What should I do before another Multi-Factor Authentication outage occurs?
Multi-Factor Authentication is a very important security feature for several reasons: it helps ensure that a user’s identity has not been compromised, it compensates for the weak passwords many users choose, and it limits the damage from keylogging, phishing or pharming. These are all excellent reasons to enable MFA, but let’s not forget that an MFA outage can also become a very serious single point of failure. What is a company supposed to do if all users have MFA enabled and the Microsoft MFA service experiences an outage? In the past month we have seen two major multi-factor authentication outages from Microsoft cripple tenants for up to 24 hours. This caused a massive influx of helpdesk tickets, ringing phones and filling inboxes, all asking the same question: “What do we do now?” Here are three ideas to consider before the next MFA outage occurs: create emergency access admin accounts, whitelist the public IP addresses of your offices, and configure the Trusted IPs feature in Azure Multi-Factor Authentication.
The bulk of the activities performed by a global administrator are not needed by your lower-level users, and those users are not given elevated permissions because they could mistakenly perform a task that should require higher-level approval. Beyond preventing users from taking on admin privileges for themselves, you also need to guard against being accidentally locked out of administering your Azure AD tenant, where you can neither sign in as an administrator nor activate another user’s account as one. The impact of losing administrative access can be mitigated by keeping at least two Emergency Access Accounts inside your tenant.
Emergency Access Accounts can be used by organizations that want to restrict privileged access within an Azure Active Directory environment. They are reserved for absolute emergency scenarios, like the one I’m sure quite a few organizations experienced during the recent MFA outages. These “in case of emergency, break glass” accounts should be used only for the time during which they are necessary.
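An emergency access account only helps during an MFA outage if it is actually excluded from whatever enforces MFA. The following script is an added example (not from the original post) that audits this, assuming MFA is enforced through Azure AD Conditional Access policies rather than per-user MFA, that the Microsoft.Graph PowerShell module is installed, and that the two UPNs are placeholders for your own break-glass accounts.

```powershell
# Added example: check that every break-glass account is excluded from each enabled
# Conditional Access policy that requires MFA. Requires the Microsoft.Graph module and
# consent for Policy.Read.All and User.Read.All. The UPNs below are placeholders.
$BreakGlassUpns = @(
    'emergency1@contoso.onmicrosoft.com',
    'emergency2@contoso.onmicrosoft.com'
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All' | Out-Null

# Conditional Access policies reference users by object id, so resolve each UPN first.
$breakGlass = foreach ($upn in $BreakGlassUpns) {
    $u = Get-MgUser -UserId $upn -Property Id, UserPrincipalName -ErrorAction Stop
    [pscustomobject]@{ Upn = $u.UserPrincipalName; Id = $u.Id }
}

# Only enabled policies whose grant controls include the built-in "mfa" control matter here.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' }

$findings = foreach ($p in $mfaPolicies) {
    foreach ($acct in $breakGlass) {
        # Only direct user exclusions are checked; an account excluded via a group
        # is not resolved here and would show up as a false "not excluded".
        [pscustomobject]@{
            Policy   = $p.DisplayName
            Account  = $acct.Upn
            Excluded = ($p.Conditions.Users.ExcludeUsers -contains $acct.Id)
        }
    }
}

$findings | Sort-Object Excluded, Policy | Format-Table -AutoSize

$gaps = @($findings | Where-Object { -not $_.Excluded })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} emergency account/policy pairs still require MFA; an MFA outage would lock them out too." -f $gaps.Count)
} else {
    Write-Host 'All emergency access accounts are excluded from every enabled MFA policy.'
}
```

Run it as part of a scheduled review so that a policy change which silently drops the exclusion is caught before the next outage rather than during it.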
Is mandating MFA on users’ computers always necessary? Does every user need to receive a text or a phone call every time they log on to their computer at the office? Some organizations consider their offices trusted and may not need the extra layer of security there. This has led some administrators to whitelist the public IP address of their local office, so that MFA is bypassed and not required when users log in from the office’s IP address. Remote users, however, are still held to the MFA requirements when accessing the internet from unknown and potentially unsafe locations. This is also a potential failsafe against outages like the recent ones: if an outage does occur, any global admin who can make it to the office will be able to bypass MFA and disable it for the remote users.
Similar to whitelisting your IP address, Azure Multi-Factor Authentication contains a feature called Trusted IPs. This feature lets users who log on from the company intranet skip two-step verification. The Azure AD tenant type your organization uses dictates which Trusted IPs options are available to your tenant. If the Trusted IPs feature is disabled, two-step verification is required for browser flows and app passwords are required for older rich client applications. If you enable Trusted IPs instead, neither two-step verification for browser flows nor app passwords for older client applications are required from the trusted addresses.
There are ways around these frustrating MFA outages; it just takes time and planning to carefully select the method that works best for your organization. The simple answer to the question “what do we do now?” is “what did you put into place before the outage occurred?” Without a plan of action for the possibility of an outage, your organization may be left out in the cold waiting for Microsoft to turn the heat back on. By creating emergency access accounts, whitelisting your office IP, or configuring Azure MFA with Trusted IPs, you will ensure that your organization can adapt and react in a very short amount of time.
For more information email [email protected]
Or visit www.messageops.com