
After we forced MFA for all users, the number of hacked accounts dropped by over 99%. (It wasn't quite 100% as we've had one hacked account due to social engineering.)
Microsoft is introducing three Conditional Access policies for sysadmins as it continues to promote the implementation of multi-factor authentication (MFA) in organizations. The trio of optional policies will be automatically deployed to eligible customers' tenants in a report-only mode at first. Customers will have a 90-day …
I wish I could turn on MFA across the entire enterprise.... but OpSec still has this pre-cloud mentality that if the users are on-prem (physically or logically, via a VPN) then they don't need to do MFA..... I have strongly lodged my objections, and am now waiting for the first breach due to a compromised on-prem device.
Also the belief "we don't want to disrupt the C-suite" - ffs, who do you think is a richer target? The CxO or John at the callcentre?
or it was when I was an Azure sysadmin.
You have the conditional access framework which in turn triggers one of the methods of MFA (SMS, email, authenticator, etc).
You turn *on* conditional access, then configure it to use MFA when a condition is tripped.
They are currently trying to phase out SMS - which wouldn't be such an issue if the authenticator app was less of a pain in the arse to set up for users who aren't very IT literate. And the user has to do it (unlike with SMS where the admins can set it up for them).
Not any more, not by default. Microsoft made their own Authenticator app the only way to authenticate through the newish (15th September) "Registration Campaign" in Authentication Methods in AAD/Entra/whatever they call it this week, even for TOTP, certainly for any newly registered accounts.
The generated QR code only works with the Microsoft app and it registers the app to the corresponding user account. You could see this for a few weeks after implementation, because you could see where people were authenticating from in Sentinel (yes - Sentinel was actually tracking personal devices!! since fixed), even when using TOTP, not push!
Interestingly, Microsoft have prevented you scanning the same QR code twice when one account registers through the "campaign" (so multiple people can no longer have the same TOTP code on their devices). More secure, but I bet we're not the only ones who have a real world use for this feature (we have a couple of generic shared accounts, so we want to have the same TOTP on multiple devices).
You can, of course, bypass all this by disabling the registration campaign - at which point the "use other authenticator" link appears again, and the QR codes are just generic TOTP codes rather than Microsoft specific codes.
The reason they're doing this is because they're pushing "Microsoft Managed MFA" and they can't enforce much if they don't control the app that people are authenticating with (+ they almost certainly upload a bunch of "telemetry" from every device the app is installed on, and then sell it - that's the age we live in).
Palebushman: “The 'Five Eyes' were the original members of what is now considered the 'Nine Eyes' partnership. If what is going on or around our planet is important, it's a safe bet these folk will know about it.”
Do the 'Nine Eyes' know about me not cleaning up after my dog poops or am guilty of a "bin crime"?
Everyone agrees that MFA is great for security.
However, spare a thought for the tech who often ends up with a buggered PC and needs to access the users system. Either the device is taken to a remote workshop or it's accessed remotely - but how do you then enter your clients fingerprint or text received on their phone? It may be more secure, but IT Support will suffer.
This doesn't affect any corporate user, because you're not actually storing data on those systems anyway (so the user can be given any other machine in the meantime) and you have full access to the machine.
Remoting into a broken computer where you can't log into it as yourself is definitely a "return to base" issue nowadays.
The whole point of MFA is that you can't pretend to be the user without their cooperation. The whole point of a corporate managed system is that IT don't need to.
"The whole point of a corporate managed system is that IT don't need to."
Yeah, fine in theory - but not always in practice, given the tendency of users everywhere to do what they are not supposed to do (e.g. saving where they shouldn't), and of Microsoft things to often not work as expected (e.g. Sharepoint sync failing).
How much does MS earn from the personal data it sees/tracks when its MFA app is installed on *most* user's personal phones, just because Office 365 says it has to be? Up until the App install point, users are corporate numbers and (relatively) commercially unexploitable. The App is a claw into personal data.
Cynical, and tin-foil hat firmly on perhaps but I don't trust MS as far as I can throw them.
I'm currently debating this with our IT dept. Their own longstanding policy says that I am not allowed to use personal devices for company business. Last week's policy is that I have to install Microsoft Authenticator on my personal phone in order to log in.
Simple answer! They give you a company issued device.
We have a similar policy, we support BYOD, but that BYOD must be controlled to a certain extent by us. You will have MFA, you will use the Outlook app, and you will have our content filtering app installed.
When you leave the company, you will have all company data wiped. Not your personal data.
If they don't agree to this, they can get a company issued phone that won't be as up to date as they may want.
We do similar, but it's a fair amount of hassle - especially the tendency of users to be running some ancient device with an out of support version of Android, then complaining that it doesn't work.
BYOD is one of those things which is getting to be more hassle than it's worth (and it always was a lot of hassle) - we only use it for phones now; used to allow own computers for RDP over VPN into terminal servers, but not any more.
With Microsoft Authenticator, it used to be you'd get a tap on your wrist, and with an already authenticated Apple Watch (for Apple Pay, etc.), one could simply tap "confirm". No idea why they took it away. I prefer to work with my phone in a drawer, or at least out of sight. It was so convenient, user-centric, and well designed that I guess Microsoft just couldn't keep it.
Anyone wearing my Apple Watch and who knows its passcode could log in to my Mac, unless it decides to only ask for password. That’s reasonable ergonomics.
Having to enter a 2FA code for a desktop login every time you go for coffee could be a pain, especially if your phone goes flat. Smart cards would be better if you need that much security.
But 2FA for admin access or for sensitive information access? Sounds reasonable, so long as it works, Microsoft dudes.