Forum Discussion

VasilMichev's avatar
VasilMichev
MVP

App passwords are bad, don't use them. They are doing the opposite of what MFA/CA does, and you should have some serious discussions with the powers that be, before going down that rabbit hole.

 

I'm assuming the issue here is making sure users are still able to access their email on a mobile, after switching on MFA? The latest iOS client should support Modern auth, thus MFA/conditional access will work. The Outlook app on every mobile platform also support it. So there should be at least one option available.

 

Or, you can just use CA in an opposite fashion - ask for MFA only when not using ActiveSync. And yes, enforcing it on the user level will always trigger it, regardless of what you have configured for CA (by "enforcing" I mean the corresponding option in the MFA portal). This is the more secure option, as apart from ActiveSync, CA will not trigger for anything that uses legacy auth, as you have already noted. Including the MSOnline PowerShell module for example.

 

In case you really, really, really need to use some app that does not support Modern auth, you can now use cert-based auth as additional level of protection. Assuming you have AD FS that is. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-certificate-based-authentication-get-started

Brent Ellis's avatar
Brent Ellis
Silver Contributor
Feb 21, 2018

It looks like CA and MFA wont work together to make my desired scenario work.

 

MFA 100% of the time on things that use legacy auth

Conditional MFA on things that use modern auth

 

Having protection against things like PowerShell is also going to be preferred.  If I users credentials get compromised, i'm going to assume most hackers arent just gonna stroll right up to OWA to try and use it.

 

Resources