Afternoon all,

I am looking at a Conditional Access policy in Azure.

The policy I am looking at is Require multi-factor authentication.

Should I exclude any users from this? For example, service accounts? The one I have in mind is the following…

On-Premises Directory Synchronization Service Account

Many thanks


I guess I previously answered it

Go to Microsoft 365 admin center → Users → Active users → Select the user → Manage multifactor authentication → Select the user → Disable multi-factor authentication.

How is MFA enabled?

CA to exclude MFA https://support.voleer.com/hc/en-us/articles/360058029673-MFA-White-Listing

Thank you, I was just wondering if there are other accounts like this (service accounts) that should have MFA disabled. Or should MFA be enabled on all accounts, users and service?

I think an actual user account is being used to sync AD with Azure (Azure AD Connect) rather than a service account.

Is it a simple case of re-running the setup wizard for Azure AD Connect to change the account used to sync?

Exclude all service accounts along with the Azure sync account from MFA. Only user and admin accounts need to be set up with MFA. You can create two Azure security groups. Populate one group with all the service accounts and another group with your users who require MFA. From your M365 portal, go to Security, Conditional Access and configure your MFA there. Include the users group to require MFA and exclude the service accounts group to exempt them from MFA.
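The two-group policy described in the answer above, built with the Microsoft Graph PowerShell SDK as an added example (not code from the thread). The group names, policy name and report-only starting state are assumptions; it also lists the exclusion group's members so the exemptions can be reviewed before the policy is switched to enforced.

```powershell
# Added example: create the include/exclude MFA Conditional Access policy from the post above.
# Assumed group names; create the two security groups in Entra ID / Azure AD first.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

$requireMfa = Get-MgGroup -Filter "displayName eq 'CA-MFA-Required-Users'"
$excludeMfa = Get-MgGroup -Filter "displayName eq 'CA-MFA-Excluded-ServiceAccounts'"

$policy = @{
    displayName = "Require MFA - users (service accounts excluded)"
    # Start in report-only mode: sign-in logs show who would be blocked before anything is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        users          = @{
            includeGroups = @($requireMfa.Id)   # users and admins who must do MFA
            excludeGroups = @($excludeMfa.Id)   # sync account and other non-interactive service accounts
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Review the exemptions: only non-interactive service accounts should appear here.
Get-MgGroupMember -GroupId $excludeMfa.Id -All |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }
```

Once the report-only sign-in logs look right, update the policy's `state` to `enabled`; the exclusion group membership is the thing to re-check periodically, because anyone added to it bypasses MFA.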

Yes, MFA should not be enabled for service accounts.