RE: Setup up SMTP with MFA and the setting to block legacy authentication
Hello,
My favorite topic
There is a requirement to be 100% compliant as a CSP (if you are a CSP). The requirement here is that you add MFA to all the accounts you added to your customer tenant (as a CSP). The customer which you assist as a CSP does not know the whereabouts of these accounts that were added (delegated admin for instance). So MFA is a must in that setup. If you are not a CSP, then this is really a great idea to do as a requirement for all your accounts that access ERP data.
More information for CSPs:
docs.microsoft.com/.../partner-security-requirements
There is always this misunderstanding:
1. Azure Policy => not compatible with App Passwords
2. Not being able to use these Azure Policies => not compliant => SMTP / CRM accounts can no longer be used
This is not true. Only 1 is true. Related to 2: it does not matter how you enable MFA on your accounts. The only requirement is that you do. Now with these Azure policies you do have the option to assign the policy and exclude the two accounts needed in Dynamics NAV / Dynamics 365 BC. Still, you do have to enable MFA. This can be done on a per-user basis. Enabling MFA on all accounts with exceptions requires Azure Premium licenses. The free Azure policy, like the Security Policy, simply switches on MFA for all users, including the two that require App passwords.
If you do not need these Azure Premium licenses, you simply enable MFA on all accounts on a per-user basis. This can be done in Azure AD, Users, username or Office 365 Portal, Users, Edit users. Here you can also do this in bulk.
The only issue here is that when creating new users, you may forget to enable it, but you can overcome this by ensuring this becomes a managed process. This is where the Azure Premium licenses come into play.
Thanks.
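The "assign the policy and exclude the two accounts" setup described in the reply above, as an added example that is not part of the original post or of any Microsoft documentation: a Microsoft Graph PowerShell script that creates a Conditional Access policy requiring MFA for all users while excluding the two NAV/BC service accounts by object id. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed, the signed-in admin can write Conditional Access policies, and the tenant has the premium license the post says this needs; the two UPNs are placeholders.

```powershell
# Added example, not from the original post: create a Conditional Access policy
# that requires MFA for every user except the two service accounts used for
# SMTP / CRM from Dynamics NAV / Business Central.
# Assumptions: Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users are
# installed, the admin holds the Policy.ReadWrite.ConditionalAccess permission,
# and the tenant is licensed for Conditional Access (the "Azure Premium" license
# the post refers to). The UPNs below are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

$excludedUpns = @(
    'smtp-relay@contoso.example',      # placeholder: mailbox NAV/BC sends SMTP through
    'crm-integration@contoso.example'  # placeholder: CRM integration account
)

# Conditional Access references users by object id, not UPN, so resolve each one
# and refuse to continue if an account does not exist (a dangling exclusion would
# silently leave the real service account subject to the policy).
$excludedIds = foreach ($upn in $excludedUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id, UserPrincipalName
    if (-not $u) { throw "Account '$upn' not found; not creating the policy." }
    $u.Id
}

$policy = @{
    displayName = 'Require MFA for all users (excluding NAV/BC service accounts)'
    # Start in report-only mode; switch to 'enabled' once sign-in logs confirm
    # only the intended accounts are excluded.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = $excludedIds
        }
        applications = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Read the policy back and check that every intended exclusion was stored.
$stored  = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$missing = $excludedIds | Where-Object { $_ -notin $stored.Conditions.Users.ExcludeUsers }
if ($missing) {
    Write-Warning "Exclusions not applied for object ids: $($missing -join ', ')"
} else {
    Write-Host "All $($excludedIds.Count) service-account exclusions confirmed."
}
```

As the reply stresses, excluding the two accounts from the policy does not remove the MFA requirement for them: they still get per-user MFA (with App passwords for the SMTP/CRM clients), and the exclusion list is worth reviewing periodically so that it never grows beyond those two accounts.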