Nov 27 2018 06:13 AM
I wrote this article on mitigating MFA for Admins and Users after this month's outage. Obviously no one wants to turn it off, but there are certain things you can do to keep it enabled but utilise Trusted IPs or one-time bypass. As well as BCS accounts in the event of admin lockout. I covered Azure MFA Server also, which isn't well documented.
http://www.wave16.com/2018/11/mitigating-azure-mfa-issues-during.html
Thanks
Nov 27 2018 08:33 AM
Nov 27 2018 09:01 AM
Cripes hope I didn't curse it!
Dec 04 2018 11:39 AM
We use Trusted IPs and even internal people were having problems. It's almost as if the Trusted IPs were being ignored. We also experienced during that first outage that when disabling MFA for users, it did not consistently take effect on the back end at Microsoft and some users continued to be prompted. We did wait at least 15 minutes and had the user reboot their device(s).
Dec 04 2018 10:28 PM
Hope these trusted IPs are public facing and they weren't added while MFA had issues. The only users who had issues during recent MFA issues were connecting from the internet, and most of them were advised to establish a VPN and were back to working mode.
Dec 06 2018 01:17 PM
That's interesting that trusted IPs weren't being recognised in your tenancy. They were with the ones we were managing.
I would imagine Microsoft will now put more diligent change request mechanisms for anything relating to MFA, as along with Azure AD it has the potential to wipe out access to every single service - even if those services are up and online.
Dec 11 2018 10:28 PM