MFA Design Queries


Problem description


Hello Experts, I have a client who will be deploying MFA servers on-prem for 2FA. Before they do that they have some queries; kindly address these in as much detail as possible. I could not find even a single doc which talks about it. We tried different versions but still see the same behavior, and don't know if that is the product by design or we are doing something wrong. Following are the concerns we have:

  1. Unexpected behaviors - If an admin changes one user's "Send Email" setting, ALL other users' Send Email is also checked.
  2. Inconsistent settings between MFA servers - The master server shows "Send Email" checked for all users; the slave server shows it unchecked.
  3. Inconsistencies between admins - One admin sees all users checked, another admin sees all users unchecked from the SAME server, even after having both admins completely log out. Whether the email sends or doesn't send depends on the setting of the admin who is modifying the user's account. For example, if I check "Send Email" and modify a user's phone number, they will get an email, but if Angela had the users unchecked and modified a user's phone number, they would not receive an email. FYI, we are running MFA Server 8.0.0.3. We require these settings to work as documented to do a phased rollout to over 4,000 associates. We need newly hired associates to be sent an email from the MFA server without us having to intervene and keep track of each associate that is being hired or transferred to departments that have already been onboarded into MFA. We are using Security Groups to control this setting within the MFA server.
  4. Users Group - ALL associates/employees are brought into MFA Disabled and with Send Email unchecked.
  5. Enabled Group - As we onboard associates, we add departments to this security group. The settings are set to have Send Email checked and Enabled checked. Associates are brought in with minimal information to ensure the email should be sent according to the documentation on the server (User Enrollment - An email is sent to a user added that is enabled, but incomplete (no phone specified, mobile app not activated, or no OATH token secret key specified); disabled and set to succeed authentication; or disabled, set to fail authentication, and not previously enrolled. The email is only sent if Allow User Enrollment is checked in the User Portal section). We do allow user enrollment.
  6. As an FYI, not sure if this is expected behavior, but we have also experienced users who enrolled themselves, and the security group settings seem to override them logging in and enabling themselves. Example: Upon rollout to a department, we manually send an email to that department giving them 2 weeks to enroll themselves in MFA before we add their department to the Enabled group. At that time, they are only in the Users Group. The associate will go out to the MFA User Portal and enroll themselves in MFA, but once the synchronization takes place, Enabled is unchecked on the user's account in the MFA User Portal.


CreedHameed
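As an added illustration (not MFA Server code and not the poster's), the enrollment-email rule quoted in item 5, combined with the Send Email dependency reported in item 3, written as a predicate over a user's state; the Users Group and Enabled Group scenarios from items 4 and 5 are constructed inputs, and treating Send Email as a gate is an assumption drawn from item 3.

```python
"""Model of the documented MFA Server enrollment-email rule.

Added example only: it encodes the conditions quoted in the question so an
admin can predict whether a given user state should trigger the enrollment
email, and then evaluates the post's own group scenarios (constructed inputs).
The real product logic is not this code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserState:
    enabled: bool                  # "Enabled" checkbox on the user
    complete: bool                 # phone set, mobile app activated, or OATH secret present
    fail_auth_when_disabled: bool  # for disabled users: False = succeed auth, True = fail auth
    previously_enrolled: bool
    send_email: bool               # per-user / security-group "Send Email" (assumed gate, per item 3)


def enrollment_email_expected(user: UserState, allow_user_enrollment: bool) -> bool:
    """Return True when the documented rule says the enrollment email is sent."""
    # Global gate: nothing is sent unless "Allow User Enrollment" is on in User Portal,
    # and (per the poster's observation) unless Send Email is checked for the user.
    if not allow_user_enrollment or not user.send_email:
        return False
    if user.enabled:
        # Enabled but incomplete users are emailed so they can finish enrolling.
        return not user.complete
    if not user.fail_auth_when_disabled:
        # Disabled and set to succeed authentication: emailed regardless of history.
        return True
    # Disabled and set to fail authentication: only if never enrolled before.
    return not user.previously_enrolled


def post_scenarios(allow_user_enrollment: bool = True) -> dict:
    """The two security-group states described in items 4 and 5 (constructed)."""
    users_group = UserState(enabled=False, complete=False, fail_auth_when_disabled=True,
                            previously_enrolled=False, send_email=False)
    enabled_group = UserState(enabled=True, complete=False, fail_auth_when_disabled=False,
                              previously_enrolled=False, send_email=True)
    return {
        "Users Group": enrollment_email_expected(users_group, allow_user_enrollment),
        "Enabled Group": enrollment_email_expected(enabled_group, allow_user_enrollment),
    }


if __name__ == "__main__":
    for group, expected in post_scenarios().items():
        print(f"{group}: enrollment email expected = {expected}")
```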


Recommended answer


Check this link to manage the user settings with azure multifactor authentication.


https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings


You need to choose how to enable it by changing the user state.


https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

