• Home
  • Blog
  • Technical
  • How to require MFA for Azure AD Join, and enable Enterprise State Roaming

How to require MFA for Azure AD Join, and enable Enterprise State Roaming

Back to Blog
03Dec2018

How to require MFA for Azure AD Join, and enable Enterprise State Roaming

Hey folks! We have already covered a few posts on Azure AD Premium and Conditional access; and that’s great–because you do things like enforce requirements like Multi-factor Auth, but only in situations where devices are unmanaged. This provides a way better user experience than enabling MFA across the board, and without sacrificing much in terms of security. But now let’s assume someone is able to join a device to your Azure Active Directory–then they may gain access more easily to other corporate data, especially if you have “conditions” like those mentioned already setup (e.g. joined devices are not challenged for MFA).

To mitigate the very real risk that I describe, it is possible to require MFA in order to join Azure AD in the first place. I would recommend this setting for every subscription (not just those with Azure AD Premium).

Navigate to the Azure AD Admin center and go to Devices > Device settings. Choose Yes for Require Multi-Factor Auth to join devices. Then Save.

At this point, if someone attempts to join Azure AD, they will be challenged for MFA in the process. This raises your confidence level in the inventory of devices that you see under All devices. You will also notice that there are several other options in here, and I think they are worth discussing.

Consider managing local admin access on devices

First and foremost, we have the ability to restrict who is allowed to join devices to Azure AD. If that first option for Users may join devices to Azure AD is left set to All, which is the default setting, then any user in your directory can join a device to Azure AD. That might be fine for you, but be aware: if a user joins Azure AD as part of an OOBE setup on their own device, then they are considered the owner of the device, and they will become a local administrator on that machine. So you may want to consider preventing this.

Furthermore, where it says Additional local administrators on Azure AD joined devices, we find that it is also possible to define membership in the local Administrators group on any Azure AD-joined device. By default, all Global admins will have this membership, as well as the owner (the person who joined it), as mentioned above.

Managing device inventory

I want to draw your attention to the Maximum number of devices per user setting. I recommend dialing this way down–currently you can drop it down as low as 5, which is what I’ve pictured above. If I could, I would set this down to 1-3. Some people are confused by this stance, but let me explain why it is important. The first and most critical security control listed by CIS is device inventory. If you allow 50, 100 or unlimited devices per user, then you’re being lazy, and putting your organization at risk. You do not want that many devices in your inventory–how do you know which are legit and which are not? You can’t properly protect or mitigate risk if you don’t even know what you have.

For the same reason, I also recommend regularly auditing and pruning the devices in Azure AD–this would be a much more difficult maintenance task without this limit in place, and it keeps everyone honest. If a user or admin runs into this limit, then you ought to perform another audit, and prune some of those stale devices. You may also look into scripting this process for easier execution on a quarterly or semi-annual basis, for example–especially if you have to do it for a very large enterprise, or a lot of small ones.

Enterprise State Roaming

Last, flip over to Enterprise State Roaming settings–this is a great feature which makes changing out end-user devices a breeze, especially when combined with features like Autopilot and managed client app deployments, as part of the Microsoft 365 plans. Simply set this option to All, or scope it down to a specific group of users. Save.

And that’s all I have for today, folks!

Technical , , , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

20Apr

What is Windows Hello, and how to enable it

Windows 10 introduced a new security feature called "Hello," which allows a computer to be unlocked via different means than a traditional username/password prompt.  The marketing around this sells it as a more "personalized" login experience--more "human" or whatever. But it's really just extra security... read more
06Jun

How to perform a Cutover Migration to Office 365

My preferred method for migrating Email to Office 365 is to use the Remote Move (aka "Hybrid") method. If you are coming from SBS 2011 or Exchange 2010, then definitely go that route. If you are coming from older versions such as SBS 2008 or Exchange... read more
16Aug

How to configure anti-spam with end-user digest for Office 365 Exchange Online

Office 365 Exchange Online plans all include Exchange Online Protection (EOP) by default. And by default, the spam filter settings leave something to be desired. You can modify these settings from Exchange Admin Center. Today I will share the recommended "minimum" adjustments which I typically... read more
21Sep

Tutorial: How to Setup a Site-to-Site VPN between an Azure Virtual Network and WatchGuard Firewall, part 1

Using a Site-to-Site VPN tunnel into an Azure Virtual Network is the most common way for small businesses to begin extending the capabilities of their local network, and leveraging additional compute power and availability features in the cloud. There are many reasons one might need to... read more
05Mar

Office 365 Advanced Threat Protection Plan 2

Recently, Microsoft changed up some of the SKU's relating to security & compliance out in the Microsoft/Office 365 universe. As part of these announcements, they renamed Office 365 Advanced Threat Protection (ATP) to Office 365 ATP Plan 1. Then, to create Office 365 ATP Plan... read more
20Jun

GPO’s be trippin!

As many of us are now aware, a recent June update (MS16-072) causes certain GPO's to stop working. Short of removing the update, you can actually fix this yourself. But how to identify the problem policies? If you've ever removed the default security filtering (Authenticated users)... read more
17Aug

Showdown: Office 365 E3 vs. Microsoft 365 Business

Recently I wrote a few articles on the various subscriptions out there, and how confusing everything is getting as the 365 universe expands and morphs. Since that time, I have also been playing more and more with the Microsoft 365 Business subscription (as opposed to... read more
30Aug

(Mis)Adventures with Conditional Access in Azure Active Directory Premium (P1)

I have been playing with Azure Active Directory Premium (P1) features a lot lately. And I love to try as hard as I can to break things. Turns out, it isn't that hard to do with Conditional Access. But, having brushed up against a few... read more
04Sep

Windows Hello for Business: Azure AD Join vs. Hybrid Join

Windows Hello for Business replaces a traditional password when signing into your workstation, with a stronger two-factor authentication. One factor being some kind of local gesture such as a PIN, fingerprint or facial recognition, and the other being a key or certificate that is bound... read more
27Oct

Step-by-Step: How to upgrade a Legacy Hybrid Exchange Server to 2016

One of the most common frustrations I hear from readers and clients alike is the requirement for keeping a hybrid Exchange server around, even well after all of your mailboxes have been moved to the cloud. Microsoft's official stance regarding hybrid is this: If you remove... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me