Enable MFA without assigning Global Admin Privileges to support staff
The purpose of this post is to provide an alternative method of enabling MFA on user accounts without assigning Global Admin permissions to all support staff.
Please note that this solution is based on Azure AD Conditional Access, which requires an Azure AD Premium P1 licence for the users in scope.
This option reduces the administrative overhead of protecting compromised accounts: support staff only need the right to manage the membership of one security group, not an Azure AD admin role.
To get started, log in to the Office 365 Admin Portal: https://portal.office365.com
Then navigate to Azure Active Directory.
- In Azure Active Directory, select Conditional access.
- From the Conditional access menu, select “New Policy”.
From the New policy menu, do the following.
- Policy Name “O365_Enable_MFA”
- Under Assignments, click “Users and groups”, choose Include, tick “Users and groups” and pick the synced on-prem security group “O365_Enable_MFA”.
- Click “Select” at the bottom after choosing the group. Membership of this group is what puts a user in scope of the policy, so it is the only object support staff need rights to change. Because it is an on-prem group, a newly added member only comes into scope once Azure AD Connect has synced the change to Azure AD.
In the next option you need to provide the cloud application to which you would like to apply MFA. In this case it will be Office 365 Exchange Online; note that only the apps you select here are protected by this policy, so other Office 365 services are not covered unless you add them.
- Click Cloud Apps then select apps.
- Select Office 365 Exchange Online and click select.
- Click Done
To configure the MFA for the selected cloud apps, do the following.
- Click on Access control
- Then Click Grant and select “Require multi-factor authentication”
If more than one control is selected:
- Select “Require all the selected controls”
- Click “Select”
Lastly, under Enable policy, select “Enable” and then click “Save”.
As you will notice on the main policy screen, the newly created “O365_Enable_MFA” policy now shows as “Enabled”.
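The same policy can be created from PowerShell instead of clicking through the portal. The following is an added example and is not code from the original post; it uses the Microsoft Graph PowerShell SDK and assumes the on-prem group “O365_Enable_MFA” has already been synced to Azure AD. The Exchange Online application ID is the well-known first-party value; the group is resolved by display name at run time.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns
# Added example (not from the original post): build the O365_Enable_MFA
# Conditional Access policy with Microsoft Graph PowerShell.

# Scopes needed to read the group and write Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Resolve the synced on-prem security group by its display name.
$group = Get-MgGroup -Filter "displayName eq 'O365_Enable_MFA'"
if (-not $group) {
    throw "Group O365_Enable_MFA was not found in Azure AD; check that directory sync has run."
}

# Well-known application ID of Office 365 Exchange Online.
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

# Policy body mirrors the portal steps above:
#   Assignments -> Users and groups -> Include -> O365_Enable_MFA
#   Cloud apps   -> Office 365 Exchange Online
#   Grant        -> Require multi-factor authentication, require all selected controls
#   Enable policy -> Enable
$policy = @{
    displayName = 'O365_Enable_MFA'
    state       = 'enabled'
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'      # "Require all the selected controls"
        builtInControls = @('mfa')   # "Require multi-factor authentication"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Before switching `state` to `enabled` in production, set it to `enabledForReportingButNotEnforced` (report-only) and review the sign-in logs, and add an emergency-access account under `conditions.users.excludeUsers` so that a broken MFA registration cannot lock every admin out of Exchange Online.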
To test that MFA is working, sign in with a user who is a member of the “O365_Enable_MFA” on-prem security group.
After signing in, the user is prompted to set up MFA.
The user is then asked to provide a valid cellphone number; select Call or SMS and click Next. SMS and voice call are the weakest of the available methods, so where the tenant allows it, register the Microsoft Authenticator app instead.
An OTP is sent to the mobile number provided. Enter the OTP code and click Verify to complete the MFA registration.
Once registration is complete, the user is prompted for another OTP, which is sent again after the registration process.
After providing the MFA OTP, the user is able to access the Office 365 portal.
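This is the day-to-day part that support staff run: add the user to the on-prem group, push the change to Azure AD, and confirm the user is in scope. The script below is an added example, not part of the original post. It assumes the RSAT ActiveDirectory module, delegated write access on the group’s membership only, and remote PowerShell access to the Azure AD Connect server, whose hostname `AADCONNECT01` is a placeholder.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Users
# Added example (not from the original post): put a user in scope of the
# O365_Enable_MFA policy without any Azure AD admin role.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $GroupName        = 'O365_Enable_MFA',
    [string] $AadConnectServer = 'AADCONNECT01'   # assumed hostname, replace with yours
)

# 1. Add the user to the on-prem security group. Only membership write on this
#    group is needed, which is what keeps Global Admin out of support staff hands.
Add-ADGroupMember -Identity $GroupName -Members $SamAccountName
Write-Host "Added $SamAccountName to $GroupName on-prem."

# 2. Trigger a delta sync so the membership reaches Azure AD now rather than on
#    the next scheduled cycle (30 minutes by default).
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
    Start-ADSyncSyncCycle -PolicyType Delta
}
Start-Sleep -Seconds 60   # give the delta cycle time to export

# 3. Confirm the user now appears in the synced cloud group.
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All'
$adUser  = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
$mgUser  = Get-MgUser -UserId $adUser.UserPrincipalName
$group   = Get-MgGroup -Filter "displayName eq '$GroupName'"
$members = Get-MgGroupMember -GroupId $group.Id -All

if ($members.Id -contains $mgUser.Id) {
    Write-Host "$($adUser.UserPrincipalName) is in scope of $GroupName; MFA will be required at the next Exchange Online sign-in."
} else {
    Write-Warning "Membership is not visible in Azure AD yet; wait for the sync to finish and re-check."
}
```

Until the user has completed the registration described above, the policy only forces registration at the next sign-in; if you are enabling MFA because an account is already compromised, reset the password first so the attacker cannot be the one who completes the registration.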