![]() ![]() I can understand that using preview features is not the preferred options for a business, yet it was decided this way to make a cost-free method to enable MFA for everybody available immediately, instead of waiting until GA to come with this option. internal use rights - as Partner you should have internal use licenses for EM+S E3, which includes AzureAD Premium P1 (And those keys/license packs can be enabled in any tenant - but each key only in one tenant). Anyway, difficult to do a root cause analysis later and without logs of risk details. Still I wonder why usage of different source IPs would trigger a password reset - often-changing IPs should only trigger a forced MFA prompt, not a pw reset. I agree that some of the caveats in those policies can be documented more clearly (and some of this was already improved in the last weeks). ![]() Your comments are definitively a good read for all the other Partners in this community. Right now the help desk can go into AAD, switch to Authentication methods and do everything that is needed there. I already assigned the Authentication admin role and this partially works. I have worked with a few Partners already enabling those, luckily none of them experienced this. 08:28 AM Office 365 Admin Role Needed for MFA I would like to assign members of the help desk access to manage MFA for non-admin users. Thanks for your feedback and I'm sorry to hear that enabling this policy resulted in a full day business outage. Issues resolved, but the problem is there, and they shouldn't be basing our partnership agreements on Preview/Beta software. But it took 10 hours and my company was out of business for a day, with all users being considered Risky Users and my DC unavailable for password changes. I'm the tenant admin and had no idea 'Risky Users' even existed, so I'd like to know that I've got users in that bucket.Īs I said, the answer is exactly as you've described, but it required me to get baseline removed from my user account so I could get in then disable baseline for everyone. So while there's a simple sentence in that article about Compromised users at the tail-end, it does not take into consideration things like users who run MS software on phones or tablets and have a VPN, for example, so that the software that constantly logs in to Microsoft logs different IPs and automatically throws the user in a compromised user bucket without notifying anyone. The compromised users thing is still in Preview/Beta and I wasn't even aware of it, but I can't touch or change it without a premium AD license. The problem is I didn't encounter any of these items or issues until after MFA was enabled. This is a fantastic response, and the correct one, so thank you. ![]()
0 Comments
Leave a Reply. |