All, did anyone implement multi-factor authentication for the SCCM console or SMS Provider calls? I need info about it.
Question
I am looking for multi-factor authentication or 2 factor authentication for sccm console access
Answers (5)
Thanks Anoop for the answer. We can use jump boxes, but they are all virtual, so is it possible to achieve the 2FA on them?
And we are still not using CMG or any cloud management for SCCM.
Here is the gist of what I answered to my security team.
SCCM does not have the option at console level, as it is closely bound to a Windows server or a Windows machine which has the console installed, and authentication is via Active Directory. And it has well-defined role-based access restrictions.
If the Windows login has 2FA, it will suffice for the SCCM console as well.
The only feasible option may be the above one; however, it would require a smart card or a fingerprint scanner (not tested and not used in an SCCM context in the industry, even in large banks, as far as I am aware). Since we only use Remote Desktop for connection, that may not be feasible either in this case.
I think this is a very complex scenario. I don't think we are going to get much help from this thread.
My recommendation is to raise a support case with Microsoft and take it away from there.
Did you check "Enable multi-factor authentication for SMS Provider calls"?
+ https://support.microsoft.com/en-in/help/4042963/multi-factor-authentication-for-sms-provider-calls-configuration-manag
I am aware of this. But this does not tell how you implement it when the servers are virtual and how you make use of a fingerprint scanner or PIN when you use RDP to the server and open the console.
In a scenario like today, when most people are working remotely and from home, how do you achieve it?
I have heard about an organisation using a stepping stone (jump box) server with MFA and then connecting to the console…
So the basic question is:
Are you planning for WHfB MFA for the SCCM console or some other methods?
Windows Hello for Business makes the setup very complex in the hybrid Azure AD join scenario. It might take months to implement if you have complex/legacy infra: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/plan-for-the-sms-provider#authentication-levels