How do you deal with wide-spread MFA enforcement?

thecomputerguy

I have a client on an old O365 tenant and they have about 25 email accounts and I need to get MFA going on these accounts.

I know that using an Authenticator is considered "best practice" but it just sounds like such a nightmare getting people to download an authenticator and then set it up. Not to mention all mobile devices will need to have the email accounts removed and reinstalled after MFA is enabled. I can just see 22 phone calls of people calling to tell me they "forgot" their App Store password and they can't download the authenticator, or other sorts of end-user braindeadedness that comes along with supporting them. I could literally type out a document walking them through it step by step and they still wouldn't be able to figure it out. It's a wonder they let some of these people use computers at all.

I know using SMS authentication is not "as" secure but it's far less painful to deploy too. How do you all do this? I suppose if I had an employee I could delegate these stupid calls over to them but I don't and I just foresee at least an entire day of walking computer illiterate people through this process.
 
Bite the bullet, and use an authenticator and do the setup yourself, even if you have to do it in "groups of 5" (or 6 or 4 - whatever).

22 is not a huge number, and better to do it once and do it right (which means doing it yourself).
 
I can just see 22 phone calls of people calling to tell me they "forgot" their App Store password and they can't download the authenticator, or other sorts of end-user braindeadedness that comes along with supporting them. I could literally type out a document walking them through it step by step and they still wouldn't be able to figure it out. It's a wonder they let some of these people use computers at all.
It hurts just reading about this. So many people have no clue about their Apple ID or Microsoft account. When these things come up I know it's a 10-15 minute ordeal, most of it is listening to them spout off about their ignorance and me trying to educate them and then being frustrated as I know they still don't really get it and probably never will. Oh, then there's all the thumbing through their scraps of paper with the password they reset - three years ago and them acting like they struck gold, you know it's not going to be it. /rant off

Anyway, I can mostly tolerate it in small business or residential settings as when it happens I'm on the clock.

I don't know what your billing relationship is with this client, but I'd set the expectation that all those calls are billable. Make the document and then let the powers that be know that it's being distributed and if someone can't figure it out then it's going to cost the company some money. It will still suck fielding all those calls, but at least you'll be getting paid.
 
Yep, personally "TEAM MEETING" - as in person. Set up sessions as @britechguy stated. Set up each user individually, make sure they understand; maybe whip up a brief documentation tool or even append this to your website.

Download the rescue keys - keep these yourself, document user passwords and make sure they do as well, along with any security questions etc.
Advise that any calls regarding login issues will be billable after a "Grace Period" that you set up.
 
It's part of the process of having clients....on 365.
25 or so users, pretty easy. Larger orgs...past 50...past 100...work with a person who is the main IT contact there...so they can assist.
I wrote up some guides..have them in our HUDU, send clients links, so some will be able to follow that, and for those who can't ...at least they have something you look at while you're on the phone with them. For clients on silver/gold plans, I'll go onsite. For larger clients...get a person onsite that works with you to knock them out.

I use the authenticator, for Androids....they don't need to know the Microsoft account yet....til they're doing it with you. Yes, for the iPhone users....you run into those users who don't know/forgot their Apple ID...and yes that's a pain.

Also, conditional access can handle the "unusual", special circumstance accounts at least....like if they'll never need to use that account outside of their office/away from the office, never on a phone.....
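As an added example (not from the thread), here is what that kind of "office only" Conditional Access policy looks like when created with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, a Named Location for the office IP range already exists (its id and the account UPN are placeholders), and it is created in report-only mode first so sign-in logs can be checked before anyone gets blocked.

```powershell
# Added example, not the poster's own code. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All"

# Placeholders: look the Named Location up with Get-MgIdentityConditionalAccessNamedLocation
$officeLocationId = "<NAMED-LOCATION-ID-PLACEHOLDER>"
$targetUpn        = "frontdesk@contoso.example"
$targetUserId     = (Get-MgUser -Filter "userPrincipalName eq '$targetUpn'").Id

# Conditions inside one policy are ANDed, so "outside the office" and "on a phone"
# are two separate policies; both block rather than prompt for MFA.
$blockOffsite = @{
    displayName    = "Block $targetUpn outside office network"
    state          = "enabledForReportingButNotEnforced"   # flip to "enabled" after reviewing sign-in logs
    conditions     = @{
        users          = @{ includeUsers = @($targetUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($officeLocationId)      # the office is the only allowed place
        }
    }
    grantControls  = @{ operator = "OR"; builtInControls = @("block") }
}

$blockMobile = @{
    displayName    = "Block $targetUpn on mobile platforms"
    state          = "enabledForReportingButNotEnforced"
    conditions     = @{
        users          = @{ includeUsers = @($targetUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        platforms      = @{ includePlatforms = @("android","iOS"); excludePlatforms = @() }
    }
    grantControls  = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $blockOffsite
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockMobile
```

Keep at least one break-glass admin account excluded from policies like these, or a mistake in the Named Location can lock you out of the tenant along with the user.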
 
25 or so users, pretty easy. Larger orgs...past 50...past 100...work with a person who is the main IT contact there...so they can assist.

Absolutely this. In the planning stage ask management which of their staff is the most tech literate and would they be open to assisting in the rollout. Provide some training and make them the first point of contact. All the basic "What's an app store?" queries go to this staff member with anything more complex referred on to you.

Rollout will generally go smoother. You have less crap to deal with. Client receives a lower invoice for the project. Everyone wins.

Alternate is you bill hourly rate for all additional support because it's almost impossible to predict that time in advance.
 
Microsoft has a video but it's a little out of date since they changed the UI/process

I came across this seems ok

I guess the best one would be for you to create your own video so your customers hear it from you :D
 
I don't allow for self-service password resets, and I use the authenticator without SMS or phone call fallback.

I let the business owners know up front, I will be billing for time if I have to wait for users to figure out their phones, and I recommend Yubikeys to avoid all this headache. If the people cannot handle it, then that's more time for training.

Don't be afraid to bill for the time you need, just make sure the owners know up front what to expect. And, all of us need to watch out for the largest hairball... the simple fact that the business owner has no right to mandate use of employee private property for anything. So the owner better be ready to fire people over this, or be ready to fork over for FIDO2 keys / company owned and provided mobile devices.

But seriously, the hardest cases I've ever had, went smooth as silk as soon as I enabled phone signon and showed the first user. When that light comes on and they realize their password is now their phone unlock code? Perfection...

But despite all the videos and write ups, I'm still talking people through it one at a time over the phone. But again, billable time so I don't care.
 
the simple fact that the business owner has no right to mandate use of employee private property for anything.

Indeed. And if they're doing so, once informed of the legal ramifications, they'll stop.

I presumed (and, I know, probably incorrectly) that we were discussing company issued devices here. When it comes to large companies, that's almost invariably the case, as they do not want the exposure that often comes from "mixing business with personal" on employee-owned devices. But when it comes to small companies, I should have thought about that.
 
I'm still talking people through it one at a time over the phone.

It's not so much whether in-person or over the phone, but that it's person to person. And person-to-person service for something entirely new to the organization is generally billable except if a "platinum plan" is involved. Sometimes even then, as it's outside the originally contracted scope.
 
Indeed. And if they're doing so, once informed of the legal ramifications, they'll stop.

I presumed (and, I know, probably incorrectly) that we were discussing company issued devices here. When it comes to large companies, that's almost invariably the case, as they do not want the exposure that often comes from "mixing business with personal" on employee-owned devices. But when it comes to small companies, I should have thought about that.
Arizona has no law to protect employees in any way other than the employer cannot mandate use of the devices. Yet, most opt to use the device for their own convenience. I've a very high success rate in this effort, but only AFTER I train everyone involved on what this entails, and how the authenticator app is actually designed to be theirs personally, only configured to help them with the office, and the app doesn't in any way give anyone the ability to access their devices in any way. It's simply a set of keys. Phone signon is a huge quality of life improvement for users, so most of them opt into using whatever device they have. Many of them do not want company issued devices because then they have to cart around two smart phones. It just depends on the office, and figuring out what path to take here is the largest time sink in the process.

Even Microsoft has blurred the lines here, because if you install the app fresh it will ask you to "login". This login is for the user's PERSONAL Microsoft account. Because that's the account that syncs the details that will be configured in the authenticator app itself. This login is optional to the app, and NEVER CAN USE an enterprise or business account.

And the above is one of my primary snags in training, because it pops up and the user almost always is confused and attempts to use their office email, and then calls because it fails. They have to be trained how to bypass this prompt, to get to the add account button that ultimately lets them scan the QR code to enroll the device.
 
@Sky-Knight

All I can say is that based upon much of what passes through these forums, I am eternally grateful to be out of the business of supporting businesses of any significant size.

I feel like we're moving backward in that things kept getting more and more convenient (and, to some extent, easier to understand) and now the trajectory is precisely the opposite. I hate even having to try to explain the actual complications related to email anymore, and I'm not talking about editing records here, but a lot more frequently accessed than that.

I'm happy in my semi-retired state dealing with the residential market for the most part, and very, very small mom n' pop businesses for the rest.
 
We have about 150 active business clients....off the top of my head, I can count 2x that provide phones to their staff. All the others....clients BYOD. To be honest...I can barely count on 1x hand...the number of staff that whined/moaned about using their own phones for MFA stuff.
I have tons of them set up with the MS Auth app for 365 stuff and workstations, and a small number also using DUO so they can log into their workstations (cuz on local AD).

I've played with the Yubi key myself...got a demo unit a year or so ago. I just prefer my phone and the MS Auth app. Rob...sounds like you've deployed a few Yubi's....one thing I've wondered...they seem sorta easy to forget/misplace/lose. What's your experience with that as far as supporting clients that use them in larger numbers?
 
@YeOldeStonecat I don't have any in the field. As for their use, they simply replace the authenticator. So the user can have a key, and an authenticator if they want and use whatever they wish.

What's nice about using the key is they can pop it into their desktop / laptop and it's a truly passwordless login. The physical key is paired with a pin or finger print / facial recognition. This process involves TPM, and utterly screams why Windows 11 has the requirements it does.

The NFC-enabled keys can be waved behind an NFC-enabled cell phone to do the same thing on mobile devices OR you get the keys that are USB C / pass out adapters for the same.

I'm not going to say it's a perfect solution, but it's something to have in the quiver for that employee that doesn't want to use their personal device while you require MFA. Legally speaking, the employer cannot require use of that private property. So I have a couple I use internally just to know how they work, but as of yet... no clients have needed them.

Replacing a lost / stolen Yubikey is basically the same thing as re-enrolling a phone, you get into Azure, pop the old authenticator off the account, reset the password, and require new MFA at the top and set the user loose. And at $50 / key, they aren't too terribly expensive.

But phone signon is just so good!
 
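The lost/stolen key procedure described above (remove the old method, reset the password, force fresh MFA), as an added example using the Microsoft Graph PowerShell SDK; this is not the poster's own script. It assumes the SDK is installed, the admin holds the scopes listed, the UPN is a placeholder, and a Conditional Access policy requiring MFA is in place so the user is forced to register a new method at the next sign-in.

```powershell
# Added example, not the poster's own code. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All","User.ReadWrite.All"
$upn = "user@contoso.example"   # placeholder UPN of the user who lost the key

# 1. List what is registered before removing anything (ids + method type).
$methods = Get-MgUserAuthenticationMethod -UserId $upn
$methods | ForEach-Object { "{0}  {1}" -f $_.Id, $_.AdditionalProperties['@odata.type'] }

# 2. Remove the FIDO2 key(s). If the phone went missing too, the Authenticator
#    registrations go as well; SMS/phone methods are left alone here on purpose.
foreach ($m in $methods) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $upn -Fido2AuthenticationMethodId $m.Id
        }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $upn `
                -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
        }
    }
}

# 3. Reset the password to a random temporary value and force a change at next sign-in.
$tempPwd = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $upn -PasswordProfile @{ Password = $tempPwd; ForceChangePasswordNextSignIn = $true }
"Temporary password for $upn (hand over out-of-band): $tempPwd"

# 4. Revoke refresh tokens so anything cached on the lost device stops working;
#    with MFA enforced by policy, the next sign-in walks the user through new registration.
Revoke-MgUserSignInSession -UserId $upn
```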
I've been using a Yubikey 5 NFC for roughly 2 years now. All our techs use them actually. Love it for anything supporting FIDO2, it's just so fast and easy. Pincode > press the button > done. Don't even need to type a username. WHfB same thing, super easy. We also use smart cards for desktop login and I'm able to create a virtual card on the Yubikey so I no longer need a smart card reader.

Downsides - Microsoft not fully supporting it for all apps (not a specific Yubikey issue this is just FIDO2 support in general).

WHfB login - Yes
Any MS site in a browser - Yes
Outlook desktop app - Yes
Teams desktop app - not supported
OneDrive desktop app - not supported
PowerShell to Exchange Online, AzureAD etc - not supported

So I still have to fall back to using the authenticator app or basic TOTP authentication quite often. A shame because you truly could go "passwordless" in 365 if it worked everywhere.
 
@SAFCasper Microsoft does support FIDO2 on everything, but only if you're using Windows Hello for Business, so when you sign into the system itself you're already logging in with the FIDO process to Windows, and that single identity is fully merged with Azure.

In that case there's only 1 authentication event... the desktop. You don't have app specific authentication.

And I wouldn't expect MS to fix this, because they've always been about SSO. It's a founding principle for the company to link all things to a single login.
 
@SAFCasper Microsoft does support FIDO2 on everything, but only if you're using Windows Hello for Business, so when you sign into the system itself you're already logging in with the FIDO process to Windows, and that single identity is fully merged with Azure.

In that case there's only 1 authentication event... the desktop. You don't have app specific authentication.

And I wouldn't expect MS to fix this, because they've always been about SSO. It's a founding principle for the company to link all things to a single login.

True. Guess I'm a niche case that I regularly access multiple accounts so not always signed into Windows with the same account I want to access other MS services.
 
True. Guess I'm a niche case that I regularly access multiple accounts so not always signed into Windows with the same account I want to access other MS services.
You're doing the same thing I am, it's not niche at all...

It's just that the "correct" way to do these things is to federate your Azure AD out to each of your clients, so that your live M365 login has the admin tokens you need in their tenants.

I see all that SSO as a HUGE house of cards, so I want nothing to do with it. So to work around that I need individual, non-shared admin accounts in each tenant for each employee I have that needs that access. Which thankfully is just me... Because managing all these things as silos is hard, and Microsoft doesn't want us doing it that way.

TLDR, we're IT people, so we get to do things the hard way.
 