In our environment we can't use Live Response on our EDR because we need to activate MFA for the admin account. At this moment we use Azure federation for login with a Microsoft account (which already has MFA enabled), but we still get the message that the same MFA is needed. Is this normal behavior? Can you use Live Response only with a local account and MFA?
Can you share with us the MFA notification that you're getting upon activating the Live Response setting? In addition, was the account being used to activate Live Response a super admin account on your Central dashboard?
Yes, my user is a super admin.
I ran a test with my colleague's user, who is a super admin but local only, not synced. He can use Live Response. When I use my user, who is a super admin but has an Azure AD synced profile, I can't. If I try to add a local user with my email, obviously it says that this username already exists (the synced one). It seems that you can only use a local account for Live Response; my Azure AD synced profile has MFA enabled, but Sophos Central can't recognize that.
Sophos Central should be able to recognize that an admin is using Azure for MFA and should allow Live Response to work, but we know there are some instances where MS Azure isn't reliably passing the info to Central that the admin has used MFA, and this therefore fails. It is something we have been investigating. A workaround for the admins you want to be able to use Live Response would be to enable Central MFA along with the Azure Federation. While a bit painful, this should allow you to work around the problem for those select admins.
Thanks for your reply, Kevin. Central MFA is already set up for all Central admins. I think the only solution available at the moment is to create a separate local admin to use Live Response.
How are your settings configured on the Global Settings -> Federated Sign In page in Central? Wondering if how that is configured might matter...
It's set to sign in with Microsoft credentials only.
Maybe worth a shot to try some custom rules for the admins who you want to be able to use Live Response. Hopefully that will get you there...
I will try, but at this moment when I click on Add Users nothing happens (same on two different browsers).