Forum Discussion
SandroRudin
May 09, 2022 (Copper Contributor)
Multifactor Authentication MFA and Virtual Machines VM
We are a small development company using Office365. For a new project we now want to use some Windows VMs in the cloud. Because Azure integrates nicely with Office365 it seems to make sense to create...
lukemurraynz
May 15, 2022 (Learn Expert)
Ok, so it doesn't sound like per-user MFA is supported.
So you either have to disable user-based MFA (https://www.alitajran.com/disable-mfa-office-365-with-powershell/)
or upgrade your Business Basic to M365 Business Premium licenses to use Conditional Access (and look into Azure Virtual Desktop, which might be more what you are after; the licenses are included in M365 Business Premium). From a security perspective, this is the recommended option.
SandroRudin
May 15, 2022 (Copper Contributor)
I really appreciate if somebody tries to help, but did you ever really read my problem description?
I have disabled company-wide and per-user MFA already, which is why I can log in using the AzureAD credentials. The fact that MFA is not supported is the main cause of all problems.
I know Conditional Access policies can solve the issue, but the price per user per month is unacceptable only to turn off MFA functionality (which is a workaround that I don't even like to do).
Right now the main issue is that every time I open the Azure Portal I get redirected to the MFA setup wizard, which is seriously getting on my nerves and therefore not an acceptable long-term solution.
So again, I appreciate your help and I understand that my description may not be perfectly clear but I do think that I explained more or less what the situation is so please try to address my problems and requirements.
- SergNovak (Sep 17, 2022, Copper Contributor)
SandroRudin It looks like the premium version of AAD is enough only for administrators.
- SandroRudin (May 16, 2022, Copper Contributor)
Ok, so I think I found the problem.
As described above, I have disabled MFA for my account in order to be able to log in to the VMs using the AzureAD credentials. I was then able to log in as desired but got redirected to the MFA setup wizard every time I logged in to some MS website. I then skipped the setup as I expected this would deny login to the VMs again.
I now realized that this MFA setup was for another organization where I was added as an external user. This organization still has company-wide MFA required and therefore I was bothered with the setup at every login. I now completed the MFA setup process and it really only requires it for that company and not for my own company, so login to the VMs is still possible. I have to admit that I find this behavior quite confusing as it is nowhere shown for what organization you are setting up MFA.
Therefore my main problem is solved now. I would prefer to enable MFA and disable it only for RDP, or even better enable it everywhere, but unfortunately this seems to be too complicated. If a simple solution pops up please let me know.
- SandroRudin (May 16, 2022, Copper Contributor)
So I open your link or go to Azure Portal, "View account", "Update security information" and I get stuck in an endless loop.
To be more precise: I open the Azure Portal (redirect to MFA setup, skip), then "View account" (redirect to MFA setup, skip), then "Update security information" and then redirect to MFA setup, skip, redirect to MFA setup, skip, ...
I have no idea what MS is thinking...
- lukemurraynz (May 16, 2022, Learn Expert)
Sorry, I don't know; you may need to open a support case with Microsoft to check the setting on the Tenancy.
I just did some testing after disabling Security Defaults and removing any authentication information from my user account (https://account.activedirectory.windowsazure.com/Proofup.aspx). It is allowing me to log in with no prompts.
- SandroRudin (May 15, 2022, Copper Contributor)
As I said three times already, I have turned off company-wide MFA, which is why I can remove MFA from my account, which is why I can log in. The redirect to the wizard is still popping up every time I log in to Azure portal and I can then just skip setup on the first step.
- lukemurraynz (May 15, 2022, Learn Expert)
1. Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
2. Browse to Azure Active Directory > Properties.
3. Select Manage security defaults.
4. Set the Enable security defaults toggle to No.
5. Select Save.