Prepare for Microsoft 365 mandatory MFA

Back in August 2024, Microsoft announced that they were improving the security of their online services by requiring Multifactor Authentication (MFA) for any account accessing admin portals. Research shows that applying MFA can block more than 99.2% of account compromise attacks, so you can see why they want this in place.

Although technically this is something they need customers to put in place, we know that not all customers administer their own infrastructure, so in some instances this falls on Partners to implement.

Access to Azure, Entra, and Intune portals will require MFA in the second half of 2024 (October 2024), with more portals in ‘Early 2025’. Now is the time to examine all of your customers’ accounts to ensure MFA is in place, especially for accounts that will be used to access the portals mentioned in the original Microsoft blog post. 

What do I need to do?

The steps you need to take in order to meet this requirement differ, depending on the licensing in place. With this in mind, I recommend you go through the ‘Research and Configure Multifactor Authentication’ Workflow which is included in SkyKick Security Manager.

  • Follow through the workflow to collect information on your customers.
  • ‘Get Microsoft 365 MFA Status Report’ command will check all possible MFA configuration methods for each user and see if they are registered, i.e. have been through the process to set up MFA. It’s worth noting that we recently updated this command so you can now exclude Exchange Online Service Accounts.
  • ‘Get Microsoft 365 Organizational Info Report’ command will help you understand Entra ID licensing and if Secure Defaults is applied.
  • ‘Get Conditional Access Policies Report’ will help you understand what, if any, conditional access policies are configured and possibly need updating.
  • ‘Enable or Disable Microsoft Entra ID Secure Defaults’ command will help you enable/disable Secure Defaults across customers. Change this based on the Entra ID licensing they have available, as discussed above.
  • Use the next few commands in the workflow to create various Conditional Access Policies depending on the licensing available and how strict you want to be. Perhaps start with ‘Create Conditional Access MFA for Administrators Policy’, assuming all of the people that need to access the portals currently also have an admin role assigned.

Here are a few hints and tips for you while running through the workflow:
  • Look out for users that either don’t have MFA configured or have it configured but not Registered. These are the people to work on if they need access to the portals after October 2024.
  • If in ‘Get Microsoft 365 Organizational Info Report’ you find Entra ID licensing is Premium P1 or P2, the recommended method for applying MFA is Conditional Access. If the Entra ID licensing is Free then configure MFA via Secure Defaults.
  • Many of the ‘Create Conditional Access… Policy’ commands have a section to allow you to update existing policies. If you discover the customer already has them but they need to be amended, use this option.
  • Use Run Options in the command to switch between applying generic settings across multiple customers or more detailed settings per customer.
  • Run ‘Get Microsoft 365 MFA Status Report’ at the end of the workflow to check all the changes have been applied. It’s also a good idea to do this so you have a log of both before and after the change to refer to at a later date if required. 
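
The licensing and registration hints above, expressed as an added PowerShell example (it is not SkyKick Security Manager code and not part of the original post). The function name Get-MfaReadiness is hypothetical, the sample users are constructed, and the Graph cmdlets named in the comments assume the Microsoft.Graph PowerShell SDK is installed and connected.

```powershell
# Added example, not SkyKick code. Property names follow Microsoft Graph's
# userRegistrationDetails resource; for live data (assumes the Microsoft.Graph
# PowerShell SDK is installed and connected) the three inputs come from:
#   Get-MgReportAuthenticationMethodUserRegistrationDetail -All
#   (Get-MgSubscribedSku).ServicePlans.ServicePlanName
#   (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
function Get-MfaReadiness {
    param(
        [object[]]$Users,
        [string[]]$ServicePlanNames,
        [bool]$SecurityDefaultsEnabled
    )
    # AAD_PREMIUM is Entra ID P1, AAD_PREMIUM_P2 is Entra ID P2.
    $premium = @($ServicePlanNames | Where-Object { $_ -in 'AAD_PREMIUM', 'AAD_PREMIUM_P2' }).Count -gt 0
    $method  = if ($premium) { 'ConditionalAccess' } else { 'SecurityDefaults' }

    # Conditional Access policies cannot be turned on while security defaults is enabled.
    $action = if ($premium -and $SecurityDefaultsEnabled) {
        'Disable security defaults'
    } elseif (-not $premium -and -not $SecurityDefaultsEnabled) {
        'Enable security defaults'
    } else {
        'No change'
    }

    # Users who have not registered a method are the ones to work on; admins are listed separately.
    $pending = @($Users | Where-Object { -not $_.IsMfaRegistered } | Sort-Object UserPrincipalName)
    [pscustomobject]@{
        RecommendedMethod      = $method
        SecurityDefaultsAction = $action
        AdminsNotRegistered    = @($pending | Where-Object { $_.IsAdmin }).UserPrincipalName
        OthersNotRegistered    = @($pending | Where-Object { -not $_.IsAdmin }).UserPrincipalName
    }
}

# Constructed sample tenant: Free licensing, security defaults off.
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'globaladmin@customer.example'; IsAdmin = $true;  IsMfaRegistered = $false }
    [pscustomobject]@{ UserPrincipalName = 'helpdesk@customer.example';    IsAdmin = $true;  IsMfaRegistered = $true  }
    [pscustomobject]@{ UserPrincipalName = 'sales@customer.example';       IsAdmin = $false; IsMfaRegistered = $false }
)
Get-MfaReadiness -Users $sampleUsers -ServicePlanNames @('EXCHANGE_S_STANDARD') -SecurityDefaultsEnabled $false
```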

The clock’s ticking so sign into SkyKick Security Manager today and start running the Research and Configure Multifactor Authentication workflow to understand how this will affect your customers.
