Our Design and Implementation of Multi-Factor Authentication Deployment for Microsoft 365 in Kyushu University

Y. Kasahara, Takao Shimayoshi
Proceedings of the 2022 ACM SIGUCCS Annual Conference
DOI: 10.1145/3501292.3511569
Published: 2022-03-27
Citations: 0

Abstract
At Kyushu University, the Information Infrastructure Initiative manages a Microsoft 365 tenant for university members. We started offering Office 365 in 2016 and migrated our university-wide email service to Microsoft 365 Exchange Online in 2018. Due to the recent outbreak of COVID-19, off-campus use of Microsoft 365 has increased, and concerns about account security arose. We discussed how to deploy Multi-Factor Authentication (MFA) to protect our users. Microsoft 365 comes with Azure Active Directory (Azure AD), which includes built-in MFA functionality. With basic Azure AD MFA, individual users can register MFA information at any time but have no control over enabling or disabling MFA; tenant administrators need to enable MFA for each account. For a gradual deployment, we want to allow users to enroll in MFA and register their information at their convenience. In addition, we want to prevent an attacker from registering their own MFA information if an account has already been compromised. Such control was difficult with basic Azure AD MFA. Since 2020 our tenant has subscribed to Azure AD Premium P2 licenses, which provide Azure AD Conditional Access. Conditional Access enables fine-grained control of MFA and other user access behavior through security groups. We designed an MFA self-enrollment and configuration system and implemented it with Microsoft Forms, Power Automate, Conditional Access, and in-house web applications. By design, this system prohibits registration of MFA information until the user has self-enrolled in MFA, and requires the user to register MFA information upon the next sign-in after self-enrollment. This is intended to reduce the possibility of unauthorized registration of MFA information. We extensively discussed the implementation of various measures and the preparation of documents to address users' troubles and complaints. We started deploying MFA in April 2021, but we have not yet fully mandated MFA due to pushback from some executives concerned about the adverse effects of enforcing MFA too quickly.