Office 365 MFA with Azure AD Sync Tool Service Account
We have recently started looking at the security state of our O365 tenant with the Secure Score tool (https://securescore.office.com). One of the suggestions to raise the score is to enable MFA for all Global Admin accounts. However, the Azure AD sycn tool has a user/service account that requires the Global Admin role to be assigned to it (as noted in the first referenced link below). Additionally, other Office365 admin roles are not permitted the directory sync access (as noted in the second link below). Seeing as how the sync is an automated process, there is no way that I know of to build approving a login with MFA. I have been unable to locate any articles around the Azure AD sync tool, nor a way to add an exception to the Secure Score portal for this user account. Has anyone come across a solution for either adding MFA to a service account or creating an exception for a service account to the Secure Score? https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-accounts-permissions https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles
ADFS Modern Authentication Claims Rules
I have ADFS 4 deployed and am attempting to create claims rules for O365 to accomplish the following: - Allow intranet access - Allow extranet access via Activesync only (No access to web apps or ability to download email to PCs) Modern Authentication is enabled on tenant for Exchange Online and clients are using Outlook 2016. I've setup access control policies like so: Permit users from internet network and with Client Application claim equals to Microsoft.Exchange Activesync and Client Application claim equals to Microsoft.Exchange.Autodiscover in the request Permit users from intranet network This appears to be working to block traffic for webapps and Outlook 2016, but also is blocking mobile access. I've tested mobile by configuring both Nine and the Outlook app, but I'm being blocked. What am I doing wrong?FIDO2 Office 365 and Windows Hello For Business Sign-in?
I saw that this was in preview a year ago. https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/bg-p/Identity Is logging into Windows 10 Hybrid joined systems using FIDO security keys now working? What about signing into Office 365 desktop apps, mobile apps and web apps with FIDO security keys?