Educause Security Discussion mailing list archives

Re: Microsoft MFA Opt-In

From: "Dugan, Darin D [ITSYS]" <dddugan () IASTATE EDU>
Date: Wed, 29 May 2019 19:00:22 +0000

FWIW, using a different product and glossing over a few things.. For opt-in
MFA we created a small "Activate Multifactor Authentication" web app that
was advertised to non-MFA users via web portal. They click the tile, are
taken to a page that describes MFA, factor choices, links to documentation,
etc, then they click Activate (or Cancel) at the bottom. On activate the app
adds the user to an "MFA required" group and signs them out. On next sign in
they are required to use MFA, and the activate tile is no longer shown. No
end user way to opt back out.

 

Cheers.

--
Darin Dugan
Information Technology
Iowa State University

 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kurtz, Eric
Sent: Wednesday, May 29, 2019 1:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Microsoft MFA Opt-In

 

You can try this approach. 

 

Create a public 0365 group, then use that group for MFA registration (Azure
Portal>Azure AD Identity Protection>MFA Registration) or however you are
assigning MFA. 

For end users, they can join by

                Outlook> Browser Groups > Select new group > click join

 

 

Eric Kurtz

Interim Director of Enterprise and Network Infrastructure

Senior Systems Engineer

Office of Information Technology
Susquehanna University

514 University Avenue
Selinsgrove, PA 17870-1164
 <mailto:kurtz () susqu edu> kurtz () susqu edu

 

 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> > On
Behalf Of Pardonek, Jim
Sent: Wednesday, May 29, 2019 1:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> 
Subject: [SECURITY] Microsoft MFA Opt-In

 

I'm looking for some advice on the best way to handle an opt-in period for
Microsoft MFA.  It looks to me that the only way would be to add folks to a
particular group as they request to opt-in.  It doesn't seem workable if
several hundred students or staff request to opt-in at once.  Hoping that
someone might have a better way.

 

Jim

 

James Pardonek, MS, CISSP, CEH, GSNA

Information Security Officer
Loyola University Chicago 
1032 W. Sheridan Road | Chicago, IL  60660

*: (773) 508-6086

 

Loyola University Chicago will never ask you for your username or password.

For the lastest information security news at Loyola, please follow us
online,

Twitter: @LUCUISO

Facebook:
<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.faceb
ook.com%2Flucuiso%2F&data=02%7C01%7Ckurtz%40SUSQU.EDU%7C4dec4d114d2747a81046
08d6e45e4c95%7Cf78aa315d9b34b8c9d672e8fefdb2d07%7C1%7C0%7C636947491023700193
&sdata=Hf9Q3S%2B4tHp%2FSw5oPeXQp0kZyCNeaf94tZsNOlxZd6A%3D&reserved=0>
https://www.facebook.com/lucuiso/

Our Blog http://blogs.luc.edu/uiso/

Attachment: smime.p7s
Description:

Current thread:

Microsoft MFA Opt-In Pardonek, Jim (May 29)
- Re: Microsoft MFA Opt-In Kurtz, Eric (May 29)
  - Re: Microsoft MFA Opt-In Dugan, Darin D [ITSYS] (May 29)