Opt-in to 2FA for UW Entra ID for Admin UW NetIDs

Last updated: April 10, 2024
Audience: IT Staff / Technical

Admin UW NetIDs are not eligible to opt in to "UW Duo 2FA for the Web", because they are not allowed to sign in to https://identity.uw.edu. UW Entra ID customers would like to add this broad protection to their Admin UW NetIDs. Previously, to get that protection, each customer had to ask for a custom conditional access policy, which obviously does not scale.

We've created a self-service opt-in solution which meets this broad need outside of https://identity.uw.edu, using an Active Directory based group. We were unable to use the UW Groups membership opt-in feature because Admin UW NetIDs are also not allowed to sign in to https://groups.uw.edu, so an AD group based membership opt-in is used instead.

Members of u_uwnetid_admin (all Admin UW NetIDs) can add themselves to ad_aad2FA_optin_AdminUWNetIDs to require Duo 2FA for sign-in to all UW Entra ID based applications. After you add your Admin UW NetID, the membership syncs to Entra ID within 30 minutes, and from then on your Admin UW NetID is subject to a conditional access policy which requires Duo 2FA for all Entra ID applications. If you encounter issues, you can remove your Admin UW NetID from the group until you've resolved them.

To add or remove your Admin UW NetID to or from ad_aad2FA_optin_AdminUWNetIDs you have one primary option. There are other ways to make AD group membership changes, but the ActiveDirectory PowerShell module is the easiest method usable by the broadest set of people.

Prerequisites

Use the ActiveDirectory PowerShell module to add your account

  1. Get the ActiveDirectory module installed
  2. Get Powershell.exe started with your Admin UW NetID signed in
    1. e.g. runas.exe /user:netid\sadm_barkills powershell.exe
  3. PS: Import-Module ActiveDirectory
  4. Add-ADGroupMember -Identity ad_aad2FA_optin_AdminUWNetIDs -Members <netid>
    1. e.g. Add-ADGroupMember -Identity ad_aad2FA_optin_AdminUWNetIDs -Members sadm_barkills
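The steps above, carried through as one script with the checks a practitioner would want before and after the change. This is an added example, not a script from the IT Connect page or from UW-IT: the group names are the ones the page gives; the assumption that the session already runs as the Admin UW NetID (so $env:USERNAME is the account to opt in), the -Remove switch, and the Test-Membership helper are additions for illustration. It reads membership from the user object's memberOf attribute rather than enumerating the groups, so it still works if u_uwnetid_admin is larger than the default ADWS enumeration limit.

```powershell
# Added example (not from the IT Connect page): opt an Admin UW NetID in to, or out of,
# Duo 2FA for UW Entra ID by editing AD group membership, then confirm the result.
# Run from a PowerShell session started as the Admin UW NetID, for example:
#   runas.exe /user:netid\sadm_barkills powershell.exe
# Usage:  .\Set-AdminNetID2FA.ps1                 # opt in the current account
#         .\Set-AdminNetID2FA.ps1 -Remove         # opt the current account out
#         .\Set-AdminNetID2FA.ps1 -NetID sadm_x   # act on a named Admin UW NetID

param(
    [string]$NetID = $env:USERNAME,   # assumption: the session runs as the Admin UW NetID
    [switch]$Remove                   # opt out instead of in
)

Import-Module ActiveDirectory -ErrorAction Stop

$OptInGroup = 'ad_aad2FA_optin_AdminUWNetIDs'   # group name from the page
$AdminGroup = 'u_uwnetid_admin'                 # group name from the page

# Resolve the group DNs once. The user's memberOf attribute holds DNs, so we can test
# membership without enumerating either group (Get-ADGroupMember is subject to the
# ADWS MaxGroupOrMemberEntries limit, 5000 by default, and fails on larger groups).
$optInDN = (Get-ADGroup -Identity $OptInGroup).DistinguishedName
$adminDN = (Get-ADGroup -Identity $AdminGroup).DistinguishedName

function Test-Membership {
    param([string]$Sam, [string]$GroupDN)
    $u = Get-ADUser -Identity $Sam -Properties memberOf
    return [bool]($u.memberOf -contains $GroupDN)
}

# Only Admin UW NetIDs are in scope; fail early with a clear message for anything else.
if (-not (Test-Membership -Sam $NetID -GroupDN $adminDN)) {
    throw "$NetID is not a member of $AdminGroup; only Admin UW NetIDs can opt in."
}

$already = Test-Membership -Sam $NetID -GroupDN $optInDN

if ($Remove) {
    if ($already) {
        Remove-ADGroupMember -Identity $OptInGroup -Members $NetID -Confirm:$false
        Write-Host "$NetID removed from $OptInGroup. Duo 2FA stops being required once the change syncs to Entra ID (up to 30 minutes)."
    } else {
        Write-Host "$NetID is not in $OptInGroup; nothing to remove."
    }
} else {
    if ($already) {
        Write-Host "$NetID is already in $OptInGroup."
    } else {
        Add-ADGroupMember -Identity $OptInGroup -Members $NetID
        Write-Host "$NetID added to $OptInGroup. Duo 2FA applies to Entra ID apps once the change syncs (up to 30 minutes)."
    }
}

# Re-read from AD so the reported state is what the domain holds, not what we intended.
# Entra ID sync runs on its own schedule; the conditional access policy is not immediate.
$final = Test-Membership -Sam $NetID -GroupDN $optInDN
"Current AD membership of {0} in {1}: {2}" -f $NetID, $OptInGroup, $final
```

If the Add-ADGroupMember call fails with an access-denied error while the account is in u_uwnetid_admin, the cause is usually that the session is not actually running as the Admin UW NetID (check with whoami); the page notes that ADUC cannot be used for this step regardless.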

Important Details

  • This solution is scoped to Admin UW NetIDs only. No other users can add or remove themselves from ad_aad2FA_optin_AdminUWNetIDs
  • To remove use: Remove-ADGroupMember -Identity ad_aad2FA_optin_AdminUWNetIDs -Members <netid>
  • You will not be able to use Active Directory Users & Computers (ADUC) to add yourself to this group. That is because ADUC has undocumented requirements on the permissions required for a given action which are not the same as the minimum permissions required. This is an unfortunate design flaw of ADUC.
  • All of your Admin UW NetIDs are mapped to the Duo enrollment methods of your personal UW NetID. You do not need to re-enroll for Duo for your Admin UW NetIDs. “Admin UW NetIDs are eligible for 2FA based on employee affiliation (per above). Admin UW NetIDs are only available for use by employees (and authorized exceptions). They are linked to an employee’s Personal UW NetID, such that they can use the same 2FA devices for both accounts. Therefore, 2FA eligibility is linked to employee eligibility for 2FA.” per https://itconnect.uw.edu/tools-services-support/access-authentication/2fa/eligibility/.
  • AD Groups are an emerging feature that complements, rather than replaces, the UW Groups service. There are a variety of use cases for which UW Groups does not meet the business need, and some of those use cases are appropriate for AD groups. See https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/ous/ad-groups/ for more about this solution.