MS started enabling the "security defaults" for all tenants here right around Christmas, and I had my clients' staff (contractors, not even employees) complaining about having to install an app for that one client etc. Time I can't really charge my clients with my current setup. I just charge them hourly for stuff that I "do" for them, but it gets really fuzzy when I need to spend weeks researching something like this, only to click a couple of buttons in the end. I'm basically a small time MSP-like support person for a few small businesses. It would cut out 5% of my weekly tasks and 50% of my frustration. Yes, if it were up to me, I would relinquish their mobile access entirely. I'm finding that a handful don't even log into their email more than once a year (if that). This is on top of the struggle to get a dozen or more people a month just to remember their passwords. Now I just have to figure out how to push a hundred+ people (a large portion, low skilled laborers) to migrate to Auth App in the coming months. Regardless, it seems Auth Apps are the only option so I've updated our security policies to reflect this required process going forward. The only evidence I have to support my argument is all the time and money it's cost this international multi million dollar company for sticking to their old school mom-and-pop ways. These are older people with big egos who push back against any minor inconvenience. I'm struggling to convince management, the people directly responsible for our server being held ransom possibly due to mobile phone spoofing, to commit to MFA at all. Also avoid push notifications, because people will just randomly approve things even if they're not actively trying to authenticate for some stupid reason. If your users are too stupid to be able to open an app every 30 days and tap a code to copy/paste it, they shouldn't have mobile access. SMS auth is better than no auth, but is ultimately a bad idea. 
From there she could have asked for all kinds of things to be able to monitor or take over any of our numbers. That's how easy it is to take over a mobile plan. I literally asked them how they knew I was CisoPollo and the rep said "AP Admin said you were." I kid you not. She only had to supply our account number at the beginning of the call and they took zero steps to validate I was really the person they were supposed to get approval from. She conferenced me in, they asked "Is it OK if AP admin makes changes to your account", I said yes and they disconnected. They needed to confirm she was allowed and asked if I was available to approve the changes. The other day my AP admin was calling into Verizon to fix some billing issues. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults. After the 14 days have passed, the user can't sign in until registration is completed. Users have 14 days to register for Azure AD Multi-Factor Authentication by using the Microsoft Authenticator app. Unified Multi-Factor Authentication registration: All users in your tenant must register for multi-factor authentication (MFA) in the form of the Azure AD Multi-Factor Authentication. So, if you could tell me how to otherwise automate enforcing MFA via SMS, that would suffice. I'm trying to automate the new user creation process with PowerAutomate so this manual step is a roadblock to my workflow. Ultimately, I'm just trying to avoid having to go to the MFA portal ( ) to enforce MFA every time I create a new user - without having to pay to upgrade to Azure AD Premium. I do have strongly worded documentation written up to convince users to switch to the app if they so choose. The majority of our team isn't very tech savvy so I question if they're capable of installing and understanding how to use an MFA app.
It seems as though enabling Security Defaults (Azure Active Directory > Properties > Manage Security Defaults > Enable Security defaults) requires MFA through an authentication app.