Why doesn't MFA and the Azure Security Defaults make sense?

thecomputerguy

When you create a new office 365 tenant by default the Azure security defaults are enabled. Those defaults require MFA to be enforced 14 days after account creation.

But where I'm confused is if, in the admin center, you select users then "Multi-Factor Authentication" it is not enabled. So essentially MFA is enabled but it doesn't show up in the MFA section under users.

I know you can disable the Azure security defaults, then enable the MFA through Admin Center > Users

But why is there an inconsistency here?

@Sky-Knight
 
I disable security defaults, because if you don't that MFA Admin screen means exactly jack, other than you can use it to configure what sort of MFA you can use.

So I turn that crap off, so I can turn it on again for all the accounts, but have the option of disabling an account if I need to use it without MFA.
 
Two areas to manage it.
Site wide is more through Azure...conditional access. Pretty cool, such as define it for web access only, or exclude certain IP addresses (like the WAN IP of the office).
Or...individually via...mangle users...mfa.

Yes, 1x at a time via individual users is immediately easier
But conditional access is really the better way to go.
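An added example (not from any poster in this thread) of the Conditional Access setup described above, done with the Microsoft Graph PowerShell SDK: a trusted named location for the office WAN IP and an MFA policy that applies to browser sign-ins from everywhere else. The display names, the office address (an RFC 5737 documentation address), and the break-glass account placeholder are assumptions; the cmdlets and the policy schema are the real Graph ones. It also shows the check that trips people up: security defaults and Conditional Access policies are mutually exclusive, so the defaults have to be off before the policy can be created.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph module and
# an account holding Policy.Read.All and Policy.ReadWrite.ConditionalAccess.
# Display names, the office IP and the break-glass object ID are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Security defaults and Conditional Access cannot coexist in one tenant.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Warning "Security defaults are on; turn them off first with:"
    Write-Warning '  Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false'
    return
}

# 2. Trusted named location for the office WAN IP (placeholder address).
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office WAN"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" }
    )
}

# 3. MFA for all users, browser sign-ins only, skipped when coming from the
#    office. Created in report-only state so the sign-in log shows what the
#    policy *would* have done before anyone is locked out. The break-glass
#    account is excluded so an MFA outage cannot lock every admin out.
$policy = @{
    displayName = "Require MFA - browser - outside office"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @("00000000-0000-0000-0000-000000000000")  # placeholder: break-glass object ID
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($office.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in report-only mode"

# 4. Once the report-only results look right, enforce it.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Two caveats a practitioner would want here. Scoping the policy to `browser` only, as the post describes, leaves desktop and mobile clients unprompted; most tenants add `mobileAppsAndDesktopClients` to `clientAppTypes` unless there is a specific reason not to. And excluding the office IP means anyone who can reach the internet through that address, including a compromised machine on the LAN, signs in without MFA, so the trusted-location exclusion is a convenience trade-off rather than a neutral setting.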
 
Except Conditional Access only works for E level subs. The mere mortals I support don't buy that.
 
I believe it is Azure AD P1 that gets you Conditional Access. Which means that Business Premium will also have it.

That MFA admin portal is problematic because it is only accessible by the global admin. You need your global admin to be involved in any onboarding.

I have not seen a need yet for any account not to have MFA.
 
Off topic but it's pretty bad that when I saw MFA in the title I assumed it stood for Medicare For All instead of Multi-Factor Authentication. I guess I'm just used to seeing it as 2FA.
 
2FA = 2nd Factor Authentication.
MFA = Multi-Factor Authentication.

All 2FA is MFA, but not all MFA is 2FA. So it really boils down to the context. M365 can be authenticated by just the authenticator if you want it. The "password" is reduced to a pin, and then you push the button. You can also with the right setup require a password, pin, AND the authenticator. But functionally, the terms are generally interchangeable.

@trevm999 Not all employees have smart phones. And employers are not able to force employees to get them, nor are all employees OK with tossing the authenticator software on their personal devices, nor are employers allowed to force that either. You're right, everyone should be MFA'd, but you have to have the option to not... and if you're not on Premium or better... the only option you have is to disable security defaults, and use the MFA window to configure it per login.

The bit that I don't understand is your concern about the global admin. Of course the global admin is involved with any onboarding... that's a given. How else does one onboard?
 
You can buy devices you can program to generate someone's OTP for $10. That's our plan if anyone objects.

If you're practicing least privilege, then you don't want every admin to have full keys to the kingdom on every tenant. User admin is enough for onboarding if you have AAD Basic. If not, then the admin will also need Licence Admin. Except for enforcing MFA.
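An added example (not from any poster in this thread) of what a "programmable OTP device" actually holds and does, in plain PowerShell with no modules. A TOTP fob, the authenticator app and the server all share one secret and run the same RFC 4226 / RFC 6238 computation; programming the fob just means loading that secret (normally the Base32 string from the enrolment QR code) into it. The block uses the RFC test secret `12345678901234567890` so the codes can be checked against the published vectors, and includes the verification-side drift window, which is what decides how much a fob whose clock is wandering (the battery-life complaint later in the thread) can get away with. It also covers the HOTP counter variant that comes up later.

```powershell
# Added example, not from the thread. Pure PowerShell (5.1 or later).
# The secret below is the RFC 4226 / RFC 6238 test vector secret, not a real one.

function ConvertFrom-Base32 {
    # Decode the Base32 form used in otpauth:// URIs and on enrolment QR codes.
    param([Parameter(Mandatory)][string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Text.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $v = $alphabet.IndexOf($c)
        if ($v -lt 0) { throw "Invalid Base32 character '$c'" }
        $bits += [Convert]::ToString($v, 2).PadLeft(5, '0')
    }
    $out = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $out.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return $out.ToArray()
}

function Get-Hotp {
    # RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation.
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][long]$Counter,
        [int]$Digits = 6
    )
    $msg = [BitConverter]::GetBytes([long]$Counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hash = [System.Security.Cryptography.HMACSHA1]::new($Secret).ComputeHash($msg)
    # Low nibble of the last byte picks a 4-byte window; top bit is masked off.
    $offset = $hash[19] -band 0x0F
    $code = (($hash[$offset] -band 0x7F) -shl 24) -bor
            (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
            (($hash[$offset + 2] -band 0xFF) -shl 8) -bor
            ($hash[$offset + 3] -band 0xFF)
    $mod = [long][math]::Pow(10, $Digits)
    return ($code % $mod).ToString().PadLeft($Digits, '0')
}

function Get-Totp {
    # RFC 6238: HOTP with the counter set to floor(unixTime / period).
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Period = 30,
        [int]$Digits = 6
    )
    return Get-Hotp -Secret $Secret -Counter ([math]::Floor($UnixTime / $Period)) -Digits $Digits
}

function Test-Totp {
    # Server-side check: accept codes from +/- $Window steps to tolerate a
    # fob whose clock has drifted a little. A bigger window means an attacker
    # who captures a code has longer to replay it, so keep it small.
    param([byte[]]$Secret, [string]$Code, [long]$UnixTime, [int]$Window = 1, [int]$Period = 30)
    foreach ($skew in (-$Window)..$Window) {
        if ((Get-Totp -Secret $Secret -UnixTime ($UnixTime + $Period * $skew) -Period $Period) -eq $Code) {
            return $true
        }
    }
    return $false
}

# --- demonstration against the RFC vectors ---
$secret = [Text.Encoding]::ASCII.GetBytes('12345678901234567890')
# RFC 4226 Appendix D: counters 0, 1, 2 give 755224, 287082, 359152
0..2 | ForEach-Object { "HOTP counter $_ : $(Get-Hotp -Secret $secret -Counter $_)" }
# RFC 6238 SHA-1 vectors (last six digits): T=59 -> 287082, T=1111111109 -> 081804
"TOTP at T=59         : $(Get-Totp -Secret $secret -UnixTime 59)"
"TOTP at T=1111111109 : $(Get-Totp -Secret $secret -UnixTime 1111111109)"
# Same secret as it would appear on an enrolment QR code, round-tripped through Base32
$b32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
"Base32 round-trip OK : $((((ConvertFrom-Base32 $b32) -join ',') -eq ($secret -join ',')))"
# Drift: a fob 40 s slow at T=1111111109 is one step behind, still inside the window
"Drifted fob accepted : $(Test-Totp -Secret $secret -Code (Get-Totp -Secret $secret -UnixTime 1111111069) -UnixTime 1111111109)"
# ...but 100 s slow is three steps behind and gets rejected
"Dead-battery fob     : $(Test-Totp -Secret $secret -Code (Get-Totp -Secret $secret -UnixTime 1111111009) -UnixTime 1111111109)"
```

The point for this thread is that nothing in the computation needs a phone: a fob, an app, or a script like this one all produce the same code from the same secret, so a programmable token enrolled through the ordinary authenticator-app flow looks identical to the service. That matters because Microsoft's own hardware OATH token path, where an admin uploads the seeds, was documented as needing Azure AD Premium P1 or P2, the very licence the smaller tenants in this thread do not have.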
 
Well it was this one that I had in mind https://www.amazon.ca/Programmable-One-time-Password-SAASPASS-Services/dp/B0797DYDKW
Though it seems no longer available and I'm not seeing anything else quite as cheap at the moment.

Dang... those would solve the problem quite nicely and at that price even my cheap skate clients wouldn't complain. It's certainly a better option than having an authenticator running on the desktop. But given that product doesn't exist on hypersecu.com anymore... I'm thinking there were issues.

I also hadn't realized the generic TOTP fobs had gotten so cheap. I'm going to have to look into those.
 
Sounds like they had issues with battery life.
 
I'm also being told that using a FIDO2 key doesn't require AAD P1
That is correct, you can use YubiKeys without AAD P1. And HOTP devices while really cool, and MUCH BETTER than anything else we've discussed here for a ton of reasons... are still rather expensive. Not to mention the absolute HORDE of adapters the user winds up needing to plug that thing into every device they need to login with.
 
Free samples from hypersecu arrived today, I'll try to post a review this weekend. Looks like the HyperOTP are $11 CAD
 
Whatever happened to this?
Well they sent me some HyperOTP and a HyperFIDO. I don't think they had the HyperOTP programming tool downloadable at the time, so I never really tested them out. They seem pretty solid though, my child liked playing with them. Maybe I should try them again, but I'm not sure if my laptop has NFC.

Connecting the HyperFIDO to something also got on the TODO, but haven't done it yet.
 
I've since started turning security defaults on, unless a tenant specifically needs them off. Phone enrollment is easier, phone sign-on is amazing.

Still don't really have a good option for places that don't have their own smart phones.
 