Summary: This article contains step-by-step instructions on configuring Cayosoft Administrator when Modern Authentication is enabled for various cloud services, or when the Security Defaults setting is enabled for Azure AD.
Applies to: Cayosoft Administrator 7.1.0 or later
ID: KB20200311-1
Overview
In January 2020, Microsoft announced the availability of Security Defaults for Azure AD tenants. When enabled, this setting enforces multi-factor authentication (MFA) for all administrative role members, including sign-in attempts from scripts and applications that run on a schedule or as non-interactive services, such as Cayosoft Administrator. In addition to MFA enforcement, Security Defaults disables legacy authentication for connections to cloud services.
Starting with version 7.1.0, Cayosoft Administrator supports Microsoft 365 tenants with Security Defaults turned on, but additional configuration steps are required for Cayosoft Administrator to work correctly in such an environment. You may encounter this error in the Administrator Console: Incorrect configuration for the Office 365 connection account. Details: multi-factor authentication (MFA) is enabled for the connection account. Please click the [...] button for the Office 365 credentials setting and on the Specify Credentials dialog click the Validate button.
To fix this error, follow the steps described in the Configuration section.
Configuration
- Check that the Microsoft 365 connection account is enrolled in MFA:
- Sign in to Office.com and set up 2-step verification for the Microsoft 365 connection account specified in the Microsoft 365 extension in the Cayosoft Administrator Console.
- In the Cayosoft Administrator Console, navigate to Home > Configuration > Connected Systems Extensions > Microsoft 365.
- Click the [...] button next to Microsoft 365 credentials.
- In the Specify Credentials window, click Validate.
- Cayosoft Administrator checks whether MFA prevents the Microsoft 365 connection account from being used for non-interactive PowerShell command execution, and reports the issue. Click Next to exclude the connection account from MFA enforcement.
- When prompted, sign in with a user who is a member of the Global Admins role in your Microsoft 365 tenant.
- If a Microsoft 365 connection account is successfully excluded from MFA, you will get this message:
- Click Close.
- Click OK on the Specify Credentials window.
- If a Conditional Access Policy (CAP) is configured to prevent the connection account from accessing Microsoft 365, or to apply MFA to this account, the connection account cannot be configured automatically. Exclude the Microsoft 365 connection account from the CAP manually. For details, see this KB: Excluding Microsoft 365 connection account from Azure AD Conditional Access Policies.
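To find which Conditional Access Policies need the manual exclusion described in the last step, the following added example (not Cayosoft code) evaluates policy objects in the JSON shape returned by Microsoft Graph for conditionalAccessPolicy. The function names, the sample policies and all IDs are constructed for illustration, and the connection account's group and role IDs are assumed to be supplied by the caller.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects
# (GET /identity/conditionalAccess/policies). All names and IDs are made up.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for admins", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["role-global-admin"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["svc-connection-id"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block service accounts", "state": "enabled",
  "conditions": {"users": {"includeGroups": ["grp-service"]}},
  "grantControls": {"builtInControls": ["block"]}},
 {"displayName": "MFA pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}}
]""")

def targets_account(policy, user_id, group_ids, role_ids):
    """True if the policy's user scope covers the account; exclusions win."""
    users = policy["conditions"]["users"]
    def ids(key):
        return set(users.get(key) or [])
    if (user_id in ids("excludeUsers") or group_ids & ids("excludeGroups")
            or role_ids & ids("excludeRoles")):
        return False
    return bool("All" in ids("includeUsers") or user_id in ids("includeUsers")
                or group_ids & ids("includeGroups")
                or role_ids & ids("includeRoles"))

def policies_needing_exclusion(policies, user_id, group_ids=(), role_ids=()):
    """List (displayName, control) for enforced policies that still apply MFA
    or block to the account. Only the user scope is evaluated (assumption):
    app, location and client-app conditions are ignored, so treat each hit
    as a policy to review."""
    groups, roles = set(group_ids), set(role_ids)
    findings = []
    for policy in policies:
        if policy.get("state") != "enabled":   # skip disabled and report-only
            continue
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        hit = next((c for c in controls if c in ("mfa", "block")), None)
        if hit and targets_account(policy, user_id, groups, roles):
            findings.append((policy["displayName"], hit))
    return findings
```

Because an excluded account no longer gets the MFA control, the same output doubles as a record of which policies carry the exclusion and should be reviewed when the connection account changes.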