Get Office 365 Admin MFA Configuration

Hello,

In Office 365 you have different types of administrators: billing admin, company admin, Exchange admin, SharePoint admin, Teams & Skype admin, and a lot more. Below is the full list with their IDs and descriptions:

Get Office 365 Admin MFA Configuration – Admin list

There are quite a few of them. As a security measure, you really want to enforce Multi-Factor Authentication (MFA) on some of them.

Get Office 365 Admin MFA Configuration

An obvious example is the “company administrators” role. You can check the current MFA enablement with this PowerShell line:

Connect-MsolService # You need to be connected to Microsoft Online first
Get-MsolRoleMember -RoleObjectId '62e90394-69f5-4237-9190-012177145e10' | select DisplayName,EmailAddress,IsLicensed,@{Label='MFAEnabled';Expression={if($_.StrongAuthenticationRequirements){$true}else{$false}}}
Get Office 365 Admin MFA Configuration – Company Admins

As you can see, I’m not a good example of security best practices, so let’s correct that. To enable MFA, you can go to this page, and then select the users on which you want to add the MFA requirement.

Get Office 365 Admin MFA Configuration – Enable MFA

MFA is now enabled. Let’s run the PowerShell line again to verify what we just did:

Get-MsolRoleMember -RoleObjectId '62e90394-69f5-4237-9190-012177145e10' | select DisplayName,EmailAddress,IsLicensed,@{Label='MFAEnabled';Expression={if($_.StrongAuthenticationRequirements){$true}else{$false}}}
Get Office 365 Admin MFA Configuration – Check Company Admins

And now you can see that the admin account that I enabled MFA for is now shown with a strong authentication requirement.
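
The same check extended from the company administrators role to every admin role in the tenant, as an added example that is not part of the original post. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the function name Get-AdminMfaReport and the MfaState column are names chosen for this example.

```powershell
# Added example (not from the original post).
# Assumes Connect-MsolService has already been run in this session.
function Get-AdminMfaReport {
    [CmdletBinding()]
    param(
        # Optional filter on role names; by default every role in the tenant is checked
        [string[]] $RoleName
    )

    $roles = Get-MsolRole
    if ($RoleName) {
        $roles = $roles | Where-Object { $RoleName -contains $_.Name }
    }

    foreach ($role in $roles) {
        # Keep user members only: groups and service principals carry no per-user MFA setting
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
            Where-Object { $_.RoleMemberType -eq 'User' }

        foreach ($member in $members) {
            # StrongAuthenticationRequirements is empty when per-user MFA is disabled;
            # otherwise its State is 'Enabled' or 'Enforced'
            $requirement = $member.StrongAuthenticationRequirements | Select-Object -First 1
            $state = if ($requirement) { $requirement.State } else { 'Disabled' }

            [pscustomobject]@{
                Role         = $role.Name
                DisplayName  = $member.DisplayName
                EmailAddress = $member.EmailAddress
                IsLicensed   = $member.IsLicensed
                MfaState     = $state
                MFAEnabled   = [bool]$requirement
            }
        }
    }
}

# Every admin account, in any role, without an MFA requirement
# (an account holding several roles is listed once per role)
Get-AdminMfaReport |
    Where-Object { -not $_.MFAEnabled } |
    Sort-Object EmailAddress, Role |
    Format-Table Role, DisplayName, EmailAddress, IsLicensed, MfaState -AutoSize
```

StrongAuthenticationRequirements only reflects per-user MFA, so an admin covered by a Conditional Access policy or security defaults still shows as Disabled in this report.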

Conclusion

Now you know how to identify admins that are not compliant with your security standards. This is one of the steps that “Office 365 Secure Score” will warn you about.

Get Office 365 Admin MFA Configuration – Office 365 Secure Score

This step is kind of an easy +50 points on your Office 365 Secure Score. The only accounts where it can be tricky to enable MFA are service accounts and scripting accounts.

Note: MFA is great, but the SS7 network that powers cell phone calls and texts can be spoofed. The best MFA configuration is to use the Microsoft Authenticator app, which is based on push notifications and time-based expiration tokens.
