cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Exclude MFA for Non Users

Ask_Ak
Copper Contributor

‎Jun 13 2022 12:15 AM

‎Jun 13 2022 12:15 AM

Exclude MFA for Non Users

Hello, what would be the best way to roll out MFA via a conditional access for users and exclude non user identities as teams rooms, conference rooms, shared devices out of it. I am looking for a way that is easier to maintain in future.

4,542 Views
0 Likes
4 Replies
Reply
4 Replies
mikhailf

‎Jun 13 2022 03:13 AM

‎Jun 13 2022 03:13 AM

Re: Exclude MFA for Non Users

Hello @Ask_Ak,

 

You can use different groups for those "non user" identities. 

For example, "Teams Rooms" for teams rooms, "Conference Rooms" for conference rooms, etc.

This will allow you to exclude the "non user" identities from the main MFA policy but in the future you will be able to create a separate CA policy for them (for example, to restrict access to those accounts from non company IP addresses.

 

 

0 Likes
Reply
Ask_Ak

‎Jun 13 2022 07:21 AM

‎Jun 13 2022 07:21 AM

Re: Exclude MFA for Non Users

This could be one way but it requires maintenance as every time a new non-user identity is created it would have to be added to the group. I was wondering if there is a way to avoid that maintenance. Like use the same group but only assign MFA to user identities.
0 Likes
Reply
best response confirmed by Ask_Ak (Copper Contributor)
mikhailf

‎Jun 13 2022 07:29 AM

‎Jun 13 2022 07:29 AM

Solution

Re: Exclude MFA for Non Users

@Ask_Ak 

 

1. You can create a Conditional Access policy based on "All guest and external users", "Directory roles" and "Users and groups". I don't think that you can filter out service accounts (non user identities). But

 

2. You can create a Dynamic User group. And add users to the group based on their names.

For example, you create a new Conference room account. Give it a name like "Conference-A102". So the rule should be like this: If the "username" contains "Conference" move it to the "Conference Room" group. Same with other types of non user identities.

1 Like
Reply
B4Art

‎Jan 29 2024 05:08 AM - edited ‎Jan 29 2024 05:09 AM

‎Jan 29 2024 05:08 AM - edited ‎Jan 29 2024 05:09 AM

Re: Exclude MFA for Non Users

@Ask_Ak 
Maybe bit off topic, we had the experience of room-accounts becoming disabled via an automatic process in the background in Azure AD. This was because after creating the Room account the password did not match the password policy when they were created.

Maybe this remark will help someone else.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Ask_Ak (Copper Contributor)
mikhailf

‎Jun 13 2022 07:29 AM

‎Jun 13 2022 07:29 AM

Solution

Re: Exclude MFA for Non Users

@Ask_Ak 

 

1. You can create a Conditional Access policy based on "All guest and external users", "Directory roles" and "Users and groups". I don't think that you can filter out service accounts (non user identities). But

 

2. You can create a Dynamic User group. And add users to the group based on their names.

For example, you create a new Conference room account. Give it a name like "Conference-A102". So the rule should be like this: If the "username" contains "Conference" move it to the "Conference Room" group. Same with other types of non user identities.

View solution in original post

1 Like
Reply