Disclaimer
Before implementing the conditional access policies outlined in this guide, it is crucial to note that turning off Security Defaults in Entra ID is a necessary step. By doing so, you are removing a set of predefined security measures provided by Entra ID. To maintain a secure environment, it is imperative that you create additional conditional access policies that adequately cover the protections previously offered by the security defaults.
Failure to do so may expose your organization to increased security risks.
We will provide you with a link to a Microsoft guide on how to do so.
When you make changes to security settings, it is highly important that you consult IT security experts prior to making the changes.
This guide aims to specifically help disable MFA for SimplerQMS and should therefore not be considered as IT security advice.
General info about MFA and Entra ID
If a user continues to get MFA requests every time the user signs documents or training assignments in SimplerQMS, it is because of the security settings in Entra ID (Azure).
There are currently 3 different MFA authentication setups an organization can choose between in Microsoft Entra ID and the Microsoft Admin Portal:
1) Per-user (legacy) MFA authentication: Microsoft recommends that organizations change their setup to option 2) or 3) below.
2) Security Defaults: This is now the standard setting for all new Entra ID tenants, unless you want to use the more advanced option 3).
3) Conditional Access Policies: Recommended by Microsoft if your organization has more granular sign-in security needs.
Why do some or all users get MFA requests every time they sign in SimplerQMS?
Situation A: All users will usually be asked to use MFA if option 1) is used above.
Solution A: Switch to the more modern security setting, option 3), based on input from the person responsible for IT security in your organization or your IT security advisor. See also this MS article.
Situation B: Users with elevated admin rights in Entra ID are required to use MFA more frequently due to their Microsoft privileged rights. This usually happens when option 2) Security Defaults is used and when option 3) Conditional Access policies are fully implemented (article).
Solution B: Microsoft recommends admins to separate their admin account from the normal administrative work account (for browsing, emails etc), hence the solution would be to separate accounts. See this MS article.
Situation C: In rare cases, users could be asked for MFA authentication due to a specific conditional access policy that dictates this requirement.
Solution C: Adjust the conditional access policy.
Turning Off Security Defaults
If you already have Conditional Access policies implemented, go to the next section, “Create or adjust Conditional Access Policy”.
In Entra ID, a set of security rules called Security Defaults is turned on by default to give users a basic layer of protection. To adjust when MFA is used, Conditional Access policies should be used instead. The first step is therefore to disable Security Defaults.
Log in to https://portal.azure.com with a global admin account. Under Overview, click Properties on the right. Set Security defaults to Disable.
Create or adjust Conditional Access Policy
Log in to https://intune.microsoft.com and on the left go to Endpoint Security. Under Manage on the right, select Conditional Access and then Policies.
Go to “New Policy” and use these options for disabling MFA specifically for SimplerQMS/M-Files:
- Users’ category: Select the users or groups that the policy should apply to.
- Target resource: Select Cloud Apps and Include “All cloud apps”, then go to Exclude and click on “Select excluded cloud apps” and select these 3 M-Files Enterprise applications (see image below).
- Network: Leave it as Not Configured
- Conditions: Select Device Platforms and select “Any device”, leave the rest as Not Configured
- Grant: Select Grant access and check the box “Require multifactor authentication”
- Session: Check the box Sign in frequency and choose the number of days after which your users will have to enter MFA again. This option is up to you.
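The policy settings listed above, expressed as a Microsoft Graph conditionalAccessPolicy request body, with a small review function that flags drift such as a widened exclusion list or a missing MFA grant. This is an added example, not SimplerQMS or Microsoft code; the app IDs, the group ID, the report-only state and the 7-day frequency are constructed placeholders or assumptions.

```python
import json

# Constructed placeholder IDs: the page names the three M-Files enterprise
# applications only in an image, so the real app IDs are not known here.
MFILES_APP_IDS = {f"00000000-0000-0000-0000-00000000000{c}" for c in "abc"}

def build_policy(group_id, excluded_app_ids, frequency_days):
    """Graph conditionalAccessPolicy body mirroring the portal choices."""
    return {
        "displayName": "Require MFA, all apps except M-Files (example)",
        # Assumption of this example, not a step on the page: start report-only.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": sorted(excluded_app_ids),
            },
            "platforms": {"includePlatforms": ["all"]},  # "Any device"
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {"signInFrequency": {
            "isEnabled": True, "type": "days", "value": frequency_days}},
    }

def review_policy(policy, allowed_exclusions):
    """Return findings for a policy export; an empty list means no drift."""
    findings = []
    apps = (policy.get("conditions") or {}).get("applications") or {}
    if apps.get("includeApplications") != ["All"]:
        findings.append("policy does not target all cloud apps")
    extra = set(apps.get("excludeApplications") or []) - set(allowed_exclusions)
    if extra:
        findings.append("unexpected excluded apps: " + ", ".join(sorted(extra)))
    grant = policy.get("grantControls") or {}
    if "mfa" not in (grant.get("builtInControls") or []):
        findings.append("grant control does not require MFA")
    freq = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not freq.get("isEnabled"):
        findings.append("sign-in frequency is not enabled")
    return findings

if __name__ == "__main__":
    body = build_policy("<group-object-id>", MFILES_APP_IDS, 7)  # 7 days: sample
    print(json.dumps(body, indent=2))
    print(review_policy(body, MFILES_APP_IDS))
```

The same review function can be run over policies exported from the tenant to confirm that only the intended M-Files applications are exempt from MFA.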
Attention: It is critical that all the needed Conditional Access policies are created when Security Defaults are turned off. Please consult a security expert and review this MS article.