SOLVED

Require MFA for administrative roles Doesn't finish

Occasional Visitor

Hey Guys,

Thank you in advance for taking a look at my case.

 

I've gotten the project to upgrade the security at our company, therefore I have started to implement MFA. The company has 200~ users world-wide, so that isn't done within a day. Therefore I have started to enforce MFA for the administrators. Unfortunately I do not get all the points for it? So when I took a second look at it I saw that we have 6 out of 10 administrator users that have MFA enforced, well all our IT guys have had MFA enforced since 3 weeks ago so that isn't it. So with a PowerShell script I output all the administrators and came across these accounts for the sync, are these the accounts I have been looking for? And how do I use MFA on sync accounts? With app passwords?


Please let me know what the most secure way to do it is.


Really appreciated

1 Reply
best response confirmed by Security_specialist (Occasional Visitor)
Solution

Those look like the service principal objects for the corresponding service, you cannot enforce MFA there. But I wouldn't worry about the secure score too much, it has been known to "lag" or even show incorrect data at times.
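
The following is an added example, not part of the original thread or of either poster's script: it sorts directory-role members by object type so that service principals can be told apart from administrator user accounts when reviewing MFA coverage. The function name `Split-RoleMembersByType`, the sample records, and the choice of the Microsoft Graph PowerShell module for the live query are assumptions; the thread does not show which script was used.

```powershell
# Added example: classify role members so service principals are not
# counted as administrator users that are missing MFA.
function Split-RoleMembersByType {
    param(
        # Objects with RoleName, DisplayName and ODataType properties (hypothetical shape)
        [Parameter(Mandatory)] [object[]] $Members
    )
    foreach ($m in $Members) {
        $kind = switch ($m.ODataType) {
            '#microsoft.graph.user'             { 'User' }
            '#microsoft.graph.servicePrincipal' { 'ServicePrincipal' }
            '#microsoft.graph.group'            { 'Group' }
            default                             { 'Other' }
        }
        [pscustomobject]@{
            RoleName    = $m.RoleName
            DisplayName = $m.DisplayName
            Kind        = $kind
            # Only user objects sign in interactively; review MFA for these.
            ReviewMfa   = ($kind -eq 'User')
        }
    }
}

# Constructed sample input (not taken from the original post).
$sample = @(
    [pscustomobject]@{ RoleName = 'Global Administrator'; DisplayName = 'Alice Admin'
                       ODataType = '#microsoft.graph.user' }
    [pscustomobject]@{ RoleName = 'Directory Readers'; DisplayName = 'Example Service'
                       ODataType = '#microsoft.graph.servicePrincipal' }
    [pscustomobject]@{ RoleName = 'Helpdesk Administrator'; DisplayName = 'IT Helpdesk'
                       ODataType = '#microsoft.graph.group' }
)
Split-RoleMembersByType -Members $sample |
    Sort-Object Kind, RoleName | Format-Table -AutoSize

# Live tenant input (assumes the Microsoft.Graph module and read access to the directory):
# Connect-MgGraph -Scopes 'Directory.Read.All'
# $live = foreach ($r in Get-MgDirectoryRole -All) {
#     foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All) {
#         [pscustomobject]@{ RoleName    = $r.DisplayName
#                            DisplayName = $m.AdditionalProperties['displayName']
#                            ODataType   = $m.AdditionalProperties['@odata.type'] }
#     }
# }
# Split-RoleMembersByType -Members $live | Where-Object ReviewMfa
```

Rows with `Kind` set to `Group` need their membership expanded separately before the user count is compared with the Secure Score figure.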