My boss emailed me asking if there's a way to enforce MFA when directly connecting to our server drives, since he can currently access them as admin without it. I'm not aware of any instance where MFA is needed for SMB shares, even with domain admin accounts. Currently, we utilize Duo for MFA with RDP and an LDAP auth proxy for VPN access, but I doubt Duo can secure SMB access in the same way. I'm hoping to confirm this and explore potential solutions before I reply to him. Any advice or ideas?
5 Answers
You might want to check out Entra Private Access. You can set it up to require MFA for accessing SMB shares by defining your file server as an application in their system. Just keep in mind, it could get a bit tricky with constant programmatic connections to the SMB shares, which might lead to a lot of MFA prompts. Also, look up John Savill's tutorials on YouTube for more insights on setting it up.
What specific licenses do we need for Entra? Can this work for internal connections too?
MFA for SMB might not be standard practice, as Microsoft is gradually moving towards cloud storage solutions like SharePoint and OneDrive, which inherently support MFA. Transitioning to those services could be the future-proof solution you're looking for!
You can look into Authlite for controlled access via groups. This way, you can require MFA for certain groups while letting regular users access SMB normally. It could balance things out without overcomplicating access.
Silverfort is another viable option. It requires a shift in your MFA setup, but it can manage MFA for pretty much any type of authentication, including SMB and RDP. It's great because it prompts for MFA for admin accounts specifically, which might solve your issue. However, I don't know all the technical details since it’s not in my domain of expertise.
We’re currently using Silverfort and it works quite well for admin accounts. I prefer their app for prompts because it’s faster than Microsoft Authenticator.
Honestly, I wouldn’t recommend implementing MFA for SMB shares. Instead, focus on properly auditing and setting share permissions. Users should only have access to the shares they need, and ideally, your boss shouldn't login as admin unless necessary. Using Duo for admin logins is a better approach to security.
That sounds promising! But I’m curious about how it handles multiple connections—do you think it would spam with MFA requests?