Enabling MFA on admin level access to On premise AD


Hello everyone. I've run into a puzzler and I'm hoping someone can give me a tip on how to solve this. I have received a "cyber security attestation" document from a major insurance provider and must be able to say yes to all of the items on it as a baseline to receive a policy. Here's the one I'm stuck on:
multi-factor authentication is required for the following, including such access provided to 3rd party service providers:
All internal & remote admin access to directory services (active directory, LDAP, etc.).
I'm not aware of a way to set up any MFA for admin access to Active Directory itself, but I'm all ears if someone knows of a way. What I think the only viable solution would be is to set up MFA for access to any Domain Controller in the domain. In order for that to be adequate though, I then need to be able to prevent RSAT connections to Active Directory. I'm not sure if there's a way to restrict that or not, so that's where I'm currently stuck.
Can anyone point me in the direction of a solution for either preventing RSAT access or (fingers crossed) enabling MFA on AD itself?
Thanks,

Joel

1 Reply
Windows Hello for Business is considered by Microsoft to be a multi-factor solution. There is a certificate on the device (something you have) and then you typically sign in with a PIN (something you know) or a biometric (something you are). I highly recommend that you check out this article: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompte...