Azure Two Factor Authentication Setup and Configuration Guide

Setting up Azure Two Factor Authentication can seem daunting, but don't worry, it's easier than you think.

You can use the Azure portal to set up two-factor authentication, which is the recommended method. To get started, navigate to the Azure portal and sign in with your Azure account.

The Azure portal offers a user-friendly interface to guide you through the setup process. It's a great option if you're not comfortable with the command line or scripting.

Requirements and Prerequisites

To set up Azure Two Factor Authentication, you need to meet certain requirements. Your Office 365 tenant must support MFA (modern authentication). Check this by running `Get-OrganizationConfig | Format-Table name, *OAuth*` in the Exchange Management Shell and confirming that `OAuth2ClientProfileEnabled` is `True`.

Not all Office 365 tenants have ADAL functionality enabled by default, especially older tenants. To enable it on an organization level, use the command `Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true`.

For Skype for Business Online clients, check the ADAL support by running `Get-CsOAuthConfiguration | select *client*`. If it's not enabled, use `Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed` to enable it.
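The two checks above combined into one script, as an added example that is not part of the original article: it reads the Exchange Online and Skype for Business Online settings, reports which are off, and changes them only when run with `-Enable` (and honours `-WhatIf`). It assumes you already have the Exchange Online session and the Skype for Business Online session the article's commands run in.

```powershell
# Added example (not from the original article): report modern-auth (OAuth/ADAL)
# state for Exchange Online and Skype for Business Online, enabling it on request.
# Assumes active Exchange Online and Skype for Business Online PowerShell sessions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enable   # without this switch the script only reports
)

# --- Exchange Online: OAuth2ClientProfileEnabled must be True for MFA-aware clients
$exo = Get-OrganizationConfig | Select-Object Name, OAuth2ClientProfileEnabled
if ($exo.OAuth2ClientProfileEnabled) {
    Write-Host "Exchange Online ($($exo.Name)): modern auth already enabled"
} elseif ($Enable -and $PSCmdlet.ShouldProcess($exo.Name, 'Enable OAuth2ClientProfileEnabled')) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
    Write-Host "Exchange Online ($($exo.Name)): modern auth enabled"
} else {
    Write-Warning "Exchange Online ($($exo.Name)): modern auth is DISABLED (re-run with -Enable to fix)"
}

# --- Skype for Business Online: ClientAdalAuthOverride must be Allowed
$sfb = Get-CsOAuthConfiguration | Select-Object Identity, ClientAdalAuthOverride
if ($sfb.ClientAdalAuthOverride -eq 'Allowed') {
    Write-Host "Skype for Business Online: ADAL client auth already allowed"
} elseif ($Enable -and $PSCmdlet.ShouldProcess($sfb.Identity, 'Set ClientAdalAuthOverride to Allowed')) {
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    Write-Host "Skype for Business Online: ADAL client auth allowed"
} else {
    Write-Warning "Skype for Business Online: ADAL client auth is '$($sfb.ClientAdalAuthOverride)' (re-run with -Enable to fix)"
}
```

Run it once without `-Enable` to get a read-only report, then `.\Check-ModernAuth.ps1 -Enable -WhatIf` to see what would change before applying it.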

Older apps or apps that don't support MFA through ADAL can use an AppPassword, which is a special password for a specific device. You can create an AppPassword the first time you use MFA on a device.

To make authentication easier on mobile devices, install the Microsoft Authenticator app. The app stores the MFA registration on the device itself, so that registration is bound to that specific device.

To set up Duo MFA with Entra ID, you need an active Entra ID P1 or P2 subscription, including Conditional Access, with P1/P2 licenses assigned to each user. You also need a designated Entra ID admin service account with the Entra ID Global Administrator role.

A designated Entra ID admin service account is required to authorize the Duo application access. This account may or may not require Entra ID MFA for admins at login.

Enabling Two-Factor Authentication

To enable MFA for cloud accounts, you'll need to log in to the Microsoft Online Portal and select Active Users, then click on the More drop-down box and select Multifactor Authentication Setup.

In the service settings you can change options such as whether users may create AppPasswords, which authentication methods are allowed, and how long an MFA authentication is remembered before the user is prompted again.

Make sure the "Allow users to create app passwords to sign in to non-browser apps" option is selected. This allows users to access non-browser apps without needing to re-authenticate with MFA.

If you purchased your subscription after October 21, 2019, security defaults have been automatically enabled for your subscription, and you won't need to take any further action.

To enable security defaults for subscriptions purchased before October 2019, follow these steps: sign in to the Microsoft Entra admin center as a Security Administrator, browse to Identity > Overview > Properties, select Manage security defaults, set Security defaults to Enabled, and select Save.
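The same check and change done through Microsoft Graph PowerShell rather than the admin center, as an added example that is not from the original article. It reads the tenant's security defaults state, enables it if it is off, and refuses to do so while enabled Conditional Access policies exist (the two mechanisms cannot both be enabled). It assumes the Microsoft.Graph modules are installed and `Connect-MgGraph` works for your account.

```powershell
# Added example (not from the original article): enable security defaults via Graph.
# Assumes the Microsoft.Graph PowerShell SDK; scopes below are the Graph permissions
# needed to read policies and write the security defaults enforcement policy.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($policy.IsEnabled) {
    Write-Host 'Security defaults: already enabled'
    return
}

# Security defaults and Conditional Access are mutually exclusive: if any CA policy
# is enabled, MFA should be enforced through Conditional Access instead.
$enabledCa = @(Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' })
if ($enabledCa.Count -gt 0) {
    $msg = 'Security defaults are off and {0} Conditional Access policy(ies) are enabled; enforce MFA through Conditional Access.' -f $enabledCa.Count
    Write-Warning $msg
    return
}

Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
Write-Host 'Security defaults: enabled'
```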

Microsoft Entra offers multiple ways to enable MFA for users. The options available through Microsoft Entra are:

  • Microsoft Authenticator
  • FIDO2 security keys
  • Certificate-based authentication
  • Passkeys
  • SMS or voice approval

Conditional Access Policies

Conditional Access policies can offer more control over sign-in security needs, allowing you to create policies that react to sign-in events and request additional actions before granting access to an application or service.

Conditional Access is available for customers who bought Microsoft Entra ID P1, or licenses that include this, such as Microsoft 365 Business Premium, and Microsoft 365 E3. This feature lets you create and define policies that evaluate user access attempts to applications and grant access only when the access request satisfies specified requirements.

To get started with Conditional Access, you can use templates, which can be found in the Microsoft Entra admin center. This will help you create and apply policies quickly and easily.

Duo's custom control for Microsoft Entra ID Conditional Access provides strong secondary authentication to Entra ID logons. This control can be used to create policies that require Duo MFA for specific users or applications.

To create a Duo Conditional Access policy, follow these steps:

  1. Click Policies on the left and then click New Policy in the Microsoft Entra admin center.
  2. Enter a descriptive name for the new policy, like "Require Duo MFA".
  3. Make your desired policy assignments, such as assigning the policy to selected users or Entra ID security groups.
  4. Click Grant under "Access controls" and select the RequireDuoMFA custom control.
  5. Click Select when done and then click the On toggle switch underneath "Enable policy".

You can also create multiple Duo Conditional Access policies with unique Duo policy settings to apply to different Entra ID applications or users. To do this, you'll need to edit the custom control JSON text provided by Duo with some unique values before saving the new control.

By using Conditional Access policies, you can ensure that your users are authenticated securely and that your organization's data is protected.
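The policy from the steps above expressed as a Graph object and created with Microsoft Graph PowerShell, as an added example that is not part of the original article or Duo's documentation. It uses the built-in `mfa` grant control rather than Duo's custom control (whose id comes from the JSON text Duo provides and is pasted in through the portal as the article describes), scopes the policy to a pilot group, excludes an emergency-access account, and starts in report-only state so the sign-in log shows what it would have done before it enforces anything. The group id, account id and policy name are placeholders.

```powershell
# Added example (not from the original article): create a "Require MFA" Conditional
# Access policy via Microsoft Graph PowerShell, initially in report-only mode.
# Assumes the Microsoft.Graph SDK; ids below are placeholders to replace.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All' -NoWelcome

$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: pilot users group
$breakGlassId = '11111111-1111-1111-1111-111111111111'   # placeholder: emergency-access account

$policy = @{
    displayName = 'Require MFA - pilot (report-only)'
    # 'enabledForReportingButNotEnforced' logs the outcome without blocking sign-ins;
    # switch to 'enabled' after reviewing the sign-in log.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassId)   # never lock out the emergency account
        }
        applications = @{
            includeApplications = @('All')     # equivalent to "All cloud apps" in the portal
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')             # built-in MFA grant; Duo's custom control is applied in the portal
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' [$($created.Id)] in state $($created.State)"
```

Leave the policy in report-only state for a pilot period, check the `AppliedConditionalAccessPolicies` results in the sign-in log for the pilot group, and only then change `state` to `enabled`.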

Duo Integration

To integrate Duo with Azure Active Directory, you'll need to create a Duo Entra ID application. This involves signing up for a Duo account and logging in to the Duo Admin Panel.

First, navigate to Applications → Protect an Application and click Protect this Application. You'll then need to authorize Duo to access your Entra ID tenant, which involves signing in with the designated Entra ID service administrator account.

Once you've authorized Duo, you'll need to create a Duo MFA custom control. This involves logging in to your Entra ID tenant and going to Protection → Conditional Access, where you can create a new custom control by pasting in the custom control JSON text from the Duo Admin Panel.

To apply this custom control, you'll need to create a new conditional access policy. This involves clicking Policies on the left and then clicking New Policy, where you can enter a descriptive name for the new policy and make your desired policy assignments.

To enable the policy, click the On toggle switch underneath "Enable policy", and then click Create. Entra ID creates and enables the new policy.

Here's a summary of the steps involved in creating a Duo Entra ID application and custom control:

  • Create a Duo Entra ID application
  • Authorize Duo to access your Entra ID tenant
  • Create a Duo MFA custom control
  • Create a new conditional access policy
  • Enable the policy

By following these steps, you can integrate Duo with Azure Active Directory and require Duo MFA for users to access certain resources.

Testing and Troubleshooting

To test your Azure Two Factor setup, log in to Entra ID as a user assigned the Duo MFA policy. If you applied the policy to "All cloud apps", you will be redirected to the Duo Prompt (or to Duo user enrollment); completing Duo authentication returns you to Entra ID to finish the login.

If you've applied the policy to specific applications, you won't be prompted for Duo MFA during the initial Office portal login, but you will be prompted when accessing the protected application from within the Office portal or directly.
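A way to confirm the test from the log rather than from what the browser showed, as an added example that is not part of the original article: it pulls the test user's most recent sign-ins from the Entra ID sign-in log and lists whether MFA was required and which Conditional Access policies applied with what result. It assumes the Microsoft.Graph SDK and the audit-log read permission; the user principal name is a placeholder.

```powershell
# Added example (not from the original article): inspect recent sign-ins for a test
# user to verify that the MFA policy was applied. Assumes the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$upn = 'testuser@example.com'   # placeholder: the user assigned the Duo MFA policy

Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 10 |
    ForEach-Object {
        $s = $_
        [pscustomobject]@{
            Time     = $s.CreatedDateTime
            App      = $s.AppDisplayName
            # singleFactorAuthentication vs multiFactorAuthentication
            AuthReq  = $s.AuthenticationRequirement
            # success / failure / notApplied: whether any CA policy was evaluated
            CAStatus = $s.ConditionalAccessStatus
            # per-policy result, e.g. "Require Duo MFA=success" or "...=reportOnlySuccess"
            Policies = ($s.AppliedConditionalAccessPolicies |
                        ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; '
            Error    = $s.Status.ErrorCode   # 0 = successful sign-in
        }
    } | Format-Table -AutoSize
```

A sign-in to a protected app that shows `AuthReq` of `singleFactorAuthentication` with the policy listed as `notApplied` means the policy's assignments did not match that user or application, which is the first thing to check when the Duo Prompt never appears.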

When Security Codes Aren't Available

If you're trying to use two-step verification but keep getting an "incorrect password" error, it's likely because security codes aren't available for your app or device.

Some apps, like mail apps on phones, and devices, like the Xbox 360, can't use regular security codes.

If you see this error, you'll need to create an app password for that app or device, which is only available if you have two-step verification turned on.

App passwords are a special type of password that's just for certain apps or devices, and they can be used instead of regular security codes.

You can read more about creating and using app passwords in a separate section.

Frequently Asked Questions

Is MFA mandatory in Azure?

Yes, MFA is mandatory in Azure with no exceptions. Mandatory MFA will roll out to the Microsoft 365 admin center starting early in 2025.

Is Microsoft Authenticator 2FA or MFA?

Microsoft Authenticator is a Multi-Factor Authentication (MFA) solution, not Two-Factor Authentication (2FA), providing a secure and convenient verification experience. It's a key component of Microsoft 365's robust security features.

Francis McKenzie

Writer
