It seems like most of the answers are focused around Azure, which is fine, but does anyone have experience implementing Duo?

Most answers focus around Azure AD because the question is posted in the Microsoft Office 365 forum. For my clients, I have them install the Microsoft Authenticator app for M365 MFA. I have one client use Duo for MFA for their WatchGuard firewall because it was less costly than using WatchGuard's own AuthPoint licensing. Duo is (was?) free for up to 10 users (I use it free) and this client has 13 remote users authenticating to their WatchGuard firewall. Duo also bills monthly, while AuthPoint is a yearly license (at least it was yearly when I did the setup months ago).

Personally, I use the Microsoft Authenticator for M365 MFA. I use both Duo and WatchGuard AuthPoint for all other MFA. I use AuthPoint for almost everything and Duo as a backup way in for my WatchGuard firewall just in case AuthPoint is down.

That is exactly what I meant by the "old-school" method of manually enabling it, and it's how I had to do it to get it to work at this client. I was under the impression that enabling the Security Defaults would enforce the MFA prompt. After all, it says you have 14 days to set up before it is required. What gets even more confusing is I have other clients also using the Security Defaults and their users on the page you noted almost all show Disabled, and yet MFA is required even for those "Disabled" users. I thought that enabling the Security Defaults overrode that page's settings.

This is great timing, we're working on rolling out MFA for M365 right now as well.
How many people are you talking? For me, I only have 50 users, so I started with an email to everyone explaining the new requirement. Then I went department by department - gave myself 2 weeks to knock it out (especially since you'll have some people on PTO, so you'll probably want to wait on those until they come back, etc. etc.). Sent them to aka.ms/MFAsetup, and after they confirmed doing that I switched them on in Azure. Once all users are in, there is also a "block unenrolled users" option if you have compliance requirements. Duo app HAS to be on PC for block to work.

"Sent them to aka.ms/MFAsetup, and after they confirmed doing that I switched them on in Azure."

On my client's account, I enabled the Security Defaults in Azure AD. That gives users 14 days to get set up, which they all did, then MFA is supposed to prompt at any login from a new device after the 14 days are up. However, I tested it and I can log into any user's account from my home office via OWA without seeing the MFA message and without the user getting a prompt. I had to go to the old-school method of enabling it for each user.

Have you tested from a new computer to log into their accounts to see if the prompt appears? Once the user has gone to aka.ms/MFAsetup to add their cell number and desk number (I have them do both in case one day their phone is left at home or something), then:

1. I go into the Azure Active Directory admin portal.
2. Top center, click on Per-User MFA (opens a new tab).
3. I go to the user who confirmed completing the steps and choose "Enable".
4. Within 5 minutes, Outlook/Teams/etc. on their computer kicks on asking for a code (confirming it's been activated).

I've confirmed through new computers and test setups that once enabled, it asks when you sign in for the first time on a new device (or after clearing cache in your browser, etc. depending on where you're logging in).
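The thread is really arguing about three separate tenant states: whether Security Defaults is switched on, what the Per-User MFA page shows for each user (Disabled/Enabled/Enforced), and whether the user has actually completed aka.ms/MFAsetup. The following PowerShell audit is an added example written for this page, not code from any of the posters; it assumes the Microsoft.Graph Identity.SignIns and Reports modules plus the legacy MSOnline module (the module behind that per-user page, since deprecated in favour of Microsoft Graph) are installed, that the admin can consent to the listed scopes, and that the tenant has access to the Graph authentication-methods registration report. The `Enable-PerUserMfa` helper at the end is a hypothetical wrapper name around the documented Set-MsolUser call.

```powershell
# Added example (not from this thread): audit MFA state for a Microsoft 365 tenant.
# Assumes Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports and MSOnline are installed.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Import-Module MSOnline

Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"
Connect-MsolService

# 1. Security Defaults: when IsEnabled is $true every user is made to register MFA,
#    whatever the Per-User MFA page shows for them.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($secDefaults.IsEnabled)"

# 2. Registration report: who has actually finished aka.ms/MFAsetup and with which methods.
$registered = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $registered[$_.UserPrincipalName] = $_
}

# 3. Per-user MFA state from the legacy store. An empty StrongAuthenticationRequirements
#    collection is exactly what the portal renders as "Disabled".
$report = Get-MsolUser -All | ForEach-Object {
    $req   = $_.StrongAuthenticationRequirements | Select-Object -First 1
    $state = if ($req) { $req.State } else { 'Disabled' }
    $reg   = $registered[$_.UserPrincipalName]
    $isRegistered = if ($reg) { $reg.IsMfaRegistered } else { $null }
    $methods      = if ($reg) { $reg.MethodsRegistered -join ',' } else { '' }

    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        PerUserMfa        = $state
        MfaRegistered     = $isRegistered
        MethodsRegistered = $methods
        # No per-user enforcement and no Security Defaults means nothing on these two
        # pages will prompt this user; only a Conditional Access policy (not checked
        # here) could still require MFA for them.
        NotEnforcedHere   = (-not $secDefaults.IsEnabled) -and ($state -eq 'Disabled')
    }
}

$report | Sort-Object NotEnforcedHere -Descending | Format-Table -AutoSize

# Hypothetical helper: the "old-school" per-user switch from the post above, done from
# PowerShell. Run it only for users the registration report shows as MfaRegistered.
function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $sa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $sa.RelyingParty = "*"
    $sa.State = "Enabled"
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($sa)
}
```

Reading the output against the thread: a tenant with Security Defaults on will show `PerUserMfa = Disabled` for almost everyone yet `MfaRegistered = True` once the 14-day grace period has pushed them through registration, which is the "Disabled but still prompted" situation described above. A row with `NotEnforcedHere = True` and `MfaRegistered = False` is the case the OP hit when signing in via OWA without a prompt, and is the one to fix first.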
We are a mid-sized company running Duo - both YubiKey and company cell phone are used. Just like rburch said, communication is the key - our method was to send out "Multifactor is Coming" emails to users in one plant at a time (~5000 users over 30 plants). Then we had short, specific meetings with managers and cell leaders in the plant and got them using Duo first. Yubi can be the time-consuming part - we had to go with the OTP option (after compatibility tests showed it was the only viable option) and with OTP each Yubi has to be "programmed" to work with Duo. Hopefully there is a more dynamic option these days if OTP is needed. Duo has their own key that's instant, apparently. Then one final email with more specific instructions on how to use Duo with Yubi and how to enroll phones, and out it went. Managers generally preferred blocks of users (25 the first day, 50 the second, 100 the third, etc.), once half the plant was done then the entire plant. Duo has an AD sync if your company allows it, so you can add the users in AD groups, add the groups to the Duo web portal and sync them - once synced they will get prompted - there is also a bypass feature if you are running into troubles, or remove the users from the group(s) and resync. First rollout to 2500 users took 45 days.