We have had some recent requests regarding Multi Factor Authentication (MFA) and the CiraSync service account. You can’t use MFA for CiraSync, but you can mitigate your risk using the steps shown below. Requiring MFA for all Global Administrators is good idea. Although weak admin passwords are not that common, it is possible for an admin to reuse a password across several different accounts. For example, if a hacker knows someone’s Yahoo password, there is the chance that they can guess a related username for Office 365. It happens all the time and it can be devastating to you and your company.
Steps to Secure the Service Account
CiraSync Enterprise Edition is an Azure application. It does not need or use passwords to operate. Instead, a Global Administrator grants consent and CiraSync receives an access token. The access token is used in a Daemon service. It is not possible to communicate directly with this type of service and therefore MFA cannot be used. To mitigate the lack of MFA, I recommend these simple steps:
- Use a dedicated account for CiraSync. To set this up, click here.
- When you create this account, use a very strong 16 character password. For example: @bE6CwqCW!1l0nw6.
- Consider using an account login name that would be hard to guess. For example, instead of CiraSync, use Secure-A-Sink.
- Do not reuse this account anywhere else.
- Do not logon to this account to manage the CiraSync Dashboard. Instead, setup Roles Based Administration and use your default Office 365 account to launch the CiraSync Dashboard. Launch this roles configuration in the top right corner of the dashboard.
- Grant consent and force the new service account to be the exclusive identity used by the the CiraSync Daemon service.
- Remove the Global Admin role from the CiraSync Service account. Once it has granted consent, the Global Admin role is no longer required.
We recommend that a Service Administrator has minimal permissions. Go back into the user, click “Customized Administrator” and choose “Service Administrator” In the event that you need to reset the service account password, you will need to temporarily add back the Global Admin role and login one time to the dashsboard.