How to enforce MFA on CoreView service accounts
Modified on Wed, 19 Jul 2023 at 02:52 PM
Categories
-
What's New
-
Release Information
- CoreView Release Notes September 2023
- CoreView Release Notes August 2023
- CoreView Release Notes July 2023
- CoreView Release Notes June 2023
- CoreView Release Notes May 2023
- CoreView Release Notes April 2023
- CoreView Release Notes March 2023
- CoreView Release Notes February 2023
- CoreView Release Notes January 2023
- CoreView December 2022 Release Notes
- CoreView November 2022 Release Notes
- CoreView October 2022 Release Notes
- September 2022 Release Notes
- August 2022 Release Notes
- Release 22.06 Key Features
- Release 22.05 Key Features
- Release 22.04 Key Features
- Release 22.03 Key Features
- Release 22.01 Key Features
- Release 21.12 Key Features
- Release 21.11 Key Features
- Release 21.10 Key Features
- Release 21.09 Key Features
- Release 21.08 Key Features
- Release 21.07 Key Features
- Release 21.05 Key Features
- Release 21.04 Key Features
- Release 21.03 Key Features
- Release 21.02 Key Features
- Release 21.01 Key Features
-
Release Information
- Getting Started with Customer Care
-
Getting Started with CoreView
-
Configuring
- Configuration Overview
- Creating CoreView Tenant Administrators
- CoreView Operator Uses Cases & Dependencies
- Creating a License Pool
- Understanding Virtual Tenants
- "Send As" DNS Requirements for CoreAdoption Campaigns (Optional)
- How to enforce MFA on CoreView service accounts
- Creating a License Pool
- How to ensure security for CoreView service accounts
- Disabling MFA for CoreView service accounts
- Set Conditional Access to grant access only inside the CoreView data center
-
Configuring
-
How to
-
Exchange Online
- How to check and analyze the Message Trace
- How To Configure Email Forwarding
- How to convert a Shared Mailbox to a User Mailbox
- How to convert a user mailbox to a shared mailbox in Exchange Online
- How to Create Microsoft 365 Groups for Improved Collaboration
- How To Create Shared Mailbox
- How To Create User Mailbox
- How To Grant Access To Mailbox
- How to List all the Mailboxes a User has access to in Microsoft 365
- How to remove delegates from Mailbox
- How to remove user access to Mailbox
- How to review and manage Exchange online mailbox permissions
- How to verify if a user has updated the Password
- Read Permission for Mailbox
- What are security groups and How to create it
- What is a Distribution Group and How to create it
-
Exchange Online
- Custom Actions Library
- Getting Started with CoreHybrid
-
Knowledge Resources
-
Understanding CoreView - Quick Start Guides.
- CoreView Quick Start Guide Overview and Index - Tenant Admins
- CoreView Quick Start Guide Overview and Index - Operators
- Understanding CoreView Tenant Configuration – Management
- Understanding the CoreView Operator Profile
- Understanding CoreView Operator Roles (New UX)
- Understanding CoreView Operator Roles
- Understanding CoreView Operator Delegation
- Understanding CoreView - Report Column Filtering
- Understanding CoreView Tenant Configuration - V-Tenant User Filters
- Understanding CoreView Tenant Configuration - Portal Information
- Understanding CoreView Tenant Configuration Options
-
Troubleshooting Common Issues
- Unable to see OneDrive, SharePoint and Exchange Data
- Remote Office 365 PowerShell session can Conflict CoreView Management Actions
- Why I cannot save the changes on existing License pool?
- Error when attempting to perform a Management Action
- Unable to modify the Assigned Licenses in my License Pool Report
- Enabling Permission for Endpoint Manager Actions
- How to enable permission for BitLocker keys report
-
Tenant Administration
- How to recreate Admins Read-only
- How to add an operator to the portal?
- How to enable and configure CoreView management session
- How to provide a consent to activate Azure AD Reports Feature and activate Partial Import?
- Tips & Tricks: Leverage Pivot Reports to Prototype License Pool Criteria Filter
- Tips & Tricks - How to manage email notifications for newly added Operators.
- Disable MFA from Read Only Service Accounts
- How To: Report on "Consumed Portal Licenses"
- How to Configure Allowed IP Addresses for CoreView Service Accounts
- Tips & Tricks: How to merge License Pools
- How to Use CoreView's Global Report Filters
- How to use the What If tool to check Azure AD conditional access policies
- How to Configure Allowed IP Addresses for CoreView Service Accounts
- How to Archive a Teams Group
- How to Restore a Teams Group
- On-demand Import for a Single Device in Endpoint Manager (Intune)
- Custom Actions using the Microsoft Graph API
- How to set up your tenant for the switch to Microsoft Graph API
- GraphAPI configuration: How to get Client ID and Client Secret
- How to provide consent to import exchange information
-
Reporting and Analytics
- How do I Check and Manage Calendar Permissions for a User?
- How CoreView can help you with your Microsoft 365 Chargeback Goals.
- New UX: Understanding the new License Centers
- Understanding the Savings Opportunities Dashboard
- Understanding the License Optimization center
- Understanding License Pool Snapshots report
- Understanding Call quality dashboard
- Understanding Call quality report
- Understanding User call quality report
- Understanding Teams groups activity report
- Understanding Teams Adoption Growth Report
- Understanding Endpoint Manager reports
- Understanding Teams dashboard
- Understanding Risky Users report
- Understanding Storage Dashboard
- Troubleshoot Active Users (License Usage) data
- Legacy Protocol Management
- Report Columns: Is active 30/60/90
- Quarantined Messages Report - Understanding The Reports
-
Managing and Administration
- Teams Voice: Direct Routing Support
- How to enable management function?
- Forward SMTP Address vs Forward Address management actions
- How to add the users in bulk while executing Users management actions?
- How to Create & Manage Custom Actions
- How to schedule a report to be sent automatically, and how to modify its scheduling options?
- How to schedule an alert report for the License Count
- Tips & Tricks – How to read and modify license pool report?
- Overview of CoreView Workflow
- How to delegate Workflow management using roles
- How to configure CoreView and ServiceNow integration
- How to Enable Multi Factor Authentication for Operators and Admins who Access the CoreView Portal
- How Can I Migrate from Group-Based Licenses to Direct Licenses Managed by CoreView?
- Naming convention rules
- Custom Actions: Forbidden and Warning Values
- How to add users to Distribution Group in bulk using via CSV
- Not able to manage licenses error
- Using custom action json output as an input in the workflow
- Setting the Sensitivity Label on SharePoint as a Mandatory Field
- DistinguishedName vs OnPremisesDistinguishedName
-
Understanding CoreView - Quick Start Guides.
- CoreView Product Manual
- Health Check
- Actions
-
Playbooks
-
Out-of-the-Box playbooks
- Introduction
- Overview
- Configuring predefined policies
- Edit policy settings: Set and monitor thresholds
- Edit remediation settings: Manual and automatic remediation
- Edit remediation settings: Configure attestation
- Remediation settings: Security & Identity policies
- Remediation settings: Teams Management policies
- Remediation settings: License Management policies
- Remediation settings: SharePoint & OneDrive Management policies
- Remediation settings: Exchange Management policies
-
Out-of-the-Box playbooks
- Workflows
- Learning Platform
- Internal Customer Care Resources
- Archive
- PowerShell
- Webinars and Events
- CoreVoice
- Internal Support
This article has been updated, and the deprecated content has been replaced. Please click here to access the new version.
This article will cover the steps required to enforce multi-factor authentication (MFA) on CoreView service accounts.
Overview
To ensure maximum security for your tenant and CoreView, you must enforce MFA on our service accounts. This document will guide you through the steps required to ensure that CoreView services will still be able to run properly from the data center you are hosted in, while maintaining high levels of security.
If you have Azure Active Directory Premium (part of EMS or Microsoft 365 licensing), please follow this guide how to configure the Conditional Access in your Azure AD environment and allow specific IP addresses for CoreView service users.
Note: Please choose only one of the two methods to secure CoreView service users based on the requirements applicable to your tenant’s specific case.
If you use Azure AD Conditional Access, you can block legacy authentication for these accounts.
There are two methods to secure CoreView service users. Please click the links below and follow the directions for the method that applies to your tenant.
- Method 1: With Azure Active Directory P1 - CoreView Data Center IP Address Ranges
- Method 2: Without Azure Active Directory P1
Method 1: With Azure Active Directory P1 - CoreView Data Center IP Address Ranges
Requirement: This process requires an Azure Active Directory Premium P1 or P2 subscription.
Step 1
Exclude CoreView service accounts from existing policies
Step 2
Login to Azure portal (portal.azure.com) as an Administrator.
Step 3
Open the Azure Active Directory blade.
Note: If the Azure Active Directory is not present among the recently used Azure services or in the dashboard, search for it in the search bar at the top of the Azure Web Portal or click on more services.
Step 4
Click on the Security menu and then on “Conditional Access”:
The “Conditional Access – Policies” menu will be opened:
If you have a policy that enforces MFA on the admin accounts, you must exclude CoreView service user accounts from it.
If you do not have a conditional access policy that enforces MFA on the admin accounts, please go to the Step 3 below.
Step 5
Click on the policy name to open its details. Click on Users and Groups under Assignment, then the Exclude tab on the right side.
Step 6
Check the box for "Users and Groups." Then in the ‘Select excluded users’ pane, search for the CoreView service user(s).
Note: The number of service users depends on the size of your tenant. The rules for the names are:
cvroa<randomnumber>@<onmicrosoft domain>
coreview.reports<randomnumber>@<onmicrosoft domain>
4ward365.admin@<onmicrosoft domain>
Step 7
Click on a user account to select it, and it will appear in the Selected items area below the search. Perform this action for all the CoreView service users and press the Select button. The Select excluded users menu will close.
Step 8
Click the Save button on the left side of the window to save your policy changes.
Now we can proceed, and setup allowed IP addresses for those users.
Step 9
Create named location and add IP addresses. A new Named Location must be created. Select Named locations under the Manage section and click on + IP ranges location.
Step 10
Insert the name for the location (Recommended: CoreView <region form> Platform IPs) and all IP addresses with the subnets in the table below. Once the list is complete, click "Create.”
Note: We have used European data center’s IP addresses for this example.
Please refer to the following table for the current list of trusted CoreView Data Center IP Addresses, below. Note: you can check the “Mark as trusted location” for a lower user sign-in risk.
Azure CCC (EU) | 52.178.220.169/32 |
| 13.79.166.132/32 |
| 52.164.205.60/32 |
| 40.69.61.123/32 |
| 191.239.215.199/32 |
| 20.191.46.79/32 |
Azure CCC (US East) | 52.225.217.154/32 |
| 104.209.147.75/32 |
| 40.70.44.94/32 |
| 137.116.90.35/32 |
| 52.225.222.18/32 |
| 40.65.233.115/32 |
Azure CCC (Canada East) | 52.229.116.78/32 |
| 40.69.100.107/32 |
| 52.242.35.38/32 |
| 52.242.126.90/32 |
| 52.235.47.42/32 |
| 52.155.24.77/32 |
Azure GCC (US East) | 13.72.21.184/32 |
| 52.247.175.28/32 |
| 13.72.21.53/32 |
| 52.247.150.99/32 |
| 52.227.178.31/32 |
| 52.227.179.120/32 |
| 52.227.221.240/32 |
Step 11
Create a new policy for CoreView service accounts. A new policy must be created. Select Policy and click on New Policy.
Step 12
Insert the new Policy. Insert the name of the policy (Example: Safelist CoreView endpoints) and add all CoreView service users and cloud applications. To do that, make edits to the areas under Assignments.
First click on Users and groups.
In the “Include” tab select “Users and groups” and press on “Select.” From the select bar search for all CoreView service users and add them as the policy members. Note: The number of service users depends on the size of your tenant. The rules for the names are:
- cvroa<randomicnumber>@<onmicrosoft domain>
- coreview.reports<randomicnumber>@<onmicrosoft domain>
- 4ward365.admin@<onmicrosoft domain>
Press the “Select” button to select the users for the policy.
In the "Cloud apps or actions" section, click on “No cloud apps or actions selected.” Choose “All cloud apps” in the “Include” tab as shown in the screenshot. "No cloud apps or actions selected" will change to say "All cloud apps.”
In the Conditions section, you must include all locations and exclude the location created previously, so click on 0 conditions selected and then Locations. Set the Configure toggle to Yes.
In the Include tab of the Locations section, set Any location as shown in the screenshot above.
In the Exclude tab of the Locations section, ensure that Selected locations is selected, then click on None. Search for the location created previously to set it to be excluded.
Check the location and press Select.
Under the Access Controls section, click 0 controls selected under Grant.
In this step. we recommend blocking the access. Select Block access and press Select.
.
Alternatively, you can enable the Multi-Factor Authentication for CoreView service users from non-excluded IP addresses. To do that choose Grant access in the Grant section and check Require multi-factor authentication:
As the last step, enable this policy and click Create.
Now the policy is listed in Conditional Access – Policies
<p id="anchor">Section 2</p>
Method 2: Without Azure Active Directory P1
If you have only Office365 E1 licenses (or above) and do not have Azure AD Premium P1 (or above), this guide will show you how to disable Multifactor Authentication for CoreView service users.
Disabling MFA for CoreView Service Accounts
Step 1
Login to Admin Office 365 portal (https://admin.microsoft.com)
Step 2
In the navigation menu navigate to Users > Active Users
Step 3
Click on any active user. The user properties tab will appear on the right of your screen. Scroll down and click on Manage multifactor authentication.
Step 4
Disable MFA for the CoreView Service Accounts. You should disable the Multifactor Authentication for the CoreView service users. To do that, click on the magnifying glass to open the search field.
Search for and select all service users and click on “Enable” in the property menu.
Note: The number of service users depends on the size of your tenant. The rules for the names are:
- cvroa<randomicnumber>@<onmicrosoft domain>
- coreview.reports<randomicnumber>@<onmicrosoft domain>
- 4ward365.admin@<onmicrosoft domain>
If they already have the “Disabled” status, then you do not need to make any changes.
If the status is set to "Enabled", then select the users that need to be disabled and click the "Disable" option on the right side of the screen.
Another window will open, confirming your choice. Click "yes" to disable multi-factor authentication.
Close the confirmation window.
You have now completed the process.