Admin UW NetIDs are not eligible to opt in to "UW Duo 2FA for the Web", because they are not allowed to sign in to https://identity.uw.edu. UW Azure AD customers would like to add this broad protection to their Admin UW NetID. Previously, to get that protection, each customer had to ask for a custom conditional access policy, which obviously does not scale.
We've created a self-service opt-in solution that meets this broad need outside of https://identity.uw.edu, using an Active Directory based group. We were unable to use the UW Groups membership opt-in feature because Admin UW NetIDs are also not allowed to sign in to https://groups.uw.edu. So instead, we've created an AD group based membership opt-in solution to meet this need.
Members of u_uwnetid_admin (all Admin UW NetIDs) can add themselves to ad_aad2FA_optin_AdminUWNetIDs to require Duo 2FA for sign-in to all UW Azure AD based applications. After you add your Admin UW NetID, the membership syncs to Azure AD within 30 minutes, and from then on your Admin UW NetID is subject to a conditional access policy that requires Duo 2FA for all Azure AD applications. If you encounter issues, you can remove your Admin UW NetID from the group until you've resolved them.
To add or remove your Admin UW NetID in ad_aad2FA_optin_AdminUWNetIDs you have one primary option. There are other ways to make AD group membership changes, but the PowerShell module is the easiest method usable by the broadest set of people.
Prerequisites
- You have an Admin UW NetID with a password set, which has not been disabled or deleted due to the MI Inactive user policy
- You have installed the ActiveDirectory PowerShell module
- You have permitted your Admin UW NetID via the Provisioning Request Tool (PRT): this is required for an Admin UW NetID to actually get the licensing which comes from one of the service levels.
- Note: Today, PRT also results in UW Microsoft Transitional service level, so this step is sufficient to meet the next requirement.
- Your Admin UW NetID has either UW Microsoft Transitional service level or UW Microsoft Advanced service level. One of these service levels is required to be able to leverage the Azure AD Conditional Access feature.
- You have set up a Duo 2FA method for your personal UW NetID
Use the ActiveDirectory PowerShell module to add your account
- Get the ActiveDirectory module installed
- Start powershell.exe with your Admin UW NetID signed in
- e.g. runas.exe /user:netid\sadm_barkills powershell.exe
- At the PowerShell prompt: Import-Module ActiveDirectory
- Add-ADGroupMember -Identity ad_aad2FA_optin_AdminUWNetIDs -Members <netid>
- e.g. Add-ADGroupMember -Identity ad_aad2FA_optin_AdminUWNetIDs -Members sadm_barkills
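As an added example (not code from the original page), the following PowerShell wraps the add step above and the Remove-ADGroupMember step from the Important Details in one function that only acts on the Admin UW NetID you are signed in as, checks that the account is in u_uwnetid_admin, skips the change if the membership is already in the requested state, and re-reads the group afterwards to confirm the change. The function name, parameter names, and the assumption that u_uwnetid_admin appears as a CN in the user's MemberOf are mine.

```powershell
# Added example, not the page's own code. Run from a powershell.exe started with
# runas.exe as your Admin UW NetID. Function and parameter names are assumptions.
Import-Module ActiveDirectory

function Set-AdminNetIDDuoOptIn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AdminNetID,                 # e.g. sadm_barkills
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add',
        [string]$GroupName = 'ad_aad2FA_optin_AdminUWNetIDs'
    )

    # The group is self-service: the signed-in Admin UW NetID may only change its own
    # membership, so refuse any other account up front instead of failing on the write.
    if ($env:USERNAME -ne $AdminNetID) {
        throw "Signed in as '$env:USERNAME' but asked to change '$AdminNetID'; start powershell.exe with runas.exe as that Admin UW NetID."
    }

    # The solution is scoped to Admin UW NetIDs: confirm membership in u_uwnetid_admin
    # from the user's own MemberOf (assumed to hold the group DN starting with its CN).
    $user = Get-ADUser -Identity $AdminNetID -Properties MemberOf
    if (-not ($user.MemberOf -match '^CN=u_uwnetid_admin,')) {
        throw "$AdminNetID is not a member of u_uwnetid_admin; only Admin UW NetIDs can opt in."
    }

    $members  = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
    $isMember = $members -contains $AdminNetID

    if ($Action -eq 'Add' -and $isMember) {
        Write-Host "$AdminNetID is already in $GroupName; nothing to do."; return
    }
    if ($Action -eq 'Remove' -and -not $isMember) {
        Write-Host "$AdminNetID is not in $GroupName; nothing to do."; return
    }
    if (-not $PSCmdlet.ShouldProcess($GroupName, "$Action $AdminNetID")) { return }   # honours -WhatIf

    if ($Action -eq 'Add') { Add-ADGroupMember    -Identity $GroupName -Members $AdminNetID }
    else                   { Remove-ADGroupMember -Identity $GroupName -Members $AdminNetID -Confirm:$false }

    # Re-read the group so the result is confirmed from AD rather than assumed.
    $nowMember = (Get-ADGroupMember -Identity $GroupName |
                  Select-Object -ExpandProperty SamAccountName) -contains $AdminNetID
    if ($nowMember -ne ($Action -eq 'Add')) { throw "Membership change in $GroupName did not take effect." }
    Write-Host "Done. The change syncs to Azure AD within about 30 minutes; Duo 2FA is enforced only after that sync."
}

# Usage: Set-AdminNetIDDuoOptIn -AdminNetID sadm_barkills -Action Add
#        Set-AdminNetIDDuoOptIn -AdminNetID sadm_barkills -Action Remove -WhatIf
```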
Important Details
- This solution is scoped to Admin UW NetIDs only. No other users can add or remove themselves from ad_aad2FA_optin_AdminUWNetIDs
- To remove use: Remove-ADGroupMember -Identity ad_aad2FA_optin_AdminUWNetIDs -Members <netid>
- You will not be able to use Active Directory Users & Computers (ADUC) to add yourself to this group. ADUC has undocumented permission requirements for a given action that exceed the minimum permissions the action itself requires, and the self-service delegation on this group grants only that minimum. This is an unfortunate design flaw of ADUC.
- All of your Admin UW NetIDs are mapped to the Duo enrollment methods of your personal UW NetID. You do not need to re-enroll for Duo for your Admin UW NetIDs. “Admin UW NetIDs are eligible for 2FA based on employee affiliation (per above). Admin UW NetIDs are only available for use by employees (and authorized exceptions). They are linked to an employee’s Personal UW NetID, such that they can use the same 2FA devices for both accounts. Therefore, 2FA eligibility is linked to employee eligibility for 2FA.” per https://itconnect.uw.edu/tools-services-support/access-authentication/2fa/eligibility/.
- AD Groups are an emerging feature to complement, not replace, the UW Groups service. There are a variety of use cases for which UW Groups does not meet the business need. Some of those use cases are appropriate for AD groups. See https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/ous/ad-groups/ for more about this solution.