SOLVED

Modern Authentication - managing, supporting and deploying systems/devices is a nightmare

Iron Contributor

I wholeheartedly agree with modern authentication (and its mild association with MFA) - we use MA throughout our environment and, from a security perspective, it works great. HOWEVER, am I the only one who struggles with MA when supporting/deploying devices? In other words, here are my 2 biggest struggles.

 

1) When a user with MA experiences problems with Office 365 on a Windows 10 device, sometimes it requires removal, repair, etc. of the platform and association with authenticating to Office 365 (not to be confused with Microsoft 365).

 

2) When preparing a Windows 10 device for user deployment, part of the process is to establish connection to Exchange Online (using native Outlook).

 

In both scenarios, the end user needs to forward me a copy of the "confirmation text" (i.e., code), in order for me to complete the necessary tasks.

 

Both scenarios cause me great heartache when I have to wait for the end user or re-submit the request due to a timeout.

 

Is there a way in which one (me, the sole O365 admin) could "pause" this requirement during such times as troubleshooting or preparing a system for user assignment? Asking the end user to forward the "confirmation" is such a struggle -- most of our employees work in remote locations (dynamic IPs) and/or are in different time zones, so I'm usually waiting, re-submitting, etc., each time I reach this place in the process.

 

Again, we do not use Microsoft 365, so Named Locations doesn't apply to those using Office 365 (at least for now), and even if it were an option, I can poke holes in this "concept" for those of my employees who are using dynamic IP addresses (i.e., home network).

 

PLEASE HELP!

5 Replies

You can use named locations/trusted IPs just fine with O365. But yeah, might be tricky for dynamic IPs. Anyway, why are you using the SMS code option? It's considered the least secure one, and as you've noticed already, not really practical either. The recommendation is to configure the Authenticator app where possible, which among other things can also enable users to do a passwordless login.

@Vasil Michev regarding the SMS code, my current existence is supporting an environment where most employees can barely use a smartphone (not a knock on them - they're at the middle or tail end of their careers)...hence the hint of hand-holding in my initial post. Most of these employees don't use TXT/SMS on a regular basis...they will make a call 9 times out of 10 before ever thinking of typing (not joking).

 

Also, I don't believe the Authenticator app is an option for us because we're not actually using MFA; we use MA which, in the eyes of native Outlook, will use SMS and phone entries if provided by the employee (should they complete the SSPR setup/process). Yet, we still have a few long-time employees who have not completed said process (it's been almost a year).

 

Lastly, unless something has changed recently (the past few days) or it's been there all along (and I don't know about it), Named Locations and Trusted IPs in Azure isn't possible for those of us subscribing to Office 365 Business Premium. I understand that Microsoft 365 BP provides this as do the many levels of Enterprise subscriptions. Unfortunately, we're a small company and the price-point of these are out of reach at this time. It's a shame too -- the small businesses need all the help we can get. I've worked numerous places that subscribed to E3 and, until coming on-board here, never knew there were so many differences between the Business and Enterprise plans (I thought it was merely the license tally of 300 that was the only difference -- boy, was I wrong).

 

Quite frankly, I wish Microsoft would just STOP it with the ongoing and never-ending changes in names, services, options, features, etc. -- it's all I can do (I'm a one person IT Dept) to keep up with this madness...

 

a] Receive the "here's what's new" campaigns

b] Review each to understand whether or not it's something we want/need and

c] Determine whether or not it's EVEN part of our subscription

 

SO many times I've conducted research on such notifications, only to run in circles, ultimately concluding that even though one site/page/portal indicates it's available to BP subscribers, there are an equal amount of them that suggest otherwise.  :0/

 

 

Well configure the phone call method then, really anything is better than SMS. And yes, you will need Azure AD Premium for the trusted IPs functionality, as it's considered part of CA.

The texting etc. has nothing to do with Modern Auth. You have to have MFA on. If you're not using MFA, the only time you would need to use MFA in anything O365 related would be to connect a device to Windows Hello.
best response confirmed by lance-aughey (Iron Contributor)
Solution

@lance-aughey, In my office 365 tenant, I (a global admin) go to Portal.Azure.com \ Azure Active Directory \ Users \ Go to their ID \  Authentication Methods tab \ change the phone number to my cell.  The MFA prompts now come to my cell.  When finished, I put their phone number back in.   

Three quarters of my force (49 IDs, small shop) is on the road, in multiple states throughout the US.  This has worked well for me.  I have not done the password-less MFA (works with Microsoft Authenticator) for anyone but me, so haven't figured that one out.  All my users do the SMS text, which has worked out well, even when rebuilding devices for an existing account.  Our devices are Azure-AD-Joined, thus requiring the text when logging on with their ID.

MFA is enforced for all IDs in my tenant.  We have the E5 license and the EMS-5 license.

There is also a temporary override switch on the MFA, but I haven't played with that so can't give an opinion here.
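The same swap-and-restore the accepted answer does by hand in the portal, as an added scripted example (not the poster's own procedure): it records the user's registered mobile number before changing it and puts it back in a `finally` block so the user's own number is never left pointing at the admin. It assumes the Microsoft Graph PowerShell SDK; the UPN and phone numbers are placeholders.

```powershell
# Added example, not from the thread: temporarily redirect a user's MFA phone
# to the admin during a device rebuild, then restore it. Requires the
# Microsoft.Graph PowerShell SDK and an admin able to manage auth methods.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$userId     = "user@example.com"   # placeholder: the account being rebuilt
$adminPhone = "+1 5550000000"      # placeholder: the admin's own mobile number

# Capture the currently registered mobile method so it can be restored later.
$mobile = Get-MgUserAuthenticationPhoneMethod -UserId $userId |
    Where-Object { $_.PhoneType -eq "mobile" }
if (-not $mobile) { throw "No mobile phone method registered for $userId" }
$originalPhone = $mobile.PhoneNumber
Write-Host "Original mobile for ${userId}: $originalPhone"

try {
    # Point the SMS / phone-call prompts at the admin for the duration of the work.
    Update-MgUserAuthenticationPhoneMethod -UserId $userId `
        -PhoneAuthenticationMethodId $mobile.Id `
        -PhoneNumber $adminPhone -PhoneType mobile
    Write-Host "MFA phone now set to $adminPhone. Finish the rebuild, then press Enter."
    Read-Host | Out-Null
}
finally {
    # Always put the user's own number back, even if the rebuild is abandoned.
    Update-MgUserAuthenticationPhoneMethod -UserId $userId `
        -PhoneAuthenticationMethodId $mobile.Id `
        -PhoneNumber $originalPhone -PhoneType mobile
    Write-Host "Restored mobile for $userId to $originalPhone"
}
```

Each update is recorded in the Azure AD audit log, so the before/after numbers printed here can be matched against it when reviewing who changed a user's MFA method and when.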
