Azure Tutorials
Published in

Azure Tutorials

Configure Azure Multi-Factor Authentication in Azure


Block and unblock users

Use the block and unblock users feature to prevent users from receiving authentication requests.Users remain blocked for 90 days from the time that they are blocked.

Block a user

Unblock a user

Fraud alert

Configure the fraud alert feature so that your users can report fraudulent attempts to access their resources.

Turn on fraud alerts

Configuration options

View fraud reports


Configure email addresses here for users who will receive fraud alert emails in Azure Active Directory > Security > Multi-Factor Authentication > Notifications.

Phone call settings

Caller ID

MFA caller ID number — This is the number your users will see on their phone. Only US-based numbers are allowed.

When Multi-Factor Authentication calls are placed through the public telephone network, sometimes they are routed through a carrier that doesn’t support caller ID. Because of this, caller ID is not guaranteed, even though the Multi-Factor Authentication system always sends it.

Custom voice messages

You can use your own recordings or greetings for two-step verification with the custom voice messages feature. These messages can be used in addition to or to replace the Microsoft recordings.

Before you begin, be aware of the following restrictions:

Custom message language behavior

When a custom voice message is played to the user, the language of the message depends on these factors:

For example, if there is only one custom message, with a language of German:

Set up a custom message

One-time bypass

The one-time bypass feature allows a user to authenticate a single time without performing two-step verification. The bypass is temporary and expires after a specified number of seconds. In situations where the mobile app or phone is not receiving a notification or phone call, you can allow a one-time bypass so the user can access the desired resource.

Create a one-time bypass

View the one-time bypass report

Caching rules

You can set a time period to allow authentication attempts after a user is authenticated by using the caching feature. Subsequent authentication attempts for the user within the specified time period succeed automatically. Caching is primarily used when on-premises systems such as VPN, send multiple verification requests while the first request is still in progress.

Set up caching

MFA service settings

Settings for app passwords, trusted IPs, verification options, and remember multi-factor authentication for Azure Multi-Factor Authentication can be found in service settings. Service settings can be accessed from the Azure portal by browsing to Azure Active Directory > Security > MFA > Getting started > Configure > Additional cloud-based MFA settings.

The trusted IP address ranges can be private or public.

App passwords

You can use an app password in place of your traditional password to allow an app to bypass two-step verification and continue working.

App passwords do not work with Conditional Access based multi-factor authentication policies and modern authentication.

Considerations about app passwords

When using app passwords, consider the following important points:

Guidance for app password names

App password names should reflect the device on which they’re used. If you have a laptop that has non-browser applications like Outlook, Word, and Excel, create one app password named Laptop for these apps.

Federated or single sign-on app passwords

Azure AD supports federation, or single sign-on (SSO), with on-premises Windows Server Active Directory Domain Services (AD DS). If your organization is federated with Azure AD and you’re using Azure Multi-Factor Authentication, consider the following points about app passwords.

The following points apply only to federated (SSO) customers.

Allow users to create app passwords

By default, users can’t create app passwords. The app passwords feature must be enabled. To give users the ability to create app passwords, use the following procedure:

Trusted IPs

The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or federated tenant. The feature bypasses two-step verification for users who sign in from the company intranet.

Enable named locations by using Conditional Access

Enable the Trusted IPs feature by using Conditional Access

Enable the Trusted IPs feature by using service settings

Verification methods

When your users enroll their accounts for Azure Multi-Factor Authentication, they choose their preferred verification method from the options that you have enabled.

Enable and disable verification methods

Remember Multi-Factor Authentication

The remember Multi-Factor Authentication feature for devices and browsers that are trusted by the user is a free feature for all Multi-Factor Authentication users.

How the feature works

The remember Multi-Factor Authentication feature sets a persistent cookie on the browser when a user selects the Don’t ask again for X days option at sign-in. The user isn’t prompted again for Multi-Factor Authentication from that same browser until the cookie expires. If the user opens a different browser on the same device or clears their cookies, they’re prompted again to verify.

Enable remember Multi-Factor Authentication



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store