Modern Authentication and Azure AD Security Defaults impact on Cayosoft Administrator

Summary: This article contains step-by-step instructions on how to configure Cayosoft Administrator when Modern Authentication is enabled for various cloud services, or Azure AD Security Defaults setting is enabled for Azure AD.

Applies to: Cayosoft Administrator 7.1.0 or later  

ID: KB20200311-1

Overview

In January 2020 Microsoft has announced the availability of Security Defaults for Azure AD tenants. When enabled, this setting enforces multi-factor authentication (MFA) for all administrative roles members, including sign-in attempts from scripts and applications running on schedule or by non-interactive services like Cayosoft Administrator. In addition to MFA enforcement, Security Defaults disables legacy authentication for connections to cloud services.

Starting with version 7.1.0, Cayosoft Administrator supports Office 365 tenants with Security Defaults turned on, but additional configuration steps are required for Cayosoft Administrator to work correctly in such an environment. If you encounter this error in administrator Console: Office 365 connection failed. Immediate action required: navigate to Microsoft Office 365 settings and run Check settings command. CayoAdmin Service could not connect to one of the managed platforms:

To fix this error perform the steps described in the Configuration section.

Configuration

1. Check that Office 365 connection account is enrolled to MFA:
   1. Sign-in to Office.com and set up 2-step verification for Office 365 connection account that is specified in Cayosoft Administrator Console in Microsoft Office 365 extension. 
2. In Cayosoft Administrator Console navigate to Home > Configuration > Connected Systems Extensions > Microsoft Office 365
3. Click ... button next to Office 365 credentials
4. On Specify Credentials window click Validate:
   
   
5. Cayosoft Administrator checks if MFA prevents using Microsoft Office 365 connection account for non-interactive PowerShell command execution, and reports the issue. Click Next to exclude connection account from MFA enforcement.
   
   
6. When prompted, sign-in with a user that is a member of the Global Admins role in your Office 365 tenant. 
7. If Office 365 connection account is successfully excluded from MFA, you will get this message:
   
   
   1. Click Close
   2. Click OK on Specify Credentials window
8. If  Conditional Access Policies (CAP) are applied to Office 365 connection account, such an account can not be configured automatically. You should exclude Office 365 connection account from conditional access policies manually. See details in this KB: https://cayosoft.zendesk.com/hc/en-us/articles/360040551331
   
   
9. Configure Cayosoft Administrator to use Modern Authentication. See details in the next section.

Modern Authentication 

Starting from version 7.1.0 Cayosoft Administrator supports Modern Authentication. Perform the following steps to enable it:

1. In Cayosoft Administrator Console navigate to Home > Configuration > Connected Systems Extensions > Microsoft Office 365
2. Open Advanced Settings section
3. In Enable Modern Authentication (advanced) set Yes 
4. Save changes

Connect to SharePoint Online service when Modern Authentication for SharePoint is enabled

Due to current limitations in the Microsoft SharePoint module, when Modern Authentication for SharePoint is enabled, connecting to SharePoint Online service requires to add a registry subkey on the client computer. This key forces Modern Authentication when connecting to SharePoint Online. For details please see this Microsoft Article: https://docs.microsoft.com/en-us/sharepoint/troubleshoot/security/cannot-force-modern-authentication