Microsoft Entra ID - MFA Authentication
Posted by In_The_Quest47@reddit | sysadmin | 11 comments
Hello everybody, we are changing MFA authentication for logging into Microsoft customer accounts to keep only Microsoft Authenticator validation. So far the support team used to have SMS or calls in the customer profile to validate themselves in order to access the customer profile and solve situations or whatever the customer asks, without bothering them for a number from the Microsoft Authenticator.
Can you think of a good alternative to keep giving them support without being annoying to the customer? Thanks!
In_The_Quest47@reddit (OP)
None got the question right, maybe just one of the comments. THIS IS, OF COURSE, WITH THE AUTHORIZATION AND KNOWLEDGE OF THE CUSTOMER.
Myriade-de-Couilles@reddit
You didn’t understand the answers right.
Even with their authorisation you should never ever know the password of a user account; it is the most basic rule of accountability, auditing and compliance in general.
ElectroSpore@reddit
For the most part, SMS and calls are considered insecure these days and you SHOULD be moving to stronger token / push / passwordless MFA modes. It is at least better than NO MFA.
Probably fine in the short term if you are switching over from another system to make it easier but you should be moving up to more secure MFA methods.
In_The_Quest47@reddit (OP)
Totally agree. But any thoughts on an alternative access method to let the support team in without bothering the customer, who gives them authorization?
ElectroSpore@reddit
Wait you are logging in AS the users? Then no you should be fired!
In_The_Quest47@reddit (OP)
Not at all, it's only for setup or to configure licences or apps that need validation.
KavyaJune@reddit
Set up another authentication method, but accessing as the end user account is a security violation.
AppIdentityGuy@reddit
This is an incredibly bad idea.
lart2150@reddit
Temporary access pass
Valdaraak@reddit
If I was a customer and the support team at your company was accessing my account (or anyone at my company) without authorization, I'd be looking to cancel services with you.
Unless you're talking about admin accounts that, for some reason, are tied to someone at the customer rather than the tech signing in.
TheUnrepententLurker@reddit
If y'all are logging into your end users' accounts as them, y'all need to be fired yesterday.