Effective August 1, 2019, All Partner Center accounts will require MFA for all admin accounts. CloudRadial supports MFA on both user logins into CloudRadial and for the credentials used to run PowerShell scripts and perform Office 365 synchronization. PowerShell is used to run some partner-level and client-level reporting for items not yet moved into the Microsoft Graph. To enable PowerShell to work, you will need to whitelist the IP addresses used in processing the PowerShell commands.
Find the List of IP Addresses Used For PowerShell
- In CloudRadial, go to your Partner | Account tab (the first tab under Partner on the left side of the screen).
- On the right side of the screen under Region, click on the View IP Addresses link. This opens up a list of all IP addresses used.
- Copy the list of IP addresses identified as "CW-1 PowerShell (PowerShell Only)". This will be the list of IP addresses that will access.
Enabling MFA Access for a User
- Open your Azure portal: https://portal.azure.com
- Open the Azure Active Directory service.
- Open Users and choose the user account used for CloudRadial access.
- Choose the Authentication Methods option. Enter the Authentication contact info and click the Require re-register MFA option at the top.
- Assign a license to your CloudRadial user to allow for conditional access. This will require either a license for Azure Active Directory Premium P1 or P2 or Enterprise Mobility + Security.
Important: In a private window log in as this user. You will be prompted to confirm the phone number authentication method. If you don't get this prompt, then MFA may be disabled for your location. In this case, you will need to log in from a different IP address, to force the issue. (We use a VPN service to test from different IP addresses and countries).
Whitelisting CloudRadial IP Addresses
- From the Azure Active Directory settings page, choose the MFA option under Security.
- Choose the "Additional cloud-based MFA settings" under Configure. Which will take you to this link: https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx
- Add the CloudRadial IP Addresses from the list you obtained earlier and add /32 to each to create a correct CIDR format. If you don't see the "trusted ips" option, you will to upgrade your Azure Active Directory (see step 5 above).
- Save the settings.
Testing Office 365 Access from CloudRadial
- In CloudRadial, go to Partner | Office 365. This will show all of your Office 365 accounts from your Microsoft Partner tenant. Click the Sync button at the top to force an update.
- Go to the Alerting | Jobs tab to see the results from the submitted job.
- If you have any issues, please reach out to firstname.lastname@example.org for assistance.
Restricting Access with Azure P1
If you want to further secure your credentials, you can add Azure Active Directory's P1 security to the account and restrict that credential to just the IP addresses required for the CloudRadial service. To setup this security:
- Setup a new user in Office 365 and grant them global administrator privileges. Make sure that no MFA policies apply to this user. For more information on setting up this user see https://radials.io/powershell
- Assign an Azure Active Directory P1 license to this user.
- Obtain the list of IP addresses used by CloudRadial. This is found on the Partner | Account page. Click the link "View IP Addresses" at the lower right of the screen. Typically you will want just the IP addresses required for PowerShell access.
- In your Azure Active Directory dashboard, look for the Conditional Access setting and open it.
- Create a named location and enter the IP Addresses shown in CloudRadial. This will require CIDR notation. For a single IP enter the IP address followed by /32.
- Create a conditional access policy to restrict access to the named location created above for the user.