The issue is related to enforced MFA rules by default and ephemeral accounts. An Entra ID account is created on the fly and configured with administrative privileges, but when the session is initiated and the account tries to authenticate for the first time, Microsoft triggers an MFA setup request.
As I understand it, the user would need to be dynamically added to an MFA exclusion list to allow seamless access. Is that correct, or is there another recommended approach to handle MFA in such ephemeral scenarios?
Welcome to the Netwrix Community and thanks for your question! I’ve been actively discussing this issue with the Privilege Secure team. Microsoft’s plan makes the MFA requirement mandatory, meaning it will not be possible to exempt specific users. You can read more about the full plan here:
The current work-around is to have the user complete the MFA enrollment with their device. We recognize that this is not a desirable solution long-term and are researching options for Privilege Secure to manage the MFA factors for ephemeral accounts. @martin.cannard or I will be able to share more about our approach and timelines once this research is complete.
With this new requirement, as a temporary workaround, you can provision a managed account rather than an ephemeral one in Azure/Entra. The users will need to set up MFA for the persistent managed accounts once, but can then use that with the account going forward. Once our fix is released, you can change the activity back to provision ephemeral Activity Token accounts again.