Multi-Factor Authentication can add a strong layer of security to your environment. Its premise is that an attacker who has obtained something you know (your password) is unlikely to also hold something you have. Typically that is a cell phone or an office phone line on which you receive a code via SMS or a phone call. Those two channels are the weakest second factors on offer, since a phone number can be ported or redirected, so prefer an authenticator app where your users can use one.
In Office 365/Azure, setting it up is not difficult, but you have to know all of the places you need to go before it will work; missing a step may lock your users out of your environment. I am going to walk through setting up MFA with a scenario. You might want to do this differently, which is fine, but I'd also like to show you a little of Azure AD Identity Protection.
I have EMS E5 and I want to enforce MFA registration and require MFA for medium- and high-risk sign-ins. These are sign-ins that originate from
- Anonymous ip’s
- Impossible travel
- Atypical locations
You can find more information on these types of risk events here.
Azure Active Directory Identity Protection
Azure Active Directory Identity Protection is a feature of Azure AD Premium P2 that adds intelligence to sign-in events for Azure AD enabled services. It lets you define risk mitigation policies and gives you insight into what suspicious sign-in activity is occurring against your identities. You can then accept or mitigate those risks by creating policies that block the sign-in, require the user to prove who they are via MFA, or force a password change (the last only works if you are cloud-only or have password writeback working).
Setting this up.
Here’s what we want to do for the purpose of this case.
- Enable MFA registration for everyone
- Enable MFA for medium or high risk sign ins
- Enable MFA
MFA registration prompts your users to set up their MFA profile. They see a screen saying that your organization requires additional verification information, and are then walked through setting it up. This prompt can appear on whatever Microsoft service they sign into (Office 365, Visual Studio Team Services, Azure, Dynamics 365 etc.).
To set up MFA registration in Azure AD Identity Protection, go to the Azure AD Identity Protection blade in the Azure portal and click Multi-factor authentication registration under Configure.
When the blade opens on the right you can choose your settings.
Setting the sign-in risk policy
On the left, click Sign-in risk policy. Here I was a little more granular: I wanted to exclude a group from MFA, so I created an Azure AD group that lets things like service accounts skip the MFA requirement. Keep that group small and review its membership regularly, because a risky sign-in from an excluded account will never be challenged. The important setting here is Sign-in risk, which I set to Medium and above.
I wouldn't turn this policy on just yet. If you haven't turned on MFA for your users, they will be blocked from the service as soon as it requires them to use MFA, because they have nothing registered that can satisfy the prompt.
Enable MFA settings for your users.
There are a few ways to find the MFA users screen, and in my mind none of them is in an entirely logical spot. The first: if you have Office 365, you can reach it from any user in the Admin Center
- Pick any user
- Bring up their information
- under More settings click "Manage multi-factor authentication"
Why do I think this is in a strange place? To reach a setting that applies to all users, you have to click on a setting for one user. Everything else on an individual user's page pertains to that user: group membership, licensing, and so on. This particular setting applies to every user, yet it is found within any single user's settings.
If you don't have Office 365 and are using this for some other service, there is another way to get to it, and it is also in a strange place. If you've been using Azure for the last year or so, you may only ever have used the new modern portal https://portal.azure.com
There is the classic portal that Microsoft is migrating away from, but a few crucial settings such as multi-factor authentication are still hiding in there. Let me help you find it.
The classic portal can be found at https://manage.windowsazure.com
Once in, click Active Directory on the left and select your directory on the right.
Once inside, click Configure at the top.
Then scroll down to multi-factor authentication and click “Manage service settings”
Once that is done, remember to go back and turn your sign-in risk policy on.
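As an added example (not part of the original post), here is the same work scripted with the MSOnline PowerShell module that was the standard tooling when per-user MFA lived in the classic portal. Microsoft has since deprecated MSOnline in favour of the Microsoft Graph PowerShell SDK, but the cmdlets and properties below are real and were the supported way to script this. The script serves two steps of the walkthrough: the warning under Setting the sign-in risk policy that anyone with nothing registered is locked out the moment the policy fires, and the Enable MFA settings step. It lists users with no registered verification method, summarises which default methods are in use (so you can see how much of the tenant rests on SMS and voice), and sets per-user MFA to Enabled for every active licensed user outside an exclusion group. The group name MFA-Excluded, the -DryRun switch and the file name are my assumptions.

```powershell
# Added example, not from the original post. Assumes the MSOnline module is
# installed and that you sign in as a Global Admin (or Authentication Admin)
# with MFA already registered, so the script cannot lock you out.
# The exclusion group name is a placeholder; substitute your own.
# Run with -DryRun first; nothing is changed until you drop that switch.
param(
    [string] $ExclusionGroup = "MFA-Excluded",   # hypothetical group name
    [switch] $DryRun
)

Import-Module MSOnline
Connect-MsolService   # interactive sign-in

# Members of the exclusion group (service accounts etc.) keyed by ObjectId.
$group = Get-MsolGroup -SearchString $ExclusionGroup | Select-Object -First 1
$excluded = @{}
if ($group) {
    Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
        ForEach-Object { $excluded[$_.ObjectId.ToString()] = $true }
}

# Active, licensed users only; blocked accounts are left alone.
$users = @(Get-MsolUser -All | Where-Object { $_.IsLicensed -and -not $_.BlockCredential })

# 1. Registration coverage: who has no verification method on file yet.
#    These are the users the sign-in risk policy will challenge and then block,
#    which is the lock-out the post warns about.
$unregistered = @($users | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 })
"{0} of {1} active licensed users have no MFA method registered" -f $unregistered.Count, $users.Count
$unregistered | Select-Object UserPrincipalName, DisplayName | Format-Table -AutoSize

# 2. Default methods in use. OneWaySMS and TwoWayVoiceMobile are the phone
#    channels; PhoneAppNotification / PhoneAppOTP are the authenticator app.
$users |
    ForEach-Object { $_.StrongAuthenticationMethods | Where-Object { $_.IsDefault } } |
    Group-Object MethodType |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 3. Per-user MFA state. "Enabled" makes Azure AD prompt the user to register
#    at their next interactive sign-in; "Enforced" requires MFA thereafter.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = "*"
$requirement.State = "Enabled"

foreach ($u in $users) {
    if ($excluded.ContainsKey($u.ObjectId.ToString())) {
        "SKIP   {0} (member of {1})" -f $u.UserPrincipalName, $ExclusionGroup
        continue
    }
    if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        "OK     {0} already {1}" -f $u.UserPrincipalName, $u.StrongAuthenticationRequirements[0].State
        continue
    }
    if ($DryRun) {
        "WOULD  enable MFA for {0}" -f $u.UserPrincipalName
    } else {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($requirement)
        "ENABLE {0}" -f $u.UserPrincipalName
    }
}
```

Save it as, say, Enable-Mfa.ps1 and run `.\Enable-Mfa.ps1 -DryRun` first to see the coverage report and the list of accounts that would change; run it again without the switch once the unregistered list is short enough that the help desk can absorb the registration prompts. Passing an empty array (`@()`) to -StrongAuthenticationRequirements is how you reverse the change for a single user if you need to.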