More and more companies are looking to use two factor authentication for external connections to their cloud environment. It used to be an onerous process to set it up and it was aggressive as hell. I think to anyone trying to setup MFA, it’s still confusing because you have so many paths to achieve it and they are not all equal. I want to talk about the paths and how to combine them and which path not to consider. I will start by naming them.
- The old way
- The limited way
- The new way
The way I have named them may betray some bias on my part, and I must admit there is some, since I have set all of them up. I am currently using a combination of the limited way and the new way to achieve the security I want.
1. The old way
The old way of turning on MFA is, in my view, still the most confusing and frustrating to use. It involves either going to the old (Azure) portal or to the user settings in Office 365 and clicking “Manage multi-factor authentication”. You would then have to enable the setting for every user.
Once you turn this on, you will get a prompt for everything. There are no options to exclude applications. It is very limited.
It’s confusing because when you are looking at articles online, and when you are looking through the options, this will likely be the first option you find, and it’s the most restrictive. I wouldn’t consider using it.
2. The limited way, or use it if you are licensed for it
This is only available to those that have Azure Active Directory P2 licenses. It is a feature with its limitations, but it’s very useful for some scenarios. It falls under a feature called Azure AD Identity Protection, which is designed to use intelligence to detect odd behaviours with your identities; it then sends you a report and a weekly digest so you can action any issues in your community. The multi-factor authentication feature is configured via two policies.
a. MFA registrations – which forces everyone to register for multi-factor authentication. This is a process by which you are requested to select the type of authentication you wish to setup.
b. Sign-in risk policy – You set this to be triggered on low/medium/high risk slider, and the system will trigger MFA if a risk event is triggered such as impossible travel or a sign in from an unusual location (intelligence) or an anonymous network. These are the most common ones I’ve seen.
This policy doesn’t require you to turn on any individual user settings, but it does require that you have Azure AD P2 licenses.
3. The new way, or using Conditional Access
Conditional Access policies are the new way to do MFA, or really any conditional access action: you have many options such as block access, require MFA, etc. This version of MFA detects whether you have previously registered and either requires MFA or asks you to register for it. The scope it gives you is wide as well. You can apply a policy to users, groups or everyone, and there is the ability to provide exceptions for things like service accounts that can’t do MFA.
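To make the scoping concrete, here is an added example (not from the original post) that creates such a policy with the Microsoft Graph PowerShell SDK: require MFA for all users on all cloud apps, while excluding a group that holds the service accounts that can’t do MFA. The group object ID and the policy name are placeholders; the `Connect-MgGraph`, `New-MgIdentityConditionalAccessPolicy` and `Update-MgIdentityConditionalAccessPolicy` cmdlets are the SDK’s own.

```powershell
# Added example, not from the original post: a Conditional Access policy that requires MFA
# for everyone except an exclusion group of service accounts.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: replace with the object ID of your service-account exclusion group.
$serviceAccountsGroupId = "00000000-0000-0000-0000-000000000000"

$params = @{
    displayName = "Require MFA for all users (exclude service accounts)"
    # Report-only first: the sign-in log shows what the policy WOULD have done,
    # so you can find accounts you forgot to exclude before anyone is locked out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($serviceAccountsGroupId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # the "require MFA" grant control
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State

# Once the report-only results look right, switch the same policy to enforced:
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
    -BodyParameter @{ state = "enabled" }
```

Keeping the exclusion in a group rather than listing individual users means the exceptions are reviewable in one place; the same group is where an emergency-access (break-glass) account belongs, so that a misconfigured MFA policy cannot lock every administrator out of the tenant.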
What do I do? I do a combination of 2 and 3. It gives me the ability to require MFA and considers special situations as well. More on the details later.