SOLVED

Question on: MFA should be enabled on accounts with owner permissions on your subscription

%3CLINGO-SUB%20id%3D%22lingo-sub-836497%22%20slang%3D%22en-US%22%3EQuestion%20on%3A%20MFA%20should%20be%20enabled%20on%20accounts%20with%20owner%20permissions%20on%20your%20subscription%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-836497%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Everyone%2C%20we%20have%20an%20Azure%20emergency%20account%20that%20is%20not%20enabled%20for%20MFA%20and%20therefor%20this%20user%20shows%20up%20on%20the%20%22MFA%20should%20be%20enabled%20on%20accounts%20with%20owner%20permissions%20on%20your%20subscription%3CSPAN%3E%22%20Warning.%20Is%20there%20a%20way%20to%20exclude%20just%20a%20single%20user%20from%20this%20policy%20or%20do%20I%20have%20to%20disable%20this%20security%20completely%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ERegards%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EGunter%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-836497%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Emfa%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-836646%22%20slang%3D%22en-US%22%3ERe%3A%20Question%20on%3A%20MFA%20should%20be%20enabled%20on%20accounts%20with%20owner%20permissions%20on%20your%20subscription%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-836646%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F99256%22%20target%3D%22_blank%22%3E%40Gunter%20Danzeisen%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eyou%20cannot%20exclude%20the%20account%20from%20the%20policy.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOn%20the%20other%20hand%2C%20I%20always%20suggest%20other%20ways%20to%20bypass%20the%20MFA.%3C%2FP%3E%0A%3CP%3Eone%20way%20is%20to%20create%20a%20trusted%20location%20in%20conditional%20access%20or%20just%20add%20the%20trusted%20IPs%20at%20the%20Office%20365%20MFA%20page.%20Then%20create%20a%20rule%20for%20this%20account%20to%20exclude%20MFA%20on%20trusted%20locations.%3C%2FP%3E%0A%3CP%3EAn%20other%20way%20is%20to%20create%20a%20%22back%20door%22%20account%2C%20as%20Dr%20Nestori%20suggests%20%3A%26nbsp%3B%3CA%20href%3D%22http%3A%2F%2Fo365blog.com%2Fpost%2Faadbackdoor%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fo365blog.com%2Fpost%2Faadbackdoor%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1211308%22%20slang%3D%22en-US%22%3ERe%3A%20Question%20on%3A%20MFA%20should%20be%20enabled%20on%20accounts%20with%20owner%20permissions%20on%20your%20subscription%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1211308%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F68853%22%20target%3D%22_blank%22%3E%40Pantelis%20Apostolidis%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20similar%20issue%2C%20but%20in%20my%20case%20I%20have%20enabled%20the%20third%20party%20MFA%20-DUO%20in%20my%20Azure%20subscription.%20But%20still%20it%20shows%20%22MFA%20should%20be%20enabled%20on%20accounts%20with%20owner%20permissions%20on%20your%20subscription%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20method%20to%20bypass%20or%20any%20settings%20available%20in%20the%20azure%20portal.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3ESreejith.G%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1216304%22%20slang%3D%22en-US%22%3ERe%3A%20Question%20on%3A%20MFA%20should%20be%20enabled%20on%20accounts%20with%20owner%20permissions%20on%20your%20subscription%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1216304%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F575226%22%20target%3D%22_blank%22%3E%40gsreejith%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20your%20question%20is%3A%20%22How%20can%20I%20tune%20ASC%20to%20stop%20showing%20recommendations%20I%20deem%20as%20false%20positive%3F%22%2C%20then%20there%20is%20a%20way%20how%20you%20can%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Ftutorial-security-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eedit%20ASC%20security%20policy%3C%2FA%3E%20and%20turn%20off%20specific%20parts%20(e.g.%20MFA%20for%20owners)%2C%20so%20you%20won't%20see%20related%20recommendations%20in%20the%20Compliance%20center%20anymore.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1986463%22%20slang%3D%22en-US%22%3ERe%3A%20Question%20on%3A%20MFA%20should%20be%20enabled%20on%20accounts%20with%20owner%20permissions%20on%20your%20subscription%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1986463%22%20slang%3D%22en-US%22%3EHello%2C%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20also%20using%20third%20party%20IAM%20soution.%20I%20am%20also%20facing%20the%20same%20issue.%20My%20question%20is%20can%20the%20security%20center%20fetch%20data%20from%20IAM(okta%2C%20etc.)%20solution%20and%20show%20the%20IAM%20security%20recommendations%20based%20on%20that%20data%3F%20If%20yes%2C%20how%20can%20we%20achieve%20it.%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi Everyone, we have an Azure emergency account that is not enabled for MFA and therefor this user shows up on the "MFA should be enabled on accounts with owner permissions on your subscription" Warning. Is there a way to exclude just a single user from this policy or do I have to disable this security completely?

Regards,

Gunter

4 Replies
best response confirmed by Gunter Danzeisen (Occasional Contributor)
Solution

Hello @Gunter Danzeisen 

you cannot exclude the account from the policy. 

On the other hand, I always suggest other ways to bypass the MFA.

one way is to create a trusted location in conditional access or just add the trusted IPs at the Office 365 MFA page. Then create a rule for this account to exclude MFA on trusted locations.

An other way is to create a "back door" account, as Dr Nestori suggests : http://o365blog.com/post/aadbackdoor/

@Pantelis Apostolidis

 

I have a similar issue, but in my case I have enabled the third party MFA -DUO in my Azure subscription. But still it shows "MFA should be enabled on accounts with owner permissions on your subscription".

 

Is there any method to bypass or any settings available in the azure portal.

 

Thanks

Sreejith.G

Hi @gsreejith 

 

If your question is: "How can I tune ASC to stop showing recommendations I deem as false positive?", then there is a way how you can edit ASC security policy and turn off specific parts (e.g. MFA for owners), so you won't see related recommendations in the Compliance center anymore.

Hello,

We are also using third party IAM soution. I am also facing the same issue. My question is can the security center fetch data from IAM(okta, etc.) solution and show the IAM security recommendations based on that data? If yes, how can we achieve it.
www.000webhost.com