How to enforce MFA on CoreView service accounts

Modified on Tue, 06 Dec 2022 at 10:49 AM

This article will cover the steps required to enforce multi-factor authentication (MFA) on CoreView service accounts. 

 

Overview 

To ensure maximum security for your tenant and CoreView, you must enforce MFA on our service accounts. This document will guide you through the steps required to ensure that CoreView services will still be able to run properly from the data center you are hosted in, while maintaining high levels of security. 

 

If you have Azure Active Directory Premium (part of EMS or Microsoft 365 licensing), please follow this guide to configure Conditional Access in your Azure AD environment and allow specific IP addresses for CoreView service users.

 

Note: Please choose only one of the two methods to secure CoreView service users based on the requirements applicable to your tenant’s specific case. 

 

If you use Azure AD Conditional Access, you can block legacy authentication for these accounts.

 
There are two methods to secure CoreView service users. Please click the links below and follow the directions for the method that applies to your tenant.  


  • Method 1: With Azure Active Directory P1 - CoreView Data Center IP Address Ranges 
  • Method 2: Without Azure Active Directory P1  

  

Method 1: With Azure Active Directory P1 - CoreView Data Center IP Address Ranges 


Requirement: This process requires an Azure Active Directory Premium P1 or P2 subscription.   

 

Step 1

Exclude CoreView service accounts from existing policies 

  

Step 2

Log in to the Azure portal (portal.azure.com) as an Administrator.

 

Step 3

Open the Azure Active Directory blade.  


Note: If the Azure Active Directory is not present among the recently used Azure services or in the dashboard, search for it in the search bar at the top of the Azure Web Portal or click on more services.


 

 

Step 4

Click on the Security menu and then on “Conditional Access”:  

 

 

The “Conditional Access – Policies” menu will be opened:  



 
If you have a policy that enforces MFA on the admin accounts, you must exclude CoreView service user accounts from it.  

 

If you do not have a conditional access policy that enforces MFA on the admin accounts, please go to Step 3 below.

 
 

Step 5

Click on the policy name to open its details. Click on Users and Groups under Assignment, then the Exclude tab on the right side.


 
 

Step 6

Check the box for "Users and Groups." Then in the ‘Select excluded users’ pane, search for the CoreView service user(s).   

Note: The number of service users depends on the size of your tenant. The rules for the names are: 

  • cvroa<randomnumber>@<onmicrosoft domain> 

  • coreview.reports<randomnumber>@<onmicrosoft domain>  

  • 4ward365.admin@<onmicrosoft domain> 

 
 

Step 7

Click on a user account to select it, and it will appear in the Selected items area below the search. Perform this action for all the CoreView service users and press the Select button. The Select excluded users menu will close. 

Step 8

Click the Save button on the left side of the window to save your policy changes.   

Now we can proceed and set up the allowed IP addresses for those users.

 


 
 
 

Step 9 

Create named location and add IP addresses

A new Named Location must be created. Select Named locations under the Manage section and click on + IP ranges location.

 


 

 
 

               

Step 10

Insert the name for the location (Recommended: CoreView <region form> Platform IPs) and all IP addresses with the subnets in the table below. Once the list is complete, click "Create."

 
 


 

Note: We have used the European data center's IP addresses for this example.

Please refer to the table below for the current list of trusted CoreView Data Center IP addresses.

Note: You can check “Mark as trusted location” for a lower user sign-in risk.

 
 

Azure CCC (EU)

  • 52.178.220.169/32
  • 13.79.166.132/32
  • 52.164.205.60/32
  • 40.69.61.123/32
  • 191.239.215.199/32
  • 20.191.46.79/32

Azure CCC (US East)

  • 52.225.217.154/32
  • 104.209.147.75/32
  • 40.70.44.94/32
  • 137.116.90.35/32
  • 52.225.222.18/32
  • 40.65.233.115/32

Azure CCC (Canada East)

  • 52.229.116.78/32
  • 40.69.100.107/32
  • 52.242.35.38/32
  • 52.242.126.90/32
  • 52.235.47.42/32
  • 52.155.24.77/32

Azure GCC (US East)

  • 13.72.21.184/32
  • 52.247.175.28/32
  • 13.72.21.53/32
  • 52.247.150.99/32
  • 52.227.178.31/32
  • 52.227.179.120/32
  • 52.227.221.240/32

 
  

 

Step 11

Create a new policy for CoreView service accounts

A new policy must be created. Select Policy and click on New Policy.

 
 


 
 

          

Step 12

Insert the new Policy

Insert the name of the policy (Example: Safelist CoreView endpoints) and add all CoreView service users and cloud applications. To do that, make edits to the areas under Assignments.

 

First click on Users and groups.

 
 


 
In the “Include” tab select “Users and groups” and press “Select.” From the select bar, search for all CoreView service users and add them as the policy members.

Note: The number of service users depends on the size of your tenant. The rules for the names are:

  • cvroa<randomnumber>@<onmicrosoft domain>
  • coreview.reports<randomnumber>@<onmicrosoft domain>
  • 4ward365.admin@<onmicrosoft domain>

 

 

Press the “Select” button to select the users for the policy.    

 

In the "Cloud apps or actions" section, click on “No cloud apps or actions selected.” Choose “All cloud apps” in the “Include” tab as shown in the screenshot. "No cloud apps or actions selected" will change to say "All cloud apps."

 
 


 
 

          

In the Conditions section, you must include all locations and exclude the location created previously, so click on 0 conditions selected and then Locations. Set the Configure toggle to Yes.

 


 

 

In the Include tab of the Locations section, set Any location as shown in the screenshot above.  

 

In the Exclude tab of the Locations section, ensure that Selected locations is selected, then click on None. Search for the location created previously to set it to be excluded. 

 
 


 

Check the location and press Select.  

 
 


 
 

Under the Access Controls section, click 0 controls selected under Grant.  


 
            

In this step, we recommend blocking access. Select Block access and press Select.


 

              

Alternatively, you can require multi-factor authentication for CoreView service users signing in from non-excluded IP addresses. To do that, choose Grant access in the Grant section and check Require multi-factor authentication:

 
 


 
  

As the last step, enable this policy and click Create.


         

 
 Now the policy is listed in Conditional Access – Policies  
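
To check the result of Method 1, the following added example (not CoreView or Microsoft code) models the policy built above and audits sign-in records for CoreView service users that come from outside the named location. The regular expression assumes <randomnumber> is a run of digits and <onmicrosoft domain> has the form <tenant>.onmicrosoft.com; the tenant name, sample records and non-CoreView IP addresses are constructed.

```python
import ipaddress
import re

# EU data center ranges, copied from the table on this page.
COREVIEW_EU = ["52.178.220.169/32", "13.79.166.132/32", "52.164.205.60/32",
               "40.69.61.123/32", "191.239.215.199/32", "20.191.46.79/32"]

# Naming rules for CoreView service users as listed in the article.
# Assumption: <randomnumber> is digits, the domain is <tenant>.onmicrosoft.com.
SERVICE_USER = re.compile(
    r"^(cvroa\d+|coreview\.reports\d+|4ward365\.admin)@[a-z0-9-]+\.onmicrosoft\.com$",
    re.IGNORECASE)

def is_service_user(upn):
    return bool(SERVICE_USER.match(upn))

def in_named_location(ip, cidrs):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address is never treated as trusted
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def policy_outcome(upn, ip, cidrs=COREVIEW_EU, grant="block"):
    """Users: service accounts. Locations: any, minus the named location."""
    if not is_service_user(upn):
        return "out of scope"        # policy is assigned to service users only
    if in_named_location(ip, cidrs):
        return "excluded location"   # policy does not apply to this sign-in
    return "block" if grant == "block" else "require MFA"

def audit(signins, cidrs=COREVIEW_EU):
    """Service-user sign-ins that originate outside the named location."""
    return [s for s in signins
            if is_service_user(s["upn"]) and not in_named_location(s["ip"], cidrs)]

# Constructed sample sign-in records.
SAMPLE = [
    {"upn": "cvroa12345@contoso.onmicrosoft.com", "ip": "52.178.220.169"},
    {"upn": "coreview.reports7@contoso.onmicrosoft.com", "ip": "203.0.113.10"},
    {"upn": "4ward365.admin@contoso.onmicrosoft.com", "ip": "13.79.166.132"},
    {"upn": "alice@contoso.com", "ip": "203.0.113.10"},
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s["upn"], s["ip"], policy_outcome(s["upn"], s["ip"]))
    print("outside named location:", audit(SAMPLE))
```

Any record returned by audit() is a sign-in the policy should have blocked or challenged, so a non-empty result in real sign-in data is worth investigating.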

 
 



 Method 2: Without Azure Active Directory P1 


If you have only Office365 E1 licenses (or above) and do not have Azure AD Premium P1 (or above), this guide will show you how to disable Multifactor Authentication for CoreView service users. 


Disabling MFA for CoreView Service Accounts  

Step 1

Log in to the Office 365 Admin portal (https://admin.microsoft.com).

 
 

Step 2

In the navigation menu, go to Users > Active Users.

 
 


 
 

Step 3

Click on any active user. The user properties tab will appear on the right of your screen. Scroll down and click on Manage multifactor authentication.

 


 
 

Step 4

Disable MFA for the CoreView service accounts. To do that, click on the magnifying glass to open the search field.

 
 


          

 
 

Search for and select all service users and click on “Enable” in the property menu.  

Note: The number of service users depends on the size of your tenant. The rules for the names are: 


  • cvroa<randomnumber>@<onmicrosoft domain>
  • coreview.reports<randomnumber>@<onmicrosoft domain>
  • 4ward365.admin@<onmicrosoft domain>  

 
 

If they already have the “Disabled” status, then you do not need to make any changes. 

 
 


 
 

            

If the status is set to "Enabled", then select the users that need to be disabled and click the "Disable" option on the right side of the screen. 

 
 


          

          

Another window will open, confirming your choice. Click "yes" to disable multi-factor authentication. 


         

          

Close the confirmation window. 


 
 

 You have now completed the process.  

 

