Azure MFA StrongAuthenticationService is a game-changer for securing your Azure AD.
It's designed to protect your organization's sensitive data from unauthorized access, and it's surprisingly easy to set up.
The StrongAuthenticationService uses a combination of authentication methods to verify user identities, including phone calls, SMS messages, and authenticator apps.
This multi-factor authentication approach significantly reduces the risk of phishing and password attacks.
By using Azure MFA, you can ensure that only authorized users can access your Azure AD resources.
Enable MFA
Enabling Azure MFA is a straightforward process that can be completed in a few simple steps. To start, log in to your Azure Portal and navigate to Active Directory.
You'll find the list of all users associated with your account by going to All Users. From there, click on Azure Multi-Factor Authentication.
To enable MFA for a specific user, click on the Enable option and follow the prompts to enter your credentials and install the Microsoft Authenticator App on your mobile phone.
Once you've installed the app, scan the QR code displayed on your screen to link your device to your Azure account.
The next time you log in, you'll receive a notification on your mobile phone asking you to Approve or Deny the sign-in attempt. Simply click Approve to complete the authentication process.
By following these simple steps, you can enable Azure MFA and add an extra layer of security to your account.
Here's a summary of the steps to enable Azure MFA:
- Sign in to the Azure Portal and navigate to Active Directory
- Open All Users and select Azure Multi-Factor Authentication
- Select the user, click Enable, and follow the prompts to enter your credentials
- Install the Microsoft Authenticator app on your mobile phone and scan the QR code shown on screen
- At the next sign-in, tap Approve on the notification sent to your phone
With Azure MFA enabled, you can rest assured that your account is protected with an additional layer of security.
Registration and Settings
Registration and settings for Azure MFA are crucial for a seamless user experience. You can access the Registration tab to view the number of users capable of multifactor authentication, passwordless authentication, and self-service password reset.
To get started, select any of the pre-filter options to show a list of matching users; the filters cover the same three capabilities: Azure multifactor authentication, passwordless authentication, and self-service password reset.
The Users registered by authentication method chart shows how many users are registered for each authentication method. The Recent registration by authentication method chart shows how many registrations succeeded and failed, broken down by authentication method, which helps you spot registration problems early.
To configure service settings, sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. Browse to Protection > Multifactor authentication > Getting started > Configure > Additional cloud-based MFA settings.
You can enable trusted IPs by using service settings. This allows you to configure trusted IPs without using Conditional Access policies. To do this, select the Trusted IPs option and choose one or both of the following options: Allow users to register their devices and Allow users to bypass MFA on trusted devices.
Here are some key options to consider when configuring service settings:
- Trusted IPs
- Remember multifactor authentication on trusted devices
- Account lockout
- Phone call settings (caller ID and voice greetings)
- Report suspicious activity
To enable remember multifactor authentication, sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. Browse to Identity > Users, select Per-user MFA, and then select service settings.
User Registration Details
User registration details are a crucial aspect of managing your organization's security. You can access these details through the Registration tab.
The registration details report shows information for each user, including their user principal name and name. This report is a valuable tool for understanding who has access to your organization's authentication methods.
The report also indicates whether a user is capable of multifactor authentication (MFA), passwordless authentication, and self-service password reset (SSPR). This information is essential for ensuring that your users have the necessary security measures in place.
Here are the details that can be found in the report:
- User principal name
- Name
- Whether the user is capable of multifactor authentication (MFA)
- Whether the user is capable of passwordless authentication
- Whether the user is capable of self-service password reset (SSPR)
MFA Service Settings
You can access service settings for Microsoft Entra multifactor authentication from the Microsoft Entra admin center.
This is a legacy portal, and you can find the settings by going to Protection > Multifactor authentication > Getting started > Configure > Additional cloud-based MFA settings.
A window or tab will open with additional service settings options.
You can configure the service settings to enable trusted IPs, which allows users to access your system from specific IP addresses without needing to enter a second form of verification.
To enable trusted IPs, you need to sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
Then, browse to Protection > Multifactor authentication > Additional cloud-based MFA settings.
On the Service settings page, under Trusted IPs, choose one or both of the following options:
- Specific range of IP addresses
- All Federated Users
Phone Call Settings
Phone call settings are a crucial part of Microsoft Entra multifactor authentication. You can configure users' experiences, such as caller ID or the voice greeting they hear.
In the United States, if you haven't configured MFA caller ID, voice calls from Microsoft come from a default number: +1 (855) 330-8653. Users with spam filters should exclude this number.
Microsoft Entra multifactor authentication always sends caller ID, but its delivery to the user's phone isn't guaranteed because of carrier routing issues. This applies to both phone calls and text messages.
To configure your own caller ID number, go to Protection > Multifactor authentication > Phone call settings. Set the MFA caller ID number to the number you want users to see on their phones. Only US-based numbers are allowed.
Here are the default caller ID numbers for various countries:
Security and Detection
Azure MFA StrongAuthenticationService is designed to detect and prevent security threats. It monitors Active Directory Object Modification, Application Log Content, and Logon Session Creation for suspicious activity.
To monitor for changes made to AD security settings related to MFA logon requirements, the monitoring maps to data source DS0026 (Active Directory Object Modification). This includes watching for changes to Azure AD Conditional Access policies or the registration of new MFA applications.
Analytic 1, associated with data source DS0015 (Application Log Content), tracks changes to MFA settings outside of normal maintenance windows. It looks for events such as UserAddedToMFAExcludedGroup, MFASettingsModified, MFASettingsDisabled, AddMFAOption, RemoveMFAOption, and MFAEnforcementDisabled.
To report suspicious activity, users can use Microsoft Authenticator or their phone to report fraudulent attempts. This integration with Microsoft Entra ID Protection provides better reporting capabilities and least-privileged administration.
Logon sessions for user accounts and devices that did not require MFA for authentication are also monitored, using data source DS0028 (Logon Session Creation).
Enable Trusted IPs via Service Settings
To enable trusted IPs via service settings, sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
You can access service settings from the Microsoft Entra admin center by going to Protection > Multifactor authentication > Getting started > Configure > Additional cloud-based MFA settings.
This is a legacy portal, but it still provides the necessary options to configure trusted IPs. Specifically, you can configure the service settings for Microsoft Entra multifactor authentication by using the following steps.
To do this, browse to Protection > Multifactor authentication > Additional cloud-based MFA settings, and on the Service settings page, under Trusted IPs, choose one or both of the following options: Specific range of IP addresses or All Federated Users.
Note that if you select the All Federated Users option, users bypass multifactor authentication by presenting a claim issued by Active Directory Federation Services (AD FS).
Also, keep in mind that trusted IP bypass works only from inside the company intranet, so users signing in from outside the company intranet will still need to authenticate using multifactor authentication.
Mitigations
To strengthen your security defenses, it's essential to implement effective mitigations. Implementing a robust audit process is crucial, as seen in Mitigation M1047, which involves reviewing MFA actions alongside authentication logs to ensure that MFA-based logins are functioning as intended.
Regularly reviewing user accounts to ensure that all accounts have MFA enabled is also vital. This helps prevent unauthorized access to sensitive information.
To further enhance security, consider configuring MFA solutions to "fail closed" rather than grant access in case of serious errors, as suggested in Mitigation M1032. This ensures that even in the event of an error, access is denied.
Having proper policies in place for user account management is also crucial. Mitigation M1018 emphasizes the importance of implementing policies that dictate the secure enrollment and deactivation of MFA for user accounts.
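The registration details report described earlier is the natural input for the account review recommended here. As an added example (not from the original page or from Microsoft's tooling), the following Python parses a CSV export of that report and lists the users who are not yet MFA-capable; the column names are assumed to mirror the report fields, and the rows are constructed sample data.

```python
import csv
import io

# Constructed sample export of the registration details report (not real tenant data).
# The column names are assumed to mirror the report fields: UPN, name, and the
# MFA / passwordless / SSPR capability flags.
SAMPLE_REPORT = """userPrincipalName,userDisplayName,isMfaCapable,isPasswordlessCapable,isSsprCapable
alice@contoso.example,Alice Adams,true,true,true
bob@contoso.example,Bob Brown,false,false,false
carol@contoso.example,Carol Cox,true,false,true
dave@contoso.example,Dave Dean,false,false,true
"""


def _flag(value):
    """Interpret the report's true/false strings as booleans."""
    return value.strip().lower() == "true"


def parse_report(text):
    """Parse the CSV export into one dict per user with boolean capability flags."""
    return [
        {
            "upn": row["userPrincipalName"],
            "name": row["userDisplayName"],
            "mfa": _flag(row["isMfaCapable"]),
            "passwordless": _flag(row["isPasswordlessCapable"]),
            "sspr": _flag(row["isSsprCapable"]),
        }
        for row in csv.DictReader(io.StringIO(text))
    ]


def review(users):
    """Return the UPNs that fail each check so the gaps can be worked off one by one."""
    return {
        "not_mfa_capable": [u["upn"] for u in users if not u["mfa"]],
        "not_sspr_capable": [u["upn"] for u in users if not u["sspr"]],
        "mfa_but_not_passwordless": [u["upn"] for u in users if u["mfa"] and not u["passwordless"]],
    }


def coverage(users):
    """Percentage of users capable of each method, rounded to one decimal place."""
    total = len(users) or 1
    return {key: round(100.0 * sum(u[key] for u in users) / total, 1)
            for key in ("mfa", "passwordless", "sspr")}


if __name__ == "__main__":
    users = parse_report(SAMPLE_REPORT)
    print(coverage(users))
    for check, upns in review(users).items():
        print(check, upns)
```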
Detection
Detection is a crucial aspect of security, and it's essential to monitor for potential threats. You can detect suspicious activity using various data sources, including Active Directory, Application Log, Logon Session, and User Account.
Active Directory Object Modification can be detected by monitoring changes made to AD security settings related to MFA logon requirements. This includes changes to Azure AD Conditional Access Policies or the registration of new MFA applications.
Application Log Content can be monitored for changes made to global multi-factor authentication settings in Identity-as-a-Service providers. For example, in Okta environments, the events system.mfa.factor.activate and system.mfa.factor.deactivate will trigger when an MFA factor is globally activated or deactivated.
Logon Session Creation can be monitored for logon sessions for user accounts and devices that did not require MFA for authentication. This includes successful logons without MFA, which can be detected by searching for event IDs such as 4624, 4648, or AuthenticationSuccess.
User Account Authentication can be monitored for account authentications in which MFA credentials are not provided by the user account to the authenticating entity. This can be done by searching for event codes such as UserAddedToMFAExcludedGroup, MFASettingsModified, or MFASettingsDisabled.
Here are some examples of detection methods:
- Active Directory Object Modification: changes to Azure AD Conditional Access policies or newly registered MFA applications
- Application Log Content: global MFA setting changes, such as Okta's system.mfa.factor.activate and system.mfa.factor.deactivate events
- Logon Session Creation: successful logons without MFA (event IDs 4624, 4648, or AuthenticationSuccess)
- User Account Authentication: event codes such as UserAddedToMFAExcludedGroup, MFASettingsModified, or MFASettingsDisabled
These detection methods can help you identify potential security threats and take action to prevent them.
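As an added example (not part of the original page or of any vendor tooling), the Python below runs two of these checks over constructed sign-in and audit events: successful sign-ins without MFA from outside the trusted IP ranges configured in service settings, and MFA settings changes outside a maintenance window. The event field names, the trusted range 203.0.113.0/24 and the Saturday 02:00-04:00 UTC window are all assumptions.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample events (not from a real tenant); the field names are assumed.
SIGNINS = [
    {"time": "2024-05-06T09:12:00", "user": "alice@contoso.example", "ip": "203.0.113.25", "status": "Success", "mfa": True},
    {"time": "2024-05-06T09:15:00", "user": "bob@contoso.example", "ip": "198.51.100.7", "status": "Success", "mfa": False},
    {"time": "2024-05-06T09:20:00", "user": "carol@contoso.example", "ip": "203.0.113.40", "status": "Success", "mfa": False},
    {"time": "2024-05-06T09:25:00", "user": "dave@contoso.example", "ip": "198.51.100.9", "status": "Failure", "mfa": False},
]
AUDIT = [
    {"time": "2024-05-04T02:30:00", "actor": "admin@contoso.example", "activity": "MFASettingsModified"},
    {"time": "2024-05-06T14:05:00", "actor": "admin@contoso.example", "activity": "UserAddedToMFAExcludedGroup"},
    {"time": "2024-05-06T14:06:00", "actor": "admin@contoso.example", "activity": "PasswordReset"},
]

# Assumed trusted IP range from service settings, and an assumed maintenance
# window of Saturdays 02:00-04:00 UTC (weekday() == 5 in Python).
TRUSTED_IPS = [ipaddress.ip_network("203.0.113.0/24")]
MAINT_WEEKDAY, MAINT_START, MAINT_END = 5, time(2, 0), time(4, 0)

# The MFA settings events listed in the Detection section above.
MFA_CHANGE_EVENTS = {
    "UserAddedToMFAExcludedGroup", "MFASettingsModified", "MFASettingsDisabled",
    "AddMFAOption", "RemoveMFAOption", "MFAEnforcementDisabled",
}

def in_trusted_range(ip, trusted=TRUSTED_IPS):
    """True if the address falls inside one of the configured trusted IP ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)

def in_maintenance_window(ts):
    """True if the timestamp falls inside the assumed maintenance window."""
    return ts.weekday() == MAINT_WEEKDAY and MAINT_START <= ts.time() < MAINT_END

def unexpected_non_mfa_logons(signins, trusted=TRUSTED_IPS):
    """Successful sign-ins with no MFA from outside the trusted ranges.
    Trusted-IP sign-ins are excluded because service settings let them skip MFA."""
    return [e["user"] for e in signins
            if e["status"] == "Success" and not e["mfa"]
            and not in_trusted_range(e["ip"], trusted)]

def off_window_mfa_changes(audit):
    """MFA settings changes that happened outside the maintenance window."""
    return [a["activity"] for a in audit
            if a["activity"] in MFA_CHANGE_EVENTS
            and not in_maintenance_window(datetime.fromisoformat(a["time"]))]
```

Failed sign-ins are deliberately ignored in the first check, and the second check only fires on the MFA-related activities, so an unrelated password reset in the same audit stream produces no alert.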
Account Lockout
You can specify how many failed attempts to allow before the account becomes locked out for a period of time. The account lockout settings include three options: the number of MFA denials that trigger account lockout, the minutes until the account lockout counter is reset, and the minutes until the account is automatically unblocked.
To configure account lockout settings, you'll need to sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator. Then, browse to Protection > Multifactor authentication > Account lockout, and enter the values for your environment.
The settings are as follows:
- Number of MFA denials that trigger account lockout
- Minutes until account lockout counter is reset
- Minutes until account is automatically unblocked
These settings can be configured by following the steps outlined above.
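As an added example (not Microsoft's implementation, whose internal counter semantics are not described on this page), this Python model shows how the three account lockout values interact. It assumes that the denial counter resets when no further denial arrives within the reset period of the previous one, and that the automatic unblock also clears the counter; the account name and timestamps are constructed.

```python
from datetime import datetime, timedelta

class MfaLockoutTracker:
    """Models the three account lockout settings listed above.

    Assumed semantics (not taken from Microsoft documentation): the denial
    counter resets when the previous denial is older than reset_minutes, and
    the automatic unblock after unblock_minutes also clears the counter.
    """
    def __init__(self, denials_to_lock=3, reset_minutes=5, unblock_minutes=15):
        self.denials_to_lock = denials_to_lock
        self.reset_after = timedelta(minutes=reset_minutes)
        self.unblock_after = timedelta(minutes=unblock_minutes)
        self._state = {}  # user -> {"denials", "last_denial", "locked_at"}

    @staticmethod
    def _fresh():
        return {"denials": 0, "last_denial": None, "locked_at": None}

    def is_locked(self, user, now):
        """Lock status at time `now`, applying the automatic unblock if due."""
        st = self._state.get(user)
        if st is None or st["locked_at"] is None:
            return False
        if now - st["locked_at"] >= self.unblock_after:
            self._state[user] = self._fresh()  # auto-unblock clears everything
            return False
        return True

    def record_denial(self, user, now):
        """Register one MFA denial at `now`; return True if the account is locked."""
        if self.is_locked(user, now):
            return True
        st = self._state.setdefault(user, self._fresh())
        if st["last_denial"] is not None and now - st["last_denial"] >= self.reset_after:
            st["denials"] = 0  # reset period elapsed without a new denial
        st["denials"] += 1
        st["last_denial"] = now
        if st["denials"] >= self.denials_to_lock:
            st["locked_at"] = now
            return True
        return False

def simulate(denial_minutes, check_minute, **settings):
    """Replay denials for a constructed user at minute offsets from a fixed epoch;
    return the lock result after each denial and the lock status at check_minute."""
    tracker = MfaLockoutTracker(**settings)
    start = datetime(2024, 5, 6, 9, 0)  # constructed epoch
    user = "user@contoso.example"
    results = [tracker.record_denial(user, start + timedelta(minutes=m)) for m in denial_minutes]
    return results, tracker.is_locked(user, start + timedelta(minutes=check_minute))
```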
Report Suspicious Activity
Report Suspicious Activity is a crucial feature in Microsoft Entra ID Protection that replaces legacy features like Fraud Alert and Notifications. Report Suspicious Activity allows users to report unknown and suspicious MFA prompts, which are then integrated with Microsoft Entra ID Protection for comprehensive coverage and capability.
The feature is designed to help administrators identify and mitigate potential security threats by setting users who report suspicious activity to High User Risk. This enables administrators to limit access for these users or enable self-service password reset (SSPR) for users to remediate problems on their own.
To enable Report Suspicious Activity, administrators need to sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator and browse to Protection > Authentication methods > Settings. They then need to set Report suspicious activity to Enabled and select All users or a specific group.
The feature also allows administrators to specify a custom voice reporting value, which is only applicable if custom greetings are uploaded by an Authentication Policy Administrator. If a custom voice reporting value is specified, it will be used instead of the default code of 0.
Here is a summary of the steps to enable Report Suspicious Activity:
- Sign in to the Microsoft Entra admin center as an Authentication Policy Administrator
- Browse to Protection > Authentication methods > Settings
- Set Report suspicious activity to Enabled
- Select All users or a specific group
- Specify a custom voice reporting value (if applicable)
- Click Save
Note that Report Suspicious Activity replaces Fraud Alert and Notifications due to its integration with Microsoft Entra ID Protection for risk-driven remediation, better reporting capabilities, and least-privileged administration. The Fraud Alert feature will be removed on March 1, 2025.
Sources
- https://attack.mitre.org/techniques/T1556/006/
- https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-methods-activity
- https://k21academy.com/microsoft-azure/az-500/azure-ad-multi-factor-authentication/
- https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings
- https://www.securew2.com/solutions/vpn-solutions/azure-mfa-vpn-integration-guide