Applies to: Nerdio for Azure (NFA) Professional, Enterprise and Core.
Refer to this KB article to determine if you are a NFA user.
As of August 1st 2019, Microsoft has taken the initiative to ensure that all Azure environments are secure. As a result, Microsoft is now requiring that all partners who are in the Cloud Solution Provider Program (CSP), Control Panel vendors, or Advisor partners to enable Multi-Factor Authentication (MFA) for admins.
These requirements do not extend into your end-client tenants and are only required for your partner level Azure tenant accounts. There are two ways to enable and enforce MFA in your tenant through Azure. The first is to enforce them on a user by user level. The second is to create a Conditional Access policy that will apply to the entire Azure tenant.
NOTE: If you wish to use a third party MFA solution to secure your Azure tenant, you can do so and still meet these MFA requirements.
Ensure MFA is enabled for your tenant:
1. In your NAP Account, click on the Azure portal login button (or open a web browser and go to https://portal.azure.com).
2. In the new window, login to the Azure portal, then select "Azure Active Directory", "Security", and then MFA:
3. This will take you to the MFA module. MFA is included in several specific plans including Azure AD Premium P2 and EM+S. If you do not have the correct plan, you will be presented with the option to enroll in a free trial. If you have the correct plan, you will be presented with the MFA screen. Under "Configure" select "additional cloud-based MFA settings".
4. In the next screen, select the options that you wish to enable. For Nerdio automation to continue working, you will need to add the Nerdio IP address to the trusted ips section. Nerdio's IP address ranges are 188.8.131.52/28 and 184.108.40.206/24, you may also need to add the Public IP address of your DC01 server to bypass MFA for Active Directory Sync (AD Connect)
5. Once you have configured these options, click save and go back to the Azure portal.
Option 1 - Enable MFA on a user by user basis:
- You should not manually enable MFA on the "AdminPortalO365AdminXXXX" or the "AdminPortalAzureAdminXXXX" (NerdioO365Admin and NerdioAzureAdmin pre-July 2020 provisioned accounts) accounts. Due to Azure priority rules, doing this forces MFA even though the connection from these accounts originate from a trusted IP. Manually enforcing MFA on these accounts prevents Nerdio Admin Portal (NAP) management and provisioning task from executing (updates, auto-scale settings, user modifications, etc).
1. From the main Azure portal page, select "Azure Active Directory" then "Users"
2. Select "Multi-Factor Authentication" from the top menu
3. A new page that displays your users and their MFA status will open.
4. Select the user you would like to enable MFA for. This will open a new box to the right in which you will click "enable". This will enable and enforce MFA for that user
Option 2 - Use a conditional access policy to enable MFA:
1. From the Azure portal main page, select "Azure Active Directory" then under Security, select "Conditional Access".
IMPORTANT: Do not enable the existing MFA baseline policies that are currently in preview. They do not permit whitelisting IPs or selecting users and will cause the Nerdio Admin accounts to be protected by MFA. Doing this will break our integration into your Azure tenant.
2. Select "New Policy"
3. On the new policy page, give your policy a name. In the screenshot below, the name of the policy is set to "Require MFA for Azure portal access"
4. Under "assignment", select "users and groups". Here you can choose which users/groups you would like to enforce MFA across. Select the appropriate choices for your deployment.
5. Select done to go back to the new policy page. Then select "Cloud apps or actions" > "select apps" > "Microsoft Azure Management"
6. Select done, then select "Access controls". Select "grant" > "grant access" > "require multi-factor authentication".
7. Double check to ensure that your trusted IPs created in step 4 are excluded from the conditional access policy. Select "conditions" > "locations" and ensure configure is set to "yes". If it is not, select "yes", then "selected locations" and select the "MFA Trusted IPs" location and save.
8. Ensure "enable policy" is set to "on". Then select "create".
Requirements for meeting Microsoft compliance
We've recently seen situations where Microsoft is allowing partners to enable a group of Conditional Access Policies (CAP) which provide the same effect as enabling security defaults. You can see the source article HERE. IMPORTANT: Please note that you'll still need to exclude the trusted Nerdio IP's in each of these CAP's or else it will break API integration with the NAP.
- Require MFA for administrators
- Require MFA for Azure management
- Block legacy authentication
- Require MFA for all users
- Require Azure MFA registration - Requires Azure AD Identity Protection
Note: If you implement a Conditional Access Policy to prevent PowerShell access by non-authorized users, you must exclude "AdminPortalO365AdminXXXX" or the "AdminPortalAzureAdminXXXX" (NerdioO365Admin and NerdioAzureAdmin pre-July 2020 provisioned accounts).
Once the MFA policy is enabled, your users (including admin users) will immediately need to complete MFA enrollment before they are able to login to the Azure Portal. THIS user guide will help users who have not done this before.
For more information on the new partner requirements visit THIS article.