Upcoming Conditional Access change: Improved enforcement for policies with resource exclusions
Already active here on some CA rules. This is the worst decision from Microsoft in a long time.
We have tens of thousands of floor workers with no MFA method. They use some custom Microsoft apps, and we tried to use custom apps fully, with permissions and everything, acting as the signed-in user.
It seems that for those users (and for B2B users) we will have to drop MFA by default, as we can't exempt individual apps, and maybe move to enforcing MFA on specific apps only, if that will work? Or strip Microsoft Graph from the MFA requirement for most users. This really will lower security.
I can see one more workaround: a custom multifactor strength that includes password (aka single factor), targeting some users. But if we need to put it on Microsoft Graph, things are really bad.
Please show me the considerations/user story for floor employees accessing a custom application from a personal device at home, with no MFA and no access to company-confidential data (say a non-public intranet). We generally require MFA for other things. And some floor workers might have mail, where we require MFA, so they would be MFA-ready. Do you think we can/will micromanage group memberships to control this?
How about B2B? Some have higher permissions and directory roles and need phishing-resistant MFA; others need just a password. Again, will our security then depend on our ability to micromanage groups, rather than exempting the few apps with low security requirements?