Running Delegated Admin PowerShell Scripts with MFA enabled accounts
Microsoft have introduced some important security requirements for users who access customer tenants via delegated administration. Admins and users with access to customer tenants must use multi-factor authentication when accessing customers’ Office 365 environments.
While this is great for security, it will likely break any scripts you have that use the credentials of a delegated admin and don’t prompt for modern authentication.
To keep these scripts operational, you can use MFA whitelisting to exclude the MFA requirement for specific public IPs, e.g. your own environment or your Azure Function apps.
How to retrieve the IP of your own environment
In many cases, you can retrieve your own IP by searching for ‘what is my ip address’. However, before you add this to your whitelist, you should confirm that this is a static, non-changing IP.
Retrieving IPs for Azure Function Apps
- To retrieve the IP address for your Azure Function App, log in to https://portal.azure.com
- Navigate to your Azure Function app
- Navigate to Platform Features and click Properties under the General Settings section
- Retrieve the IPs used by the function app under Outbound IP Addresses and Additional Outbound IP Addresses
Add the IP addresses to your MFA Whitelist
- You can add your IPs to your whitelist either by visiting this link or by navigating via the Azure AD portal using these steps.
- Navigate to Azure AD on the left menu.
- Scroll down to Conditional Access under the security section in the Azure AD submenu.
- Click Named Locations
- Click Configure MFA trusted IPs
- Provided you have the right licensing (I think it may require a plan with at least Azure AD P1), you should be presented with a screen that looks like this:
- You can enter your IP addresses into the Trusted IPs section. Remember to add /32 to each address and enter each one on a new line.
- You should now be able to run your delegated administration scripts from your own environment or Azure Functions without them failing the MFA requirement.
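The portal steps above can also be scripted. The following is an added example, not code from the original post: it uses the Az PowerShell module (Get-AzWebApp, which also returns Function Apps since they are App Service sites) to read both the current and the possible outbound IPs of a Function App, drops anything that is not a public IPv4 address, and emits one /32 entry per line in the format the Trusted IPs box expects. It assumes Az.Accounts and Az.Websites are installed, that you have already run Connect-AzAccount, and that the resource group and app names are placeholders you replace with your own.

```powershell
# Added example (not from the original post): collect the outbound IPs of an
# Azure Function App and emit them as /32 entries for the MFA trusted IPs list.
# Assumes Az.Accounts and Az.Websites are installed and Connect-AzAccount has run.
param(
    [string]$ResourceGroup   = 'rg-delegated-admin',   # placeholder, replace with yours
    [string]$FunctionAppName = 'func-delegated-admin'  # placeholder, replace with yours
)

# Function Apps are App Service sites, so Get-AzWebApp returns them as well.
$site = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $FunctionAppName

# OutboundIpAddresses are the IPs in use right now; PossibleOutboundIpAddresses is
# the full set the app may switch to after a scale or plan change (the portal's
# "Additional Outbound IP Addresses"). Whitelist the full set, otherwise scripts
# will fail intermittently when the app moves to another IP.
$candidates = ($site.OutboundIpAddresses, $site.PossibleOutboundIpAddresses) -join ',' |
    ForEach-Object { $_ -split ',' } |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique

function Test-PublicIPv4 {
    # Returns $true only for a syntactically valid, public IPv4 address.
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    # Reject RFC 1918, loopback, link-local and CGNAT ranges; only public IPs
    # belong in the trusted list, and a private address here is a copy/paste mistake.
    if ($b[0] -eq 10) { return $false }
    if ($b[0] -eq 127) { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    if ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127) { return $false }
    return $true
}

# Build the /32 entries; anything that fails the check is reported, not silently dropped.
$trusted = foreach ($ip in $candidates) {
    if (Test-PublicIPv4 $ip) { "$ip/32" }
    else { Write-Warning "Skipping '$ip': not a public IPv4 address" }
}

# One entry per line is what the Trusted IPs text box expects; paste this output in.
$trusted -join "`n"

# Keep a dated copy so the list can be diffed when the app's outbound IPs change.
$trusted | Set-Content -Path ".\$FunctionAppName-trusted-ips-$(Get-Date -Format 'yyyyMMdd').txt"
```

Re-run the script after any change to the Function App's hosting plan or region, and compare the new file with the previous one: an address that disappears from the output is one you can remove from the Trusted IPs list, which keeps the MFA exemption as small as the scripts actually need.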