SysAdmins - How do you setup your Tier 0/Global Admins MFA wise?
Posted by Technical-Device5148@reddit | sysadmin | 21 comments
Hi All,
What's your current Security setup for Global Admins? I.e., are they using FIDO, regular App MFA, CA policies tied to Entra Roles to prompt for re-auth in Admin portals?
How have you got your setup in a robust state (or as best you can), while maintaining productivity and not causing any roadblocks during day to day work?
For example, if you setup FIDO keys and set CA to use this as a primary auth method for Admins, it's all well and good, until you run into a Module that isn't supported, like Azure Storage Explorer (Graph) and Exchange Online. I'm aware that PS Module 7 can work and using the PS module in https://portal.azure.com/, but understand it has some limitations.
Just curious from your perspective!
bjc1960@reddit
FIDO2 with phishing resistant MFA. As we have some VMs in Azure, we need to temporarily disable phishing resistant MFA to install the connector as GA as we can't pass with Yubikey to Azure. Entra Private Access needs a GA to install the connector.
"I" am the only one that will do this, and I am diligent about swapping it back as soon as I am done. We are small enough not to have any drama about this.
We have PIM also for GA, other roles.
We are Entra only, there are many things that need GA - Entra Private access, some of the billing stuff, etc.
Here, IT is "drama free".
iRyan23@reddit
You can also allow TAP codes to be used. For example, I am using an Authentication Strength CA that says admins must log in via FIDO2 or a TAP.
When you need to perform the work that doesn’t support FIDO2, just generate a TAP for that user and you don’t have to keep turning the MFA off.
Technical-Device5148@reddit (OP)
Our head of Security wants Tier0 Admins to be FIDO by default, but due to FIDO not being supported in some Modules it's a bit of a pain.
I could just set FIDO + MFA App but, knowing human behaviour, a malicious actor would just choose MFA App over FIDO if presented.
TAP is interesting, but what stops TAP from being abused by a malicious actor and bypassing FIDO?
iRyan23@reddit
TAP codes for admins can only be issued by users with Global Admin or Privileged Authentication Admin.
It just generates a one-time use (or short lived multiple use) random password. You would have to be diligent where you use the TAP codes as they are obviously not phishing resistant though.
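The two comments above (an Authentication Strength that allows only FIDO2 or a TAP, and the question of whether TAP undermines FIDO) come down to how a strength is evaluated: it is a list of allowed method combinations, and a sign-in passes only if the methods it actually used cover one whole combination, so nobody gets to "choose" Authenticator push when it is not on the list. The following is an added example, not code from the thread or from Microsoft; it evaluates constructed sign-in records against such a strength and tallies TAP use per user so it can be reconciled against the TAPs you actually issued. The method names are the values Entra uses in `allowedCombinations`; the policy display names, user names and sign-in records are constructed.

```python
"""Evaluate sign-ins against an Entra Authentication Strength (added example).

A strength is a list of allowed combinations; each combination is a
comma-separated set of authentication methods. A sign-in satisfies the
strength only if the methods it used are a superset of one combination.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed policy matching the thread: admins use FIDO2 or a one-time TAP.
# The display name is an assumption; the method names are Entra's own.
ADMIN_STRENGTH = {
    "displayName": "Admins - FIDO2 or TAP (assumed name)",
    "allowedCombinations": ["fido2", "temporaryAccessPassOneTime"],
}

# Looser strength for comparison: password + Authenticator push also passes.
MFA_STRENGTH = {
    "displayName": "Any MFA (comparison only)",
    "allowedCombinations": [
        "fido2",
        "temporaryAccessPassOneTime",
        "password,microsoftAuthenticatorPush",
    ],
}


@dataclass(frozen=True)
class SignIn:
    user: str
    methods: frozenset[str]  # authentication methods used in this sign-in


# Constructed sign-in records (not real log exports).
SAMPLE_SIGNINS = [
    SignIn("ga-alice@example.com", frozenset({"fido2"})),
    SignIn("ga-bob@example.com", frozenset({"password", "microsoftAuthenticatorPush"})),
    SignIn("ga-carol@example.com", frozenset({"temporaryAccessPassOneTime"})),
    SignIn("ga-bob@example.com", frozenset({"password"})),
]


def satisfies(methods, strength) -> bool:
    """True if the methods used cover at least one allowed combination."""
    used = set(methods)
    return any(set(combo.split(",")) <= used
               for combo in strength["allowedCombinations"])


def review(signins, strength):
    """Return (user, sorted methods, 'allowed'|'blocked') per sign-in."""
    return [
        (s.user, sorted(s.methods),
         "allowed" if satisfies(s.methods, strength) else "blocked")
        for s in signins
    ]


def tap_usage(signins) -> dict[str, int]:
    """Count TAP sign-ins per user, to reconcile against TAPs actually issued."""
    counts = Counter(
        s.user for s in signins
        if s.methods & {"temporaryAccessPassOneTime", "temporaryAccessPassMultiUse"}
    )
    return dict(counts)


if __name__ == "__main__":
    for user, methods, verdict in review(SAMPLE_SIGNINS, ADMIN_STRENGTH):
        print(f"{verdict:8} {user:24} {','.join(methods)}")
    print("TAP sign-ins per user:", tap_usage(SAMPLE_SIGNINS))
```

Under `ADMIN_STRENGTH` the password + push sign-in is blocked even though it is "MFA"; under `MFA_STRENGTH` it passes, which is exactly the weakening the OP was worried about. The TAP tally is the detection side of "be diligent where you use TAP codes": any user whose TAP sign-ins exceed the TAPs you issued deserves a look.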
ohyeahwell@reddit
Same, specifically YubiKey 5 NFC.
DaithiG@reddit
For people using Yubikeys, is there not a fear that the key will stop working? It's still hardware and can fail?
Technical-Device5148@reddit (OP)
AFAIK if there's an instance the assigned Yubi/FIDO key fails, the admins will just have to be removed from the global CA policies and fall back to other MFA methods, if there isn't an alternative configured in the assigned Auth Strength being used.
By design if you're the only GA in the organisation, then it's best to have some kind of a break-glass GA just in case you lock yourself out.
Saucy_Meatball_5122@reddit
Phish-resistant MFA using MS Authenticator requiring the manual entering of a number via push notification.
Entra CA policy requiring admin accounts reauthenticate every 24 hours.
Entra CA policy requiring logins from managed, compliant devices.
Entra CA policy enforcing geofenced access from only the US and CA.
Forced password changes every 90 days.
Breend15@reddit
I agree with everything here but the forced password changes. That's shown to decrease security over time and why NIST and most other governing bodies (including MS themselves) have moved away from that. https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
https://auditboard.com/blog/nist-password-guidelines
Saucy_Meatball_5122@reddit
A current password out on the dark web is still a current password out on the dark web regardless of complexity. Also Cyber Insurance firms still oftentimes want passwords changed on an interval regardless of MS guidance.
SystemGardener@reddit
Wild, everyone I’ve spoken to the last year hasn’t wanted it. It’s not just Microsoft saying it’s a bad idea, it’s also NIST.
Saucy_Meatball_5122@reddit
Why is it a bad idea?
Hour-Profession6490@reddit
Here's an example over time:
What should I use as a password?
Password = "Compl3x Passw0rd!"
90 days later...
Password = "Compl3x Passw0rd!1"
90 days later...
Password = "Compl3x Passw0rd!2"
This is not very secure.
Saucy_Meatball_5122@reddit
So less secure than having a password that you never change? A password that, if it eventually leaks out in some sort of data breach or is compromised, it’s still a working password because it hasn’t been changed?
Hour-Profession6490@reddit
If you use a password like "Zone1-Startle-Strudel" (generated in Bitwarden) that you don't need to change, you're not going to re-use it.
If you use something like "Compl3x Passw0rd!1" you're probably going to re-use it all over the place because you have to keep changing it every 90 days.
Now in the scenario that the password leaks, you're still ok because of MFA. You should still change it if you discover that the password is leaked. However, what are the chances that the re-used password is also used somewhere else that doesn't require MFA and also requires that you change your password every 90 days compared to the one that isn't changed all the time?
Saucy_Meatball_5122@reddit
Sounds like MFA and CA policies are saving the day in both scenarios but one scenario has passwords that are no longer valid.
Hour-Profession6490@reddit
Your mileage may vary on the "no longer valid passwords". It's up to the users changing passwords to not update the password to the password + number, which is what NIST and Microsoft have found happens when you force users to change their password all the time. Hackers are smart and will try a "no longer valid password" + 1/2/3 etc.
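The failure mode described in this exchange (rotation degrading into "Compl3x Passw0rd!1", "...!2") is one a change-time check can refuse. The following is an added example, not code from the thread or from any vendor: at password change it compares the candidate against the previous password, rejecting near-duplicates by suffix-stripped comparison and by edit distance, and against a small breached-password set. The sample passwords, the breach set and the thresholds are constructed.

```python
"""Reject "old password + 1" rotations at change time (added example).

Two checks catch the pattern: normalising away a trailing digit/punctuation
suffix and comparing, and a plain edit distance so "!1" -> "!2" is caught
even when the suffix is not at the very end.
"""
import string

# Constructed stand-in for a breached-password list (store normalised forms).
BREACHED = {"password1", "compl3x passw0rd"}


def normalise(pw: str) -> str:
    """Casefold and drop trailing digits/punctuation, the usual rotation suffix."""
    return pw.casefold().rstrip(string.digits + string.punctuation)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_rotation(old: str, new: str, breached=BREACHED,
                   min_len: int = 14, max_similar: int = 3) -> list[str]:
    """Return the reasons the new password is rejected; an empty list means accepted."""
    reasons = []
    if len(new) < min_len:
        reasons.append("too short")
    if normalise(new) in breached:
        reasons.append("appears in breached-password list")
    if normalise(new) == normalise(old):
        reasons.append("same as previous password apart from a trailing suffix")
    if edit_distance(old, new) <= max_similar:
        reasons.append("too similar to previous password")
    return reasons


if __name__ == "__main__":
    # Constructed rotation history from the thread's example.
    history = ["Compl3x Passw0rd!", "Compl3x Passw0rd!1", "Compl3x Passw0rd!2",
               "Zone1-Startle-Strudel"]
    for old, new in zip(history, history[1:]):
        verdict = check_rotation(old, new) or ["accepted"]
        print(f"{old!r} -> {new!r}: {'; '.join(verdict)}")
```

The first two rotations are rejected on both checks; the generated passphrase is accepted because it shares nothing with the previous password. The edit-distance threshold is the tunable part: 3 catches appended or incremented suffixes without rejecting genuinely new passwords.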
Floh4ever@reddit
Just that we are not talking about users but sysadmins changing global admin account passwords. That's an entirely different thing. Rotating complex, randomly generated passwords definitely increases security.
iRyan23@reddit
You said phish-resistant MFA using MS Authenticator requiring entering the number via push notification.
That’s not phish-resistant then. You would need to be using a passkey within the MS Authenticator app and it does not involve entering a number from a push notification. It usually involves scanning a QR code and then confirming on your device with PIN or biometrics.
Unless I’m missing something, can you tell me a situation where using the MS Authenticator app with a push notification is somehow phishing-resistant?
Saucy_Meatball_5122@reddit
Also depending on your level of M365 licensing, MS Defender is a powerful tool especially for reporting. Set up alerts to send to an email distro for any admin level activity such as creating/deleting user accounts, elevating/lowering privileges, password resets etc. You can expand on that with alerts for Impossible Travel, Suspicious Sessions, mailbox redirects, and even create CA policies to automatically take action if an alert of a particular severity breaches your established threshold. If you have a 24/7 SOC, give them a list of your admin accounts and tell them to give the accounts additional scrutiny with their monitoring.
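The alerting this comment describes (admin-level activity such as role elevation, password resets and account creation/deletion) is a small set of rules over the directory audit log. The following is an added example, not code from the thread or from Microsoft: it runs those rules over audit records shaped like Entra's directoryAudit objects (`activityDisplayName`, `initiatedBy`, `targetResources` with `modifiedProperties`) and assigns a severity, with the admin account list being the one you would hand to a SOC. All records, account names and severities are constructed.

```python
"""Triage directory audit events for admin-level activity (added example).

Rules: privileged role grants are high; password resets are high when the
target is a known admin account; user creation and deletion are medium.
"""
from collections import Counter

# Constructed: the admin accounts a SOC would be told to scrutinise.
ADMIN_ACCOUNTS = {"ga-alice@example.com", "ga-bob@example.com"}
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Authentication Administrator",
    "Privileged Role Administrator",
}

# Constructed audit records in the shape of Entra directoryAudit objects.
SAMPLE_AUDIT = [
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "ga-alice@example.com"}},
     "targetResources": [{"userPrincipalName": "eve@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": '"Global Administrator"'}]}]},
    {"activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com"}},
     "targetResources": [{"userPrincipalName": "ga-bob@example.com"}]},
    {"activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "ga-alice@example.com"}},
     "targetResources": [{"userPrincipalName": "new.hire@example.com"}]},
    {"activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "ga-alice@example.com"}},
     "targetResources": [{"userPrincipalName": "dan@example.com",
                          "modifiedProperties": [{"displayName": "Department",
                                                  "newValue": '"Finance"'}]}]},
    {"activityDisplayName": "Delete user",
     "initiatedBy": {"user": {"userPrincipalName": "ga-alice@example.com"}},
     "targetResources": [{"userPrincipalName": "leaver@example.com"}]},
]


def _roles_granted(target) -> set[str]:
    """Pull role names out of a target's modifiedProperties (values are JSON-quoted)."""
    return {p["newValue"].strip('"')
            for p in target.get("modifiedProperties", [])
            if p.get("displayName") == "Role.DisplayName"}


def triage(events, admin_accounts=ADMIN_ACCOUNTS):
    """Return (severity, message) alerts for the events that match a rule."""
    alerts = []
    for ev in events:
        actor = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        activity = ev["activityDisplayName"]
        for target in ev.get("targetResources", []):
            who = target.get("userPrincipalName") or target.get("displayName", "?")
            if activity == "Add member to role":
                roles = _roles_granted(target)
                sev = "high" if roles & PRIVILEGED_ROLES else "medium"
                alerts.append((sev, f"{actor} granted {', '.join(sorted(roles))} to {who}"))
            elif activity == "Reset user password":
                sev = "high" if who in admin_accounts else "low"
                alerts.append((sev, f"{actor} reset password for {who}"))
            elif activity in ("Add user", "Delete user"):
                alerts.append(("medium", f"{actor}: {activity} {who}"))
            # Other activities (e.g. attribute updates) are not alerted on.
    return alerts


def by_severity(alerts) -> dict[str, int]:
    """Counts per severity, the number a threshold-based response would compare."""
    return dict(Counter(sev for sev, _ in alerts))


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_AUDIT):
        print(f"[{sev.upper():6}] {msg}")
    print(by_severity(triage(SAMPLE_AUDIT)))
```

The password-reset rule is the one that depends on the admin account list: the same event is low severity for an ordinary user and high for a Tier 0 account, which is the "additional scrutiny" the comment asks a SOC to apply.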
iRyan23@reddit
For Entra admin users, we only allow FIDO2/Passkeys using physical Yubikeys or with the MS Authenticator app. We also have TAP codes enabled so they can be generated as needed for use in the rare situation where FIDO2 won’t work.