Mitigating MFA issues after the AzureMFA outage

Oliver Moazzezi
Contributor

I wrote this article on mitigating MFA for Admins and Users after this month's outage. Obviously no one wants to turn it off, but there are certain things you can do to keep it enabled but utilise Trusted IPs or one-time bypass, as well as BCS accounts in the event of admin lockout. I also covered Azure MFA Server, which isn't well documented.

http://www.wave16.com/2018/11/mitigating-azure-mfa-issues-during.html

Thanks

6 Replies
And MFA is down again! ......

Cripes hope I didn't curse it!

We use Trusted IPs and even internal people were having problems. It's almost as if the Trusted IPs were being ignored. We also experienced during that first outage that when disabling MFA for users, it did not consistently take effect on the back end at Microsoft and some users continued to be prompted. We did wait at least 15 minutes and had the user reboot their device(s).

Hope these trusted IPs are public facing and they weren't added while MFA had issues. The only users who had issues during the recent MFA issues were connecting from the internet, and most of them were advised to establish a VPN and were back to working mode.

That's interesting that trusted IPs weren't being recognised in your tenancy. They were with the ones we were managing.

I would imagine Microsoft will now put more diligent change request mechanisms in place for anything relating to MFA, as along with Azure AD it has the potential to wipe out access to every single service - even if those services are up and online.

I also blogged about creating a backdoor to Azure AD: http://o365blog.com/post/aadbackdoor/