Lessons learned from the O365 MFA Outage
On the 19th of November, Office365 Multi-Factor Authentication was down from 04:39 UTC until 19:00 UTC in almost all regions. Users who had MFA enabled could not log in for most of a working day. For a business that is dramatic: almost everyone needs Outlook, Skype, SharePoint and the rest of the suite to do their job.
Office365 does not come with a 100% uptime guarantee, so an outage like this is bound to happen once or twice a year. What can you do to prepare for it? Read on.
Enable Location Based Conditional Access
Conditional Access is an Azure AD Premium feature (see Azure AD Premium Plans) that lets you allow or block a sign-in based on properties of the user, the device or the sign-in itself, and require extra controls such as MFA only when certain conditions are met.
One of the best features of Conditional Access is location-based access. You can define 'Named Locations' (your company's public IP addresses, for example), mark them as trusted, and add a Conditional Access policy that only requires MFA when users sign in from outside those locations. Users in the office, or connected through the company VPN, log in without ever touching the MFA service. Keep in mind that the trust is placed in the source IP address: anyone who can reach Azure AD from that network, including an attacker who has compromised a VPN account or a machine in the office, gets the same exemption.
Enable Device Based Conditional Access
Conditional Access has two device-based grant controls:
- Require device to be marked as compliant
- Require Hybrid Azure AD joined device
These require the device the user is signing in from to be marked compliant by Intune (according to your Intune compliance policy) or to be Hybrid Azure AD joined. Combined with the MFA control using the 'require one of the selected controls' operator, this lets you 'whitelist' known devices so their users are not prompted for MFA. That exemption is also the weakness: an attacker who gets hold of (or gains control of) a company device reaches company resources without ever being challenged for a second factor, because the device itself has become the second factor.
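The two sections above describe one policy: require MFA, unless the sign-in comes from a trusted location or from a compliant or hybrid-joined device. The following is an added example, not code from the original post, that creates that policy through the Microsoft Graph API using the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Invoke-MgGraphRequest`). The IP range (an RFC 5737 documentation range), the display names and the emergency-access group id are placeholders you must replace. The policy is created in report-only mode so you can review the sign-in log before enforcing it.

```powershell
# Added example (not from the original post): trusted named location + Conditional
# Access policy "MFA OR compliant device OR hybrid Azure AD joined device" outside
# trusted locations. Requires Azure AD Premium. Names, IP range and group id are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$graph = "https://graph.microsoft.com/v1.0"

# 1. Trusted named location: the office's public egress range (placeholder range).
$officeLocation = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}
$loc = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/namedLocations" `
        -Body $officeLocation -OutputType PSObject

# 2. The policy. Grant controls are OR-ed: a sign-in from a compliant or hybrid-joined
#    device satisfies the policy without MFA, and a sign-in from a trusted location is
#    not in scope at all. The break-glass group is excluded so it can never be locked out.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access group

$policy = @{
    displayName = "Require MFA unless trusted location or known device"
    state       = "enabledForReportingButNotEnforced"   # report-only; set to "enabled" after review
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice", "domainJoinedDevice")
    }
}
$pol = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
        -Body $policy -OutputType PSObject

# 3. Read the policy back and verify the exclusion actually landed before anyone enables it.
$check = Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies/$($pol.id)" `
          -OutputType PSObject
if ($check.conditions.users.excludeGroups -notcontains $breakGlassGroupId) {
    throw "Break-glass group is not excluded from policy '$($pol.displayName)'"
}
"Named location '$($loc.displayName)' ($($loc.id)) and policy '$($pol.displayName)' created in report-only mode."
```

Two things to check before switching the policy to `enabled`: the sign-in log in report-only mode should show your office and VPN users evaluated as "not applied" or satisfied by the device control rather than by MFA (otherwise they are still dependent on the MFA service during an outage), and the trusted range must only contain addresses you control, because every sign-in from those addresses skips MFA entirely.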
Remember MFA
In the Multi-Factor Authentication service settings for Office365 you can specify a period during which MFA is remembered on a device, from 1 to 60 days. I recommend 14 days, a reasonable compromise between security and usability. Be aware that the remembered state lives on that device, so whoever controls the device within that window also signs in without a second factor. I wasn't affected by today's outage myself because Office365 had remembered MFA on my laptop.
Create an ’emergency’ administrator account
The first two options require an extra license. If you don't have Azure AD Premium licensing (which I highly recommend, by the way), it is all the more important to keep one or two emergency or 'break the glass' administrator accounts. Create two administrator accounts with very long, complex passwords, exclude them from MFA and from any Conditional Access policy, and keep the passwords in a secure location such as a safe. On a day like today this lets you reach the Office365 admin portal while your other administrators are locked out. Check Microsoft's best practices for these accounts: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access
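The following is an added example, not the author's script, of creating such a break-glass account with the Microsoft Graph PowerShell SDK: a cloud-only account on the tenant's *.onmicrosoft.com domain with a 64-character password from a CSPRNG, a dedicated security group that your Conditional Access policies exclude, and a permanent Global Administrator assignment. The domain and display names are placeholders; the role id is the built-in Global Administrator role template.

```powershell
# Added example (not from the original post): cloud-only emergency-access account.
# Assumes the Microsoft Graph PowerShell SDK; domain and names are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$graph  = "https://graph.microsoft.com/v1.0"
$domain = "contoso.onmicrosoft.com"   # placeholder: the default tenant domain, never a federated one

# 1. 48 bytes from a CSPRNG, base64-encoded -> 64 characters of upper, lower, digits and +/.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 48
$rng.GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

# 2. A security group whose only purpose is to be excluded from MFA / Conditional Access.
$group = Invoke-MgGraphRequest -Method POST -Uri "$graph/groups" -OutputType PSObject -Body @{
    displayName     = "Emergency Access Accounts"
    mailNickname    = "emergency-access"
    mailEnabled     = $false
    securityEnabled = $true
}

# 3. The account: enabled, password never expires, no forced change at first sign-in.
$user = Invoke-MgGraphRequest -Method POST -Uri "$graph/users" -OutputType PSObject -Body @{
    accountEnabled    = $true
    displayName       = "Break Glass 01"
    mailNickname      = "breakglass01"
    userPrincipalName = "breakglass01@$domain"
    passwordPolicies  = "DisablePasswordExpiration"
    passwordProfile   = @{ password = $password; forceChangePasswordNextSignIn = $false }
}

# 4. Group membership, then a permanent tenant-wide Global Administrator assignment.
Invoke-MgGraphRequest -Method POST -Uri "$graph/groups/$($group.id)/members/`$ref" -Body @{
    "@odata.id" = "$graph/directoryObjects/$($user.id)"
} | Out-Null

Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleAssignments" -Body @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    roleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator
    principalId      = $user.id
    directoryScopeId = "/"
} | Out-Null

# 5. The password is shown exactly once; write it down and store it offline, do not log it.
"Created $($user.userPrincipalName) (id $($user.id)) in group $($group.id)."
"Store this password in the safe now: $password"
```

After running it, add the group to the exclusion list of every Conditional Access policy and make sure per-user MFA is not enabled for the account, otherwise it is locked out with everyone else. Because the account is exempt from MFA, treat any sign-in by it as an incident: alert on its user principal name in the Azure AD sign-in log, and test the credentials on a fixed schedule so you find out they still work before the day you need them.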
Every option above weakens security a little, but an MFA set-up is always a trade-off between security and usability; decide consciously where you draw the line.
I am a 22-year old cloud and automation enthusiast. My main focus is EMS, Powershell and Azure. My scripts can be found through my GitHub account: https://github.com/thijslecomte. I am currently blogging at http://365bythijs.be
Many of our Office365 customers were affected by MFA outage.
I recommend that Microsoft create backup tokens for such a disaster.
GSuite has had this option for years, and it is useful in many cases, e.g. when you are in a foreign country and for some reason you don't have your phone to receive the SMS or the sign-in prompt, etc.