PowerShell MFA for CSP Delegated Admin Privileges
Currently, the PowerShell module that supports MFA does not support CSP Delegated Admin Privileges. Considering the scope and power of a DAP account, this is a pretty wicked security hole.
Per von Zweigbergk commented
It's ridiculous that this isn't here yet, especially right now, with enforcement of 2FA coming for partner tenants.
One possible workaround is to use the MSOL cmdlets (which still work with 2FA and delegated auth) to create individual admin accounts in every single partner tenant, for use with EXO PowerShell.
Please sort this, MS. Once MFA is forced on partner admin accounts, CSPs are no longer going to be able to perform delegated PowerShell management tasks for tenants. It's going to be a nightmare creating separate admin accounts and configuring MFA in each tenant, and then each time you want to carry out a PowerShell task having to log in to the tenant.
Let's hope it gets implemented soon. We are stuck here with our PowerShell scripts which we use to manage our clients. If anyone knows a solution or workaround, please tell me :)
Microsoft is asking us to implement MFA for all CSP admins, but EXO PowerShell does not support MFA for delegated access. This must be fixed ASAP.
For those that tweet - https://twitter.com/mtwelve_/status/1145639430306324481
How is this not yet implemented? We are being pushed by Microsoft to ensure MFA is enabled everywhere! What is the solution if the technology doesn't support it?
Same problem here. We hope Microsoft will provide us with a solution soon.
Ben Young commented
Still an issue...
This is still an issue, fix this Microsoft. We have to compromise our customers' security in order to admin our tenants.
Can someone from Microsoft give at least a comment to this unbelievable situation?
Let's get going on this Microsoft!
Jamie Wilson commented
It is stupid that this feature is not built in.
This is a ridiculous security flaw that should be seriously considered both by CSPers and by prospective customers.
The CSP admins need to be namely provisioned for each tenant (and then must be enrolled for MFA!!! Just crazy!).
As a (prospect or actual) customer, you can take for granted that your CSPer will hardly execute the above.
This should be no. 1 on Microsoft's fix list if they are really concerned with security and want to continue selling online services.
It is indeed ridiculous that this hasn't been addressed yet!
For years Microsoft has been warning us about increasing identity theft. We also want to secure as much as possible with MFA, especially the CSP DAP. But if we want to use PowerShell for a customer tenant, we still have to resort to a normal admin account within that tenant without MFA. Enabling MFA is cumbersome because all our employees need to use that account. Creating personal admin accounts for all our employees in every customer tenant is also not an option.
Currently we just disable the admin account in the customer tenant and enable it when we need to use PowerShell, but that is also very sensitive to human error.
Recently they also announced this:
Clearly the different Microsoft teams are not talking to each other. On one side they are creating fantastic products like Azure ATP, Azure Privileged Identity Management etc, but on the other side they leave these “holes” open. I have the feeling they don’t listen to technical people in the field anymore.
Mark Ziesemer commented
To further clarify:
Performing delegated administration of Exchange Online by PowerShell is officially documented at https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-exchange-online-tenants-with-remote-windows-powershell-for-delegated. However, this does not work with MFA.
Connecting securely with MFA is officially documented at https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps (using Connect-EXOPSSession). However, this does not work with DAP.
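The two documented connection paths from the comment above, placed side by side as an added example (not code from the thread or from Microsoft's documentation); the partner UPN and customer tenant domain are placeholders. It shows why neither path covers the MFA-plus-DAP case: the delegated path takes a Basic-auth credential, and the MFA path takes no delegated-tenant target.

```powershell
# Added example, not from the original thread. Placeholder values:
$PartnerUpn     = 'admin@partner.example.onmicrosoft.com'   # placeholder partner admin
$CustomerTenant = 'customer.example.onmicrosoft.com'        # placeholder customer tenant

# Path 1: delegated (DAP) connection, as documented for partners.
# The session is built with -Authentication Basic and a plain credential,
# so a partner account that requires MFA cannot complete this logon.
function Connect-ExoDelegated {
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $uri = "https://outlook.office365.com/powershell-liveid?DelegatedOrg=$Tenant"
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri $uri -Credential $Credential `
        -Authentication Basic -AllowRedirection
    Import-PSSession $session -DisableNameChecking | Out-Null
    return $session
}

# Path 2: MFA connection via the Exchange Online Remote PowerShell Module.
# Connect-EXOPSSession drives the modern-auth prompt for the signed-in
# account's own tenant; as the comment above notes, it does not work with DAP.
function Connect-ExoMfa {
    param([Parameter(Mandatory)][string]$Upn)
    Connect-EXOPSSession -UserPrincipalName $Upn
}

# Usage: the delegated path still requires a password-only credential.
$cred = Get-Credential -UserName $PartnerUpn -Message 'Partner admin (Basic auth path)'
try {
    $s = Connect-ExoDelegated -Tenant $CustomerTenant -Credential $cred
    Get-OrganizationConfig | Select-Object Name
    Remove-PSSession $s
}
catch {
    Write-Warning "Delegated connection failed: $($_.Exception.Message)"
}
```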
Chris Herrmann commented
This is totally ridiculous. We're told we have to use MFA (and I happen to agree)... and we should be getting users onboard with MFA... and using delegated admin rather than creating new global admin accounts... then you get this rubbish.