Having enabled MFA in Azure AD (now Microsoft Entra ID), you have closed the most common path into a cloud tenant: a password that was guessed, leaked, or phished. MFA adds a second proof of identity on top of the password.
With MFA enabled, users must present a second factor, such as a code from an authenticator app, a push approval, or a biometric on a registered device, before a password grants access. A stolen password alone is no longer enough.
The benefits include a sharply reduced impact of password compromise and easier compliance with regulations that mandate strong authentication. MFA also blunts credential phishing, although SMS, voice and one-time-code factors can still be relayed by a real-time phishing proxy; only phishing-resistant methods close that gap.
Azure AD's MFA can also be combined with an existing identity provider, for example by accepting an MFA claim from a federated Okta org instead of prompting a second time.
Enable MFA
To enable multifactor authentication (MFA) in Azure AD, you can use security defaults or Conditional Access policies. If you purchased your subscription after October 21, 2019, security defaults have likely been automatically enabled for your subscription.
To turn on security default MFA, sign in to the Microsoft Entra admin center as a Security Administrator, browse to Identity > Overview > Properties, select Manage security defaults, and set Security defaults to Enabled. Then, select Save.
Alternatively, you can use Conditional Access policies to define events or applications that require MFA. This provides more granular controls than security defaults.
With Conditional Access, MFA enforcement breaks down into three parts:
- Microsoft Entra multifactor authentication supplies the prompt that asks users, or members of targeted groups, for additional verification during sign-in.
- Conditional Access policies decide when that prompt is required: by user, group, application, location, device state or sign-in risk.
- A typical policy allows an unprompted sign-in from the corporate network or a compliant, managed device, and demands the additional factor when the user is remote or on a personal device.
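The policy sketched above, written out as an added example with the Microsoft Graph PowerShell SDK. This is not code from the original page or from Microsoft's documentation; it assumes the Microsoft.Graph module is installed, an account that can write Conditional Access policies, and a placeholder group ID for emergency-access accounts. Note that Conditional Access has no "registered device" grant control: compliant device and hybrid-joined device are the nearest equivalents.

```powershell
# Added example (not from the page): require MFA everywhere except on trusted networks
# or compliant / hybrid-joined devices. Assumes Microsoft.Graph PowerShell is installed;
# the group ID is a placeholder for your emergency-access (break-glass) group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

$policy = @{
    displayName = "Require MFA unless trusted location or compliant device"
    # Start in report-only mode so the impact shows up in sign-in logs before anyone is blocked.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out the emergency accounts
        }
        applications = @{ includeApplications = @("All") }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")      # trusted named locations (corporate egress IPs)
        }
    }
    grantControls = @{
        # "OR": satisfying any one control is enough, so a compliant or hybrid-joined device
        # signs in without a prompt while every other sign-in must pass MFA.
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results, then switch `state` to `enabled`. Excluding trusted locations is a convenience trade-off: an attacker who already has a foothold on the corporate network also skips the prompt, so keep the trusted-location list tight.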
Tenants federated to Okta can let Okta's MFA satisfy the Azure AD requirement; the scenarios are described under Okta MFA Satisfies below.
Azure AD B2C, the customer-facing product, has its own MFA setting per user flow. To enable it, sign in to the Azure portal, select Azure AD B2C, and select User flows. Then select the user flow for which you want to enable MFA, select Properties, and set the desired Type of method under Multifactor authentication. Select Save to enable MFA for that user flow.
Verification Methods
MFA in Azure AD B2C protects customer accounts from unauthorized access; you decide in the user flow when users are challenged. The methods below are the options a B2C user flow offers.
Email sends a one-time password (OTP) to the user's email address, and the user must enter that code to reach the application.
SMS or phone call prompts the user to provide and verify a phone number during sign-up or sign-in; the user then chooses a text message or a voice call to verify their identity.
Authenticator app - TOTP requires users to install an authenticator app, such as Microsoft Authenticator, on their device. The app generates a time-based one-time password (TOTP) that the user types in to access the application.
The available Type of method settings are:
- Email
- SMS or phone call
- Phone call only
- SMS only
- Authenticator app - TOTP
Authenticator app - TOTP is stronger than SMS/phone-based verification (phone numbers can be ported or SIM-swapped, and telephony OTPs are routinely intercepted), and email is the weakest option because a compromised mailbox yields the second factor along with password-reset links. None of these OTP methods resists real-time phishing: a proxy that relays the code within its validity window still gets in.
Conditional Access Policies
Conditional Access policies give you finer control over sign-in security: a policy reacts to the signals of each sign-in (user, group, application, location, device state, risk) and can require additional actions, such as MFA, before access is granted.
You can start from the built-in Conditional Access templates, which cover common baselines such as requiring MFA for all users and for administrators.
Conditional Access is available to customers who bought Microsoft Entra ID P1, or a license that includes it, such as Microsoft 365 Business Premium or Microsoft 365 E3.
Security defaults and Conditional Access cannot be active together, so turn security defaults off once your policies take over. Also disable legacy per-user MFA for users covered by a policy: per-user MFA prompts unconditionally, so leaving both on produces inconsistent prompts and defeats the exclusions in the policy.
Risk-based Conditional Access (the sign-in risk and user risk conditions) requires a Microsoft Entra ID P2 license, or a license that includes it, such as Microsoft 365 E5.
For more information on creating a Conditional Access policy, see the Microsoft documentation.
Okta MFA Satisfies
When Azure AD is federated to Okta and Azure AD requires MFA, Okta MFA can satisfy that requirement. Without it, Azure AD redirects the user to Okta for MFA, Okta returns a sign-in without an MFA claim, Azure AD redirects again, and the user is stuck in an infinite sign-in loop.
To configure this, Okta org-level MFA must be enabled, so that every Azure AD sign-in that passes through Okta is challenged.
If Okta app-level MFA is also enabled, users complete a single MFA prompt in Okta, and Okta passes the MFA claim to Azure AD.
Azure AD accepts the MFA performed by Okta and does not prompt for a separate MFA.
In short: with Okta org-level MFA enabled, the loop cannot occur and users see one prompt; without it, Azure AD never receives the MFA claim it requires.
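The tenant-side half of this arrangement is not on the page: Azure AD only honors the federated IdP's MFA claim if the domain's federation configuration says so. The Microsoft Graph property is federatedIdpMfaBehavior (the successor to the older SupportsMfa flag of Set-MsolDomainFederationSettings). The following is an added example, not from the page or from the Okta or Microsoft documentation; it assumes the Microsoft.Graph PowerShell SDK and uses contoso.com as a placeholder for the domain federated to Okta.

```powershell
# Added example: check and set how Azure AD treats MFA performed by the federated IdP (Okta).
# Assumptions: Microsoft.Graph PowerShell SDK installed; the domain below is a placeholder
# for the domain federated to Okta.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domainId = "contoso.com"   # placeholder

# Current federation configuration for the domain, including the MFA behavior.
$fed = Get-MgDomainFederationConfiguration -DomainId $domainId
$fed | Select-Object Id, IssuerUri, PassiveSignInUri, FederatedIdpMfaBehavior

# acceptIfMfaDoneByFederatedIdp: honor Okta's MFA claim; if it is absent, run Entra MFA.
# enforceMfaByFederatedIdp:      always send the user to Okta for MFA (relies on Okta actually doing it).
# rejectMfaByFederatedIdp:       ignore Okta's claim and always run Entra MFA.
Update-MgDomainFederationConfiguration -DomainId $domainId -InternalDomainFederationId $fed.Id `
    -FederatedIdpMfaBehavior "acceptIfMfaDoneByFederatedIdp"

# Re-read to confirm the change took effect.
(Get-MgDomainFederationConfiguration -DomainId $domainId).FederatedIdpMfaBehavior
```

Pick acceptIfMfaDoneByFederatedIdp when Okta org-level MFA is on and you want a single prompt; pick rejectMfaByFederatedIdp if you do not trust the federated IdP's MFA claim, at the cost of a second prompt.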
Frequently Asked Questions
How do I check my Azure AD MFA status?
To check a user's per-user MFA state, sign in to the Azure portal (or the Microsoft Entra admin center) with a role that can manage authentication and go to Azure Active Directory > Users > All users > Per-user MFA; the user state column shows Disabled, Enabled or Enforced. That page reflects only the legacy per-user setting. A user can show Disabled there and still be required to use MFA by security defaults or a Conditional Access policy, and a user can show Enforced and still have no usable method registered, so the authentication methods registration report (User registration details) is the better answer to whether MFA actually works for someone.
Where to check MFA logs?
MFA events are recorded in the Azure AD sign-in logs (Azure portal > Azure Active Directory > Sign-in logs): open a sign-in and check the Authentication Details tab, which lists each factor, whether it succeeded, and the Authentication requirement (single-factor or multifactor). The Audit logs record changes rather than sign-ins, for example a user registering or an admin resetting an authentication method. Sign-in logs are retained for 30 days on P1/P2 tenants (7 days on the free tier), so export them to Log Analytics or a SIEM if you need longer history.
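Both FAQ answers, the MFA status check and the MFA log query, can be done from the command line. The following is an added example, not from the original page; it assumes the Microsoft.Graph PowerShell SDK and an account permitted to read the registration report and sign-in logs (Reports Reader or Global Reader, for instance). The 7-day window is an assumption; narrow it in a large tenant.

```powershell
# Added example: answer both FAQ questions from the command line instead of the portal.
# Assumptions: Microsoft.Graph PowerShell SDK installed; an account with Reports Reader
# or Global Reader (or equivalent) to read registration details and sign-in logs.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. MFA status: the registration report shows who actually has a usable second factor,
#    independent of whether per-user MFA, security defaults or Conditional Access enforces it.
$notRegistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaCapable, DefaultMfaMethod,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } }
$notRegistered | Format-Table -AutoSize

# 2. MFA logs: sign-ins that required MFA in the last 7 days. ErrorCode 0 is success;
#    AADSTS500121 means the strong-authentication step failed or was never completed.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$mfaSignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationRequirement -eq 'multiFactorAuthentication' } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
                  @{ n = 'Factor';    e = { $_.MfaDetail.AuthMethod } }

# Failed MFA attempts per user: a pile of 500121s on one account is either MFA fatigue
# (push spamming with a stolen password) or someone guessing codes. Either way, investigate.
$mfaSignIns | Where-Object { $_.ErrorCode -eq 500121 } |
    Group-Object UserPrincipalName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The first query is the one to run before enforcing a Conditional Access policy: every user it returns will be locked out by a require-MFA grant until they register a method.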
Sources
- https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication
- https://www.safesystems.com/blog/2023/09/using-conditional-access-policies-and-mfa-to-enhance-azure-ad-security/
- https://learn.microsoft.com/en-us/azure/active-directory-b2c/multi-factor-authentication
- https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks
- https://help.okta.com/en-us/content/topics/apps/office365/use_okta_mfa_azure_ad_mfa.htm