Modern Authentication and Entra ID Security Defaults impact on Cayosoft Administrator
Summary: This article contains step-by-step instructions for configuring Cayosoft Administrator when Modern Authentication is enabled for various cloud services, or when the Azure AD Security Defaults setting is enabled for Azure AD.
In January 2020, Microsoft introduced Security Defaults for Entra ID tenants. When enabled, this setting enforces multi-factor authentication (MFA) for all members of administrative roles. This enforcement also applies to sign-in attempts from scripts, scheduled tasks, or non-interactive services such as Cayosoft Administrator. Additionally, Security Defaults disable legacy authentication methods for connecting to cloud services.
Cayosoft Administrator supports Microsoft 365 tenants with Security Defaults enabled. However, additional configuration is required to ensure proper functionality. Without this configuration, you may encounter the following error in the Cayosoft Administrator Console:
Incorrect configuration for the Office 365 connection account. Details: Multi-factor authentication (MFA) is enabled for the connection account. Please click the [...] button for the Office 365 credentials setting and on the Specify Credentials dialog click the Validate button.
To resolve this error, follow the steps outlined in the Configuration section of the documentation.
Configuration
Check that the Microsoft 365 connection account is enrolled in MFA:
Sign in to Office.com and set up a 2-step verification for the Microsoft 365 connection account specified in the Microsoft 365 extension settings.
In the Cayosoft Administrator Console, navigate to Configuration > Connected Systems Extensions > Microsoft 365.
Click the [...] button next to Microsoft 365 credentials.
In the Specify Credentials window, click Validate.
Cayosoft Administrator checks whether MFA prevents the Microsoft 365 connection account from being used for non-interactive PowerShell command execution, and reports the issue. Click Next to exclude the connection account from MFA enforcement.
When prompted, sign in with a user who is a member of the Global Admins role in your Microsoft 365 tenant.
If the Microsoft 365 connection account is successfully excluded from MFA, you will get this message:
Close the dialog and click OK in the Specify Credentials window.
If a Conditional Access Policy (CAP) is configured to prevent the connection account from accessing Microsoft 365, or to apply MFA to this account, the connection account cannot be configured automatically. You should exclude the Microsoft 365 connection account from the CAP manually. Learn more in: Excluding Microsoft 365 connection account from Conditional Access Policies.
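One way to find which Conditional Access policies would need that manual exclusion, as an added PowerShell example (not Cayosoft's code). The function name, sample policies and ids are hypothetical, and only the user, group and role scope of each policy is evaluated, so application, location and other conditions are not considered.

```powershell
# Added example. Policies are constructed in the shape of Microsoft Graph
# conditionalAccessPolicy objects; every id and name below is a placeholder.
function Get-PolicyAffectingAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [Parameter(Mandatory)] [string]   $UserId,
        [string[]] $GroupId = @(),   # ids of groups the account belongs to
        [string[]] $RoleId  = @()    # ids of directory roles held by the account
    )
    foreach ($p in $Policy) {
        # Only 'enabled' policies enforce; report-only and disabled ones are skipped.
        if ($p.state -ne 'enabled') { continue }
        $u = $p.conditions.users
        $included = ($u.includeUsers -contains 'All') -or
                    ($u.includeUsers -contains $UserId) -or
                    (@($u.includeGroups | Where-Object { $_ -in $GroupId }).Count -gt 0) -or
                    (@($u.includeRoles  | Where-Object { $_ -in $RoleId  }).Count -gt 0)
        $excluded = ($u.excludeUsers -contains $UserId) -or
                    (@($u.excludeGroups | Where-Object { $_ -in $GroupId }).Count -gt 0) -or
                    (@($u.excludeRoles  | Where-Object { $_ -in $RoleId  }).Count -gt 0)
        # An exclusion always wins over an inclusion.
        if (-not $included -or $excluded) { continue }
        $controls = @($p.grantControls.builtInControls)
        $effect = if ($controls -contains 'block') { 'block' }
                  elseif ($controls -contains 'mfa') { 'mfa' }
                  elseif ($p.grantControls.authenticationStrength) { 'authenticationStrength' }
                  else { $null }
        if ($effect) { [pscustomobject]@{ Policy = $p.displayName; Effect = $effect } }
    }
}

$connectionAccountId = '00000000-0000-0000-0000-000000000001'   # placeholder object id
$samplePolicies = @(
    [pscustomobject]@{ displayName = 'Require MFA for all users'; state = 'enabled'
        conditions    = @{ users = @{ includeUsers = @('All'); excludeUsers = @() } }
        grantControls = @{ builtInControls = @('mfa') } }
    [pscustomobject]@{ displayName = 'MFA for admins (account excluded)'; state = 'enabled'
        conditions    = @{ users = @{ includeRoles = @('role-placeholder'); excludeUsers = @($connectionAccountId) } }
        grantControls = @{ builtInControls = @('mfa') } }
    [pscustomobject]@{ displayName = 'Block all users (report-only)'; state = 'enabledForReportingButNotEnforced'
        conditions    = @{ users = @{ includeUsers = @('All') } }
        grantControls = @{ builtInControls = @('block') } }
)

# Lists the policies that still apply MFA or block to the connection account.
Get-PolicyAffectingAccount -Policy $samplePolicies -UserId $connectionAccountId -RoleId 'role-placeholder'
```

Against a live tenant, the policy objects returned by Get-MgIdentityConditionalAccessPolicy (Microsoft Graph PowerShell SDK) can be passed as -Policy in place of the sample data.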