Forum Discussion

Gurdev Singh's avatar
Gurdev Singh
Iron Contributor
Jun 12, 2019

Azure AD Connect sync account MFA support

Does the account that AAD Connect uses to connect to Azure AD requires MFA to be disabled? It's the account that AAD Connect creates itself during the installation process.   Recently, we noticed t...
Azure Active Directory (AAD)
Darren_BL's avatar
Darren_BL
Copper Contributor
Aug 16, 2019

Raymond Rothengatter 

 

This is the exact issue I am facing.  CSP partners are required to have MFA enabled on 100% of accounts, but Azure AD Connect does not seem to support the Azure AD Application Graph which would allow it to work with MFA Enabled?  

 

With other applications (like Veeam for Office 365 for example) I would open:

Azure Active Directory

App Registrations

New Registration

Then as part of the registration give it the "App Permission" of "Microsoft Graph"  and the sub-permissions that it needs.

 

I'm not finding any documentation from Microsoft for AD Connect to indicate that they support their own MFA-Compliant method of performing this.

 

I've opened a support case with the Partner Center, but hoping that someone has already figured out how to make this work.  If they cannot come up with a way to make AD Connect work with MFA Enabled account, then I'm hoping that they will carve out an exception because they are telling partners that we will no longer be able to transaction with Microsoft if we are not 100% MFA enabled.

Darren_BL's avatar
Darren_BL
Copper Contributor
Aug 23, 2019

OK, Here's what I found out from my support case.

 

As of August 2019, there are now two forms of MFA policy:

1. User-specific MFA 

Enabled through the https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx page.

2. Azure Active Directory Conditional Access - Policies

Accessed via URL: (https://aad.portal.azure.com/) 

Click "Azure Active Directory"

Click Conditional Access

Then enable these policies:

  • Baseline policy: Require MFA for admins (Preview)
  • Baseline policy: Require MFA for Service Management (Preview)

 

The techs on the call are saying that if #2 is enabled, then you do not need to enable MFA at the end user level, because the policy will be enforced for the things that they care about.

 

The techs all agreed that the documentation on the partner site (https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq?branch=isaiah%2Fsecurity-requirements-update) was inadequate to make this distinction and they included a documentation person on the call to make notes and take screen shots of the changes required to clarify the policy.

 

We also confirmed for the tech (and took Fiddler traces of) the Azure AD Connect logs when #1 User-Level MFA is enabled on the account used by ADConnect.  Proving without a doubt that the user-level setting being enabled will break ADConnect and with it disabled it fixes ADConnect.

 

Finally, we also reviewed the fact that the Microsoft Security Score site is not paying attention to the Baseline Policy settings when calculating your security score.  They plan to reach out to the Security Score team to have them update the score settings when the policy is configured.

 

 

  • Sol Birnbaum's avatar
    Sol Birnbaum
    Copper Contributor
    Aug 27, 2019

    Darren_BL I'm not sure I understand how that resolves the issue. If MFA is required on 100% of Azure AD accounts - regardless of whether it's enforced via the old portal, baseline CA policy, or custom CA policy - it is not compatible with Azure AD Connect.

    • Darren_BL's avatar
      Darren_BL
      Copper Contributor
      Aug 27, 2019

      Sol Birnbaum I currently have the baseline policy enabled, and the "user-level" MFA disabled for the account used by AD Connect and it worksADConnect/DirSync still syncs successfully.

       

      The senior support engineer basically said that the "Policy level" one is somehow "application aware" and does not interfere with AD Connect, whereas the User-Level one is not and requires MFA on every type of login.

       

      It looks like they have indeed updated the documentation page they said they would update as part of my escalated support case.  This page:https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq?branch=isaiah%2Fsecurity-requirements-update 

       

      Heading: "What are the key actions I need to take to meet the requirements?" has now been updated to explicitly mention the baseline policies.  

      They have also added this new section:

      Will the service account used by Azure AD Connect be impacted by the partner security requirements?

      No, the service account used by Azure AD Connect will not be impacted by the partner security requirements. If you experience an issue with Azure AD Connect as result of enforcing MFA, then open a technical support request with Microsoft support.

       

      Put differently, if you enable the Policy level one, it should have the effect of requiring MFA for a user trying to log into the portal to do admin work like manage your partner account, but it should not prevent logins used for other purposes.  Since they are trying to secure the partner portal, they view the mission as accomplished via the Baseline Policy.

       

       

      • Sol Birnbaum's avatar
        Sol Birnbaum
        Copper Contributor
        Aug 29, 2019

        Darren_BL Interesting because our custom conditional access MFA policy was definitely blocking the Azure AD Connect service account, but at this point I don't see a reason not to use the baseline protection policy anyway.

Resources