all users is to require a stronger form of account verification, such as multifactor authentication, for everyone. After users complete registration, they'll be prompted for another authentication whenever necessary. Azure AD decides when a user will be prompted for multifactor authentication, based on factors such as location, device, role and task. This functionality protects all applications registered with Azure AD including SaaS applications.

So yeah, it doesn't MFA all the time unless it detects a risk. You can eliminate passwords and force the issue, or you can upgrade to Azure AD P1. That call is ON THE CLIENT TO MAKE. As my CISSP training clearly states, and something I've not used NEARLY OFTEN ENOUGH IN MY LIFE.

Information Security (Cybersecurity) is the responsibility of the business owners and stake holders. It is NOT an IT concern, it is a BUSINESS concern.

If the business doesn't care, nor should you. Running on Basic / Standard to some degree should indicate they do not care.

THAT BEING SAID.

I do have a ticket open with Microsoft on this issue. Because they ARE "taking a feature away", and it's an "easy up sell" to tell a business owner well... you have "Security Defaults" and now you have this thing that needs an exception, an exception is a CONDITION and therefore you need Conditional Access.

Sadly this is one of those left not talking to the right problems... because the MFA for single user stuff that's going away is an M365 feature, whereas everything else we're talking about is an AZURE feature. And never the twain shall meet... except when they're the same thing... but not... but are...
 

Slightly off topic: Just curious what your work plan is after 45? Or maybe you've earned enough to retire? Probably unlikely in California lol. I'm just curious. I'm around your age and I see the same thing you mentioned with clients. I think I have at best another 5-10 years of good decent work and then it's going to taper off because a lot of these folks will either be retired or unfortunately no longer amongst us.

I don't get a ton of work from people my age range. Certainly not enough to make a living from that's for sure. A lot of my business clients are in their 60's now like you mentioned. I believe most will retire by 70 or before. Maybe I'll be wrong and things will still be going strong but I'd definitely need to pick up a lot of new clients in the next decade to keep rolling. I have no idea what other kind of work I'd even want to do at this time.
 

Honestly no idea.

I've had a plan since I started in this 21 years ago at 17 years old and it's worked out really well for me and my family. It's also been a burden. I've been working my butt off since I was a very young adult... I'd even say I missed out on a lot of experiences because I just went straight to work.

No pity party but I'd be lying if I said I had a plan. And to not have one, sounds terrifying ... and exciting.
 
And to not have one, sounds terrifying ... and exciting.

While I think it's helpful to have "a mental rough sketch" of what one's options might be, I long ago decided that the idea that we can plan life in the way we plan many other things is just patently false. Too much can and does change both external to the individual and to their internal landscape as time and experiences progress for any plan to remain meaningful over the long term.

One of my former coworkers back in the mid-1980s and I both agreed that, when asked the question, "Where do you see yourself in 5 years?," (which was a standard interview question then, I hope it's died the death it so justly deserved) that we both wanted to respond, "Preferably on a beach somewhere, sipping a drink and never having to think about work again." Believing you can know or even have a rough idea of where you might be in an organization five years hence is folly.

John Lennon put it best, "Life is what happens to you while you’re busy making other plans."
 
@thecomputerguy My MSP Intouch has 5 customers left, and is in effect closed.

I did this because during the pandemic I slowed down enough to step back and take stock, and it became immediately apparent that a one man shop was going to be infeasible to operate given the incoming regulatory changes impacting the industry.

So as of a month ago, I'm now a full time Solutions Architect for a larger firm that has its own SOC. It's been a wild ride, but I have to say... being 8-5 only and getting my weekends back too has been WONDERFUL. Not to mention the extra money I'm bringing in.

Anyone that's looking to get out I suggest you find a nice mid sized MSP like I did, no more than 300 employees. They'll give you a good home and a place to either grow so you can get a better position later, or help them grow with your INCREDIBLY VALUABLE skills in running the entire sales cycle that aren't present with other "engineers" or "architects" out there.

I'm basically this place's Sr Engineer that lives with the Sales team here, and I love it. They go get the leads, I work with them and the clients to hammer out a plan, write it up, and hand it off to our deployment teams to get crap done. The quality of life improvement is bonkers, and I have enough spare time I'm now working on my CISSP. If all goes well by the end of the year I'll have AZ-104, AZ-500, AZ-700, AZ-305, and my CISSP. At which point I can go anywhere and command a nearly $300k / year salary.

Doing all that on my own would have required at least $2 million in capital to fire up a massive marketing engine, hire lawyers, and do all sorts of work on my MSP to get it where it wouldn't get buried in the court room later, just for me to continue working 24/7 for yet another two decades to make it work. My oldest is graduating high school next month, I've already missed her growing up... I can't do that, I WON'T continue to make that mistake.

So yeah, do please take stock and think HARD. The game is changing and while the market can seem tight, now is a great time to get out. If that decision makes sense to you.

I may fire Intouch back up in 5 years... we'll see how things unfold. With my CISSP I can change its mission to exclusively helping organizations survive SOC audits and implement Zero Trust methods. Huge money there, and nowhere near the stress of being responsible for 24/7 care of all those endpoints on the cheap.
 
I wrote out this MFA migration process maybe someone can take a look at it:

MFA Migration Process

Enable Security Defaults

Azure AD > Overview > Properties > Enable Security Defaults

Make note of Legacy MFA options
  • Admin Center > Users > Multi-Factor Authentication > Service Settings
  • Make note of all Service Settings
Buy Azure Active Directory Premium P1 OR Business Premium and assign the license to backdoor Admin.

Match Legacy MFA Options in Azure
  • Azure AD > Authentication Methods > Match Legacy MFA options.
  • Microsoft Authenticator
  • SMS
  • OATH
  • Microsoft Authenticator Settings > Configure > Allow use of Microsoft Auth OTP
Begin Migration
  • Azure AD > Authentication Methods > Policies > Manage Migration
  • Migration In Progress
NOTE: This allows Legacy MFA options to Migrate to Azure AD Authentication Methods

Disable Legacy MFA options
  • Admin Center > Users > Multi-Factor Authentication
  • Disable All Accounts
  • Service Settings
  • Disable all Service Settings
  • Disable Allow app passwords to sign in
Disable Password reset options

Azure AD > Protect & Secure > Password Reset > Disable all options

Complete Migration

Azure AD > Protect & Secure > Authentication Methods > Manage Migration > Migration Complete

NOTE: Legacy MFA options are now unavailable

Enable Basic Conditional Access Policies
  • Azure AD > Overview > Properties > Disable security Defaults
  • Azure AD > Protect & Secure > Conditional Access
  • Require multifactor authentication for admin
  • Block legacy authentication
  • Require multifactor authentication for all users
OPTIONAL: Check authentication methods for users
  • Azure AD > Users > Select user > Verify Authentication methods
  • Delete if Necessary
OPTIONAL: Revoke Authentication methods

Azure AD > Users > Select user > Authentication methods

OPTIONAL: Require re-register multifactor authentication

Azure AD > Users > Select user > Require re-register multifactor authentication

OPTIONAL: Password resets

BEGIN THE ONSLAUGHT

Other Conditional Policies (ALL):
  • Require multifactor authentication for admins
  • Require multifactor authentication for all users
  • Block legacy authentication
  • Require MFA for admins
  • Require MFA for external and guest users
  • Block all legacy sign-ins that don’t support MFA
  • Require MFA for internal users (admins not included) – Basic
Clean up Microsoft defender
  • Admin center > Security > Improve your score
  • Address Scoring issues
NOTE: Safe Links, Anti-spam, Anti-phishing, Safe Attachments default policies are enabled by default

I still have a couple of questions

1.) Add SMS as an option of MFA in Azure. Even though it is listed as an option in Azure it is not an option when a user first logs on. The only option is to use the Microsoft Authenticator with PUSH for ALLOW when login is attempted. I see this as a problem since people will inevitably click allow when they shouldn't.

2.) Is there an option to require an OTP as opposed to PUSH and ALLOW via the Microsoft Authenticator WITHOUT the user having to click "Use a different authenticator app"
This will not happen, users are dumb

I see this as a problem since people will inevitably click allow when they shouldn't.

3.) Is there an option to revoke all authenticators from a user?

4.) What are the best practice, basic conditional policies that would protect the tenant from bad logins, currently I have:
  • Require multifactor authentication for admins
  • Require multifactor authentication for all users
  • Block legacy authentication
  • Require MFA for admins
  • Require MFA for external and guest users
  • Block all legacy sign-ins that don’t support MFA
  • Require MFA for internal users (admins not included) – Basic

Some of these are redundant as I had defender automatically create some of them when I was addressing the security score.

5.) I typically insert myself as a backdoor admin for the tenant. In the past I would create my account, add myself as global admin then enable Legacy Multi-Factor authentication

Does this mean that my backdoor admin account now requires an Azure AD Premium P1 license OR Business Premium License to match the tenant?

I know I can probably get around this by using the MS Partner portal which I have an account for but do not currently use. I typically login to the tenant I am managing per my backdoor tenant login.
 
1 - Users can setup Mobile#/SMS under their account when they are logged in or you can do it in Azure for them. We do it in Azure to take the work off of the end user.

2 - You can enable number matching with MS Authenticator app

3 - I know there are some PowerShell commands based on the old MSOL module to reset a user's MFA but I haven't used it in a while so I do not recall if it deletes their registered MFA devices or not.

4 - See the template policies in Azure portal:
But honestly if you're not familiar with CA policies and you need to get some form of MFA enforced for all users, just enable secdefs. That's the quickest way to do it. You can always come back and work on CA after you learn more about it.

5 - we've never licensed admin or management accounts. I don't think it's required but I don't have any official reference on that.
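The migration process posted above does the "Enable Basic Conditional Access Policies" step by clicking through the portal, and answer 3 here mentions the old MSOL reset without being sure what it removes. Below is the same step done with the Microsoft Graph PowerShell SDK, plus a helper that lists what a user actually has registered before you revoke anything. This is an added example, not the poster's process or Microsoft's own script; it assumes the Microsoft.Graph module is installed, that you sign in as a Conditional Access Administrator, and that the contoso.example UPNs are placeholders you replace. The policies are created in report-only state so you can check sign-in logs before switching them to enabled.

```powershell
# Added example (not from the thread). Creates the three "basic" CA policies from
# the migration list in REPORT-ONLY state, excluding a break-glass / "backdoor admin"
# account so the policies cannot lock out the tenant, then lists a user's registered
# authentication methods. UPNs below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All",
                        "User.Read.All", "UserAuthenticationMethod.Read.All"

$BreakGlassUpn = "breakglass@contoso.example"            # placeholder: your emergency admin
$breakGlassId  = (Get-MgUser -UserId $BreakGlassUpn).Id

# Well-known directory role template id for Global Administrator (identical in every tenant).
$globalAdminRole = "62e90394-69f5-4237-9190-012177145e10"
$reportOnly      = "enabledForReportingButNotEnforced"   # flip to "enabled" after reviewing logs
$allApps         = @{ includeApplications = @("All") }

$policies = @(
  @{
    displayName   = "CA001 Require MFA for admins"
    state         = $reportOnly
    conditions    = @{
      users          = @{ includeRoles = @($globalAdminRole); excludeUsers = @($breakGlassId) }
      applications   = $allApps
      clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  },
  @{
    displayName   = "CA002 Block legacy authentication"
    state         = $reportOnly
    conditions    = @{
      users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
      applications   = $allApps
      # Basic-auth clients (POP/IMAP/SMTP AUTH, older Office) present as these two client app types.
      clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
  },
  @{
    displayName   = "CA003 Require MFA for all users"
    state         = $reportOnly
    conditions    = @{
      users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
      applications   = $allApps
      clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  }
)

foreach ($p in $policies) {
  $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
  "{0,-36} id={1} state={2}" -f $created.DisplayName, $created.Id, $created.State
}

# Question 3 from the migration post: inspect a user's registered methods first.
# Each entry's @odata.type names the method (phoneAuthenticationMethod,
# microsoftAuthenticatorAuthenticationMethod, passwordAuthenticationMethod, ...).
function Get-RegisteredAuthMethods {
  param([Parameter(Mandatory)][string]$UserPrincipalName)
  Get-MgUserAuthenticationMethod -UserId $UserPrincipalName | ForEach-Object {
    [pscustomobject]@{
      Id   = $_.Id
      Type = ($_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
    }
  }
}

Get-RegisteredAuthMethods -UserPrincipalName "testuser@contoso.example"   # placeholder
```

Review the report-only results under Azure AD sign-in logs before changing state to enabled, and keep the break-glass exclusion on every policy.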
 

Here's the problem.

In my test tenant I enabled security defaults for my tenant.

Then I registered a test user with security defaulted azure based MFA with Legacy MFA disabled (no business premium or conditional access enabled, only business standard).

Even after registration I was able to login to the account from a different computer/IP/location using single factor.

Why?

I did this by logging into a test computer in incognito I have at my uncle's company.

Why?
 
Yeah the problem is Security Defaults does NOT enforce MFA on all users. It only enforces MFA on ADMINS. It uses MFA on users only at specific times, like accessing the security section of the account. It's not great...

BUT from what I've seen if the user takes the time to do phone signon, it'll consistently enforce MFA for the account.

And again if you see this behavior on the tenant open a ticket with Microsoft. They need to know people are upset they're taking away a feature to sell another $3 / month / user, and that isn't OK.

Docs for Security Defaults here: https://learn.microsoft.com/en-us/a...-do-multifactor-authentication-when-necessary

This is what's enforced on users
Require users to do multifactor authentication when necessary

We tend to think that administrator accounts are the only accounts that need extra layers of authentication. Administrators have broad access to sensitive information and can make changes to subscription-wide settings. But attackers frequently target end users.

After these attackers gain access, they can request access to privileged information for the original account holder. They can even download the entire directory to do a phishing attack on your whole organization.

One common method to improve protection for all users is to require a stronger form of account verification, such as multifactor authentication, for everyone. After users complete registration, they'll be prompted for another authentication whenever necessary. Azure AD decides when a user will be prompted for multifactor authentication, based on factors such as location, device, role and task. This functionality protects all applications registered with Azure AD including SaaS applications.
 