Troubleshooting MFA Enforcement on Office 365 Connection Account

Summary: This article contains step-by-step instructions on how to validate and configure the Office 365 connection account manually.

Applies to: Cayosoft Administrator 6.3.1 or higher  

ID: KB20200207-1

---

 

Overview

In January 2020 Microsoft has announced the availability of Security defaults for Azure AD tenants. When enabled, this setting enforces multi-factor authentication (MFA) to all administrative roles members, including sign-in attempts from scripts and applications running in the background. To automate various administrative actions, Cayosoft Administrator requires Office 365 connection account to be a member of the Global Administrators role. Additional configuration steps, provided below, are required for the Cayosoft Administrator to be performed.

 

Exclude Office 365 connection account from conditional access policies

Requirement

• Office 365 connection account should be excluded from conditional access policies, including Baseline policies and custom policies.

Resolution

For step-by-step instructions please see Configuring Azure AD Conditional Access Policies for Office 365 connection account KB.

 

Exclude Office 365 connection account from Azure AD Security Defaults 

Requirement

• Office 365 connection account should be excluded from Azure AD Security Defaults.

Resolution

1. Check if Azure AD Security Defaults is enabled:
   1. Sign in to the Azure portal as a user with Global Administrator role assigned.
   2. Browse to Azure Active Directory > Properties.
   3. Select Manage security defaults.
   4. Check if Enable security defaults is set to Yes.
2. If Azure AD Security Defaults is enabled, configure and run the script below that enables the Office 365 connection account to bypass multi-factor authentication.
   1. In the 1st line, provide the Office 365 connection account name, specified in Cayosoft Administrator for Offie 365 connection settings.
   2. When prompted for credentials, enter your credentials with a Global Administrator role assigned.
      
      

      $office365ConnectionAccount="your_connection_account@your_tenant.onmicrosoft.com"
      
      Connect-AzureAd 
      # When prompted, sign-in as a user with global administrator
      
      $office365ConnectionAccount="office365ConnectionAccount@tenantname.onmicrosoft.com" 
      $roleName="Directory synchronization accounts"
      
      $role = Get-AzureADDirectoryRole | Where {$_.displayName -eq $roleName}
      if ($role -eq $null) {
       $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where {$_.displayName -eq $roleName}
       Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
       $role = Get-AzureADDirectoryRole | Where {$_.displayName -eq $roleName}
      }
      Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId (Get-AzureADUser | Where {$_.UserPrincipalName -eq $office365ConnectionAccount}).ObjectID

       
3. Verify changes were applied correctly:
   1. In Azure Portal, browse to Azure Active Directory >Users
   2. Find the user account that is used as Office 365 connection account in Cayosoft Administrator.
   3. Open user account Properties and select Assigned roles
   4. Verify that the account is a member of the Directory synchronization accounts role.

Notes

1. Besides Security Defaults, Multi-factor authentication (MFA) can be enforced on connection account with Conditional Access Policies. See sections 1.5 Disable Multi-Factor Authentication (MFA) for Office 365 Connection account and 1.6 Exclude Office 365 connection account from conditional access policies in the KB20180503-1 Troubleshooting connection to Office 365 article: https://support.cayosoft.com/hc/en-us/articles/360003316431.
2. Cayosoft team is working on improving the administrator experience with identifying and resolving issues related to MFA enforcement on connection account. Please refer to Release Notes for any progress report.

 

Disable Multi-Factor Authentication (MFA) for Office 365 Connection account 

Requirement

• Multi-factor Authentication (MFA) should be disabled for the Office 365 connection account.

How to resolve

1. Navigate to https://login.microsoftonline.com
2. Open Office 365 Admin Center, open the list of Active users and locate the Office 365 connection account in the list. 
3. Open the account properties, and click the Manage multi-factor authentication link.
4. In the list of accounts, locate the connection account and make sure the Multi-factor Auth Status column states "Disabled", as shown on the screenshot below.
5. Save changes. 
6. If you are not able to log on with the Office 365 Administrator Account credentials, obtain credentials with the appropriate settings that allow you to log on to the Microsoft portal.