Hey folks! I'm a new sysadmin at a small business, and I could use some advice on handling service accounts as Microsoft enforces MFA starting October 1st. I've already set up regular MFA for actual users with physical authenticators or phones. Right now, we have a hybrid identity setup with on-prem Active Directory and Entra. We use some user accounts as service accounts for our CRM, monitoring, and a few other systems, and I want to make sure we don't run into issues once MFA becomes mandatory. We've got the option to delay enforcement but I'd love to learn best practices while I can. How do I determine which accounts will be affected? What's the best way to migrate these accounts to service principals or other alternatives? Thanks a lot!
1 Answer
If you have to stick with user accounts for service accounts, consider using conditional access policies to allow access without MFA from specific locations. Create a service account group for these, and keep a close eye on it. As far as I know, Microsoft requires MFA to be configured, not necessarily enforced, so you might be covered, although it's not the best practice.
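As an added example that is not from the original answer, this is how the approach above could be built with the Microsoft Graph PowerShell SDK: a security group for the user accounts that act as service accounts, a trusted IP named location, one policy that requires MFA for everyone except that group, a second policy that blocks the group from signing in anywhere except the trusted location, and a sign-in log query to keep an eye on the group. Group and location names, the IP range, and the UPNs are placeholders; both policies start in report-only mode. A break-glass account is excluded from both policies, as is standard for any Conditional Access rollout. Note that this governs the tenant's own Conditional Access MFA requirement for apps such as the CRM and monitoring systems; Microsoft's tenant-level enforcement for the Azure admin portals is separate and is not overridden by Conditional Access exclusions, and accounts that are pure automation are better moved to workload identities (service principals or managed identities), which that enforcement does not target.

```powershell
# Added example (not the original answer's code). Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# All names, UPNs and the IP range below are assumed placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", `
    "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

# 1. The user accounts that are really service accounts (assumed list).
$serviceAccountUpns = @("svc-crm@contoso.example", "svc-monitoring@contoso.example")
$breakGlassUpn      = "emergency-admin@contoso.example"   # placeholder; excluded from every policy
$trustedCidr        = "203.0.113.0/24"                    # placeholder office egress range

# 2. Security group that holds them, so policies target the group rather than individual users.
$group = New-MgGroup -DisplayName "CA-Exempt-ServiceAccounts" -MailEnabled:$false `
    -MailNickname "ca-exempt-serviceaccounts" -SecurityEnabled
foreach ($upn in $serviceAccountUpns) {
    $user = Get-MgUser -UserId $upn
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}
$breakGlass = Get-MgUser -UserId $breakGlassUpn

# 3. Trusted IP named location: the only place the service accounts may sign in from.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office egress"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $trustedCidr })
}

# 4. Policy A: MFA for all users, excluding the service-account group and the break-glass account.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA - all users"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($group.Id); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 5. Policy B: the exempt group is blocked from every location except the trusted one,
#    so the MFA exemption only applies where the service actually runs.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block service accounts outside trusted locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 6. "Keep a close eye on it": sign-ins by the service accounts in the last 24 hours,
#    flagging any that did not come from the trusted range.
$since  = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$prefix = ($trustedCidr -split '/')[0] -replace '\.\d+$', '.'   # "203.0.113." ; prefix test is only valid for a /24
$rows = foreach ($upn in $serviceAccountUpns) {
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All |
        ForEach-Object {
            [pscustomobject]@{
                When      = $_.CreatedDateTime
                User      = $_.UserPrincipalName
                App       = $_.AppDisplayName
                IP        = $_.IPAddress
                Result    = $_.Status.ErrorCode        # 0 = success
                Untrusted = -not $_.IPAddress.StartsWith($prefix)
            }
        }
}
$rows | Where-Object Untrusted | Format-Table -AutoSize
```

Run the script with both policies in report-only mode first, review the sign-in log entries (the report-only result appears under each sign-in's applied Conditional Access policies) for a few days to confirm the CRM and monitoring sign-ins are all coming from the trusted range, and only then set the policies' state to "enabled". Any untrusted-location sign-in the last step surfaces is a credential worth rotating, since those accounts have no MFA backstop.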

I thought I read that conditional access exclusions might not work as expected? But if MFA is set up but not enforced, could we still keep our service accounts functional?