There is no doubt that multi-factor authentication (MFA) is the great thing for the majority of accounts. It is probably the best protection against account compromise, however are there times that perhaps, MFA doesn’t make sense?
Security is about minimising, not eliminating risk. This means that it is a compromise and never an absolute. Unfortunately, MFA is a technology and all technologies can fail. If MFA did fail, or be unavailable for any reason, then accounts would be unavailable. This could be rather a bad thing if such an issue persisted for an extended period of time.
In such a situation, it would be nice to be able to turn off MFA for accounts, so users could get back to work, and re-enable it when the MFA service is restored. However, today’s best practice is to have all accounts, especially administrators, protected by MFA.
A good example is the baseline policies that are provided for free in Microsoft 365 as shown above.
You’ll see that such a policy requires MFA for all admin roles.
And yes, there is a risk for admin accounts that don’t have it enabled but there is also a risk if it is enabled and MFA is not working for some reason.
The challenge I have with these types of policies is that they are absolute. It is either on (good) or off (bad), and in the complex world of security that is not the case.
I for one, suggest there is the case for a ‘break glass’ administration account, with no MFA, that be used in the contingency that MFA is unavailable to get into accounts and re-configure them if needed. Such an account, although it has no MFA, is protected by a very long and complex pass phrase along with other measures. Most importantly, it is locked away and never used, except in case of emergency. There should also be additional reporting on this account, so it’s actions are better scrutinised.
Unfortunately, taking such an approach means that you can’t apply such absolute policies. It also means that you won’t be assessed as well in things like Secure Score. However, I think such an approach is more prudent that locking everything under MFA.
As I said initially, security is a compromise, however it would be nice to see the ability to make at least on exception to the current absolute approach because service unavailability can be just as impactful as account compromise for many businesses.
CIAOPS 
One option for the “break glass” account is to use a 3rd party MFA system. I used Duo, which is free for cloud apps up to 10 users, and was able to add it to our Azure AD tenant and configure a Conditional Access policy in under 30 minutes. Our normal global admin accounts are all Enforced for Azure MFA, except one admin account which is left at Disabled. Then in the CA policy, I have it target only that admin, and all cloud apps, and it requires Duo MFA when I sign-in. Works great in my experience.
You are correct that Secure Score will show my single global admin using Duo as unprotected, but in Secure Score there is an option for each recommendation to state that you are completing the requirement via 3rd party needs, and it is then supposed to give you full points for that recommendation.
LikeLike
I disagree. All MFA can fail and I think a simple clean account is always the best option for break glass accounts. I will also tell you that getting around Duo MFA is not that hard, so again I prefer either MS MFA or nothing. Keep it simple I say.
LikeLike
I guess we will agree to disagree. I find it highly unlikely that both Microsoft’s MFA and Duo’s MFA platform will be down simultaneously. I prefer to have all accounts, especially something as powerful as a global admin account, MFA protected. Also, as a CSP with Microsoft, we aren’t given the option at this point, as every account and authentication in our tenant is required to have an MFA token in the authentication request as of August 1st. They do not consider accounts configured in your recommended way, which was the old guidance from Microsoft, to be compliant anymore.
Are you willing to share some factual information on your claim that Duo MFA isn’t hard to get around? It’s a very widely-used MFA offering, and other than that is has the option to be configured to “fail open” on Windows desktop logins, which I would never use, I’ve never heard anything about it being “not that hard” to get around. And certainly not any less secure than Microsoft’s implementation of MFA.
LikeLike
1. That is why I am not a CSP reseller.
2. All MFA requires correct set up no matter who the provider is and I rarely see that
LikeLike
Typically I agree with you but I’m Curious to know what you think about Microsoft’s partner security requirements. MS defines the “break glass” account in this instance as one protected by an alternate MFA solution. Unless I misunderstand them.
LikeLike
Use a non MFA protection service to protect your break glass if needed to comply with all user MFA partner requirements
LikeLike
Typically I agree with you, but I’m Curious to know what you think about Microsoft’s partner security requirements. These as I understand them mean that no admin account can be without MFA, a break glass account in Thad instance is defined as one with an alternate MFA solution
LikeLike
MS allows things like app passwords and third party MFA providers there
LikeLike
I agree on the the break glass without MFA. One option to support this is using conditional access to restrict that account to a certain trusted IP range to limit the attack surface.
LikeLike