Sophos Central

Suggest, discuss, and vote on new ideas for Sophos Central. The unified console for managing your Sophos products.
Please raise all product-related feature requests in the respective product forum.

Suggest an Idea for Sophos Central...

MFA - Create Non Admin role for AD Synch so that all admins can be marked as needing MFA

MFA - It should be that you can specify that all admins need MFA; however, when using AD synch this does not support MFA, meaning you have to switch to select admins need MFA. This is a security risk as you then have a user with full admin and no MFA. The simple fix would be to create a role which has the rights to synch AD only, no other rights. Then it can be switched to all admins need MFA to avoid the chances of new admins using MFA and an admin account used for AD synch not using MFA.

2 votes

    James Tewes shared this idea

    1 comment

      • Shane Burke commented

        Another issue with this is that you cannot set MFA for all admin accounts. Instead you need to set to "Select admins who will need MFA. (All others sign in with password only.)" and add an extra step to the process of creating any admin accounts to add to this list, or MFA is not enabled. This is another security risk as you are trusting admins to follow this step on every account creation where creating either this type of account or giving an option to provide MFA to all users but a list of users. I don't believe having this role for AD Sync an admin account is as big a risk as this. If you set the password to a secure, randomly generated, long alphanumeric password and never use the account, the risk is very low.
