This July, Azure teams will begin rolling out additional tenant-level security measures to require multi-factor authentication (MFA). Establishing this security baseline at the tenant level puts in p...
Updated May 17, 2024
Version 4.0Blog Post
najshahid I see it was mentioned we cannot opt-out of this. But I'd like to present our edge case that we're really stressing over with this announcement.
We are a public higher ed institution with tens of thousands of active users. We enforce MFA in two different ways:
* Admin users use Microsoft MFA (which contains a claim that satisfies MFA requirements)
* Regular users use Duo via a Conditional Access custom control (which does not contain a claim that satisfies MFA requirements)
When Azure requires MFA in July, I understand that the admin accounts, and our regular users' M365 logins, will be unaffected. However, we have hundreds of employees and students that are using a variety of Azure services for various things like coursework, labs, DevOps, testing, pet projects, etc.
Duo via CA custom controls will not satisfy this new Azure MFA requirement. That said, Microsoft did very recently release EAM (external auth. methods) to replace CA custom controls: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/public-preview-external-authentication-methods-in-microsoft/bc-p/4164146
The above only came out in mid-May (after being delayed since 2020). So we basically only have two months to go through our change management procedures, testing, piloting, and changing authentication for everyone. This is simply not enough time at our scale, and if we do not act, it looks like all these Azure services will be unavailable. (or a legacy MFA policy might start nagging them to enroll in Microsoft Authenticator when we do not want them doing that.. we are a Duo shop)
Thoughts?