Hey y'all, Mark back for another quick MFA (multi-factor authentication) mailbag. Now I know what you might be thinking: another MFA mailbag? Where are the others? Didn't you just start this up? Well, you might not know that we've done 20+ mailbag posts over the last few years that made it through various blog platform moves. You can find all of the previous ones here, and there is some really good stuff in there. Check out the back catalog. The topic we've covered most, however, is MFA--let's keep that train rolling.
Question: I've followed best practices and enabled MFA for all my admins, but now we can't log in to anything via PowerShell. How do we leave Azure MFA enabled but still use PowerShell?
Answer: You have old PowerShell cmdlets that need some updating.
Question: I'm protecting access to my admin accounts by using MFA [good decision there! -editor], is there any guidance on how I should set up an admin account to be able to access my tenant in a break glass/disaster scenario?
This tells Azure AD that the IDP (here, AD FS) is responsible for handling MFA. You can find more about this command here. We actually covered the flow of this in a previous post. See this mailbag, question 5. AD FS supports this natively, but if you’re using a non-Microsoft identity provider check with them to see if they also support it.
Question: I'm using Azure MFA Server. If we have to store username and password within the MFA user portal or mobile website web.config, is there any way to encrypt the credentials?
Answer: If you configure username/password credentials in the web.config of the MFA user portal and MFA mobile web apps (rather than using certificate-based authentication) and you want those stored credentials encrypted at rest, here's how to do it:
Back up the web.config of both your user portal and mobile web sites just in case
On the web server that hosts your user portal and mobile web site, open an elevated command prompt (run as administrator)
From the command prompt, navigate to C:\Windows\Microsoft.NET\Framework64\v4.0.30319
Then run the following command against both of the directories that host your user portal and mobile web sites:
Here you can see my web.config before I ran this with the username/password in clear text:
And then after running this command, voila, the credentials are now encrypted:
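As an added PowerShell example (not from the original post), here is the same procedure scripted end to end: back up each web.config, encrypt the credential section with the .NET aspnet_regiis.exe tool from the directory named above, and verify that nothing readable is left. The two site paths, the app pool name and the assumption that the credentials live in the `appSettings` section are mine; adjust them to your installation.

```powershell
# Added example, not from the original post. Assumptions (adjust to your install):
# the two site paths below, and that the SDK username/password live in <appSettings>.
$regiis  = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$section = 'appSettings'
$sites   = @(
    'C:\inetpub\wwwroot\MultiFactorAuth',          # assumed user portal path
    'C:\inetpub\wwwroot\MultiFactorAuthMobileApp'  # assumed mobile web site path
)

# aspnet_regiis writes to the site directory and the machine RSA key store, so run elevated.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

foreach ($site in $sites) {
    $config = Join-Path $site 'web.config'
    if (-not (Test-Path $config)) { throw "No web.config found under $site" }

    # Step 1: timestamped backup next to the file, before touching it.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item $config "$config.$stamp.bak"

    # Step 2: encrypt the section in place. -pef = protect a section in the web.config
    # found at a physical path. Without -prov this uses RsaProtectedConfigurationProvider
    # and the machine-wide NetFrameworkConfigurationKey container.
    & $regiis -pef $section $site
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed for $site (exit $LASTEXITCODE)" }

    # Step 3: verify. The section must now carry configProtectionProvider and hold
    # <EncryptedData> instead of readable <add key="..." value="..."> entries.
    [xml]$xml = Get-Content $config -Raw
    $node = $xml.configuration.$section
    if (-not $node.configProtectionProvider -or -not $node.EncryptedData -or $node.add) {
        throw "$config: $section is still in clear text"
    }
    Write-Host "$config: $section encrypted with $($node.configProtectionProvider)"
}

# Caveat: the site's app pool identity must be able to read the RSA key container,
# otherwise the app fails at startup after encryption. Grant it once per identity
# (assumed app pool name; repeat for the mobile web site's pool):
# & $regiis -pa 'NetFrameworkConfigurationKey' 'IIS APPPOOL\MultiFactorAuth'
```

If you later need to edit the credentials, decrypt with `-pdf` using the same section and path, change the values, then re-run the script.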