SOLVED

Common Area Phones and MFA


Doing a project that has 77 CAPs.

Need to be able to sign them in in the most efficient way.

I tested one manually and the account has MFA required (Note, I am not the AD account control person).  Intune is not available.  Is disabling MFA on those accounts a good solution to get around MFA?

How can these be signed in:

1)  One by one basis

2)  All at once


Looking for any specific procedures that would be helpful.  The simpler the better.

5 Replies
Best Response confirmed by ThereseSolimeno (Microsoft)
Solution
Hi @Jake Jacobs

I would recommend this article by Jeff Schwartz

http://blog.schertz.name/2020/04/common-area-phones-in-microsoft-teams/

It's probably the most comprehensive guide that there is out there in terms of a play-by-play for setting up CAP. CAP does support MFA; however, you would make the decision about applying MFA to CAP, and I guess this would largely depend on the setup of the user accounts. Personally, I would go ahead with it, then log in to https://login.microsoft.com and ensure all the user mailboxes associated with CAP are tied to a mobile device which has Authenticator, which should make that easy. As stated in the article, Intune isn't recommended as it adds little value in this scenario, and there is no remote management, as you have to actually be at the device to log in, so it will be a case of signing in one by one. The good thing about this article is that it's very methodical, in that the CAP policies are set up from the start via PowerShell and the TAC, the users set up, licences and numbers applied, then policies applied via PowerShell, so a lot of this can be done en masse via PowerShell.

Hope that helps and answers your question.

Best, Chris

Thanks.  That's the article I have been looking at.

The front end of the process is easy and already completed.  It is the signing in 77 CAP phones that is the tedious part.

So if they have MFA, each phone account will need a cell associated with it. 77 times...

Doesn't sound like MFA is efficient for these.

Hi Jake,

That's right. It is a bit of legwork; however, it's really taking into account how far you think MFA is going to benefit. The article doesn't explicitly mention it; it's in the FAQ, so Jeff doesn't think so. I know some that have and others that haven't. If you don't think you need it, disable it. If you do, then I would recommend tying all those users to a single cell if you can, which will make it easy to work with MFA if you have Authenticator. Some orgs would say that MFA is absolutely necessary because those logins can essentially be accessed over the web unless you apply something like conditional access on them. Others would say it's not. I think the important thing here, like in the article, is restricting sign-out so users can't actually log out of the devices, which is potentially the bigger risk here.

Best, Chris

@Jake Jacobs 

Hi,

The most common setup for common area phones is that you have conditional access set so that the IP network you have the phones connected to does not require MFA. So when an account that you use for one of these phones signs in from your network there will be no MFA request, but if someone steals the phone or gets the account information and tries to sign in from another network, they will get the MFA challenge (or actually not get it).


Running around and signing in Common Area Phones with MFA is not an option; some companies have a requirement to sign in with MFA every day. Not a fun task, even for an intern. Also, if the phone is in a common area and not signed in, so that you can't use it for emergency calling, that can be illegal in some countries.
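One way to implement the trusted-network exclusion described in the reply above, as an added example that is not code from this thread or from Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK and assumes the CAP accounts sit in one security group; the group ID and the phone subnet are placeholders.

```powershell
# Added example (not from the thread): a Conditional Access policy that requires MFA for
# CAP accounts everywhere except the network the phones live on.
# Assumptions: CAP accounts are members of one security group, the phone VLAN is
# 203.0.113.0/24 (placeholder), and the signed-in admin can grant these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$capGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of the CAP group
$phoneCidr  = "203.0.113.0/24"                         # placeholder: subnet the phones sign in from

# 1. Named location for the phone network, marked as trusted.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "CAP phone network"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $phoneCidr }
    )
}

# 2. Policy scoped to the CAP group only: all apps, all locations except the phone
#    network, grant = MFA. Created in report-only mode so the sign-in logs show what it
#    would have done before it is allowed to block anything.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CAP accounts: require MFA except from phone network"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($capGroupId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# 3. Confirm what was created; switch state to "enabled" only after reviewing report-only results.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State
```

This only has the intended effect when MFA for the CAP accounts is enforced through Conditional Access; a per-user (legacy) MFA setting on those accounts is not overridden by a location exclusion, so it would need to be replaced by the policy rather than left in place.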

Awesome, thanks @Linus Cansby, that was the point I was making about conditional access above. I had that a few months back; the partner I was working with did exactly this :D

Best, Chris