MFA Enforcement on Microsoft 365 Connection Account
Summary: This article contains step-by-step instructions on how to validate and configure the Microsoft 365 connection account manually.
Applies to: Cayosoft Administrator 6.3.1 or higher.
Overview
In January 2020, Microsoft introduced Security Defaults for Entra ID tenants. When enabled, this setting enforces multi-factor authentication (MFA) for all users with administrative roles, including sign-in attempts from scripts and background applications.
To automate various administrative tasks, Cayosoft Administrator requires a Microsoft 365 connection account with Global Administrator privileges. However, additional configuration steps are necessary for Cayosoft Administrator to function properly. These steps are outlined below.
Exclude Microsoft 365 connection account from conditional access policies
Requirement
The Microsoft 365 connection account should be excluded from all conditional access policies, including Baseline policies and custom policies.
Resolution
For step-by-step instructions please see the Excluding Microsoft 365 connection account from Conditional Access Policies article.
Exclude Microsoft 365 connection account from Security Defaults
Requirement
The Microsoft 365 connection account should be excluded from Security Defaults.
Resolution
Check if Security Defaults is enabled:
Sign in to the Microsoft Entra admin center as a user with a Global Administrator role assigned.
Browse to Identity > Overview, and click the Properties tab.
Select Manage security defaults.
Check if Enable security defaults is set to Enabled.
If Security Defaults is enabled, the Microsoft 365 connection account should be excluded from MFA enforcement. To do this, perform steps 1-7 from this article: Modern Authentication and Entra ID Security Defaults impact on Cayosoft Administrator.
NOTE: Besides Security Defaults, Multi-factor authentication (MFA) can be enforced on connection accounts with Conditional Access Policies. See the following for more information: Validate Microsoft 365 connection account for MFA enforcement.
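The Security Defaults state and the Conditional Access exclusions described above can also be read from Microsoft Graph instead of the portal. The following PowerShell is an added example, not a script from Cayosoft or Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, and the UPN is a placeholder for your connection account.

```powershell
# Added example: read-only audit of the settings this article asks you to validate.
# Assumption: Microsoft.Graph PowerShell SDK is installed and you can consent to the
# read-only scopes below. The UPN is a placeholder, not a value from the article.
$ConnectionAccountUpn = 'connection-account@contoso.example'

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All'

$user = Get-MgUser -UserId $ConnectionAccountUpn -ErrorAction Stop

# 1. Security Defaults: the same value the portal shows under "Manage security defaults".
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($secDefaults.IsEnabled)"

# Groups the account belongs to (directly or nested), to resolve group-based exclusions.
$groupIds = @(Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Select-Object -ExpandProperty Id)

# 2. Conditional Access policies whose grant controls require MFA.
#    Only exclusions are evaluated (by user or by group); whether the policy's include
#    conditions or role exclusions cover the account is not evaluated here.
$report = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($policy.GrantControls.BuiltInControls -notcontains 'mfa') { continue }

    $users            = $policy.Conditions.Users
    $excludedDirectly = $users.ExcludeUsers -contains $user.Id
    $excludedByGroup  = [bool]($users.ExcludeGroups | Where-Object { $groupIds -contains $_ })

    [pscustomobject]@{
        Policy   = $policy.DisplayName
        State    = $policy.State   # enabled, disabled, or enabledForReportingButNotEnforced
        Excluded = $excludedDirectly -or $excludedByGroup
        Via      = if ($excludedDirectly) { 'user' }
                   elseif ($excludedByGroup) { 'group' }
                   else { '-' }
    }
}

# Policies that are not disabled and do not exclude the account are listed first.
$report |
    Sort-Object Excluded, Policy |
    Format-Table -AutoSize
```

Rows with Excluded set to False and a State other than disabled are the policies that still need the exclusion described in this article.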
Disable Legacy Multi-Factor Authentication (MFA) for Microsoft 365 Connection account
Requirement
Multi-factor Authentication (MFA) should be disabled for the Microsoft 365 connection account.
Resolution
Navigate to https://login.microsoftonline.com.
Open the Microsoft 365 Admin Center, open the list of Active users, and select the Microsoft 365 connection account in the list.
Click Multi-factor authentication.
In the list of accounts, locate the connection account and make sure the Multi-factor Auth Status column states "Disabled", as shown in the screenshot below.
Save changes.
If you are not able to log on with the Microsoft 365 Administrator Account credentials, obtain credentials with the appropriate settings that allow you to log on to the Microsoft portal.