2025: Security Advisory, Enforcement of Per User MFA
Summary | Behaviour changes to user login experience moving from Security Defaults to Per User MFA |
Advisory release date | Aug 1, 2025 |
Product | uniFLOW Online |
CVE | N/A |
Summary
Please Note: The information below applies ONLY to customers that are NOT using their own IdP (Identity Provider), and to tenant admin accounts.
NT-ware takes product and customer security very seriously. Over the last 6 months we have made changes and improvements to the way MFA has been applied to uniFLOW Online tenant users. This is to maintain or improve the security at or above industry best practice.
uniFLOW Online has long enforced MFA per user for all tenant admin and privileged user accounts. This used Azure 'Per user MFA', enabled for any account promoted to a privileged account or tenant admin.
NT-ware was informed that the mechanism we used to implement Per User MFA was to be deprecated. The recommendation was to move to Azure 'Security Defaults', but this would immediately enforce MFA for all users, not just admins. Moving all users to MFA was already a planned action, but it needed to be communicated first. NT-ware therefore temporarily implemented Conditional Access Policies to provide MFA for new tenants until we were ready to move fully to Security Defaults.
At the beginning of 2025 we communicated through our sales and marketing channels that we would enable Security Defaults, enabling MFA on all user accounts, not just the privileged ones. In March, with the release of 2025.1, we enabled Security Defaults and reverted the temporary Conditional Access Policies, as the business model does not allow for the Microsoft license coverage that Conditional Access requires once all user accounts are included.
Security Defaults was expected to provide criteria- and behaviour-based MFA: risk and behaviour analytics produce a metric which Microsoft uses to decide how often the MFA prompt is applied. It was then reported from the field that MFA prompts were being shown rarely or not at all. Reacting to these queries, NT-ware began an investigation together with Microsoft and concluded that Security Defaults has a very high threshold and would not provide a consistent MFA prompt to users.
It was decided to revert to the original 'Per User' model as a supplement to Security Defaults. Microsoft has also recently released an updated programmatic method for enabling Per User MFA, replacing the version deprecated in 2024; it can be found here: Enable per-user multifactor authentication - Microsoft Entra ID | Microsoft Learn.
As this needs to be built into the product, we have scheduled it for 2025.3. This ensures we complete all required evaluation and testing. In the interim, Security Defaults will enable MFA for all new accounts, and a scheduled nightly task will enforce Per User MFA.
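The following is an added example, not NT-ware's own nightly task, of what such a scheduled enforcement job looks like against the new Microsoft Graph method the Microsoft Learn link describes: for each privileged account it reads the current per-user MFA state, moves anything not already 'enforced' to 'enforced', and re-reads the state to confirm the write. Assumptions not stated on the page: the accounts to enforce are supplied as a list of UPNs, the caller holds the Policy.ReadWrite.AuthenticationMethod and User.Read.All Graph permissions, the Microsoft.Graph.Authentication PowerShell module is installed, and the endpoint is used on the beta Graph version (check the linked Microsoft Learn page for the version currently documented).

```powershell
# Added example (not NT-ware's code): nightly reconciliation that enforces
# Entra 'Per user MFA' on a supplied set of privileged accounts via Microsoft Graph.
# Assumed: $PrivilegedUpns is the list of tenant admin / privileged UPNs to enforce;
# the context has Policy.ReadWrite.AuthenticationMethod and User.Read.All;
# Microsoft.Graph.Authentication (Invoke-MgGraphRequest) is installed.
param(
    [Parameter(Mandatory)] [string[]] $PrivilegedUpns,
    [switch] $WhatIf   # report what would change without writing
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'User.Read.All' -NoWelcome

# Graph version is an assumption; verify against the Microsoft Learn page linked above.
$graph   = 'https://graph.microsoft.com/beta'
$changed = @(); $skipped = @(); $failed = @()

foreach ($upn in $PrivilegedUpns) {
    $uri = "$graph/users/$upn/authentication/requirements"
    try {
        # Current per-user MFA state: 'disabled' | 'enabled' | 'enforced'
        $state = (Invoke-MgGraphRequest -Method GET -Uri $uri).perUserMfaState

        if ($state -eq 'enforced') { $skipped += $upn; continue }

        if ($WhatIf) {
            Write-Host "[dry-run] $upn : $state -> enforced"
            $changed += $upn
            continue
        }

        # 'enforced' is the state that requires MFA on every sign-in;
        # 'enabled' only asks the user to register at next sign-in.
        Invoke-MgGraphRequest -Method PATCH -Uri $uri `
            -Body @{ perUserMfaState = 'enforced' } | Out-Null

        # Read back before counting the account as done: a silently ignored
        # PATCH would otherwise leave a privileged account without enforcement.
        $after = (Invoke-MgGraphRequest -Method GET -Uri $uri).perUserMfaState
        if ($after -ne 'enforced') { throw "state is '$after' after PATCH" }
        $changed += $upn
    }
    catch {
        $failed += "$upn ($($_.Exception.Message))"
    }
}

Write-Host "Enforced now: $($changed.Count); already enforced: $($skipped.Count); failed: $($failed.Count)"
$failed | ForEach-Object { Write-Warning $_ }

# Exit non-zero so the scheduler records the run as failed and someone looks at it.
if ($failed.Count -gt 0) { exit 1 }
```

Run it once with -WhatIf from an interactive session to see which accounts would change, then schedule it without the switch. The read-back and the non-zero exit are the parts worth keeping in any real job: a nightly task that only issues the PATCH and reports success cannot tell you whether enforcement actually applied.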
Severity
It is important to note that MFA was NEVER disabled at any time and all accounts remained under a Microsoft MFA platform. NT-ware observed no security incidents at any time and remains confident in the security and effectiveness of the authentication process.
Affected Versions
Product | Affected versions |
uniFLOW Online | Logins prior to:
|
Fixed Versions
Product | Fix versions |
uniFLOW Online |
|
What You Need to Do
There is no user action required as this will be brought in seamlessly by NT-ware Operations.
Considerations
We took this opportunity during the work effort this week to change the 'remember MFA on trusted devices' period from 365 days to 30 days, in alignment with industry best practice. With 'Per User MFA' now enabled as the default, you will be prompted for MFA on each login. You can defer the prompt for up to 30 days per unique login device; after that the device must complete MFA again.
Recommendations:
Customers who have strict identity protection requirements, or who want to manage the MFA configuration directly, should implement their own IdP (Identity Provider), such as Entra ID. This can be applied to all user accounts except for the tenant Root Admin created during tenant provisioning.
Support
If you have further questions, please contact your Canon / Canon Business Partner representative.
