Enable multi-factor authentication for SMS Provider calls
Starting in Configuration Manager current branch version 1702, you can enable multi-factor authentication (MFA) for Systems Management Server (SMS) Provider calls to prevent unauthorized administrative access.
Original product version: Configuration Manager (current branch)
Original KB number: 4042963
How to enable MFA for SMS Provider calls
You must be a member of the Full Administrator role that has access to the All scope to set and change the MFA setting for SMS Provider calls.
To enable MFA, follow these steps:
Connect to the Configuration Manager primary site namespace root\sms\site_<site code>. Then, select Execute Method.
In the Object Path field, enter sms_site, and then select OK.
In the Method list, select SetAuthenticationLevel, and then select Edit In Parameters.
ExceptionList properties, and then select Save Object.
ExceptionList are global properties that are used on all primary sites.
Refer to the following table to set the value of
| Value | Description |
|-------|-------------|
| 0 | This is the default value. For this value, a second layer of authentication isn't required. Everyone can make SMS Provider calls based on their role-based access. |
| 10 | For this level, users who are logged on by using a PIN or smart card can make SMS Provider calls if they have the appropriate permissions to access the respective provider. |
| 20 | For this level, users who are logged on by using a PIN can make provider calls if they have the appropriate permissions to access the respective provider. |
You can bypass MFA for users in the ExceptionList, such as service accounts. Add the ExceptionList. To determine the SIDs, see Well-Known SID Structures.
Users in the ExceptionList can't call the
select Execute!, and then select Dismiss.
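The same change can be scripted instead of being made through Execute Method. The following PowerShell function is an added example, not Microsoft's code: it validates the level against the table above, resolves the exception accounts to SIDs, and calls SetAuthenticationLevel on sms_site. The in-parameter names and types (AuthenticationLevel as an integer, ExceptionList as an array of SID strings), the function name, the site code XYZ, and the account CONTOSO\svc-cm are assumptions.

```powershell
# Added example. Run on the SMS Provider server as a Full Administrator
# with access to the All scope.
function Set-SmsProviderAuthLevel {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # Three-character site code; validated so it cannot alter the namespace path.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9]{3}$')] [string] $SiteCode,
        # Only the values listed in the table above are accepted.
        [Parameter(Mandatory)] [ValidateSet(0, 10, 20)] [int] $Level,
        # Accounts that bypass MFA, such as service accounts.
        [string[]] $ExceptionAccount = @()
    )

    # Make .NET exceptions abort the function before the site is changed.
    $ErrorActionPreference = 'Stop'

    # Resolve every account name to its SID; an unresolvable name throws here.
    $sids = @(foreach ($name in $ExceptionAccount) {
        $account = [System.Security.Principal.NTAccount]::new($name)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    })

    $namespace = "root\sms\site_$SiteCode"
    $arguments = @{
        AuthenticationLevel = [uint32]$Level   # assumed parameter name and type
        ExceptionList       = [string[]]$sids  # assumed: array of SID strings
    }

    $action = "SetAuthenticationLevel = $Level; exceptions: $($sids -join ', ')"
    if ($PSCmdlet.ShouldProcess($namespace, $action)) {
        # sms_site is addressed as a class, matching the Object Path step above.
        Invoke-CimMethod -Namespace $namespace -ClassName SMS_Site `
            -MethodName SetAuthenticationLevel -Arguments $arguments
    }
}

# Constructed values; -WhatIf prints the planned call without changing the site.
# Set-SmsProviderAuthLevel -SiteCode XYZ -Level 10 -ExceptionAccount 'CONTOSO\svc-cm' -WhatIf
```

Because the setting is global to all primary sites, review the `-WhatIf` output and confirm that at least one Full Administrator can sign in with the required credential type before running the call for real.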