reqopengineer.blogg.se

MFA in Office 365

  • After having substituted the password with one MFA credential (private key + primary factor) (more information here: Azure Active Directory passwordless sign-in | Microsoft Docs), we can configure a way to make the password not necessary for domain administration, very long and complex, and disabled: Passwordless Strategy - Microsoft 365 Security | Microsoft Docs.
  • I wanted to demonstrate that this solution can also protect the Domain Admins group, to protect highly privileged accounts (an important notice about this is present in this document: FAQs for hybrid FIDO2 security key deployment - Azure Active Directory | Microsoft Docs – “FIDO2 security key sign-in isn't working for my Domain Admin or other high privilege accounts.”)
  • Please also have a look at Plan a passwordless authentication deployment with Azure AD | Microsoft Docs. The solution exists today: the use of a security key (FIDO2): Passwordless security key sign-in to on-premises resources - Azure Active Directory | Microsoft Docs.
  • Many customers asked me, after they had used Azure/Office 365 MFA: is it possible to use something like that to log on to the domain/on-prem resources?
  • No direct or indirect guarantee is given, and this cannot be considered official documentation.


    It’s up to you to integrate this work into your security posture and evaluate the impacts.


    I am not here to discuss whether this document in all its parts adheres to all principles and best practices of a secure administration environment; I just want to show a feature as a proof of concept.

    I am here just to demonstrate that today it is technically possible (Proof of Concept) to:

  • Configure a modern MFA solution to access an on-prem Windows 10 PC.
  • Use that solution to protect privileged accounts' passwords.
  • Eradicate password presence from the domain for those privileged accounts (make it impossible to use a password to log on to the domain, to prevent some kinds of password attacks).
  • Have the ability to use multiple PAWs (privileged access workstations) with the same MFA credential.
  • Have only one identity with one strong credential.
  • Use the same credential on prem and in the cloud (if needed).
  • Connect to the Domain Controller through RDP from the PAW using SSO (Single Sign On).
  • Obtain the above with a sort of simplicity and cost control.











