Enable MFA for Azure AD Privileged roles


So, one of the recommended actions under our security score is "Enable MFA for Azure AD Privileged Roles".  The issue I have with this setting is that it does not use any exception lists, like the user MFA setting does.  We have our internal network IPs in an exception list.  If this option is enabled, Administrators accessing anything from inside the network are constantly prompted by MFA.

 

Is that by design or was this overlooked?

2 Replies

Remember that those are all recommendations/best practices; Microsoft cannot possibly account for all the different variations in which each of these controls can be satisfied across thousands of customers. I have similar "issues" with this and other controls (CA are the worst), but it's not all about the score. Review the recommendations, take any actions if necessary, benefit from the increased security and ignore the few missing points.

At least based on my experience, if the admin does not have MFA in place, PIM will force it when authenticating to the PIM tool.

 

Secondly, to protect the credentials there are a few points to think about:

- credential to use

- federated or non-federated credential

- While the basic idea in the cloud is to connect from any device, the question is how you would like to limit it using Conditional Access policies that do not cover your whole network. No - instead the admin account can only sign in from a specific network segment or device in the internal network, which opens new security risks. What if the admin surfs the web at the same time in that session and gets malware, as an example, and it starts to spread inside the "admin workstation segment", polluting the devices on that segment? This opens a new question: what are the solutions for administering cloud services if we don't want to do it from any of our network, while the admin network is also used to manage internal services in our production? Should we create a second admin network with a terminal server, or utilize Azure RDP / Azure Citrix services, or traditional VMs in Azure? One example could be: deploy a secure Windows 10 VM to Azure for admin purposes, do all the hardening that is needed, then create a Conditional Access policy to protect the login with these admin credentials only from these PCs, and if that is not enough you can deploy your own firewall services in Azure through which you go out to any cloud services.

 

Just some lessons learned and thoughts on what has been done over the years.
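The two approaches argued over in this thread (the original post's wish for a trusted-IP exception on admin MFA, and the second reply's alternative of only allowing admin sign-in from hardened admin workstations) can both be expressed as Conditional Access policies. The script below is an added example written for this page, not code from either poster or from Microsoft. It uses the Microsoft Graph PowerShell SDK and assumes: the Microsoft.Graph module is installed, the caller holds a role that can manage Conditional Access, trusted IP ranges are already defined as trusted named locations, admin workstations are Azure AD joined or registered with display names starting with "PAW-", and `$breakGlassUserId` is replaced with the real object ID of your emergency-access account. Both policies are created in report-only mode so they can be evaluated against real sign-ins before being enforced.

```powershell
# Added example: implement the thread's two options as Conditional Access policies
# with Microsoft Graph PowerShell. Not code from the original post or replies.
# Assumes Microsoft.Graph is installed and the caller can manage CA policies.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All'

# Resolve role template IDs by display name rather than hard-coding GUIDs.
$adminRoleNames = @(
    'Global Administrator',
    'Security Administrator',
    'Exchange Administrator',
    'SharePoint Administrator',
    'Conditional Access Administrator'
)
$adminRoleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id)

# Placeholder (assumption): object ID of your emergency-access ("break glass") account.
# Always exclude it, so a broken MFA or device policy cannot lock every admin out.
$breakGlassUserId = '00000000-0000-0000-0000-000000000000'

# Policy 1: require MFA for privileged roles everywhere except trusted named
# locations. This gives the trusted-IP exception the original post asks for.
# Caveat: anything already on the internal network inherits the exception,
# which is the risk the second reply describes.
$mfaPolicy = @{
    displayName = 'Admins: require MFA outside trusted locations'
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = @{
        users = @{
            includeRoles = $adminRoleIds
            excludeUsers = @($breakGlassUserId)
        }
        applications = @{ includeApplications = @('All') }
        locations = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')          # trusted named locations
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block admin sign-in from any device that is not a dedicated,
# hardened admin workstation (the "hardened admin VM" approach in the second
# reply). deviceFilter mode 'exclude' applies the policy to every device that
# does NOT match the rule, so only devices named PAW-* are allowed through.
$pawPolicy = @{
    displayName = 'Admins: block sign-in from non-PAW devices'
    state       = 'enabledForReportingButNotEnforced'   # report-only first
    conditions  = @{
        users = @{
            includeRoles = $adminRoleIds
            excludeUsers = @($breakGlassUserId)
        }
        applications = @{ includeApplications = @('All') }
        devices = @{
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.displayName -startsWith "PAW-"'   # naming convention assumed
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $pawPolicy
```

After the policies exist, review the "Report-only" results in the Azure AD sign-in logs for a few days, confirm the break-glass account and the PAW devices behave as expected, then switch `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Keep the second policy in mind when reading the first: if you adopt the PAW restriction, the trusted-location exclusion on the MFA policy buys very little and can simply be dropped.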