Re: MFA
It's much worse than that. Microsoft's MFA is a total and complete mess. Around here, this is the situation:
If you connect to the company intranet or to company email from a company workstation on the company network, no MFA needed. Basically, if you're already inside the perimeter you're assumed to be good to go. I'm sure that there are those who can see a problem with this.
If you connect to the company intranet or to company email from a company laptop on the company network, same as above. Once again I'm sure that there are those who see a problem or two.
If you connect to the company intranet or to company email from a company laptop but not on the company network, you need to run MFA. The MFA is connected to the Microsoft Authenticator app, available for iOS and Android but not, I think, for WinPhone; gee, I wonder why. If you lose the device with the MS Authenticator app, you're outta luck until you can get IT security to reconfigure the system to allow for a new app. Please note that if you download MS Authenticator onto several devices, only _one_ can be used to authenticate, so if you have two phones or a phone and a tablet, no, you _can't_ authenticate with the other one if you lost the primary. You must reauthenticate every 24 hours.
If you connect to the company intranet or to company email using a personal laptop on the company network, that laptop must be added to Active Directory and then functions as though it were a company laptop.
You can't connect to the company intranet using a personal laptop which has not been blessed by IT. You can connect to company email. You need to use MFA, and you must reauthenticate every 24 hours.
You can't connect to the company intranet using a tablet, company or personal. Connecting to the company network requires installing the MDM and being blessed by IT. On the network you don't need MFA and can connect to the company email at will. Away from the network you need to use MFA, again every 24 hours... except if the MS Authenticator is on the same device which you're trying to use to read email, in which case you NEVER HAVE TO USE MFA EVEN ONCE. Looks like a giant security hole to me.
"Connecting to company email" means using OWA or a dedicated mail client such as MS Outlook, Thunderbird, or Apple Mail. Apparently Microsoft Mail need not apply. If you change the password on the mail system, all that happens on a tablet when using any client, OWA, Outlook, Tbird, Mail, anything else, is that you have to update the password there. You still never have to enter MFA if you're using a device which has the MS Authenticator installed. On a personal laptop, you must run the MFA as soon as you change the password, but then you're good for another 24 hours. On a company laptop, if you change the password while connected to the company network you're good. On a company workstation, you're good.
If I wanted to screw with the company I'd use a personal laptop which was not blessed by the company, or a tablet, again not blessed. Or I'd take a company laptop out, do things to it, then bring it back and connect to the network. Or just do things from a company workstation. Because IT security makes everyone change their passwords every 60 days and mandates 'complex' passwords, people write down passwords, so it is trivial to 'borrow' someone else's login creds and use a workstation other than your own.
I'm waiting for the explosion.