Disable Azure AD MFA Interrupt Mode for a group of users - azure-active-directory

I'm creating a set of hands-on lab users in my Azure AD for access to Azure Labs. We will reuse these user accounts (and reset the passwords after every lab session).
My challenge is that these users are being required to configure MFA, which I THINK is called the Azure AD Interrupt Mode described here.
Is there a way to exclude this group of users from being required to set this up?

I think this can be disabled entirely by navigating to Azure AD - Default Directory - Properties - Manage Security Defaults (right at the bottom of the page) - Enable Security Defaults - set it to No.
If it's on a per-user basis, then navigate to Azure AD - All users - Per User MFA - this will list all the users, and then you can select "n" number of them to either enable or disable MFA.

// Answering my own question and hope it helps someone.
The first and obvious step is to disable MFA. This is described in this link: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
After this, however, you may still face the interrupt wizard as shared in the screenshot of the question above. This is due to Self-Service Password Reset (SSPR) being enabled. If SSPR is enabled, then MFA is still required for them to be able to do a password reset.
Solution 1: If you want SSPR enabled, then create a Conditional Access policy requiring MFA upon sign in.
This way, MFA is only triggered when user wants to do an SSPR.
For this lab user scenario, you will still have to set up MFA one time for each of the users (you may use the same contact details).
Extra note: I tried setting the MFA details by bulk using PowerShell. However, it is not possible to set an MSOL user object's StrongAuthenticationUserDetails property.
Solution 2: Disable SSPR or limit to selected users using AD groups
Don't include the lab users in the selected users group. Since SSPR is not allowed for these users, the extra MFA details won't be asked of these users anymore.
Drawback: The setting is to include user groups which should have SSPR. There's no option to exclude just the lab users.
Solution 2 works for me but may not work for everyone.
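The first step in the answer above (disabling the legacy per-user MFA state for the lab accounts) can be done in bulk for a whole group. This is an added example, not code from the original post; it assumes the MSOnline module used in the linked howto-mfa-userstates article is installed, that Connect-MsolService has already been run, and that the group name is a placeholder for your tenant. As the answer notes, this covers only step one: if SSPR is still enabled for these users, the registration interrupt will still appear.

```powershell
# Added example: bulk-reset the per-user MFA state to Disabled for every
# member of a lab-user group. Assumes Connect-MsolService has been run.
param(
    [string] $GroupName = 'Lab Users',   # assumed group name, change for your tenant
    [switch] $ReportOnly                  # list current state, change nothing
)

$group = Get-MsolGroup -SearchString $GroupName | Select-Object -First 1
if (-not $group) { throw "Group '$GroupName' not found" }

# Only direct user members; nested groups are skipped on purpose
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId |
    Where-Object { $_.GroupMemberType -eq 'User' }

foreach ($m in $members) {
    $user = Get-MsolUser -ObjectId $m.ObjectId

    # Per-user MFA state: an empty requirements collection means Disabled,
    # otherwise the single entry's State is Enabled or Enforced
    $state = if ($user.StrongAuthenticationRequirements.Count -eq 0) { 'Disabled' }
             else { $user.StrongAuthenticationRequirements[0].State }

    Write-Output ("{0}: per-user MFA state = {1}" -f $user.UserPrincipalName, $state)

    if ($state -ne 'Disabled' -and -not $ReportOnly) {
        # Setting an empty requirements array returns the user to Disabled,
        # the same operation the linked article performs for a single user
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName `
                     -StrongAuthenticationRequirements @()
        Write-Output ("{0}: per-user MFA state set to Disabled" -f $user.UserPrincipalName)
    }
}
```

Run it once with -ReportOnly to confirm the group resolves to the intended lab accounts before making changes.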

Related

"User is not enrolled in Duo Security" after adding a security key

I successfully added a YubiKey to Snowflake MFA:
Next time I try to log in I immediately get the following "User is not enrolled in Duo Security. Contact your local system administrator." error:
After inputting my username and password, I expect the site to ask me to touch my YubiKey. Instead I immediately get the error described above.
How can I set up Snowflake MFA using a YubiKey security key?
Our local admin disabled my MFA and I repeated the steps and I got the same result.
Unfortunately this is not available on Snowflake side as of now.
I do agree there is a bit of confusion in the fact that you are allowed to enroll with a YubiKey but then fail to authenticate.
We do have an internal improvement request pending for this feature. I don't know a timeline yet but you can reach out to your Snowflake representative if you need more information.
Functionality might not be available with Snowflake, you can always enable Single Sign-on with your Identity provider and enable the yubi on the IDP end.
Snowflake has removed that "Security Key" option for all regions to avoid this problem. That option for Snowflake MFA is not supported at the moment.

Azure AD Access Reviews

I am wondering what the criteria are for Azure PIM Access Reviews recommendations? In the documentation it gives an example of an interactive user not signing in for the last 30 days. Do the PIM Access Reviews look at who hasn't activated their eligible role(s)? Is there a corresponding report that could be pulled to view anyone who has not requested to elevate their privileges in the last x days?
You can configure security alerts for Azure AD PIM if the user goes over a specified number of days without activating the role. When an alert is triggered, it shows up on the Privileged Identity Management dashboard. Select the alert to see a report that lists the users or roles that triggered the alert. We have three levels of severity in security alerts.
High: Requires immediate action because of a policy violation.
Medium: Does not require immediate action but signals a potential policy violation.
Low: Does not require immediate action but suggests a preferable policy change.
We have a default rule called "Administrators aren't using their privileged roles"; you may configure this alert to get the list.
Why do I get this alert?
Users that have been assigned privileged roles they don't need increase the chance of an attack.
Trigger: Triggered if a user goes over a specified number of days without activating a role.
Number of days: This setting specifies the maximum number of days, from 0 to 100, that a user can go without activating a role.
Prevention: Assign privileged roles only to users who have a business justification. Schedule regular access reviews to verify that users still need their access.
How to fix? Review the users in the list and remove them from privileged roles that they do not need.
Security alerts for Azure AD roles in PIM - Azure AD | Microsoft Docs
You can also retrieve the group membership information and the users who are activated by using PowerShell commands or scripts.
Here are some references to the PowerShell commands:
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/powershell-for-azure-ad-roles
https://practical365.com/powershell-script-to-report-rbac-role-group-membership/

Azure Active Directory Blockers - Policy Behaviors

Customer has moved into Azure AD and needs clarification on two behaviors he is seeing in order to broadly roll out to organization and get off prem.
1- Right now, they have "keep me signed in" configured in Azure AD; however, they have shared devices - iPads - in retail stores where they don't want that behavior and want people to log in every time for websites. Is there a way to set a subgroup of users that keep me signed in will not apply to? Right now they only see a policy setting to configure it on or off for the entire organization.
2- Customer turned on the self-service password reset portal; however, they only see an option to configure what options they have to authenticate across the whole org. Can they set up different options for different groups of users on what is needed to reset a password and confirm identity - retail does Q&A, business does authentication, etc.?
Answer to Q1:
KMSI is controlled via the company branding, and is not on a per-user basis but on a "per-language" basis (because you can have different branding for different locales). In that sense KMSI cannot be controlled on a per-user basis.
Answer to Q2:
SSPR has 3 states - None, Selected, All. When you choose Selected you can choose a single security group for which SSPR will be enabled. All other users will not have SSPR enabled.

AD for sign in only as well as group/role mapping

I have 2 different use cases for AD within the same app:
Sign a user in and nothing else
Sign in and read group/role claims, remove deactivated users etc.
Both are unique by user account, but live in the same app. It's important to avoid admin consent for the first case.
How can this be achieved? 2 different AD app registrations like "MyApp Simple" and "MyApp Enterprise"? Or is there something better?
You can try two different app registrations or just set the logic within the app itself and apply it based on the roles. From what I understand you will have certain users that have the same permissions but have different user experiences depending on where they sign in from? If this is the case you can just enable or disable the group/role claims in the app itself depending on the permissions applied to the user. I was able to achieve something very similar following this guide and repository. Please see if it helps.

SonarQube updating Active Directory users - sonar.security.updateUserAttributes

In our SonarQube 5.4 we authenticate against Active Directory using the LDAP plugin and specifying just one property in sonar.properties:
sonar.security.realm=LDAP
(according to http://docs.sonarqube.org/display/PLUG/Microsoft+Active+Directory)
It's a shame they removed the feature to disable updating user properties on every login:
sonar.security.updateUserAttributes = false
See this:
https://jira.sonarsource.com/browse/SONAR-7219
We've been using it, as update on every login removes assignment of users to SonarQube built-in groups, e.g. sonar-administrators.
I can give individual users whatever rights in Administration > Security > Global Permissions, but I'd prefer to do this for SonarQube groups, as we have lots of users.
Reflecting the whole setup of groups in AD is difficult, as our Infrastructure teams are too slow and bureaucratic.
Is there any other way to achieve what we want?
UPDATE
I've tried configuring empty values for group properties:
ldap.group.baseDn=
ldap.group.request=
ldap.group.idAttribute=
But it doesn't help - every login group membership is resynchronized again from AD and membership in internal SQ groups is removed.
In order to disable group synchronisation from LDAP, you can simply remove the ldap.group.* properties.
See "Group Mapping" http://docs.sonarqube.org/display/PLUG/LDAP+Plugin.