Client wants to force MFA every time Outlook opens...

thecomputerguy

Paranoid client wants to require an authenticator code every single time Outlook is opened company wide.

Is there any way to do this?
 
You can do this, but it requires Conditional Access Policies so you can make the required configuration.

Is your client OK with M365 Premium everywhere?

Also... why are you protecting software? Protect the endpoint... Azure Domain joined Win10 and Hello for Business means MFA on the Windows login to the MACHINE, then Outlook doesn't need to do it again.

So again, M365 Premium, and Conditional Access Policies.
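The reply above says this is possible with Conditional Access but does not show the policy. The following is an added example, not code from the thread or from Microsoft, of what that policy looks like when created through the Microsoft Graph PowerShell SDK: all users, the Office 365 Exchange Online app (what Outlook signs in to), MFA required, and a sign-in frequency of "every time". It is created in report-only mode so the sign-in logs show the prompt load before anyone is affected, and it assumes an emergency-access group whose object id is a placeholder.

```powershell
# Added example (not from the thread): a Conditional Access policy that re-requires MFA
# on every sign-in to Exchange Online. Assumes the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account that can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: object id of the break-glass / emergency-access group. Every CA policy
# must exclude it, or a misconfiguration can lock the whole tenant out of admin access.
$breakGlassGroupId = "<object-id-of-emergency-access-group>"

$policy = @{
    displayName = "Require MFA every time for Exchange Online (report-only)"
    # Report-only first; switch to "enabled" only after reviewing the report-only results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # Well-known app id of "Office 365 Exchange Online", the service Outlook signs in to.
            includeApplications = @("00000002-0000-0ff1-ce00-000000000000")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            # "everyTime" instead of a timeBased interval: re-prompt at each sign-in.
            frequencyInterval  = "everyTime"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Two practical notes on what this actually buys. The prompt fires whenever the client asks the tenant for a new token under this policy; whether that lines up with each launch of Outlook depends on the client's token cache, so "every time Outlook opens" is an approximation of what the tenant can enforce. And, as the rest of the thread points out, the policy governs sign-in to the service, not access to the OST already cached on the machine.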
 

Probably not.

The best course of action is to dissuade the asker from this grossly unnecessary step. @Sky-Knight has done an excellent job of articulating just why this is so utterly unnecessary.

Giving in to clients demanding the stupid, and this is stupid, is not doing them any favors. But calming them down and educating them about why what they're asking for is contraindicated is doing them a big favor.

What the client is asking for is about as far from "best practices" as one can imagine, and it's to assuage an unjustified paranoia.
 
The other option is to set up DUO hardware tokens so that you can't log in to Outlook without the USB key plugged into the machine.
 
Screw DUO, you can do that with Yubikeys directly against the tenant without having to pay Duo a cent. Duo makes all this junk easier in some contexts, but if you're using it for M365 you're just wasting money. Learn to configure your own FIDO on the tenant, you'll be more secure, safer from supply chain problems, AND saving money all at the same time.

DUO is still my go-to for a quick and dirty MFA for RDS platforms, but even that's going away slowly. A properly deployed RDS system can simply use MFA via M365 just like a modern desktop. It IS harder to do though, and requires AD and AAD to be licensed and happy. DUO is cheaper if the client doesn't have AD.
 
Fair enough. I don't use Yubi or Duo. My phone is secure enough for this and I enable MFA on every service I can.

Yeah, I'm the same! I forgot to mention that DUO's enrollment process is superior. Setting up MS Authenticator on everyone is a giant chore with my users.

Also, and fair warning to the both of us... I don't see TX or AZ jumping on this wagon very soon, but it'll still likely happen. Some states are requiring business owners to pay employees for ANYTHING that runs on a personal device. Authenticators are included.

I know IL is in this bucket already, and requires $30 / month rent paid to the employee for business use of a personal device. In these cases it's recommended to use these: https://www.yubico.com/product/yubikey-5-nfc/

$45 / keychain is a ton less money than $30 / month. There's a USB C variant as well, but I usually just ship adapters because C ports aren't as common on laptops as of yet. But these things can be used to authenticate the phone itself, and enrollment is handled via the admin during user creation, so no support calls mucking around with authenticator anymore.
 
rent paid to the employee for business use of a personal device.

I'll simply say that's the least they could do.

I saw "the beginning of the end" of work-life balance, except for those who were strong enough to set limits and stick to them, when the on-call pager made its debut.

Once we got to the age of smartphones, it was long gone.

It is unrealistic, and just plain wrong, to believe that employees can be or should be at the beck and call of their employers 24/7/365. But with the advent of the cell phone, and particularly the smartphone, that's become a far too common expectation.

When I'm off the clock, I'm off the clock. Don't dare bother me then. And I treat everyone I work with or who I consult for professional services similarly. "Office hours" (even when there's no office actually involved) exist as the lines of demarcation as to when business is being conducted and when it isn't. [Obviously, none of this applies either to the very occasional true emergency nor to people who are in positions where emergency services are what they supply in their lines of work. But even they are only "on" when they are at work unless they happen to be on call.]
 
@britechguy I will be honest, that 24/7/365 expectation is what drove me to where I am. I work in a position where I provide my IT knowledge and expertise while not being the IT person. This also frees me up to do IT work on a more freelance schedule and has reduced so much stress, as my day-to-day job has a more strict schedule that generally we are not expected to work outside of.
 
@Blues,

It's what has driven a lot of people from positions, regardless of industry, where 24/7/365 is expected, and often with crappy compensation to boot!

It really has become the burden of the individual employee to set their limits and stick to them these days and let the chips fall where they may. If you don't, in almost any position, you are looking to be steamrolled, whether you're a "burger flipper" in your local short-staffed fast food place up through CEO (where 24/7/365 is still a completely unrealistic expectation - even they should have time off when they take vacations, for instance, even if their day-to-day virtually requires 24/7).

The pandemic has really brought things to a head. I am really shocked that it has taken this kind of a shake-up to have triggered what's now being dubbed, The Great Resignation, as it should have happened several decades ago if people had spines. I'm well aware that there are better times to jump ship than others, but the numbers now make it very clear that there were millions upon millions staying in jobs they hated where conditions were (to the individual employee) unbearable and paying the price. In my professional life I have quit on 2 occasions, without any immediate prospects, and have never regretted it. Of course, I had the luxury of a nest egg, but tons of people with that luxury and with good prospects of landing a new position will still stew in misery rather than walk away. It's mystifying. They put themselves, their wellbeing, and their lives overall dead last, and for what?
 
You can do this, but it requires Conditional Access Policies so you can make the required configuration.

Is your client OK with M365 Premium everywhere?

Also... why are you protecting software? Protect the endpoint... Azure Domain joined Win10 and Hello for Business means MFA on the Windows login to the MACHINE, then Outlook doesn't need to do it again.

So again, M365 Premium, and Conditional Access Policies.

That's the thing: the endpoint is protected by DUO MFA authentication upon login. She wants additional MFA after that. The reason is that with their previous IT person, somehow an outside entity was able to gain remote access to one or all of their systems through a remote access tool. I do not know which one; it could have been LogMeIn, TeamViewer, Remote Desktop, who knows.

So I understand that protecting the endpoint should be the goal, and it is.

In almost all hacking cases I've seen it's done by a weak password with no MFA using OWA.
 
If they have a RAT running on the system no amount of MFA will help. I can install keyloggers and just play voyeur and gather whatever information I need.
 
@thecomputerguy Yep, RMM software is dangerous and as long as it's in use all of the above is irrelevant. The RMM software can get at locally stored data without even logging into the machine because it's running as local system.

Worse, if her former IT guy wasn't someone trusted... You now have no choice but to audit the M365 tenant, eliminate EVERY SINGLE admin from the tenant, change all passwords on the tenant, remove all partner relationships on the tenant AND remove all authorized apps in Azure.

Then you get to turn around and format C: the ENTIRE NETWORK, all workstations, servers, and VMs... Each and every VPN tunnel destroyed and redeployed.

That reality is a crypto in scope, just without the damage to the data.

This is why I tell people NEVER install any remote software outside of your RMM and you make darned sure all your RMM tools are MFA'd, because any access to them at all puts your entire client base at risk, and there's jack they can do but sue you for the damage. This is also why all MSPs that have real business are selling stacks of security software, and charging huge monthly fees to cover it all, because they have to defray the liability for all of this.

I'll say it again, protecting Outlook is a waste of time. The OST file is on the machine ready to be taken or manipulated by any process running as admin on the box.
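The post above lists what has to be audited in the tenant once a former admin can no longer be trusted: every admin, every partner relationship, every authorized app. Below is an added example, not code from the thread, that produces that inventory with the Microsoft Graph PowerShell SDK. It is deliberately read-only: it writes three CSV files (role members, partner relationships, app consent grants) so the removals can be reviewed and done by hand rather than scripted against a list nobody has looked at. It assumes the Microsoft.Graph module is installed and an account that can consent to the read scopes.

```powershell
# Added example (not from the thread): read-only inventory of the things Sky-Knight says to
# audit in a tenant an untrusted admin had access to. Lists only; removal is a manual step.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
                        "Application.Read.All", "DelegatedAdminRelationship.Read.All"

$out = Join-Path $PWD ("tenant-audit-" + (Get-Date -Format "yyyyMMdd-HHmm"))
New-Item -ItemType Directory -Path $out | Out-Null

# 1. "Eliminate EVERY SINGLE admin": who holds an activated directory role right now.
$roleMembers = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $p = $m.AdditionalProperties        # raw JSON properties of the member object
        [pscustomobject]@{
            Role   = $role.DisplayName
            Type   = $p['@odata.type']      # user, group, or servicePrincipal
            Member = $(if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] })
            Id     = $m.Id
        }
    }
}
$roleMembers | Export-Csv (Join-Path $out 'role-members.csv') -NoTypeInformation

# 2. "Remove all partner relationships": granular delegated admin (GDAP) relationships
#    that let an outside MSP act in the tenant. Legacy DAP relationships are not returned
#    by this API, so also check Settings > Partner relationships in the admin center.
Get-MgTenantRelationshipDelegatedAdminRelationship -All |
    Select-Object DisplayName, Status, EndDateTime,
        @{ n = 'PartnerTenant'; e = { $_.Partner.TenantId } } |
    Export-Csv (Join-Path $out 'partner-relationships.csv') -NoTypeInformation

# 3. "Remove all authorized apps": service principals holding tenant-wide delegated
#    consent (granted for all users by an admin) ...
$delegated = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{ App = $sp.DisplayName; AppId = $sp.AppId; Grant = 'delegated'; Permissions = $_.Scope }
    }

#    ... and service principals holding application (app-only) permissions. These work with
#    no user signed in at all, so a password reset does nothing to them.
$appOnly = Get-MgServicePrincipal -All | ForEach-Object {
    $sp = $_
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
        [pscustomobject]@{
            App = $sp.DisplayName; AppId = $sp.AppId; Grant = 'application'
            Permissions = "$($_.ResourceDisplayName):$($_.AppRoleId)"
        }
    }
}
@($delegated) + @($appOnly) | Export-Csv (Join-Path $out 'authorized-apps.csv') -NoTypeInformation

Write-Host "Wrote $(@($roleMembers).Count) role members and $(@($delegated).Count + @($appOnly).Count) app grants to $out"
```

The third file is the one most often skipped in a cleanup. A mailbox-reading app with application permissions keeps working after every admin is removed and every password is changed, which is exactly the point the post makes about the former IT person's access outliving the obvious fixes. Step 3 walks every service principal, so on a large tenant it takes a while; on a small business tenant it is seconds.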
 
False security is, in my observation and experience, by far a worse thing than lax security.

Being convinced that "I'm safe" because I've put all sorts of ineffective (and inconvenient) processes in place that "are seen" is one of the surest ways to allow real vulnerabilities to persist.

If you're aware that your security is lax, you at least try to keep a watchful eye.
 
@thecomputerguy Yep, RMM software is dangerous and as long as it's in use all of the above is irrelevant. The RMM software can get at locally stored data without even logging into the machine because it's running as local system.

Worse, if her former IT guy wasn't someone trusted... You now have no choice but to audit the M365 tenant, eliminate EVERY SINGLE admin from the tenant, change all passwords on the tenant, remove all partner relationships on the tenant AND remove all authorized apps in Azure.

Then you get to turn around and format C: the ENTIRE NETWORK, all workstations, servers, and VMs... Each and every VPN tunnel destroyed and redeployed.

That reality is a crypto in scope, just without the damage to the data.

This is why I tell people NEVER install any remote software outside of your RMM and you make darned sure all your RMM tools are MFA'd, because any access to them at all puts your entire client base at risk, and there's jack they can do but sue you for the damage. This is also why all MSPs that have real business are selling stacks of security software, and charging huge monthly fees to cover it all, because they have to defray the liability for all of this.

I'll say it again, protecting Outlook is a waste of time. The OST file is on the machine ready to be taken or manipulated by any process running as admin on the box.

1.) Yeah my RMM is heavily passworded and 2-Factored.

2.) Good thing (or not so good thing) is I came onboard when their previous IT guy passed away and immediately swapped out all networking equipment (mainly to modernize); he previously had them remoting in using open RDP ports. Currently no ports are open.

3.) Good thing is the tenant is brand new, I just finished a Migration for this client last week as she had been on AppRiver hosted exchange up till this point and we discovered their 2-factor wasn't really 2-factor as one of the mailboxes was compromised.
 
I find a 2x4 to the side of the head really works wonders...

Indeed. And is often necessary.

If "the big kahuna" doesn't want to listen to the technical experts he or she has hired, if a contract is not signed, make it clear you'll walk away. If it's already in place, make it clear that your judgment is what will hold sway.

I don't get to tell my doctor, plumber, lawyer, or other experts that they must do my bidding. They will, when pushed, tell someone to take a hike and find someone else. I am not hired to do the bidding of someone who doesn't even know what they're asking for nor the ramifications of same. If you don't want my technical expertise, I'm happy to let you find someone else to put up with your s*&t.

Another case where setting limits, and sticking to them, is required.
 