M365 integration - MFA

Technical Overview

Integrating M365 with Augmentt allows us to manage your MFA security settings across all applications and locations.

How It Works

On initialization of the M365 Integration with Augmentt, we will trigger Discovery, which performs the MFA initialization.

  1. Augmentt Engage will create a Conditional Access Policy named: AUGMENTT-POLICY-DONOTMODIFY
  2. If you have Security Defaults enabled, Augmentt will disable this setting. Your users will then be added to the Augmentt Conditional Access Policy. This will ensure that MFA is enabled for your users as it was via the Security Defaults setting. MFA will be enforced right away. No changes will be necessary on your end (users will not have to re-register their MFA).
  3. If Security Defaults are disabled and Conditional Access Policies were being used to control MFA, Augmentt will record all users who are part of existing policies that enable MFA and add these users to the Augmentt Conditional Access Policy named AUGMENTT-POLICY-DONOTMODIFY. Your other policies will be updated to no longer control MFA (by removing the MFA grant type, or by disabling the policy if it was only used for MFA).

Note: The Augmentt Conditional Access Policy should never be modified.

Limitations

  • If you currently have MFA enabled at a user level (within the MFA authentication module in Active Directory), we currently cannot access the information to know if MFA has been enabled. We recommend disabling MFA within the MFA authentication module, then re-enabling the users within Augmentt.


What You Should Never Do If Managing SaaS Users with Augmentt’s Engage for M365

  1. Enable Security Defaults. This will cause Augmentt to lose the ability to control or accurately report on MFA.
  2. Delete or modify the Augmentt Conditional Access Policy. It is recommended that any MFA changes be made in the Augmentt Engage module.
  3. Enable MFA in other Conditional Access Policies. This will set MFA statuses that Augmentt will not have access to, and Augmentt's MFA status reporting will be incorrect.
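
The three conditions in the list above can be checked from a tenant export. The following is an added example, not Augmentt's own code: it assumes you have saved the JSON returned by the Microsoft Graph endpoints `GET /policies/identitySecurityDefaultsEnforcementPolicy` and `GET /identity/conditionalAccess/policies`, and it assumes an intact Augmentt policy is in the `enabled` state with the `mfa` grant control. The function names and sample policies are constructed for illustration.

```python
# Added example: audits a Microsoft Graph export for the MFA drift conditions listed above.
POLICY_NAME = "AUGMENTT-POLICY-DONOTMODIFY"  # policy name stated in this article


def requires_mfa(policy):
    """True if the policy's grant controls include the built-in 'mfa' control."""
    grant = policy.get("grantControls") or {}  # Graph returns null for session-only policies
    return "mfa" in (grant.get("builtInControls") or [])


def audit_tenant(security_defaults, ca_policies):
    """Return (code, detail) findings.

    security_defaults: body of GET /policies/identitySecurityDefaultsEnforcementPolicy
    ca_policies: the 'value' list of GET /identity/conditionalAccess/policies
    """
    findings = []
    if security_defaults.get("isEnabled"):
        findings.append(("SECURITY_DEFAULTS_ENABLED", "Security Defaults is on"))

    augmentt = [p for p in ca_policies if p.get("displayName") == POLICY_NAME]
    if not augmentt:
        findings.append(("AUGMENTT_POLICY_MISSING", POLICY_NAME))
    for p in augmentt:
        # Assumption: an unmodified policy is enabled and still grants on MFA.
        if p.get("state") != "enabled" or not requires_mfa(p):
            findings.append(("AUGMENTT_POLICY_MODIFIED", f"state={p.get('state')}"))

    for p in ca_policies:
        # Disabled and report-only policies do not enforce MFA, so only 'enabled' counts.
        if (p.get("displayName") != POLICY_NAME and p.get("state") == "enabled"
                and requires_mfa(p)):
            findings.append(("MFA_IN_OTHER_POLICY", p.get("displayName")))
    return findings


# Constructed sample data in the shape Graph returns (not from a real tenant).
MFA_GRANT = {"operator": "OR", "builtInControls": ["mfa"]}
SAMPLE_DEFAULTS = {"isEnabled": False}
SAMPLE_POLICIES = [
    {"displayName": POLICY_NAME, "state": "enabled", "grantControls": MFA_GRANT},
    {"displayName": "Require MFA for admins", "state": "enabled", "grantControls": MFA_GRANT},
    {"displayName": "Block legacy auth", "state": "enabled",
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Pilot MFA", "state": "enabledForReportingButNotEnforced",
     "grantControls": MFA_GRANT},
]

if __name__ == "__main__":
    for code, detail in audit_tenant(SAMPLE_DEFAULTS, SAMPLE_POLICIES):
        print(f"{code}: {detail}")
```

Per-user MFA set in the Active Directory MFA module is not visible in these two exports, so it is not covered by this check.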


Enabling/Disabling MFA at the User Level

The MFA statuses shown in Augmentt are set based on whether or not the user has been added to the Augmentt Conditional Access Policy (which controls MFA for your organization). When you enable MFA for user(s), they will be added to the Augmentt policy. When you disable MFA for user(s), they will be removed from the Augmentt policy.


Note: Should you have added the user to another policy, or updated MFA in the Active Directory portal, we will not be able to ensure the integrity of MFA statuses, nor will we be able to enable or disable MFA in those cases, as this information is outside the scope of what is allowed in the Microsoft Graph API.

 
