SOLVED

Requiring MFA for all users


Hello Community,

I am working towards improving our Office 365 security score and noticed the MFA requirements for all users. Indeed, this has been enabled for all employees in our organization. However, not all addresses are employee accounts. We have many forwarders enabled on our tenant and I wanted to see how we can disqualify the forwarders from the security score assessment.

Thanks,

Lawk Salih

5 Replies

AFAIK there is no way to exclude certain accounts from the evaluation of this item, or mark it as compliant. Why do you care about the score improvement it gives you? The important part is the improved posture of the tenant, not whether some number has gone up :)

Vasil --

Thank you for your response and I do agree with you. However, I use the score as a baseline to improve the posture and how we can address the requirements by Microsoft. What other forms of measurement do you recommend I use as a baseline for the security posture?

Thanks again.

best response confirmed by Deleted
Solution
Hi @lawksalih,

Microsoft Security recommends the CIS Benchmarks for securing your Office 365/Microsoft 365 tenant. This should be free to download here:

https://www.cisecurity.org/benchmark/microsoft_office/

In terms of disqualifying forwarders you would go into Secure Score, find this security control

Do not use mail forwarding rules to external domains

And set Ignore on it.

Hope that helps to answer your question.

Best, Chris

If I ignore the security control, does that mean that it will not be evaluated by Microsoft?

For example, I see a notice of "You have 380 of 526 user accounts that don't use MFA." I like this feature since it gives me an idea as to where to look and for which specific users for example.

That should be the case. See here

https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/New-Office-365-Secure-Score-f...

Note that some controls have [Not Scored] against them, which means they are not linked to your secure score total. I think this is actually the case with the forwarder security control to external domains.

Best, Chris