Forum Discussion
Azure AD Connect sync account MFA support
VasilMichev... Thanks. Do you know if it is documented somewhere that the AAD Connect Sync account must be excluded from MFA?
Also, do you know much about ADFS? https://techcommunity.microsoft.com/t5/Azure-Active-Directory/AAD-Connect-staging-mode-and-ADFS-configuration/m-p/689450#M2959
I'm not aware of any article explicitly mentioning the MFA requirement. However, this article describes how the account is provisioned and the type of credentials used: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#azure-ad-connector-account
- Raymond Rothengatter, Jul 30, 2019, Copper Contributor
Hi All,
From 1 August, MFA needs to be enabled on ALL Microsoft Partner tenants:
https://docs.microsoft.com/nl-nl/partner-center/partner-security-requirements
When I read this, we cannot use Conditional Access anymore:
Once these requirements are technically enforced every single authentication must have an MFA challenge. You will not be able to use any feature of conditional access to avoid authenticating using MFA when access Microsoft commercial cloud services.
How are we supposed to combine this?
- Darren_BL, Aug 16, 2019, Copper Contributor
This is the exact issue I am facing. CSP partners are required to have MFA enabled on 100% of accounts, but Azure AD Connect does not seem to support the Azure AD Application Graph, which would allow it to work with MFA enabled?
With other applications (Veeam for Office 365, for example) I would open:
Azure Active Directory
App Registrations
New Registration
Then as part of the registration give it the "App Permission" of "Microsoft Graph" and the sub-permissions that it needs.
I'm not finding any documentation from Microsoft for AD Connect to indicate that they support their own MFA-Compliant method of performing this.
I've opened a support case with the Partner Center, but I'm hoping that someone has already figured out how to make this work. If they cannot come up with a way to make AD Connect work with an MFA-enabled account, then I'm hoping that they will carve out an exception, because they are telling partners that we will no longer be able to transact with Microsoft if we are not 100% MFA enabled.
- Darren_BL, Aug 23, 2019, Copper Contributor
OK, here's what I found out from my support case.
As of August 2019, there are now two forms of MFA policy:
1. User-specific MFA
Enabled through the https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx page.
2. Azure Active Directory Conditional Access - Policies
Accessed via https://aad.portal.azure.com/
Click "Azure Active Directory"
Click Conditional Access
Then enable these policies:
- Baseline policy: Require MFA for admins (Preview)
- Baseline policy: Require MFA for Service Management (Preview)
The techs on the call are saying that if #2 is enabled, then you do not need to enable MFA at the end-user level, because the policy will be enforced for the things that they care about.
The techs all agreed that the documentation on the partner site (https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq?branch=isaiah%2Fsecurity-requirements-update) was inadequate to make this distinction and they included a documentation person on the call to make notes and take screen shots of the changes required to clarify the policy.
We also confirmed for the tech (and took Fiddler traces of) the Azure AD Connect logs when #1 user-level MFA is enabled on the account used by AD Connect, proving without a doubt that the user-level setting being enabled will break AD Connect and that disabling it fixes AD Connect.
Finally, we also reviewed the fact that the Microsoft Security Score site is not paying attention to the Baseline Policy settings when calculating your security score. They plan to reach out to the Security Score team to have them update the score settings when the policy is configured.
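As an added example (not code from the thread or from Microsoft), the PowerShell below audits an Azure AD Connect sync account against the two MFA mechanisms the post above distinguishes: the per-user ("user-specific") MFA setting that was shown to break AD Connect, and Conditional Access policies that might target the account. It assumes the MSOnline and AzureADPreview modules are installed and that Connect-MsolService and Connect-AzureAD have already been run with sufficient rights; the `Sync_` prefix is the default naming convention for the AAD Connect sync account, so adjust it for your tenant. Role-based policy targeting (IncludeRoles) is not evaluated here and is flagged as a caveat in the code.

```powershell
# Added example: audit the AAD Connect sync account for per-user MFA and for
# enabled Conditional Access policies that would require MFA for it.
# Assumptions: MSOnline + AzureADPreview modules, already connected with
# Connect-MsolService and Connect-AzureAD. The sync account prefix "Sync_"
# is the AAD Connect default (Sync_<server>_<id>@<tenant>.onmicrosoft.com).
function Test-AadConnectSyncAccountMfa {
    param(
        [string]$SyncAccountPrefix = 'Sync_'   # hypothetical parameter name
    )

    $findings = @()

    # Sync accounts created by AAD Connect start with the prefix; -SearchString
    # matches the start of the display name or UPN.
    $syncUsers = Get-MsolUser -SearchString $SyncAccountPrefix |
        Where-Object { $_.UserPrincipalName -like "$SyncAccountPrefix*" }

    if (-not $syncUsers) {
        return [pscustomobject]@{ Status = 'NotFound'; Findings = @() }
    }

    # Enabled CA policies only; report-only and disabled policies do not block sign-in.
    $policies = Get-AzureADMSConditionalAccessPolicy |
        Where-Object { $_.State -eq 'enabled' }

    foreach ($u in $syncUsers) {
        # 1. Per-user (legacy) MFA. StrongAuthenticationRequirements is empty
        #    when per-user MFA is disabled; otherwise State is Enabled/Enforced.
        $perUserState = $u.StrongAuthenticationRequirements.State
        if (-not [string]::IsNullOrEmpty($perUserState)) {
            $findings += [pscustomobject]@{
                Account = $u.UserPrincipalName
                Source  = 'PerUserMFA'
                Detail  = "Per-user MFA is '$perUserState'; AAD Connect sync will fail"
            }
        }

        # 2. Conditional Access. Resolve the account's group memberships so
        #    group-scoped policies are caught as well as user-scoped ones.
        $groupIds = @((Get-AzureADUserMembership -ObjectId $u.ObjectId).ObjectId)

        foreach ($p in $policies) {
            $users = $p.Conditions.Users
            $includedByUser  = ($users.IncludeUsers -contains 'All') -or
                               ($users.IncludeUsers -contains $u.ObjectId)
            $includedByGroup = @($users.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0
            $excludedByUser  = $users.ExcludeUsers -contains $u.ObjectId
            $excludedByGroup = @($users.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0
            $requiresMfa     = $p.GrantControls.BuiltInControls -contains 'mfa'

            # Caveat: IncludeRoles (role-scoped targeting) is not evaluated here.
            if (($includedByUser -or $includedByGroup) -and
                -not ($excludedByUser -or $excludedByGroup) -and $requiresMfa) {
                $findings += [pscustomobject]@{
                    Account = $u.UserPrincipalName
                    Source  = 'ConditionalAccess'
                    Detail  = "Policy '$($p.DisplayName)' requires MFA and does not exclude this account"
                }
            }
        }
    }

    $status = if ($findings.Count -eq 0) { 'OK' } else { 'MfaWouldBlockSync' }
    return [pscustomobject]@{ Status = $status; Findings = $findings }
}

# Usage:
$result = Test-AadConnectSyncAccountMfa
$result.Status
$result.Findings | Format-Table -AutoSize
```

A `Status` of `OK` means neither mechanism will challenge the sync account; any `PerUserMFA` finding reproduces the breakage described in the post, and a `ConditionalAccess` finding names the policy that needs an exclusion for the account. The check is read-only and can be re-run after each policy change.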