Enable multi-factor authentication for SMS Provider calls

Starting in Configuration Manager current branch version 1702, you can enable multi-factor authentication (MFA) for Systems Management Server (SMS) Provider calls to prevent unauthorized administrative access to the site.

Original product version:   Configuration Manager (current branch)
Original KB number:   4042963

How to enable MFA for SMS Provider calls

Important

You must be a member of the Full Administrator role with access to the All scope to set or change the MFA setting for SMS Provider calls.

To enable MFA, follow these steps:

  1. Open WBEMTEST.

  2. Connect to the Configuration Manager primary site namespace root\sms\site_<site code>. Then, select Execute Method.

    Screenshot of the Execute Method option in Windows Management Instrumentation Tester window.

  3. In the Object Path field, enter sms_site, and then select OK.

  4. In Method list, select SetAuthenticationLevel, and then select Edit In Parameters.

    Screenshot of the Execute Method dialog box where you can see the method list and Edit in parameters button.

  5. Edit the AuthenticationLevel and ExceptionList properties, and then select Save Object.

    Note

    Both AuthenticationLevel and ExceptionList are global properties that are used on all primary sites.

    Screenshot of the AuthenticationLevel and ExceptionList properties.

    • Edit the AuthenticationLevel property.

      Refer to the following table to set the value of AuthenticationLevel.

      Value  Description
      0      Default. No second authentication factor is required; any user can make SMS Provider calls, subject to their role-based access.
      10     Only users who logged on with a smart card or a PIN can make SMS Provider calls, and only if they also have permission to the provider object in question.
      20     Only users who logged on with a PIN can make SMS Provider calls, and only if they also have permission to the provider object in question.
    • Edit the ExceptionList property.

      Users and security groups in the ExceptionList bypass MFA; use it for accounts that can't log on interactively with a smart card or PIN, such as service accounts. Add the user SID or security group SID (not the account name) to the ExceptionList. To determine the SIDs, see Well-Known SID Structures.

      Note

      Users in the ExceptionList can't call the SetAuthenticationLevel method.

  6. Select Execute!, and then select Dismiss.
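The same change scripted with PowerShell instead of WBEMTEST, as an added example that is not part of the original KB article. It assumes what the WBEMTEST steps above show: that SMS_Site exposes a static SetAuthenticationLevel method whose in-parameters are AuthenticationLevel (an integer, 0/10/20) and ExceptionList (an array of SID strings), and that the method reports a ReturnValue. The site server name, site code and account names are placeholders. Because exception-list members can't call SetAuthenticationLevel, and because the account doing the change must itself be able to log on at the new level to change it back, the script refuses to run when the current account is covered by the exception list it is about to set.

```powershell
# Added example (not the KB's own code): set the SMS Provider MFA level and exception list.
# Assumption: SMS_Site.SetAuthenticationLevel is a static method taking
#   AuthenticationLevel (uint32: 0, 10 or 20) and ExceptionList (string[] of SIDs),
# as the WBEMTEST walk-through shows. Server, site code and accounts below are placeholders.
param(
    [Parameter(Mandatory)] [string] $SiteServer,                 # host running the SMS Provider, e.g. cm01.contoso.com
    [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9]{3}$')] [string] $SiteCode,
    [ValidateSet(0, 10, 20)] [uint32] $AuthenticationLevel = 10,
    [string[]] $ExceptionAccounts = @()                           # e.g. 'CONTOSO\svc-cm-automation', 'CONTOSO\CM Service Accounts'
)

$ErrorActionPreference = 'Stop'

# ExceptionList takes SIDs, not names. Accept either a SID string or DOMAIN\name and resolve the latter.
function ConvertTo-Sid {
    param([Parameter(Mandatory)] [string] $Account)
    if ($Account -match '^S-1-\d') { return $Account }
    $nt = [System.Security.Principal.NTAccount] $Account
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$exceptionSids = @($ExceptionAccounts | ForEach-Object { ConvertTo-Sid $_ })

# Guard: members of the ExceptionList cannot call SetAuthenticationLevel (see the Note above),
# so the account running this script must not be in the list it is about to set.
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids   = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
$overlap  = @($exceptionSids | Where-Object { $mySids -contains $_ })
if ($overlap.Count -gt 0) {
    throw "Refusing to continue: current account is covered by ExceptionList ($($overlap -join ', ')) and could not change the level afterwards."
}

# Static WMI method call against the class (Object Path 'sms_site' in WBEMTEST), in the primary site namespace.
$namespace = "root\sms\site_$SiteCode"
$session   = New-CimSession -ComputerName $SiteServer     # add -SessionOption (New-CimSessionOption -Protocol Dcom) if WinRM is unavailable
try {
    $result = Invoke-CimMethod -CimSession $session -Namespace $namespace -ClassName 'SMS_Site' `
        -MethodName 'SetAuthenticationLevel' `
        -Arguments @{
            AuthenticationLevel = [uint32] $AuthenticationLevel
            ExceptionList       = [string[]] $exceptionSids
        }

    # Assumption: a non-zero ReturnValue signals failure, as with most WMI methods.
    if ($null -ne $result.ReturnValue -and $result.ReturnValue -ne 0) {
        throw "SetAuthenticationLevel failed with ReturnValue $($result.ReturnValue)"
    }
    Write-Host "AuthenticationLevel=$AuthenticationLevel applied (global setting, all primary sites). ExceptionList: $($exceptionSids -join ', ')"
}
finally {
    Remove-CimSession -CimSession $session
}
```

Run it as a Full Administrator with access to the All scope, for example `.\Set-SmsProviderMfa.ps1 -SiteServer cm01.contoso.com -SiteCode PS1 -AuthenticationLevel 10 -ExceptionAccounts 'CONTOSO\svc-cm-automation'`. Test the change from a second console session logged on with a smart card or PIN before closing the session you ran it from: at level 10 or 20 a password-only logon can no longer make SMS Provider calls, including the one needed to set the level back to 0.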