Azure, Office 365, Technology

9. Planning and Implementing Azure Multifactor Authentication (MFA)

Understanding the Concepts of Multifactor Authentication

 

What is MFA?

 

Authentication methods:

  • Something you know: password, pin etc…
  • Something you have: smart card, key fob, mobile phone etc…
  • Something you are: biometrics

MFA is using a combination of these methods.

No single step authentication is strong enough on its own in today’s cyber security climate.

Two step verification significantly increases security by adding an additional layer of protection.

 

Administration of MFA

 

MFA Licence

You need an MFA licence before being able to set it up for your users. You can check the licences which have this feature.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing

Azure AD Free: this has MFA for admins only

Azure Actie Directory Premium 1 and 2: his has MFA for all users

M365 E3 Licence: this has Azure premium 1 (so it has MFA)

M365 E5 Licence: this has Azure premium 2 (so it has MFA)

 

Configuring MFA

For a single user

  1. Go to Azure AD -> Users -> Multi Factor Authentication (if the resolution of the monitor is low you may need to click the ellipse symbol to get this option)
  2. Select the user you want
  3. Click on Enable
  4. The next time this user goes to authenticate it will make them register for MFA (enter phone number /email for MFA)
  5. You can then click Enforce to force it on for this user (see note below about non browser applications)
  6. Click Save
  7. Click on Service Settings at the top of the page
  8. There is an “App passwords” setting here where you can allow users to create app passwords to login to legacy apps
  9. Trusted Ips: you can set Ips which don’t have to use MFA
  10. Verification options: turn on or off different verification options (text to phone, mobile app etc…)
  11. Remember MFA on trusted device: once a device has authenticated the user can trust the device and it can bypass MFA for a specified time (default is 90 days)

 

NOTE: About Non-browser Applications

If you enforce MFA for users you may see the pop up about “Non browser applications” and how users will need to create app passwords.

This refers to legacy apps(EG: Outlook 2010). If you enforce MFA and you are using legacy apps, the users won’t be able to logon as legacy apps don’t support MFA

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-app-passwords#:~:text=Select%20Multi%2DFactor%20Authentication%20from,to%20non%2Dbrowser%20apps%20option.

App passwords are automatically generated and not known to the user.

 

Looking into Reporting Data for MFA

  1. Go to Azure AD
  2. Go to Monitoring ->Sign ins
  3. Click on Sign in and go to the Authentication Details tab. This will show if they used MFA and if it was successful. It will give info if it failed.

You can filter this view to show different dates, users, apps, etc…

 

If you search for Azure MFA reports there is a good article on running MFA reports and using powershell for this.

Leave a Reply

Your email address will not be published. Required fields are marked *