Mitigating MFA issues after the Azure MFA outage

I wrote this article on mitigating MFA for Admins and Users after this month's outage. Obviously no one wants to turn it off, but there are certain things you can do to keep it enabled but utilise Trusted IPs or one-time bypass, as well as BCS accounts in the event of admin lockout. I also covered Azure MFA Server, which isn't well documented.

http://www.wave16.com/2018/11/mitigating-azure-mfa-issues-during.html

 

Thanks

6 Replies
And MFA is down again! ......

Cripes hope I didn't curse it!

We use Trusted IPs and even internal people were having problems. It's almost as if the Trusted IPs were being ignored. We also experienced during that first outage that when disabling MFA for users, it did not consistently take effect on the back end at Microsoft and some users continued to be prompted. We did wait at least 15 minutes and had the user reboot their device(s).

Hope these trusted IPs are public-facing and they weren't added while MFA had issues. The only users who had issues during the recent MFA issues were connecting from the internet, and most of them were advised to establish a VPN connection and were back in working mode.

That's interesting that trusted IPs weren't being recognised in your tenancy. They were with the ones we were managing.

 

I would imagine Microsoft will now put more diligent change request mechanisms in place for anything relating to MFA, as, along with Azure AD, it has the potential to wipe out access to every single service - even if those services are up and online.

I also blogged about creating a backdoor to Azure AD: http://o365blog.com/post/aadbackdoor/