Knowledgebase:
2FA/MFA - How to force or override two-factor or multi-factor authentication and options
Posted by Blair Benjamin, Last modified by Blair Benjamin on 11/19/2024 2:52 PM

Background - With the increasing need for tighter network security, and the vulnerabilities we are subject to as a result of weak user passwords and lapses in user discretion, 2FA/MFA is needed. This can create complications, however, particularly when it comes to generic/shared accounts.

Solution(s)

For illustrative purposes in this documentation, I'll refer to the studentfinancialservices@cairn.edu generic/shared O365 mailbox used by individuals in Business Services / SFS. Due to the nature of the data, we felt 2FA was necessary, but did not want to tie the authentication to any individual's mobile phone. So, we used the Microsoft Authenticator app. With a user already logged in (to studentfinancialservices@cairn.edu), we went to https://account.microsoft.com. From there, we went to "Security Info", then "Add sign-in method", and chose "Microsoft Authenticator". This yields a QR code that a new authorized user can scan to finalize the registration of their authenticator app. This can also be done by having a new user attempt to sign in and then get the 2FA code from another authorized/registered user of the account.

For the account to actually force 2FA and the use of the authenticator, it needs to be included in the MFA policy that Marissa created. This is accessed in https://entra.microsoft.com. On that portal, go to Protection > Conditional Access > Policies > MFA SMS > Users - Specific users included and specific users excluded. From there, add the user(s) to the Include group. It may then take a few minutes for the setting to take effect.

- BB (11/19/24)
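
A read-only check of the two steps above, as an added example that is not part of the original article: it uses the Microsoft Graph PowerShell SDK to confirm that the shared account is in scope of the "MFA SMS" policy and to list the Authenticator apps registered on it. It assumes the SDK is installed and that the signed-in admin can consent to the read scopes shown; policy targeting by directory role or guest type is not evaluated.

```powershell
# Added example (not from the original article): read-only audit of a shared account.
$Upn        = 'studentfinancialservices@cairn.edu'   # shared mailbox named in the article
$PolicyName = 'MFA SMS'                               # policy name as given in the article

# Read-only scopes; nothing in this script changes the tenant.
Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All',
                        'GroupMember.Read.All','UserAuthenticationMethod.Read.All'

$user   = Get-MgUser -UserId $Upn -ErrorAction Stop
$policy = @(Get-MgIdentityConditionalAccessPolicy -All |
            Where-Object DisplayName -eq $PolicyName)
if ($policy.Count -ne 1) {
    throw "Expected exactly one policy named '$PolicyName', found $($policy.Count)."
}
$policy = $policy[0]

# Groups the account belongs to (direct or nested), in case the policy is scoped by group.
$groupIds = @(Get-MgUserTransitiveMemberOf -UserId $user.Id -All | ForEach-Object Id)

$scope    = $policy.Conditions.Users
$included = ($scope.IncludeUsers -contains 'All') -or
            ($scope.IncludeUsers -contains $user.Id) -or
            [bool]($scope.IncludeGroups | Where-Object { $groupIds -contains $_ })
# An exclusion overrides an inclusion, so a stale exclude entry silently disables MFA.
$excluded = ($scope.ExcludeUsers -contains $user.Id) -or
            [bool]($scope.ExcludeGroups | Where-Object { $groupIds -contains $_ })

# One entry per phone that scanned the QR code for this shared account.
$apps = @(Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id)

[pscustomobject]@{
    Account           = $Upn
    Policy            = $policy.DisplayName
    PolicyState       = $policy.State        # 'enabled' is the only enforcing state
    GrantControls     = $policy.GrantControls.BuiltInControls -join ', '
    Included          = $included
    Excluded          = $excluded
    Enforced          = ($policy.State -eq 'enabled') -and $included -and -not $excluded
    AuthenticatorApps = $apps.Count
    Devices           = $apps.DisplayName -join ', '
}
```

Reviewing the Devices column periodically shows which phones still hold a registration on the shared account, so registrations belonging to people who have left the group can be removed under "Security Info".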

