Salaam, Namaste, Ola and Hello! My name is Shabaz Darr and this is the 6th day of the Azure Advent Calendar ( https://azureadventcalendar.com ). One of my main focuses in my role is Security, which is why I have chosen Azure Multi Factor Authentication as my topic for this blog.
Account passwords are historically one of the easiest security measures to hack, be it via ‘Brute Force attacks’ or users have simple passwords that are easy to guess. Attacks on organizations have become more complex over the years, however basic attacks, such as email phishing, that can be done by almost anyone are still a rather effective way of gaining access to an organizations most sensitive information.Multi-factor authentication is the process of identifying users by validating two of more characteristics that are unique to that users
Multi-factor authentication has evolved as the single most effective control to insulate an organization against remote attacks, and when implemented correctly (‘correctly’ being the key word), can prevent most attackers/threats from easily gaining an initial foothold into your environment.With so many MFA products out there, why use Azure MFA? It has most features that other leading MFA services offer, however I feel it’s the integration with the Microsoft Azure services as well as 3rd party applications that set it apart from other MFA services.
In the following blog, I will be discussing Microsoft interpretation of Multi Factor Authentication, requirements from a licensing perspective and finally the steps required within Azure to configure this.As I mentioned earlier, the definition of Multi Factor Authentication is when a user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism. This can be explained in a very simple and clever way:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a mobile phone)
- Something you are (biometrics like fingerprint or face)
Azure Multi-Factor Authentication helps protect access to data and applications with strong authentication via a range of different authentication methods:
Password: A users Azure AD password is considered an authentication method, one that cannot be disabled!
Security Questions: these are only available in Azure self-service password reset (SSPR) to non admin accounts. The questions can be less secure than other methods, so Microsoft recommend using them in conjunction with another method. There are many predefined questions to chose from, examples of which are:
- In what city did you meet you first spouse?
- What is your favourite food?
- In what city was your mother born?
- What is your father’s middle name?
Email Address: Microsoft recommends the use of an email account that would not require the user’s Azure AD password to access.
Microsoft Authenticator App: the Microsoft Authenticator app is available for Android, iOS and Windows Phone.
OATH hardware tokens: This open standard specifies how one-time password (OTP) codes are generated. Azure AD supports the use of OATH-TOTP SHA-1 tokens of the 30-second or 60-second variety.
SMS: Text message is one of the two phone authentication methods. An SMS is sent to a mobile phone number containing a verification code. The user must enter this verification code in the sign in page to continue.
Phone Call: This is the second phone authentication method. An automated voice call is made to the phone number provided. The user must answer the call and follow the automated instructions to continue. In both the Phone call and the SMS methods the mobile number is configured in the users Azure AD account.
App Password: App passwords come in handy with certain non-browser apps that do not support multi-factor authentication, however applications that use conditional access policies to control access do not need app passwords.
Licensing Requirements: Multi-Factor Authentication comes as part of the following offerings:
- Azure Active Directory Premium or Microsoft 365 Business – Full featured use of Azure MFA using Conditional Access policies.
- Azure AD free or standalone Office 365 licenses – Use pre-created conditional access baseline protection policies to require MFA for your users and Administrators
Before starting an MFA deployment in Azure there are prerequisite items that should be considered.
Microsoft recommend using Conditional Access to define their network using named locations. If your organization is using identity Protection, consider using risk-based policies of named locations. To configure a named location:
- Open Azure AD in the Azure portal
- Click Conditional Access
- Click Named Locations
- Click New Location and enter a meaningful Name
- Select whether you are defining the location using IP ranges or Countries/Regions
- Click Create
If using IP ranges decide where to make the location as trusted and specify the IP range. To enable MFA for users, in the Azure AD portal:
- Go to all users
- click on the Multi-Factor Authentication button
From this window you can manage user settings either on an individual basis or bulk number of users. The settings available are shown in the below image:
You can also enable is disable the users MFA status. There is also a ‘Service Settings’ tab where you can configure the following settings:
- App Passwords
- Trusted IPs
- Verification Options
- Remember Multi-Factor Authentication
App Password: With this setting you can either allow or not allow users to create app passwords to sign to non-browser apps
Trusted IPS: With this setting you can specify IP addresses or full subnets where you want to bypass MFA. This maybe trusted offices within your business or locations where you don’t want the MFA policy to apply.
Verification Options: With this setting you can specify the verification options you want available to users:
- Call to phone
- Text message to phone
- Notification through mobile app
- Verification code form mobile app or hardware token
Remember multi-factor authentication: You can specify if you want to allow users to remember MFA on devices they trust for a certain amount of days before they need to re-authenticate.
In summary, Azure MFA should be one of the first items you enable and configure in your Office 365 tenant to ensure a secure environment. Hope you find this helpful, if you would like any more information feel free to tweet me @shabazdarr or ask a question in the comments section below!