Setting up Azure Multi-Factor Authentication (MFA) is a crucial step in securing your Azure Active Directory (Azure AD) and protecting your organization's sensitive data.
To get started, you'll need to register for an Azure AD account if you haven't already. This will give you access to the Azure portal, where you can manage your Azure AD settings.
First, navigate to the Azure portal and sign in with your Azure AD account. Once you're in, click on the "Azure Active Directory" tab in the left-hand menu.
From there, click on "Security" and then select "Conditional Access" to set up policies for your users.
Before You Begin
Before you begin setting up Azure MFA, make sure you meet these basic requirements:
- You must be a Global admin to manage MFA.
- If legacy per-user MFA is turned on, turn it off first to ensure a smooth setup process.
- Advanced: if you use third-party directory services with Active Directory Federation Services (AD FS), set up the Azure MFA Server for those scenarios.
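As an added check (not part of the original article), this PowerShell lists the accounts that still have legacy per-user MFA set, so you know what has to be turned off before moving on; it uses the now-deprecated MSOnline module, and the module name and a Global admin sign-in are assumptions.

```powershell
# Added example (not from the original article): find users who still have
# legacy per-user MFA enabled or enforced, using the MSOnline module.
# Assumes the MSOnline module is installed and you sign in as a Global admin.
Import-Module MSOnline
Connect-MsolService

function Get-LegacyPerUserMfaUsers {
    # StrongAuthenticationRequirements is empty when per-user MFA is disabled;
    # otherwise its State is "Enabled" or "Enforced".
    Get-MsolUser -All |
        Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
        Select-Object UserPrincipalName,
            @{ Name = 'PerUserMfaState'; Expression = { $_.StrongAuthenticationRequirements[0].State } }
}

$legacy = Get-LegacyPerUserMfaUsers
$legacy | Format-Table -AutoSize

# Only after a Conditional Access policy requiring MFA is in place and verified,
# clear the legacy setting so users are not left without a second factor:
# $legacy | ForEach-Object {
#     Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements @()
# }
```

Run the report first and keep the output; clearing the per-user setting before a Conditional Access policy covers the same users removes MFA from them entirely.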
Download and Install
You download the Azure Multi-Factor Authentication Server from the Azure portal. There are two routes to the download: managing the Multi-Factor Auth Provider directly, or going through the service settings. The second route requires either a Multi-Factor Auth Provider or an Azure AD Premium license.
To download the server via the service settings:
- Sign in to the Azure Portal as an Administrator.
- On the left, select Active Directory.
- Double-click your instance of Azure AD.
- At the top, click Configure.
- Under multi-factor authentication, select Manage service settings.
- On the services settings page, at the bottom of the screen click Go to the portal.
- This will open a new page. Click Downloads.
- Above Generate Activation Credentials, click Download.
- Save the download.
Make sure the server you're downloading it to meets the system requirements: 200 MB of hard disk space, a 32- or 64-bit capable processor, and 1 GB or more of RAM.
Download the Azure Multi-Factor Authentication Server
Both download routes require you to sign in to the Azure Portal as an Administrator; without that access the download is not available.
To download the server by managing the Multi-Factor Auth Provider directly:
- Sign in to the Azure Portal as an Administrator.
- On the left, select Active Directory.
- At the top of the page, click Multi-Factor Auth Providers.
- At the bottom of the screen, click Manage. This opens a new page.
- Click Downloads.
- Above Generate Activation Credentials, click Download and save the file.
To download it via the service settings instead, sign in as an Administrator, select Active Directory, double-click your instance of Azure AD, click Configure at the top, and under multi-factor authentication select Manage service settings. On the service settings page, click Go to the portal at the bottom of the screen; this opens a new page where you click Downloads, then Download, as above.
Installation and Configuration
Once you have downloaded the server from the Azure portal (see the download steps above), check that the host meets the server requirements:
- At least 200 MB of hard disk space.
- A 32- or 64-bit capable processor.
- 1 GB or more of RAM.
- Windows Server 2003 or greater if the host runs a server OS, or Windows Vista or greater if it runs a client OS.
To install the server, double-click the executable to begin the installation. Once installed, configure the server by launching the configuration wizard; you can also skip the authentication configuration wizard and start the server by closing the wizard and clicking Activate.
The configuration wizard guides you through setting up the server, and you can re-run the authentication wizard later by selecting it from the Tools menu on the server. Once configured, you can quickly import users into the Azure MFA Server.
Firewall and Security
To set up Azure MFA, you'll need to ensure your firewall allows communication on port 443 to the PhoneFactor servers. This means opening a connection to https://pfd.phonefactor.net, https://pfd2.phonefactor.net, and https://css.phonefactor.net.
If your outbound firewalls are restricted on port 443, you'll also need to open the Azure MFA IP address ranges listed below.
Alternatively, if you're not using Azure MFA Event Confirmation features and users aren't authenticating with the Multi-Factor Auth mobile apps from devices on the corporate network, you can reduce the IP ranges to the following:
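An added pre-install check (not from the original article) for the three endpoints named above: it confirms the MFA Server host can complete a TCP handshake on port 443 to each one, and assumes Windows PowerShell with Test-NetConnection is available on that host.

```powershell
# Added example (not from the original article): verify that the MFA Server host
# can reach the three PhoneFactor endpoints on TCP 443 before activation.
# Assumes Windows PowerShell 4+ (Test-NetConnection) on the MFA Server host.
$endpoints = @('pfd.phonefactor.net', 'pfd2.phonefactor.net', 'css.phonefactor.net')

function Test-MfaServerEgress {
    param([string[]]$Hosts, [int]$Port = 443)
    foreach ($h in $Hosts) {
        # Test-NetConnection resolves the name and attempts a TCP handshake;
        # TcpTestSucceeded is $false when a firewall or proxy blocks the path.
        $r = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host         = $h
            ResolvedIP   = $r.RemoteAddress
            TcpReachable = $r.TcpTestSucceeded
        }
    }
}

$results = Test-MfaServerEgress -Hosts $endpoints
$results | Format-Table -AutoSize

# Fail loudly if any endpoint is blocked, so this can gate the install step.
$blocked = $results | Where-Object { -not $_.TcpReachable }
if ($blocked) {
    Write-Warning ("Outbound 443 blocked to: " + ($blocked.Host -join ', ') +
                   ". Open the firewall before activating the server.")
}
```

If your egress rules are IP-based, compare the ResolvedIP column against the ranges you allowed; a successful handshake only proves the TCP path, so a TLS-intercepting proxy can still break activation.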
Configuring Email
To configure email, click the email icon on the left. This is where you enter the SMTP information of your mail server, which the Azure MFA Server uses to send these emails.
You can send a blanket email to every user at once by checking the "Send mails to users" check box, which notifies all users about their multi-factor authentication setup.
On the Email Content tab, you'll see various email templates to choose from. Depending on how you've configured your users, pick the template that best suits their configuration and authentication method.
The content of the email varies with the authentication method set for the user, such as phone call, SMS, or mobile app. If the user is required to use a PIN, the email includes their initial PIN and instructions to change it.
You can include a hyperlink in the email that directs users to complete their account enrollment through the Azure Multi-Factor Authentication User Portal, so they can reach the portal and finish their setup easily.
Available Verification Methods
In Entra MFA, users can provide a second form of authentication in addition to their password when signing in.
Some of the authentication mechanisms offered by Entra MFA include fingerprint and face scan verification.
A mobile app notification can also serve as a second form of authentication, requiring users to confirm their identity through the app.
Phone calls can be used as another verification method, with users receiving a call to enter a verification code.
These additional verification methods can be set up in the Access controls section of your policy, where you can choose to Require multi-factor authentication.
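As an added example (not the article's own steps, which use the portal), this PowerShell creates the Conditional Access policy described above, with "Require multi-factor authentication" as its access control, through the Microsoft Graph PowerShell SDK; the policy name, the report-only starting state, and the break-glass group ID placeholder are assumptions.

```powershell
# Added example (not from the original article): create a Conditional Access
# policy whose grant control is "Require multi-factor authentication", using
# the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is
# installed and the signed-in account can write Conditional Access policies.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object ID of an emergency-access (break-glass) group, excluded
# so a misconfigured policy cannot lock every administrator out.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

function New-RequireMfaPolicy {
    param([string]$ExcludedGroupId)
    $policy = @{
        displayName = 'CA-Require MFA for all users'
        # Start in report-only mode: sign-in logs show who would have been
        # challenged without blocking anyone. Switch to 'enabled' after review.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users        = @{
                includeUsers  = @('All')
                excludeGroups = @($ExcludedGroupId)
            }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')   # the "Require multi-factor authentication" control
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

$created = New-RequireMfaPolicy -ExcludedGroupId $breakGlassGroupId
"Created policy $($created.Id) in state $($created.State)"
```

Review the report-only results in the sign-in logs before switching the state to enabled.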
Advanced Configurations
You can configure Azure Multi-Factor Authentication (MFA) in various ways to suit your organization's needs. The available advanced configuration options are:
- User Portal: set up and configure the User Portal, including deployment and user self-service, so users can manage their own accounts and settings.
- Mobile App Web Service: deploy the Azure MFA Server Mobile App Web Service for a more seamless mobile app experience.
- Active Directory Federation Services: set up Azure MFA with AD FS to integrate with your existing Active Directory infrastructure.
- RADIUS Authentication: set up and configure the Azure MFA Server with RADIUS, which lets you authenticate users through a variety of methods, including tokens and smart cards.
- IIS, Windows Authentication, or LDAP Authentication: configure the Azure MFA Server for these authentication methods.
Remembered Devices and Certificates
Remembered Devices and Certificates is a powerful feature that can simplify the authentication process for your users.
Each Entra ID CA custom control is a single application in Duo, even though you may opt to apply that single control to multiple Entra ID or Office applications.
If you enable Remembered Devices on the Microsoft Azure Active Directory Duo application, a user who signs into one application that has that control applied and chooses to remember the device during Duo authentication won't need to perform Duo MFA again for other Entra ID and Office applications that have the same Duo control applied.
You can create multiple Duo custom controls with different settings if you want the Entra ID and Office applications you protect with Duo to have distinct Remembered Devices settings, or any other combination of Duo settings.
Active Directory
Active Directory is a crucial component of Azure MFA setup. To enable MFA in Azure AD, you need to sign in to the Azure portal as a global administrator and follow the steps outlined in the Azure AD MFA Setup article.
You can access the Azure AD MFA settings by going to Azure Active Directory > Security > MFA. From there, you can enable MFA for your organization and choose the authentication methods you want to allow, such as phone call, text message, or authentication app. Clicking the "Save" button will save your changes.
By following these steps, you can help protect your users' accounts and sensitive information from cybercriminals and other threats.
Active Directory: Securing Sign-in and Sign-up Flows
Securing sign-in and sign-up flows is crucial for protecting sensitive information and assets. Traditional username and password authentication has become less secure over time, as cybercriminals become more sophisticated in their methods of stealing login credentials.
Multi-factor authentication (MFA) adds an extra layer of security by requiring users to provide a second form of verification in addition to their username and password. This can be in the form of a security code sent to a mobile phone, a fingerprint scan, or a code generated by an authentication app.
To set up MFA in Azure Active Directory (AAD), you'll need to sign in as a global administrator and follow these steps: navigate to Azure Active Directory > Security > MFA, select the “Users” tab, click “Multi-factor authentication,” and then click the “Get started” button to enable MFA for your organization.
To set up MFA for sign-in and sign-up flows, you'll need to use custom policies in Azure AD B2C. This involves creating a new policy, choosing the “Sign-up or sign-in policy” option, and configuring the policy settings as desired.
Here are some common authentication methods you can allow for MFA:
- Phone call
- Text message
- Authentication app
By adding this extra layer of security, you can help protect your users' accounts and sensitive information from cybercriminals and other threats.
Configure ID
To configure ID, you'll need to set up multi-factor authentication (MFA) in Azure Active Directory. This adds an extra layer of security to protect your users' accounts and sensitive information.
First, sign in to the Azure portal as a global administrator. Then, go to Azure Active Directory > Security > MFA. Select the "Users" tab and click "Multi-factor authentication." Click the "Get started" button to enable MFA for your organization.
Next, choose the authentication methods you want to allow, such as phone call, text message, or authentication app. Click the "Save" button to save your changes.
To set up MFA for sign-in and sign-up flows, you'll need to use custom policies in Azure AD B2C. Here are the steps:
- Go to Azure Active Directory B2C > Policies.
- Create a new policy by clicking the “New policy” button.
- Choose the “Sign-up or sign-in policy” option and then click the “Create” button.
- Configure the policy settings as desired, such as specifying sign-up attributes.
- Go to the “Orchestration steps” section and click the “Add step” button.
- Choose the “MFA” step and then click the “Add” button.
- Configure the MFA settings as desired, such as specifying authentication methods.
To configure Duo Entra ID, you'll need to sign up for a Duo account and log in to the Duo Admin Panel. Navigate to Applications → Protect an Application and click Protect an Application. Locate Microsoft Azure Active Directory in the applications list and click Protect this Application.
You'll need to authorize Duo to read your Entra ID tenant, so click the Authorize button. Sign in with the designated Entra ID service administrator account that has the global administrator role for this Entra ID. Check the box next to Consent on behalf of your organization and then click Accept to grant Duo the read rights needed to access and read from your Entra ID tenant.
Note the Custom control JSON text in the "Details" section of the page. You'll need to provide this information to Entra ID to complete Duo authentication setup.
Frequently Asked Questions
What is the URL for MFA setup?
The URL for MFA setup is https://aka.ms/mfasetup. Sign in with your work email address and network password to access the setup page.
Sources
- https://github.com/Huachao/azure-content/blob/master/articles/multi-factor-authentication/multi-factor-authentication-get-started-server.md
- https://arindam-das.medium.com/azure-active-directory-mfa-setup-a-step-by-step-guide-to-securing-sign-in-and-sign-up-flows-49c829206c7f
- https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication
- https://duo.com/docs/azure-ca
- https://frontegg.com/guides/multi-factor-authentication-in-azure