Enable multi-factor authentication for SMS Provider calls

Applies to: System Center Configuration Manager (current branch - version 1702)


Summary


Starting in Microsoft System Center Configuration Manager current branch version 1702, you can enable multi-factor authentication (MFA) for Systems Management Server (SMS) Provider calls to prevent unauthorized administrative access. When MFA is enabled, role-based administration still applies; the authentication level is an additional requirement on how the caller logged on, not a replacement for the caller's permissions.

How to enable MFA for SMS Provider calls


Note You must be a member of the Full Administrator role with access to the All scope to set or change the MFA setting for SMS Provider calls.

To enable MFA, follow these steps:

  1. Open WBEMTEST.
  2. Connect to the following Configuration Manager primary site namespace:
    root\sms\site_<site code>
    Then, click Execute Method.
  3. In the Object Path field, enter sms_site, and then click OK.
  4. In Method list, select SetAuthenticationLevel, and then click Edit In Parameters.

  5. Edit the AuthenticationLevel and ExceptionList properties, and then click Save Object.

    Note Both AuthenticationLevel and ExceptionList are global properties that are used on all primary sites.

    • Edit the AuthenticationLevel property.

      Refer to the following table to set the value of AuthenticationLevel.
      Value Description
      0 Default. No second layer of authentication is required. Anyone can make SMS Provider calls, subject to their role-based access.
      10 Users who are logged on by using a PIN or a smart card can make SMS Provider calls if they have the appropriate permissions for the respective provider.
      20 Users who are logged on by using a PIN can make SMS Provider calls if they have the appropriate permissions for the respective provider.
    • Edit the ExceptionList property.

      You can bypass MFA for users in the ExceptionList, such as service accounts. Add the UserSID or SecurityGroupSID of each account or group to the ExceptionList; names are not accepted. To determine the SIDs, see Well-Known SID Structures.

      Note Users in the ExceptionList can't call the SetAuthenticationLevel method. Don't add the administrative account or group that manages this setting to the ExceptionList, and confirm before you enable a level that this account can log on in the way the level requires; otherwise no one can change the setting back.
  6. Click Execute!, and then click Dismiss.
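The same change made from PowerShell instead of WBEMTEST, as an added example that is not part of the original article. It invokes the SetAuthenticationLevel method on the SMS_Site class in the root\sms\site_<site code> namespace with the two parameters the article names. The site server name, site code, account and group names, the parameter data types (AuthenticationLevel as an unsigned integer, ExceptionList as a string array) and the meaning of ReturnValue 0 as success are assumptions, not stated on the page.

```powershell
# Added example (not the article's own code): enable MFA for SMS Provider calls.
# Assumed: site server 'CM01', site code 'PS1', the principals below, the
# parameter types, and that ReturnValue 0 means success (the usual WMI convention).
param(
    [string]$SiteServer = 'CM01',
    [string]$SiteCode   = 'PS1',
    # 0 = no MFA (default), 10 = PIN or smart card, 20 = PIN
    [ValidateSet(0, 10, 20)]
    [uint32]$AuthenticationLevel = 10,
    # Service accounts or groups that should bypass MFA (assumed names)
    [string[]]$ExceptionPrincipals = @('CONTOSO\svc-cmtask', 'CONTOSO\CM Service Accounts')
)

# ExceptionList takes SIDs, not names, so resolve each principal first.
$exceptionSids = foreach ($principal in $ExceptionPrincipals) {
    ([System.Security.Principal.NTAccount]$principal).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Users in the ExceptionList cannot call SetAuthenticationLevel, so refuse to
# put the calling account, directly or through group membership, in the list.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myGroupSids = $me.Groups | ForEach-Object { $_.Value }
if ($exceptionSids -contains $me.User.Value -or
    ($myGroupSids | Where-Object { $exceptionSids -contains $_ })) {
    throw "$($me.Name) would be in the ExceptionList and could no longer change this setting."
}

# Both properties are global and apply to all primary sites, so one call is enough.
$namespace = "root\sms\site_$SiteCode"
$result = Invoke-CimMethod -ComputerName $SiteServer -Namespace $namespace `
    -ClassName 'SMS_Site' -MethodName 'SetAuthenticationLevel' `
    -Arguments @{
        AuthenticationLevel = $AuthenticationLevel
        ExceptionList       = [string[]]$exceptionSids
    }

if ($result.ReturnValue -ne 0) {
    throw "SetAuthenticationLevel failed with ReturnValue $($result.ReturnValue)"
}
"AuthenticationLevel set to $AuthenticationLevel; $($exceptionSids.Count) SID(s) exempted."
```

Run it from an account that already satisfies the level you are about to require, since that same account is the one you will use to lower the level again.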