Multi-Factor Authentication in Azure

Setup your own MFA policy in Azure Active Directory

Sajeth Jonathan
The Padlock
5 min readMay 13, 2020


In my previous article, I explained about MFA and the advantages of it. This article would give you an Introduction to the MFA in Azure and a brief tutorial on how to set up MFA in Azure AD.

Authentication Modes for Cloud-based Azure MFA

Azure offers various authentication methods; the important ones are:

Enabling MFA Using Conditional Access Policies

MFA can be enforced using Conditional Access Policies. This is a capability of Azure Active Directory that lets you create policies to allow or restrict access to cloud-based applications. It applies to users or groups, and can be used to protect cloud-based applications such as:

  • Azure App Services
  • Azure AD Application Proxy
  • Microsoft Services

Users included in the policy can have other conditions to be met for the policy to be applied, such as:

  • When the user accesses the application from a particular country
  • The platform or device the user is using to access the application
  • Users accessing the cloud application from outside the corporate network

To configure custom policies, an Azure Active Directory Premium License is required.

Let’s try enforcing a Conditional Access Policy when users log in to the Azure Portal.

Navigate to the Conditional Access Policy page.

Active Directory > Security > Conditional Access

Click the “New Policy” button to create a new policy.

I’ll explain each of the available options to give a good understanding of them. For this tutorial, I will name this Conditional Access Policy “MFA Test”.

Assignments Section

  • Users and Groups

The targeted individuals are selected here: none, all users, or particular users and groups. Individuals to exclude from this policy can also be selected.

  • Cloud apps or actions

In this tutorial, I will be enforcing this policy on the Azure Portal (portal.azure.com). Therefore, click “Select Apps” and choose “Microsoft Azure Management”.

  • Conditions

The Conditions panel defines the situations in which the policy applies. The available options are:

  1. Sign-in risk: The likelihood that the sign-in is coming from someone other than the user
  2. Device Platforms: The platform the user is signing in from (iOS, Android, Windows Phone, Windows, macOS)
  3. Locations: The location the user is signing in from, determined by the user’s IP range
  4. Client apps: The software the user tries to log in from (Browser, Mobile Apps, Desktop Client)
  5. Device State: Whether the device the user is signing in from is ‘Hybrid Azure AD joined’ or ‘marked as compliant’

Using conditions is out of scope for this tutorial.

Access Control Section

  • Grant panel

In this panel, we can block access or select additional requirements that must be satisfied to allow access. To have users use MFA when logging in to the Azure Portal, enable ‘Require Multi-Factor Authentication’.

  • Session panel

Session controls enable a limited experience within a cloud app through the Sign-in Frequency or Persistent browser session settings. This is out of scope for this tutorial.

Enable Policy

To apply all these requirements, we have to enable this policy.

Additionally, there is a ‘Report-only’ mode which lets the policy be evaluated and logged at sign-in without impacting users.
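The same policy can be created through the Microsoft Graph API instead of the portal. The following Python is an added example, not code from the article: it builds the conditionalAccessPolicy request body for the “MFA Test” policy (report-only first, then enforced) and lints it for a missing break-glass exclusion. The group IDs are constructed placeholders; the application ID is Microsoft’s well-known one for Microsoft Azure Management, which you should confirm against your tenant.

```python
import json

# Well-known application ID shown as "Microsoft Azure Management" in the
# Cloud apps picker (confirm in your own tenant before relying on it).
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"


def build_mfa_policy(name, target_group_id, break_glass_group_id, report_only=True):
    """Return a Graph conditionalAccessPolicy body requiring MFA for the
    Azure Portal. Graph's report-only state is
    'enabledForReportingButNotEnforced'; 'enabled' enforces the policy."""
    state = "enabledForReportingButNotEnforced" if report_only else "enabled"
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {
                "includeGroups": [target_group_id],
                # Always exclude an emergency-access (break-glass) group so a
                # broken MFA registration cannot lock admins out of the portal.
                "excludeGroups": [break_glass_group_id],
            },
            "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy):
    """Return a list of problems a reviewer would flag before enabling."""
    problems = []
    users = policy["conditions"]["users"]
    if not (users.get("excludeGroups") or users.get("excludeUsers")):
        problems.append("no break-glass exclusion")
    if users.get("includeUsers") == ["All"] and policy["state"] == "enabled":
        problems.append("enforced on all users without a report-only trial")
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        problems.append("MFA is not required")
    return problems


if __name__ == "__main__":
    # Constructed placeholder object IDs for the two groups.
    policy = build_mfa_policy("MFA Test", "00000000-0000-0000-0000-00000000aaaa",
                              "00000000-0000-0000-0000-00000000bbbb")
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy))
```

The body is what you would POST to /identity/conditionalAccessPolicies once the report-only sign-in logs look right; flipping report_only to False switches the state to "enabled".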

Testing The Policy

Once this policy has been created, it can be tested. The next time users in the “MFA Test” group log in, they will receive instructions to set up Multi-Factor Authentication.

Here, the user can set up the “Microsoft Authenticator App” as the second authentication factor.

To do this, choose “Mobile App” and select “Receive notifications for verification”. Every time the user tries to log in, they only have to approve or deny the request through a notification.

Get the Microsoft Authenticator App

There will be a prompt to add this account to the Authenticator App by scanning a QR code. In the authenticator app, you can add the account like this:

Once you have added it, a 6-digit One Time Passcode (OTP) is generated every 30 seconds. For verification, the website asks you to enter the OTP.

Next, the user can provide their phone number as an alternative method in case they lose access to the mobile app.

Hereafter, when the user logs in, the conditional access policy is enforced.

Web & Mobile View

Conclusion

Conditional Access Policies are a convenient way of adding security measures to Microsoft services. Combining them with the Microsoft Authenticator app is also efficient because the extra authentication factor is only one tap away. Use the Conditional Access Policies provided by Azure to elevate your security mechanisms.

The video version of this article can be found on Microsoft Student Champs Sri Lanka’s YouTube page.
