In this post I will show you how to Secure Account using Multi-factor authentication (MFA) in Azure or we can say how to setup MFA (Multi-factor Authentication) in Azure. MFA is enabled automatically when you create account on Azure, this is done automatically as part of Security defaults. But this is not the only way (ie. Security Defaults) to achieve Multi-factor authentication. There are other methods and much suitable and recommended by Microsoft. Conditional Access is one the better way to achieve the MFA.
- What is Azure AD Multi-Factor Authentication
- Importance of Multi-Factor Authentication
- Azure AD Multi-Factor Authentication works upon following method:
- Prerequisites for enabling Azure AD Multi-Factor Authentication (MFA)
- Multiple methods to enable MFA
What is Azure AD Multi-Factor Authentication
Multi-factor authentication provides an extra layer of security during sign-in process, this additional information can be in form entering a code through Microsoft Authenticator, sending code on your mobile phone etc.
Importance of Multi-Factor Authentication
As the extra layer of security is implemented, it makes more difficult for hackers to login to your account. This makes your account more secure as password can be easily compromised but having additional authentication method provides another layer of authentication on top of first layer, and not an easy task for any hacker / attacker.
Azure AD Multi-Factor Authentication works upon following method:
- Something you know – This could be your password
- Something you have – This could be your cellphone, tab or hardware key.
- Something you are – This includes Biometrics such as fingerprint, face scan.
Prerequisites for enabling Azure AD Multi-Factor Authentication (MFA)
Following criteria must be met to utilize the Azure AD MFA.
- You need to have Azure AD Premium P1 or P2.
- You must have global administrator role assigned.
Multiple methods to enable MFA
There are multiple ways to enable to Multi-Factor authentication (MFA) which includes:
- Security Defaults
- Conditional Access (Recommended one)
- Per-User MFA
We will cover each scenario and understand the benefits.
Azure AD MFA using Security Defaults
As I told you earlier that with new Azure AD tenant, MFA automatically gets activated as part of Security Defaults which allows you to setup MFA by providing 14 days to configure it. This happens for each new account when they try to log in to Azure Portal.
You can find this setting when logging on to Azure Portal, navigate to Azure Active Directory > Properties > Manage Security Defaults
You will see Enable Security defaults set to Yes.
If you have already enabled custom Conditional Access policy, you won’t be able to Enable Security defaults, and will see following message:
It looks like you have a custom Conditional Access policy enabled. Enabling a Conditional Access policy prevents you from enabling Security defaults. You can use Conditional Access to configure custom policies that enable the same behavior provided by Security defaults.
I would prefer not to disable any Conditional Access policy as this is recommended way to enable MFA.
Enable Azure AD MFA using Conditional Access
Conditional Access is the recommended and better way to apply Multi-factor authentication. Conditional Access provides such an in-depth and rich feature which is not limited to just multi-factor authentication but so many other controls which we can have.
This is a topic which every Cloud administrator has to go through in detail before implementing it. If you wrongly implement any policy, you can lock down yourself also to login to Azure portal / access cloud applications.
To implement Conditional Access policy make sure to disable the Security Defaults by navigating to Azure Active Directory > Properties > Manage Security Defaults.
Conditional access settings can be accessed in 2 ways:
- Through Microsoft Endpoint Manager Admin Center, navigate to Home > Conditional access
- Through Azure Portal, navigate to Home > Conditional Access.
Microsoft have provided readymade templates for various Conditional Access policy which can be implemented very easily with very least efforts.
Once you are on Conditional Access | Policies page, click on New policy > Create new policy from templates (Preview).
On Customize your build, we have 2 options for template category,
- Identities: Select Identities policy template category to verify and secure each identity with strong authentication across your entire digital estate.
- Devices. Select Devices policy template category to gain visibility into devices accessing the network. Ensure compliance and health status before granting access.
Select Identities and click Next.
We can see list of all templates available:
- CA001: Require multi-factor authentication for admins
This policy requires multi—factor authentication for admins only for all Cloud apps.
- CA002: Securing security info registration
This policy requires MFA and requires users to register security information and self-service password.
- CA003: Block legacy authentication
This policy blocks access to legacy client apps such as Exchange ActiveSync clients and Other clients
- CA004: Require multi-factor authentication for all users
This policy requires MFA for all apps and for all users
- CA005: Require multi-factor authentication for guest access
This policy similar to CA004 but only applicable to guest and external users.
- CA006: Require multi-factor authentication for Azure management
This policy is again similar to CA004 & CA005 which requires MFA but only limited to Azure Management and applied to all users. This policy will apply to all Azure Management application such as:
- Azure portal
- Azure Resource Manager provider
- Classic deployment model APIs
- Azure PowerShell
- Azure CLI
- Visual Studio subscriptions administrator portal
- Azure DevOps
- Azure Data Factory portal
- CA007: Require multi-factor authentication for risky sign-ins
This policy applies to Sign-in risk related conditions where Risk levels are Medium or high.
- CA008: Require password change for high-risk users
This policy requires all users to change password when Risk levels are high, this is applicable to all cloud apps.
We will be selecting Require multi-factor authentication for Azure management, click on View policy summary to see what kind of policies it is going to apply.
Note: This policy is only applicable for enabling MFA for Azure management, hence accessing any azure portal, CLI etc will be the cloud apps prompting for MFA. This will not trigger MFA for accessing any other cloud apps.
Provide the Policy name something like “Enable MFA – Azure Management”, select Policy state as On. We have option to select Report-only which is a very handy option to simulate on how policies will be applied. Hence, be careful to make the Policy state as On so as you are not blocking yourself.
Under Review + Create page verify the settings. By default, current user is added in Excluded users list which helps in scenario where everyone getting locked getting access to portal but current user who implemented it. Click Create Policy.
You might see following error if Security defaults is enabled:
It looks like you're about to manage your organization's security configurations. That's great! You must first disable Security defaults before enabling a Conditional Access policy.
If that’s the case, go to Azure Active Directory > Properties > Manage Security Defaults and select “No” under Enable Security defaults.
By setting up this Conditional Access policy, we have set up condition to access Azure Management application to grant access only when multi-factor authentication is done, if it is not done it will prompt user to set this up as we have enabled the option Require multi-factor authentication under Grant access.
Next time when you try accessing Azure Portal, Intune Portal or any other Azure management app, you will get notification (if you haven’t set MFA before for that particular user)
“More information required”
Your organization needs more information to keep your account secure
Clicking on Next will take you to https://mysignins.microsoft.com/ register page to setup the app using Microsoft Authenticator, you may choose a different method such as “Phone” as for MFA setup
aka.ms/MFASetup is the Short URL which will take you to Security info page, you can bookmark which can be very handy for users if they wanted to add any different kind of Default sign-in method at later stage.
Enable MFA using Per-user MFA
We can also enable Multi-factor authentication (MFA) based upon per user basis, ie. we can manually select specific users to enable MFA.
Under Azure Portal, navigate to Azure Active Directory > All users and click on Per-user MFA.
Clicking on Per-user MFA will take you to another page where you can see list of all users. Select specific user / users and click on Enable under “quick steps” proceeding with clicking on enable multi-factor auth.
And that’s it, this is all you need to do. There are couple of another options as well when you click on Manage user settings under “quick steps” which is quite self-explanatory:
- Require selected users to provide contact methods again
- Delete all existing app passwords generated by the selected users
- Restore multi-factor authentication on all remembered devices
Note: Don’t use Per-user MFA settings if you are using Conditional Access Policy
We covered various different method of enabling the Multi-factor authentication (MFA), however setting it up using Conditional Access Policy is the recommended option. This provides more flexibility and better control over other MFA settings such as Security defaults and Per-user MFA. Conditional Access Policy should be implemented carefully as any wrong setting / implementation can lock yourself and whole organization. It is always recommended to start Conditional Access Policy with small group of users with Report-only setting so as to monitor the behavior.
Azure Active Directory security defaults | Microsoft Docs