This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

EDR can't use live response because need MFA

Good morning,

in our eviroment we can't use live response on uor EDR beacuase we need to activate the MFA for admin account, but at this moment we use azure federation for login with microsoft account(who already has mfa anabled), but we still have the message that same mfa is needed. It' a normal behavior? You can usa live response only with local account and MFA?


Best regards.

This thread was automatically locked due to age.
  • Hi,

    Can you share with us the MFA notification that you’re getting upon activating the Live response setting? in addition, was the account being used to activate the Live response was a supper admin account on your central dashboard? 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi,

    yes my user is a super admin.

    I maked a test with my colleague's user, who is a super admin but only local not synched. He can use live response. When i use my user who is a super admin but it's a azure ad synched profile, i can't. If i try to add a local user with my email, obviusly it said that this username already exist(the synched one). Seems that you can only use local account for live response, on my azure ad synched profile it'a enabled mfa but sophos central can't recognized that.


  • Sophos Central should be able to recognize that an admin is using Azure for MFA and should allow Live Response to work,  but we know there are some instances where MS Azure isn't reliably passing the info to Central that the admin has used MFA and this therefore fails. It is something we have been investigating.  A work around to the problem would be for the admins you want to be able to use Live Response, along with the Azure Federation, you can also enable Central MFA and while a bit painful this should allow you to work around the problem for those select admins.  

  • Sophos Central should be able to recognize that an admin is using Azure for MFA and should allow Live Response to work,  but we know there are some instances where MS Azure isn't reliably passing the info to Central that the admin has used MFA and this therefore fails. It is something we have been investigating.  A work around to the problem would be for the admins you want to be able to use Live Response, along with the Azure Federation, you can also enable Central MFA and while a bit painful this should allow you to work around the problem for those select admins.  
