There are several key decisions underpinning progress here:

1. Is MFA required or just enabled? In other words, do we want to allow MFA as yet another authentication possibility or require someone to use MFA?
2. On what basis do we enable MFA? What triggers MFA? Per user, per app, per subnet, for all, or some combination of the above?

On #1, to require MFA for Azure AD & Office 365 applications we will need to use an MFA provider, most of which require that Modern Authentication be used. This has the impact of breaking legacy clients, e.g. Thunderbird, Office 2010, IMAP-based, etc. Once a user must perform MFA, only email clients using Modern Authentication (ADAL) will work. If we do not require MFA, then there are a variety of paths by which a given user might still use a password to access Office 365 applications.

Note: there may be a few additional issues for #1 based on the answer to #2 (e.g. per-app may require MFA for the MS Graph) and some of the options in #2 more broadly require MFA for some set of scenarios, so there is some entanglement.

On #2, there are a variety of locations where we can trigger MFA to happen, each of which has different variables it can trigger upon and different implications. Please reference the solutions table below.

- per-user only: all Shib-based applications require MFA (except when the app is actually an AAD or ADFS RP, then if an IWA token is presented, it can be used instead).
- per-relying party only: all ADFS relying parties require MFA, except when an IWA token is presented.
- per-user and per-relying party: all ADFS relying parties for specific users, except when an IWA token is presented.

Note: all of the above do not require modern authentication (needs testing).

Azure AD (conditional access + Azure MFA)

- per-user only: all AAD apps require MFA.
- per-app only: all users of that app require MFA.
- per-user and per-app: only specified users of that app require MFA.

Note: requires that each user have an AADp1 license (covered by M365 A3 or EMS1).
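The three Azure AD (conditional access + Azure MFA) scoping options above, sketched as Conditional Access policy bodies in the Microsoft Graph `conditionalAccessPolicy` shape, with a simplified scope check. This is an added example, not part of the original page; the group and application IDs are constructed placeholders, and selecting "specified users" by group membership is an assumption.

```python
# Added example: per-user, per-app, and per-user-and-per-app MFA scoping
# expressed as Conditional Access policy bodies.
# IDs below are constructed placeholders, not real tenant objects.

MFA_GROUP = "00000000-0000-0000-0000-00000000aaaa"   # placeholder group id
TARGET_APP = "00000000-0000-0000-0000-00000000bbbb"  # placeholder app id


def build_policy(name, groups=None, apps=None):
    """Return a policy body; groups/apps left as None means 'All'."""
    users = {"includeGroups": list(groups)} if groups else {"includeUsers": ["All"]}
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": users,
            "applications": {"includeApplications": list(apps) if apps else ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def requires_mfa(policy, user_groups, app_id):
    """Simplified scope match: ignores exclusions, locations and client app types."""
    cond = policy["conditions"]
    users = cond["users"]
    user_hit = "All" in users.get("includeUsers", []) or bool(
        set(users.get("includeGroups", [])) & set(user_groups)
    )
    apps = cond["applications"]["includeApplications"]
    app_hit = "All" in apps or app_id in apps
    return user_hit and app_hit and "mfa" in policy["grantControls"]["builtInControls"]


# per-user only: specified users, all AAD apps
PER_USER = build_policy("MFA per-user", groups=[MFA_GROUP])
# per-app only: all users of one app
PER_APP = build_policy("MFA per-app", apps=[TARGET_APP])
# per-user and per-app: only specified users of that app
PER_USER_AND_APP = build_policy(
    "MFA per-user and per-app", groups=[MFA_GROUP], apps=[TARGET_APP]
)
```
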