IT Blog


Mandatory MFA without the pain.

If you don’t know by now then you must have been living under a rock. MFA (Multi-Factor Authentication) is mandatory for all Lorica clients, and if you can’t live with it then we’d really need your confirmation in writing.

If you have cyber insurance, then I suspect your policy may well stipulate you have MFA in place.

Enforced MFA can have two drawbacks. One is the extra steps your users have to go through every time they log in. The other is the systems, applications and sometimes printers that need to use mailboxes on your M365 tenancy but only know how to send a username and password (basic authentication) and cannot answer an MFA prompt.


Conditional Access

Here’s an option that may help. It’s pretty much exactly what it says. Access is granted based upon conditions.

So, we can describe the objective as follows.

If one of your users logs into Microsoft 365, whether that is email, OneDrive, SharePoint or something else, they need to go through multi-factor authentication. Except, if they are in the company office.

This keeps your accounts secure. If they are working from your office, and Microsoft 365 can see this from the public IP address the sign-in arrives from, then do away with the MFA and let them straight in. However, when they leave and stop at McDonald’s and log in on the WiFi there, they need to authenticate with MFA. Makes sense doesn’t it?

One thing to be clear about: the exemption trusts the network, not the person. Anyone whose traffic leaves through the office IP address, including a visitor on the guest WiFi or a compromised machine on the LAN, gets the same pass, so keep the office network itself tidy and don’t exempt any more addresses than you have to.

Requirements

  1. Some way to identify logins from your company office.
  2. The capability added to your tenancy

Your company office can be identified by a static IP address on the Internet connection. For most of our clients, this is already in place. If not, contact your ISP and request it. There may be a small charge.

Conditional Access is a feature of Azure AD Premium P1 (now called Microsoft Entra ID P1), which is included in the “Microsoft 365 Business Premium” licence. These cost about £15.00 per month. Technically the feature switches on for the whole tenancy as soon as one Premium licence is present, and upgrading one user from Standard to Premium only adds around £5.00 per month to your bill. Be aware, though, that Microsoft’s licensing terms say every user covered by a Conditional Access policy should hold a licence that includes it, so confirm the single-licence approach with your licensing reseller rather than treating it as a loophole.

NOTES: if you have multiple sites or remote virtual machines, then you will need a fixed IP for each location for this to work everywhere. Anywhere without a fixed IP (home workers, hotels, that McDonald’s) simply keeps prompting for MFA, which is the intended behaviour. Add each office as a single address (/32) rather than a range, and check that it is the address your sign-ins actually leave from: an office that routes its Internet traffic through a VPN or cloud proxy will show up as that provider’s address, not your ISP’s.
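Here is the whole setup as a script, added here as an illustration; it is not Lorica’s own tooling and the original post only describes the steps. It uses the Microsoft Graph PowerShell SDK. The office address 203.0.113.10 (a documentation address), the display names and the break-glass account ID are placeholders you would replace with your own values.

```powershell
# Requires the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Identity.SignIns

# Sign in with the permission needed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# ---- Assumed values (not from the original post) ----
# The office's static public IP. 203.0.113.10 is a documentation address;
# use a /32 unless your ISP has actually given you a block.
$OfficeIp = "203.0.113.10/32"
# Object ID of an emergency-access ("break glass") account that is excluded
# from the policy so a mis-scoped rule cannot lock every admin out.
$BreakGlassUserId = "00000000-0000-0000-0000-000000000000"

# 1. Named location for the office, marked as trusted.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Head office (static IP)"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = $OfficeIp
        }
    )
}

# 2. The policy: MFA for all users, all cloud apps, all client types,
#    except sign-ins arriving from a trusted named location.
#    Created in report-only mode first; switch state to "enabled" once the
#    sign-in logs show it matching the sign-ins you expect.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA except from office"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($BreakGlassUserId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")          # includes legacy (basic auth) clients
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# 3. Read both objects back so they can be checked before going live.
Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $location.Id |
    Select-Object DisplayName, Id
$policy | Select-Object DisplayName, State, Id
```

Two points about the design. Leaving the policy in report-only mode for a few days and reading the Conditional Access tab of the sign-in logs tells you whether office sign-ins really are being seen from the address you entered, which is the check that catches a wrong IP or a VPN egress before anyone is locked out. Including all client app types means a printer or scanner that can only do basic authentication is let in from the office IP but is effectively blocked from anywhere else, since it cannot satisfy the MFA requirement; that is the behaviour you want for a device that was never meant to log in from outside.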