To start enforcing MFA in Azure, navigate to the Azure portal and sign in with your Azure account credentials.
Azure Active Directory (Azure AD, now Microsoft Entra ID) offers a built-in MFA solution that can be enabled for all users or for specific groups.
It can be configured to use authenticator apps, SMS, or voice calls as the second factor.
For a more secure setup, prefer authenticator apps over SMS and voice calls, which are easier to intercept or socially engineer; for phishing-resistant authentication, passkeys (FIDO2) or certificate-based authentication are stronger still (see Accounts below).
Prerequisites
To enforce MFA in Azure, you'll need a few essential resources and privileges.
You'll need a working Microsoft Entra tenant with either Microsoft Entra ID P1 or trial licenses enabled. This will be the foundation for implementing MFA.
You'll also need an account with at least the Conditional Access Administrator role. This role will allow you to manage MFA settings.
Additionally, you'll need a non-administrator account with a password that you know. For this tutorial, we created such an account, named testuser, to test the end-user experience of configuring and using Microsoft Entra multifactor authentication.
To enable MFA for the testuser account, you'll also need a group that the non-administrator user is a member of. We created a group named MFA-Test-Group for this purpose.
Here are the specific resources and privileges you'll need:
- A working Microsoft Entra tenant with Microsoft Entra ID P1 or trial licenses enabled.
- An account with at least the Conditional Access Administrator role.
- A non-administrator account with a password that you know.
- A group that the non-administrator user is a member of.
Setting Up MFA
To set up Azure AD MFA, you configure it in the Azure portal (or the Microsoft Entra admin center). In a Conditional Access policy, the client app types you can target are Browser, Mobile apps and desktop clients, Exchange ActiveSync clients, and Other clients.
First, enable Azure AD Multi-Factor Authentication registration. Navigate to the Azure AD Identity Protection page in the Azure portal, select Multifactor authentication policy, and configure it as follows:
- Assignments: select All users, then under Include choose Select individuals and groups and pick the Azure AD group that contains your Azure Virtual Desktop users.
- Policy enforcement: set the switch to Enabled.
- Save.
Microsoft recommends moving from per-user MFA to Conditional Access MFA, which applies MFA based on policy rather than on each user's individual setting.
Configure Access
To configure the access control for multifactor authentication, switch to the Microsoft Entra admin center and select Identity, then Protection, then Conditional Access. From there, create a new policy and assign it to your users or groups.
Under Access controls, select Grant access. This is where you define what a user must satisfy to be granted access.
Then choose Require multifactor authentication to enforce MFA during sign-in events. This is the step that ensures users are properly authenticated before they reach your applications or services.
To finish the policy:
- Select Require multifactor authentication, and then choose Select.
- Set Enable policy to On.
- Select Create to create the policy.
By following these steps, you enforce multifactor authentication for the assigned users and protect your organization from sign-ins that rely on a password alone.
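The policy built in the steps above (Identity > Protection > Conditional Access, Grant access > Require multifactor authentication, Enable policy) can also be created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the page or from Microsoft's documentation. It assumes the Microsoft.Graph module is installed, the signed-in account holds at least the Conditional Access Administrator role, and the target group is the MFA-Test-Group from the prerequisites. It creates the policy in report-only mode first (the state the FAQ below suggests for guest users), so the effect can be checked in the sign-in logs, and then switches it to enabled.

```powershell
# Added example: create the "Require MFA" Conditional Access policy with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; signed-in account has at least the
# Conditional Access Administrator role; a group named MFA-Test-Group exists.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

# Resolve the group object ID from its display name (name taken from the prerequisites)
$group = Get-MgGroup -Filter "displayName eq 'MFA-Test-Group'"
if (-not $group) { throw "Group MFA-Test-Group not found in this tenant" }

$policy = @{
    displayName = "Require MFA for MFA-Test-Group"
    # Report-only: the policy is evaluated and logged but nobody is blocked or prompted yet
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @("All") }
        # The four client app types listed in the Setting Up MFA section
        clientAppTypes = @("browser","mobileAppsAndDesktopClients","exchangeActiveSync","other")
    }
    # "Grant access" with the "Require multifactor authentication" control
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After reviewing the sign-in logs for the report-only period, turn enforcement on.
# This is the "Enable policy: On" step from the portal walkthrough.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).State   # expected: enabled
```

Keeping the report-only step separate from enforcement is deliberate: the policy object is identical in both states, so the only change at go-live is the `state` property, and the sign-in log entries produced during the report-only window tell you which users and client app types would have been affected before anyone is locked out.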
Microsoft Entra
Microsoft Entra ID (formerly Azure Active Directory) is the identity service in which Azure MFA is configured. Its multifactor authentication feature adds a second verification step beyond the password, protecting your organization's resources from sign-ins that use a stolen or guessed password.
You can test Microsoft Entra multifactor authentication by signing in to a resource that doesn't require MFA, then closing the browser window and signing in again to the Microsoft Entra admin center. This prompts you to use Microsoft Entra multifactor authentication, or to register a method if you haven't yet done so.
A user's state in Microsoft Entra multifactor authentication reflects whether an Authentication Administrator enrolled them in per-user MFA. There are three distinct states:
- Disabled: the default for every new user; the user is not enrolled in per-user MFA.
- Enabled: the user is enrolled in per-user MFA but has not yet registered a method; they are prompted to register at their next modern-authentication sign-in, and legacy authentication protocols keep working with the password alone until registration completes.
- Enforced: the user is enrolled and has completed registration; MFA is required at sign-in, and legacy authentication protocols that cannot prompt for a second factor are interrupted.
Administrators can move users between states, including from Enforced back to Enabled or Disabled.
Microsoft Entra Multifactor
Microsoft Entra multifactor authentication is a security feature that requires users to provide an additional form of verification beyond their password.
You can test it by signing in to a resource that doesn't require MFA, then trying to sign in to the Microsoft Entra admin center, where you'll be prompted to register for and use MFA.
To configure Microsoft Entra multifactor authentication for user accounts, switch to the Microsoft Entra admin center, open the Identity left-hand navigation menu, then select Users and All users.
A user's MFA state reflects whether an Authentication Administrator has enrolled them in per-user MFA. The three distinct states are Disabled, Enabled, and Enforced.
Microsoft Entra Per-User
All users start out in the Disabled state for per-user Microsoft Entra multifactor authentication. A user's state reflects whether an Authentication Administrator enrolled them in per-user MFA; the three distinct states are Disabled, Enabled, and Enforced.
To manage user settings for Microsoft Entra multifactor authentication, see Manage user settings with Microsoft Entra multifactor authentication.
To change the per-user Microsoft Entra multifactor authentication state for a user, complete the following steps:
- Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
- Browse to Identity > Users > All users.
- Select a user account, and click Enable MFA.
To view or change a user's state programmatically, use the user's strongAuthenticationRequirements property. The user's state changes to Enabled when they are enrolled in per-user Microsoft Entra multifactor authentication.
Accounts and Users
To enforce MFA in Azure, you need to understand how accounts and users are affected. All users who sign in to Azure applications to perform create, read, update, or delete (CRUD) operations must complete MFA once enforcement begins.
Users aren't required to use MFA when they access other applications, websites, or services hosted on Azure; each application owner controls the authentication requirements for their own application. Break glass or emergency access accounts are also required to sign in with MFA once enforcement begins.
You can move a user toward the Enforced state by signing in to the Microsoft Entra admin center as an Authentication Policy Administrator, selecting the user account, and clicking Enable MFA; the user changes from Enabled to Enforced automatically once they register a method (see Update User Status below).
Accounts
All users who perform CRUD operations in the listed applications must complete MFA when enforcement begins.
Users aren't required to use MFA if they access other applications, websites, or services hosted on Azure.
Break glass or emergency access accounts must sign in with MFA once enforcement begins.
We recommend updating these accounts to use a passkey (FIDO2) or certificate-based authentication, both of which satisfy the MFA requirement.
Workload identities, like managed identities and service principals, aren't impacted by MFA enforcement.
User identities used to sign in as service accounts to run automation must sign in with MFA once enforcement begins, but user identities aren't recommended for automation.
Update User Status
To update a user's status in Microsoft Entra multifactor authentication, administrators can use the Microsoft Entra admin center. To do this, sign in as at least an Authentication Policy Administrator and browse to Identity > Users > All users.
Select a user account and click Enable MFA, but be aware that enabled users are automatically switched to Enforced when they register for multifactor authentication.
Administrators can also change the user state directly to Enforced if the user is already registered or if it's acceptable for the user to experience an interruption in connections to legacy authentication protocols.
However, if per-user MFA is re-enabled on a user and they don't re-register, their MFA state won't transition from Enabled to Enforced in the MFA management UI. In this case, administrators must move the user directly to Enforced.
To confirm a user's status, administrators can view the per-user multifactor authentication state by reading the user's strongAuthenticationRequirements property.
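The strongAuthenticationRequirements property named above (and under Microsoft Entra Per-User) is exposed by the legacy MSOnline PowerShell module, which Microsoft has deprecated; the following is an added example, not code from the page or from Microsoft's documentation, of reading and changing a user's per-user MFA state through that property. It assumes MSOnline is installed, the session holds at least the Authentication Policy Administrator role, and it uses "testuser@contoso.com" as a placeholder user principal name. An empty requirements collection is the Disabled state; Enabled and Enforced are stored as the State of a single requirement whose RelyingParty is "*".

```powershell
# Added example: read and set per-user MFA state via the legacy MSOnline module.
# Assumptions: MSOnline installed; caller has Authentication Policy Administrator or higher.
Import-Module MSOnline
Connect-MsolService

$upn = "testuser@contoso.com"   # placeholder UPN, replace with the real account

function Get-PerUserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # No requirement objects at all means the default state, Disabled
    if (-not $user.StrongAuthenticationRequirements -or $user.StrongAuthenticationRequirements.Count -eq 0) {
        return "Disabled"
    }
    # Otherwise the stored State is "Enabled" or "Enforced"
    return $user.StrongAuthenticationRequirements[0].State
}

function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet("Disabled","Enabled","Enforced")][string]$State
    )
    if ($State -eq "Disabled") {
        # Clearing the collection returns the user to Disabled
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"      # applies to every relying party
    $req.State        = $State   # "Enabled" (must still register) or "Enforced" (registration complete)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

"Before: $(Get-PerUserMfaState -UserPrincipalName $upn)"
# Enable MFA for the user; they move to Enforced on their own once they register a method
Set-PerUserMfaState -UserPrincipalName $upn -State Enabled
"After:  $(Get-PerUserMfaState -UserPrincipalName $upn)"
```

Setting a user straight to Enforced from a script is the scripted equivalent of the direct-to-Enforced option described above, so it carries the same consequence: clients using legacy authentication protocols for that user stop working until app passwords or modern clients are in place. Reading the state back after the change is the same check the portal's per-user MFA page performs.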
Frequently Asked Questions
How do I set my MFA to enforced?
To set MFA to enforced, enable it for a user account by selecting it and clicking Enable MFA. Once enabled, the user will be automatically switched to Enforced upon registering for Microsoft Entra multifactor authentication.
How do I enforce MFA for guest users in Azure?
To enforce MFA for guest users in Azure, go to Access controls > Grant, select Grant access and Require multifactor authentication. Then confirm your settings and create the policy with Enable policy set to Report-only, which logs what the policy would do so you can review the impact before switching it to On.
Sources
- https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa
- https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication
- https://evoila.com/blog/enforce-azure-ad-multi-factor-authentication-for-azure-virtual-desktop-using-conditional-access/
- https://microsoftlearning.github.io/SC-300-Identity-and-Access-Administrator/Instructions/Labs/Lab_08_EnableAzureADMultiFactorAuthentication.html
- https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates