Open Azdamus opened 2 months ago
In general, I would like to keep the recommendation to avoid voice calls as an MFA option. Integrating a kind of severity to identify a check as "hard recommendation" or "it depends" would be a great addition. This is something that needs to be implemented in all checks. @Azdamus : Allowing voice calls would be strongly scoped to a user group in your described scenario?
I agree. In terms of script logic, my thinking is something along the lines of:
Going to a "Hard recommendation" flag system can become tedious to manage and categorise. What classifies as a gentle recommendation, what classifies as hard recommendation, what is the criteria, etc.
@Azdamus : We will be working on a feature to customize and/or waive the recommended value in Maester. Currently, the only option is to host a customized version of the EIDSCA.json file with the adjusted RecommendValue. You can build a customized EIDSCA by providing the AadSecConfigUrl parameter in Update-EidscaTests.
Stay tuned for any updates regarding an integrated option in Maester.
For some companies that use computers in sterile rooms where cell phones are not allowed because they can interfere with the manufacturing process, the only MFA method that works is FIDO2 / PIV / Phone Call (desk phone) – each location having different policies based on geographical location and local rules. I do admit that Phone Call is insecure. Perhaps a Warning should be added as a flag?