Forum Discussion
Azure AD Connect sync account MFA support
OK, here's what I found out from my support case.
As of August 2019, there are now two forms of MFA policy:
1. User-specific MFA
Enabled through the account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx page.
2. Azure Active Directory Conditional Access - Policies
Accessed via URL: https://aad.portal.azure.com
Click "Azure Active Directory"
Click Conditional Access
Then enable these policies:
- Baseline policy: Require MFA for admins (Preview)
- Baseline policy: Require MFA for Service Management (Preview)
The techs on the call are saying that if #2 is enabled, then you do not need to enable MFA at the end user level, because the policy will be enforced for the things that they care about.
The techs all agreed that the documentation on the partner site (https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq?branch=isaiah%2Fsecurity-requirements-update) was inadequate to make this distinction and they included a documentation person on the call to make notes and take screen shots of the changes required to clarify the policy.
We also confirmed for the tech (and took Fiddler traces of) the Azure AD Connect logs when #1 User-Level MFA is enabled on the account used by ADConnect, proving without a doubt that enabling the user-level setting breaks ADConnect and disabling it fixes ADConnect.
Finally, we also reviewed the fact that the Microsoft Security Score site is not paying attention to the Baseline Policy settings when calculating your security score. They plan to reach out to the Security Score team to have them update the score settings when the policy is configured.
Darren_BL I'm not sure I understand how that resolves the issue. If MFA is required on 100% of Azure AD accounts - regardless of whether it's enforced via the old portal, baseline CA policy, or custom CA policy - it is not compatible with Azure AD Connect.
- Sol Birnbaum, Aug 29, 2019, Copper Contributor
Darren_BL Interesting because our custom conditional access MFA policy was definitely blocking the Azure AD Connect service account, but at this point I don't see a reason not to use the baseline protection policy anyway.
- Darren_BL, Aug 27, 2019, Copper Contributor
Sol Birnbaum I currently have the baseline policy enabled, and the "user-level" MFA disabled for the account used by AD Connect and it works. ADConnect/DirSync still syncs successfully.
The senior support engineer basically said that the "Policy level" one is somehow "application aware" and does not interfere with AD Connect, whereas the User-Level one is not and requires MFA on every type of login.
It looks like they have indeed updated the documentation page they said they would update as part of my escalated support case. This page: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq?branch=isaiah%2Fsecurity-requirements-update
Heading: "What are the key actions I need to take to meet the requirements?" has now been updated to explicitly mention the baseline policies.
They have also added this new section:
Will the service account used by Azure AD Connect be impacted by the partner security requirements?
No, the service account used by Azure AD Connect will not be impacted by the partner security requirements. If you experience an issue with Azure AD Connect as a result of enforcing MFA, then open a technical support request with Microsoft support.
Put differently, if you enable the Policy level one, it should have the effect of requiring MFA for a user trying to log into the portal to do admin work like manage your partner account, but it should not prevent logins used for other purposes. Since they are trying to secure the partner portal, they view the mission as accomplished via the Baseline Policy.
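The distinction the thread draws (user-level MFA on the sync account breaks AD Connect; the Conditional Access baseline policy does not) can be checked directly. The following is an added example, not code from the thread or from Microsoft; it assumes the MSOnline PowerShell module and that the AD Connect sync account UPN starts with the default "Sync_" prefix.

```powershell
# Added example: audit the per-user ("user-level") MFA state on the Azure AD Connect
# sync account, the setting the thread identifies as breaking sync when enabled.
# Assumptions: MSOnline module (Connect-MsolService / Get-MsolUser / Set-MsolUser),
# and a sync account whose UPN starts with "Sync_" (default naming; adjust if needed).
# Conditional Access baseline policies are not reported here; they are managed in the portal.

Import-Module MSOnline
Connect-MsolService   # interactive sign-in with an administrator account

$syncPrefix = 'Sync_'   # assumption: default Azure AD Connect sync account prefix

$report = Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like "$syncPrefix*" } |
    ForEach-Object {
        # StrongAuthenticationRequirements is empty when per-user MFA is disabled;
        # otherwise its State is "Enabled" or "Enforced".
        $state = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
            $_.StrongAuthenticationRequirements[0].State
        } else {
            'Disabled'
        }

        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            PerUserMfa        = $state
            SyncWillBreak     = ($state -ne 'Disabled')
        }
    }

$report | Format-Table -AutoSize

# Any sync account with PerUserMfa "Enabled" or "Enforced" is the failure case the thread
# describes. To clear user-level MFA on it while leaving Conditional Access policies in
# place (the configuration the thread reports as working), uncomment the block below.
# $report | Where-Object SyncWillBreak | ForEach-Object {
#     Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements @()
# }
```

Re-run the report after any change and confirm the next AD Connect sync cycle completes before relying on the result.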