Forum Discussion
Jake Jacobs
Aug 05, 2020 Copper Contributor
Common Area Phones and MFA
Doing a project that has 77 CAPs. Need to be able to sign them in in the most efficient way. I tested one manually and the account has MFA required (Note, I am not the AD account control person). ...
Aug 05, 2020
Hi Jake Jacobs,
I would recommend this article by Jeff Schertz:
http://blog.schertz.name/2020/04/common-area-phones-in-microsoft-teams/
It's probably the most comprehensive guide that there is out there in terms of a play-by-play for setting up CAP. CAP does support MFA; however, you would make the decision about applying MFA to CAP, and I guess this would largely depend on the setup of the user accounts. Personally, I would go ahead with it, then log in to https://login.microsoft.com and ensure all the user mailboxes associated with CAP are tied to a mobile device which has Authenticator, which should make that easy. As stated in the article, Intune isn't recommended as it adds little value in this scenario, and there is no remote management as you have to actually be at the device to log in, so it will be a case of signing in one by one. The good thing about this article is that it's very methodical, in that the CAP policies are set up from the start via PowerShell and the TAC, the users set up, licences and numbers applied, then policies applied via PowerShell, so a lot of this can be done en masse via PowerShell.
Hope that helps and answers your question.
Best, Chris
Jake Jacobs
Aug 05, 2020 Copper Contributor
Thanks. That's the article I have been looking at.
The front end of the process is easy and already completed. It is the signing in 77 CAP phones that is the tedious part.
So if they have MFA, each phone account will need a cell associated with it. 77 times.....
Doesn't sound like MFA is efficient for these.
Aug 05, 2020
Hi Jake,
That's right. It is a bit of legwork; however, it's really taking into account how far you think MFA is going to benefit. The article doesn't explicitly mention it; it's in the FAQ, so Jeff doesn't think so. I know some that have and others that haven't. If you don't think you need it, disable it. If you do, then I would recommend tying all those users to a single cell if you can, which will make it easy to work with MFA if you have Authenticator. Some orgs would say that MFA is absolutely necessary because those logins can essentially be accessed over the web unless you apply something like Conditional Access on them. Others would say it's not. I think the important thing here, like in the article, is restricting sign-out so users can't actually log out of the devices, which is potentially the bigger risk here.
Best, Chris