TheITDude1,
I see the biggest vector for attack from this to be an attacker pretending to be an IT staffer and asking for credentials. MFA makes those creds useless (mostly). I would also recommend as part of the lasagna to make sure you disable the ability for external people to remote control internal users via Teams.
On the MFA thing, it has been done in targeted attacks: a portal that looks like Azure AD or Okta (or another SSO provider), so that the user goes there and gets prompted; the answer is then provided to the attacker, who then goes to the real logon portal with the OTP.
As a side note, we don't use 3rd-party SSO, we are pure Azure AD and loving it. From Azure AD Proxy for internal apps, to SAML SSO agreements for external. That plus the protections of Azure AD Security AI for risky sign-ins. If you're struggling with Okta for some on-prem web apps, check out Azure AD Proxy.