How to set up and enforce Azure multifactor authentication
Azure Active Directory offers multifactor authentication to further secure login credentials. Get started with these instructions to set up this Microsoft cloud service.
As most administrators know, a data breach can devastate an organization. Azure multifactor authentication is one way to add an additional layer of security to prevent unsanctioned access.
Multifactor authentication via Microsoft Azure is one way to strengthen logon security. For example, if a company develops web applications and uses Azure Active Directory for authentication, administrators can implement two-step verification for all of the cloud app's users, end users and administrators alike. This practice can thwart an account breach and the ensuing setbacks that can devastate a company.
Multifactor authentication refers to user credential validation and comes in a few variants. Factors used to confirm identity include passwords, smart cards and retinal scans. Multifactor authentication confirms a user's claimed identity and grants access when it is supplied with two or more factors from the user.
Azure supports two-step verification, a subset of multifactor authentication, which requires the user to supply a second factor beyond something the user has. For example, the administrator might require two-step verification in Azure AD using a one-time passcode generated by an authenticator mobile app in addition to a password. The user demonstrates their identity by what they have physically -- the smartphone that runs the authenticator app -- and the passcode Azure delivers.
Using multifactor authentication for end users requires an upgrade to an Azure AD Premium P1 or P2 license.
Azure AD administrators assigned the global administrator role have free access to Azure multifactor authentication. Using multifactor authentication for end users requires an upgrade to an Azure AD Premium P1 or P2 license. Microsoft licenses Azure AD on a per-user basis. The administrator assigns the licenses to the appropriate users.
There is an alternative method to enforce multifactor authentication called conditional access policy that requires an Azure AD Premium P2 license. This tutorial will focus on the direct assignment method used with an Azure AD Premium P1 license.
Select multifactor authentication and service options
Open the Azure AD tenant in the Azure portal and navigate to the Users blade. Choose multifactor authentication from the toolbar to open a browser tab to specify the multifactor authentication service settings for the tenant and to manage the user multifactor authentication policy.
Administrators configure the Azure multifactor authentication service settings in this tab.
The administrator specifies the following from the service settings screen:
App passwords: An Azure-generated code used to bypass two-step verification on older, non-browser apps that do not support multifactor authentication.
Trusted IPs: IPv4 address ranges whitelisted to bypass multifactor
Verification options: The available methods to supply the second authentication factor.
Remember multifactor authentication: The number of days users can bypass two-factor verification after completing it once during a browser session.
Verification options explained
Azure multifactor authentication provides several verification options. With the Call to phone option, Microsoft makes a prerecorded voice call to the user. To approve the authentication request, the user must press # on his or her cellphone.
The Text message to phone option uses SMS to transmit the one-time code from Microsoft to the user's phone. Some information security professionals advise against using text messages for two-step authentication due to certain vulnerabilities.
The Notification through mobile app option saves the user from typing a one-time code. Instead, the user approves the authentication request by tapping a push notification message on their smartphone.
The Verification code from mobile app or hardware token option provides a one-time code from an authenticator app. Azure multifactor authentication works best with Microsoft Authenticator, but other authenticator apps, such as Authy, will do.
Apply a multifactor authentication policy to users
After configuring the service settings, navigate back to the Users tab to designate a multifactor authentication policy for specific users.
Azure AD users have one of three states: disabled with no multifactor authentication required, enabled with optional multifactor authentication or enforced with multifactor authentication required.
Select the user, then choose Enable in the quick steps section and, finally, click enable multi-factor auth to enforce the policy.
Set users to have optional or required multifactor authentication
Test the user experience
With the setup work complete, see what the new policy looks like from the users' perspective.
After a user authenticates to an Azure AD-backed web application with their user ID and password, the application prompts them to supply more information to complete the multifactor authentication enrollment process.
Users enter their information to enroll in multifactor authentication.
The user selects a default multifactor authentication option, which they can change from the Azure AD user profile page at myapps.microsoft.com based on the choices the administrator configured, such as a text message to their phone, a notification through a mobile app or a verification code from a mobile app.
A user received a verification code from the Azure AD mobile app.
A user with more than one Azure multifactor authentication option can switch between them on the logon page.
Azure offers users the option to choose a verification option.
For users with the remember multifactor authentication option, the maximum interval to suppress the second-step verification is 60 days.
Before administrators configure Azure multifactor authentication, it could be helpful to see the different scenarios listed on this site to determine which method might work best for their organization.
