Published By:
Scot Armstrong
330.414.0229
NetWorks Group recommends using MFA for all Microsoft 365 users. While it can be a difficult implementation, there are valid security reasons for doing so and there are easier alternatives.
Why?
- MFA is becoming a necessary requirement from underwriting in order to get insurance. Many insurance companies won’t even provide a quote on cyber insurance until customers ensure that MFA is in place, especially when it comes to email access. If MFA is not enabled in your computing environment, you are engaging in behavior so risky that insurance carriers will not offer cyber insurance coverage to your business.
- Microsoft 365 can be a rich target of sensitive data through email, SharePoint, Teams, Project and other applications. Microsoft 365 also has tie-ins to Azure Active Directory. Just think what cracking open Azure AD can provide: names, titles, email, phone #, address, etc. All of that data is accessible from anywhere in the world and given enough time hackers can pour through files and messages to capture confidential information. Without MFA, it’s only a user password strength between all that good data and a hacker. When we pen test an organization, the process for getting a complete user list takes less than 2 minutes after compromise and is almost never detected. All it takes is compromised credentials to log into Azure portal.
- Good Security - Microsoft states in this article: “By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access.”
The Problem
- Microsoft 365 has lots of features, switches and levers and MFA can be difficult to integrate. Once turned on, users can experience problems and frustration. One example: Exchange administrator enables multi-factor authentication (MFA) for your account, but doesn't enable modern authentication for the Exchange tenant organization, so you can't successfully set up an Microsoft 365 Exchange Online email account in Outlook.
- Viewed as disruptive to users and requires a change in thinking/perspective on security. We often see push back from users and management
Don’t Despair!
Instead of using the Microsoft Authenticator for MFA, NetWorks Group has seen customers successfully use Duo MFA. Plus, your users can use that same Duo license to access the VPN. It’s as easy as configuring and implementing Duo Access Gateway, which is licensed with Duo’s MFA. I’m sure other MFA vendors like Okta probably have a similar setup. VPN users should be using an MFA already anyway, so it seems like a no brainer.
Implementing MFA on O365 can be overwhelming. If you find yourself struggling with that or any other security requirements, please reach out. NetWorks Group helps customers with both identifying risks and gaps as well as practical advice to remediate them. We’ll help you develop a prioritized approach you can share with the CEO to gain buy-in. We’ve also created a number of services to help if you don’t have the time or in house expertise. Please reach out for more information. We’re here to help.
