New tenant, Global admin requiring MFA even though MFA & Security defaults are disabled.

thecomputerguy

I have a client that I am migrating from Gsuite to O365 using the Google API (Not IMAP) migrating with MigrationWiz. The first thing I do when I get ahold of a new tenant is make myself an unlicensed Global Admin account.

As of creating my global admin account I am being prompted to enable MFA (which is normal) EXCEPT that security defaults, and per user MFA are both disabled. I am able to skip this and proceed, but I am constantly prompted when moving through the admin center.

MigrationWiz requires that the account being used for migration purposes NOT have any sort of MFA enabled, and security defaults need to be disabled temporarily while the migration takes place per: https://help.bittitan.com/hc/en-us/...Microsoft-365-Migration-Guide#limitations-0-1

After hitting my head against the wall over and over due to MigrationWiz being unable to verify credentials, I discovered that the tenant owner was also a Global Admin. Upon logging into his account I discovered that even though he is also a Global Admin, MFA is not required for his account, and his account is not prompted like mine is.

I was eventually able to get MigrationWiz credentials to verify but I had to use his account (not a big deal). Mine would time out and say that the destination server failed to respond probably because when MigrationWiz was trying to verify the credentials, it got stuck because MFA is required for my account.

It looks like I am on the road to success with this migration but I'm trying to figure out why my newly created Global admin account is requiring MFA when it shouldn't?

 
If Security Defaults is disabled, and the per user MFA setting is also set to disabled for that specific user, all that's left is Conditional Access Policy.

Also time... it can take an hour for those settings to sink in.

Otherwise, yeah... MS is FORCING MFA now. Honestly BitTitan needs to get their devs out and fix this, you should be using an API, not an account. It's long past the time for such things to be done properly. And with the last round of massive Azure problems recently, MS is starting to force the issue even with Security Defaults off.

TLDR, if you've got any admin role, MFA will be in your face. And that's a GOOD thing!
 

Oh for sure I'm going to enable security defaults after the migration is complete, I just don't understand why my account requires MFA when all that is disabled and there are no conditional access policies setup.

Finally after 5 hours I was able to get MigrationWiz to verify credentials ... this used to be SO MUCH EASIER!!!

It's been a LONG time since I've done one of these because everyone is already on M365 and I was dreading this project. The hardest hurdle in this process has always been getting credentials to verify.
 

Yeah, because you aren't using the API like you're supposed to. BitTitan needs to update their junk.

I think the hurdle here was the fact that Security Defaults was still ON. You can't just flip the switch off and have it go into effect, the propagation delays can get huge.
 
One thing I can say is that the controls for MFA and other things controlled by security defaults are not exposed all that well. At least, some of it's not intuitive. I'd like to be able to disable MFA without nuking security defaults in its entirety. It's rather annoying to provision accounts with it enabled, ESPECIALLY where a lot of hand holding is necessary / special and somewhat nonstandard configuration.

I had to migrate a ton of data into two specific users' OneDrive accounts. Two large datasets that NO ONE else but them need (or should have) access to. They were already starting to push their SharePoint 1TB limit and this would have put them within 100 GB of it. I believe it was possible to do so using an admin account and PowerShell scripts. It was just so much easier through Synology's O365 plug-in. Log in to the user's O365 account through the plug-in, define which folders to sync to their SharePoint, and wait. Great performance as well. MFA was the PITA. So I disabled security defaults for a few days. Did the seeding. Turned it back on.

Would have been nicer to be able to just turn it off one by one, per account, and then flip it back on when seeding for that account was done.

Also had to do this to seed a few Outlook accounts. Sign in to Outlook, add the backup PST I pulled down from Rackspace, let it replicate upwards to the cloud. Rinse. Repeat.
 
@brandonkick The feature you're looking for is called "Conditional Access". It doesn't work with Security Defaults enabled, and it gives the admin fine control over when MFA is required, and when it is not.

You just don't get that for free, you have to have Azure AD Premium P1 to do it, which comes with M365 Business PREMIUM, not basic or standard.
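The two replies above give the same troubleshooting order for an admin account that keeps getting MFA prompts: check Security Defaults, then the per-user MFA state, then any enabled Conditional Access policy whose scope covers the account (by user, role or group) and whose grant controls demand MFA. The script below is an added example, not code from the thread, BitTitan or Microsoft. It evaluates that order offline over JSON shaped like the three Microsoft Graph objects involved (the Security Defaults enforcement policy's `isEnabled`, the user's `perUserMfaState`, and the Conditional Access policy list); those field names, the `disabled`/`enabled`/`enforced` state values, and the Global Administrator role template id are assumptions, and every payload in it is constructed for illustration rather than pulled from a tenant. An empty result is the situation the original poster describes: none of the three switches explains the prompt, which leaves the thread's other explanations (propagation delay after flipping Security Defaults off, or MFA that Microsoft now pushes on admin roles regardless).

```python
"""Triage of why an Entra ID (Azure AD) admin account is prompted for MFA.

Checks, in the order the replies suggest: Security Defaults, per-user MFA,
then Conditional Access. Runs offline over Graph-shaped JSON; every sample
payload below is constructed for illustration, not taken from a real tenant.
"""
from __future__ import annotations

from typing import Iterable

# Global Administrator directory role template id (assumed well-known, tenant-independent value).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"


def _hits(targets: Iterable[str], candidates: Iterable[str]) -> bool:
    """True if any candidate id appears in the target list."""
    target_set = set(targets)
    return any(c in target_set for c in candidates)


def policy_targets_user(policy: dict, user_id: str, role_ids: Iterable[str],
                        group_ids: Iterable[str] = ()) -> bool:
    """Decide whether a Conditional Access policy's user scope covers this user.

    Exclusions win over inclusions, mirroring how CA scope is evaluated.
    """
    users = policy.get("conditions", {}).get("users", {})
    role_ids = list(role_ids)
    group_ids = list(group_ids)
    if user_id in users.get("excludeUsers", []):
        return False
    if _hits(users.get("excludeRoles", []), role_ids) or _hits(users.get("excludeGroups", []), group_ids):
        return False
    include_users = users.get("includeUsers", [])
    if "All" in include_users or user_id in include_users:
        return True
    return _hits(users.get("includeRoles", []), role_ids) or _hits(users.get("includeGroups", []), group_ids)


def policy_requires_mfa(policy: dict) -> bool:
    """True if the grant controls demand MFA (built-in 'mfa' control or an authentication strength)."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    return "mfa" in controls or grant.get("authenticationStrength") is not None


def explain_mfa_prompt(security_defaults: dict, user_requirements: dict,
                       ca_policies: list[dict], user_id: str,
                       role_ids: Iterable[str], group_ids: Iterable[str] = ()) -> list[str]:
    """Return the tenant settings that would force MFA for this user, in check order.

    An empty list means none of the three switches explains the prompt; what is
    left is propagation delay or enforcement applied outside these settings.
    """
    role_ids = list(role_ids)
    group_ids = list(group_ids)
    findings: list[str] = []
    if security_defaults.get("isEnabled"):
        findings.append("security_defaults")
    state = user_requirements.get("perUserMfaState")  # assumed values: disabled / enabled / enforced
    if state in ("enabled", "enforced"):
        findings.append(f"per_user_mfa:{state}")
    for policy in ca_policies:
        if policy.get("state") != "enabled":  # disabled and report-only policies do not prompt
            continue
        if policy_targets_user(policy, user_id, role_ids, group_ids) and policy_requires_mfa(policy):
            findings.append(f"conditional_access:{policy.get('displayName', policy.get('id'))}")
    return findings


# --- Constructed sample payloads (shaped like Graph responses; placeholder ids, not a real tenant) ---
ADMIN_USER_ID = "00000000-0000-0000-0000-00000000aaaa"
SECURITY_DEFAULTS_OFF = {"isEnabled": False}
PER_USER_MFA_DISABLED = {"perUserMfaState": "disabled"}
ADMIN_MFA_POLICY = {
    "id": "policy-1", "displayName": "Require MFA for admins", "state": "enabled",
    "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                             "includeRoles": [GLOBAL_ADMIN_ROLE_ID], "excludeRoles": [],
                             "includeGroups": [], "excludeGroups": []},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
REPORT_ONLY_POLICY = dict(ADMIN_MFA_POLICY, id="policy-2", displayName="Admins MFA (report-only)",
                          state="enabledForReportingButNotEnforced")

if __name__ == "__main__":
    # The thread's situation: everything off and no CA policies, so nothing is found.
    print(explain_mfa_prompt(SECURITY_DEFAULTS_OFF, PER_USER_MFA_DISABLED, [],
                             ADMIN_USER_ID, [GLOBAL_ADMIN_ROLE_ID]))
    # Same account once a CA policy scoped to the Global Administrator role exists: the policy is named.
    print(explain_mfa_prompt(SECURITY_DEFAULTS_OFF, PER_USER_MFA_DISABLED, [ADMIN_MFA_POLICY, REPORT_ONLY_POLICY],
                             ADMIN_USER_ID, [GLOBAL_ADMIN_ROLE_ID]))
```

The report-only policy is deliberately included in the second call to show that it is skipped: only a policy whose `state` is `enabled` produces a finding, and an account listed in `excludeUsers` is never matched even when its role is in `includeRoles`.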
 