Accounts with Multi-factor Authentication (MFA) are not supported for UI login or browser-based sensors, and they can’t be: MFA, by its very design, prevents automated logins.
When automating browser-based logins to test the performance and availability of a cloud or web application, the CloudReady sensors fully support Single Sign-on, Active Directory Federation Services, Azure AD and more. Testing from a corporate LAN with conditional access will usually work. MFA accounts can’t be supported because:
- An automated login supplies just a single factor, the password for the user account. There aren’t multiple factors involved.
- UI-oriented logins do not accept an application-specific password. This would defeat the purpose of MFA.
What Is Supported
There are a few things that can be done to help when a tenant requires MFA accounts and non-MFA accounts can’t be allocated.
Use Service Watch
Exoprise Service Watch is for real-user monitoring of specific domains and URLs like Microsoft 365, SharePoint Online, OneDrive, Outlook Web Access and more.
Service Watch Desktop is for real-time monitoring of the performance of thick-client applications like OneDrive, Outlook and Microsoft Teams.
Use OAuth Based Sensors
In many cases we have OAuth-based API sensors, such as the SharePoint API and OneDrive API sensors. Use these sensors when all you have are MFA-based accounts, and read up on how they work: https://www.exoprise.com/2019/11/19/onedrive-sharepoint-monitoring-oauth-api/
Application Specific Passwords and API Tests
Accounts with MFA configured usually support Application Passwords, which are intended for API tests. Once an Application Password is configured for the account, it can be used with CloudReady API sensors such as Exchange Online, Azure Blob and more. Read this article for more information about Office 365 Application Passwords and how to create them:
Use Conditional Access for MFA Accounts
You can configure and enable MFA conditional access so that the accounts are not prompted for MFA when the sensors run from inside the corporate network. This is a common configuration.
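An added example, not from the original article or from Exoprise: a Conditional Access policy in the JSON form accepted by the Microsoft Graph `identity/conditionalAccess/policies` endpoint, requiring MFA everywhere except trusted named locations. The display name and user object ID are placeholders, and scoping the policy to one dedicated monitoring account and starting it in report-only state are assumptions.

```json
{
  "displayName": "EXAMPLE - Require MFA outside trusted locations (monitoring account)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["<PLACEHOLDER-monitoring-account-object-id>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"],
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```

`AllTrusted` only matches named locations marked as trusted, so the corporate egress IP ranges must be defined as a trusted named location for the exclusion to apply. Report-only state lets you confirm in the sign-in logs that the sensor's logins fall under the exclusion before switching `state` to `enabled`.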
Use Single Sign-On
CloudReady Monitoring fully supports accounts with Single Sign-on and all Single Sign-on solutions. When monitoring SaaS services from inside the firewall with federated accounts, MFA is usually not required or enabled.
Test Web Application Uptime With Web Monitor Sensors
The CloudReady Web Monitor (WMON) sensor can access any web application and test for uptime and availability. You won’t be able to sign into the application with a WMON sensor but you can still test the application and overall network health to the application from any site or location.