PowerShell MFA for CSP Delegated Admin Privileges
Currently the PowerShell module that supports MFA does not support CSP Delegated Admin Privileges. Considering the scope and power of a DAP account this is a pretty wicked security hole.
Can someone from Microsoft give at least a comment to this unbelievable situation?
Let's get going on this Microsoft!
Jamie Wilson commented
It is stupid that this feature is not built in.
This is a ridiculous security flaw that should be seriously considered by both CSPers and prospective customers.
The CSP admins need to be provisioned by name in each tenant (and then must be enrolled for MFA!!! Just crazy!).
As a (prospective or actual) customer, you can take it for granted that your CSPer will hardly execute the above.
This should be n. 1 in the fix list of Microsoft if they are really concerned with security and do want to continue selling online services.
This is indeed ridiculous that this hasn't been addressed yet!
For years Microsoft has been warning us about increasing identity theft. We also want to secure as much as possible with MFA, especially the CSP DAP. But if we want to use PowerShell for a customer tenant we still have to resort to a normal admin account within that tenant without MFA. Enabling MFA is cumbersome because all our employees need to use that account. Creating personal admin accounts for all our employees in each tenant is also not an option.
Currently we just disable the admin account in the customer tenant and enable it when we need to use PowerShell, but that is also very prone to human error.
Recently they also announced this:
Clearly the different Microsoft teams are not talking to each other. On one side they are creating fantastic products like Azure ATP, Azure Privileged Identity Management etc, but on the other side they leave these “holes” open. I have the feeling they don’t listen to technical people in the field anymore.
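One way to take the "enable, use, disable" routine above out of the operator's hands so the disable step cannot be forgotten. This is an added example, not code from the thread; it assumes the MSOnline module, an already established Connect-MsolService session with delegated rights on the customer tenant, the documented Exchange Online remote PowerShell endpoint, and placeholder values for the tenant id and the tenant-local admin UPN.

```powershell
# Added example (not from this thread). Wraps a tenant-local admin account so that
# sign-in is unblocked only while the work runs and is blocked again in 'finally'.
# Assumes: MSOnline module loaded, Connect-MsolService already done with delegated
# rights, and placeholder tenant id / UPN below.

$CustomerTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder
$TenantAdminUpn   = 'psadmin@customer.onmicrosoft.com'       # placeholder

function Invoke-WithTemporaryAdmin {
    param(
        [Parameter(Mandatory)] [string]      $TenantId,
        [Parameter(Mandatory)] [string]      $Upn,
        [Parameter(Mandatory)] [scriptblock] $Work
    )
    # Credential for the tenant-local account: prompted, never written to disk.
    $cred = Get-Credential -UserName $Upn -Message "Password for $Upn"

    # Unblock sign-in only for the duration of the work.
    Set-MsolUser -TenantId $TenantId -UserPrincipalName $Upn -BlockCredential $false
    $session = $null
    try {
        # Documented (non-MFA) Exchange Online remote PowerShell connection.
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
            -Credential $cred -Authentication Basic -AllowRedirection
        # Run the work inside the remote session so Exchange cmdlets resolve there.
        Invoke-Command -Session $session -ScriptBlock $Work
    }
    finally {
        # Runs even if the work throws: drop the session, then block sign-in again.
        if ($session) { Remove-PSSession $session }
        Set-MsolUser -TenantId $TenantId -UserPrincipalName $Upn -BlockCredential $true
        # Verify the account really is blocked before handing control back.
        $u = Get-MsolUser -TenantId $TenantId -UserPrincipalName $Upn
        if (-not $u.BlockCredential) { Write-Error "Account $Upn is still enabled!" }
    }
}

# Sample use: a read-only query against the customer tenant.
Invoke-WithTemporaryAdmin -TenantId $CustomerTenantId -Upn $TenantAdminUpn -Work {
    Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
}
```

Blocking sign-in stops new logons but does not by itself end a session that is already open, which is why the remote session is removed before the account is blocked again.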
Mark Ziesemer commented
To further clarify:
Performing delegated administration of Exchange Online by PowerShell is officially documented at https://docs.microsoft.com/en-us/office365/enterprise/powershell/connect-to-exchange-online-tenants-with-remote-windows-powershell-for-delegated. However, this does not work with MFA.
Connecting securely with MFA is officially documented at https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps (using Connect-EXOPSSession). However, this does not work with DAP.
Chris Herrmann commented
This is totally ridiculous. We're told we have to use MFA (and I happen to agree)... and we should be getting users onboard with MFA... and using delegated admin rather than creating new global admin accounts... then you get this rubbish.