SOLVED

Attack Simulator

Occasional Contributor

The Attack Simulator appears disabled with a message that says "You must enable multi-factor authentication (MFA) to schedule or terminate attacks."

We have MFA enabled on just about every account with the exception of a few that are not real user accounts (converted to shared mailboxes).

Does every account have to have MFA enabled in order for this to work?

3 Replies
best response confirmed by Bryan Kuester (Occasional Contributor)
Solution

No. What you need is to have actually performed the MFA challenge before you access the page. It will check the access token for the presence of the "user has performed MFA" bit, and only let you manage the settings if this is true. Think of it as added security for one of the more sensitive features we have in O365.

@Vasil Michev what's crazy is, what if you have conditional access policies applied to your org. MFA doesn't kick in for me when I am at work. So I need to go home and do this part of my job? lol.

-g

@Greg Hogan

This is also discussed here:

https://github.com/MicrosoftDocs/OfficeDocs-o365seccomp/issues/439

If Conditional access doesn't deem MFA to be a requirement for your given session, then yes you'll be blocked from the page. You might want to use one of the available methods within conditional access to exempt your session during that visit, or temporarily flip to a hotspot, etc.
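
Added example, not part of the thread and not Microsoft's code: a diagnostic that decodes a token's payload and reports whether it records an MFA challenge, which is the difference between the two sessions discussed above. It assumes the "user has performed MFA" bit is the `amr` claim containing `mfa`, as Azure AD tokens carry it; the helper names and sample tokens are constructed for illustration.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    For inspecting your own session token only, never for an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def mfa_performed(token: str) -> bool:
    """True if the amr claim lists 'mfa' (assumed location of the MFA bit)."""
    amr = jwt_claims(token).get("amr") or []
    if isinstance(amr, str):  # tolerate a single value instead of a list
        amr = [amr]
    return "mfa" in amr


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token for the demo; not a real credential.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


# Session from a location where Conditional Access did not prompt for MFA.
OFFICE_TOKEN = make_sample_token({"upn": "admin@example.com", "amr": ["pwd"]})
# Session in which the MFA challenge was completed.
MFA_TOKEN = make_sample_token({"upn": "admin@example.com", "amr": ["pwd", "mfa"]})

if __name__ == "__main__":
    for name, tok in (("office", OFFICE_TOKEN), ("mfa", MFA_TOKEN)):
        print(name, "session, MFA performed:", mfa_performed(tok))
```
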