Step by step: Configuring multi-factor authentication (MFA) in Azure AD
02/01/2024
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in configuring and implementing Multi-Factor Authentication (MFA) in Azure Active Directory (now Microsoft Entra ID). MFA is an essential security layer that requires users to provide two or more forms of verification to prove their identity before gaining access, significantly reducing the risk of account compromise [1].
Introduction
In today's cyber threat landscape, passwords alone are no longer enough to protect user accounts. Phishing attacks, password spraying, and credential theft are common tactics used by attackers. Multi-Factor Authentication (MFA) adds a critical layer of security by requiring users to provide two or more of the following: something they know (password), something they have (phone, hardware token), or something they are (fingerprint, facial recognition). Implementing MFA is one of the most effective security measures an organization can take to protect its resources in Microsoft Entra ID and associated services [2].
This how-to guide will cover the steps for setting up MFA in Azure AD, focusing on different implementation methods, from basic configurations to using Conditional Access Policies for more granular control. Step-by-step instructions, example configurations, and validation methods will be provided to ensure that the reader can effectively apply MFA in their environment.
Why is MFA crucial?
- Risk Reduction: Dramatically reduces the likelihood of account compromise, even if passwords are stolen.
- Compliance: Many security standards and regulations require the implementation of MFA to protect sensitive data.
- Phishing Protection: Adds a barrier against phishing attacks, as the attacker would need not only the password, but also the second factor.
- Flexibility: Azure AD offers multiple second-factor options such as Microsoft Authenticator app, SMS, phone call, and hardware tokens, allowing users to choose the most convenient and secure method.
Prerequisites
To set up MFA in Azure AD, you'll need the following items:
- Licensing: A license that includes Azure AD MFA features. This can be Azure AD Free (with Security Defaults), Azure AD Premium P1 or P2 (for Conditional Access), or Microsoft 365 licenses that include Azure AD Premium [3].
- Administrative Access: An account with Global Administrator or Authentication Administrator permissions in the Azure portal (portal.azure.com) or Microsoft Entra admin center (entra.microsoft.com).
- Test Devices: At least one test user account and one device (smartphone) to configure and validate MFA.
- Emergency Access Accounts: It is good practice to create and secure break-glass accounts that are exempt from MFA to avoid lockouts in case of problems with the MFA system [4].
Step by Step: Configuring Multi-Factor Authentication (MFA) in Azure AD
There are a few ways to enable MFA in Azure AD. We'll cover the two most common: Security Defaults (for quick, basic configurations) and Conditional Access Policies (for granular control).
Option 1: Enable MFA using Security Defaults (Recommended for small and medium businesses)
Security Defaults provide a basic set of Microsoft-recommended security policies, including requiring MFA for all users and administrators. It's a simple and effective way to quickly increase security.
- Access the Microsoft Entra admin center: https://entra.microsoft.com.
- In the left navigation pane, go to Protection > Security Overview.
- In the Enable Security Defaults section, click Manage Security Defaults.
- In the Security Defaults pane, set the Enable Security Defaults option to Yes.
- Click Save.
Note: Once enabled, Security Defaults will require all users to configure MFA on their next login. They will be asked to register the Microsoft Authenticator app. Security Defaults are ideal for organizations that do not have Azure AD Premium P1 or P2 licenses and need a fast, standardized MFA implementation. It is not possible to use Conditional Access and Security Defaults simultaneously; one disables the other.
Option 2: Enable MFA using Conditional Access Policies (Recommended for granular control and larger enterprises)
Conditional Access (CA) Policies allow you to define specific conditions under which MFA will be required, offering much more flexibility than Security Defaults. This option requires an Azure AD Premium P1 or P2 license.
2.1. Create a Test User Group
It's a good practice to test Conditional Access policies on a small group of users before deploying to your entire organization.
- In the Microsoft Entra admin center, go to Identity > Groups > All Groups.
- Click New Group.
- Fill in the details:
- Group type: Security
- Group name: MFA_Users_Test
- Azure AD roles can be assigned to group: No
- Membership Type: Assigned
- Add test users as members and click Create.
2.2. Create a Conditional Access Policy to Require MFA
- In the Microsoft Entra admin center, go to Protection > Conditional Access.
- Click New Policy > Create New Policy.
- Name: Require MFA for all users (or Require MFA for Test Group if testing).
- Assignments:
- Users or workload identities: Select All users (or the MFA_Users_Test group for testing).
- Exclude: It's crucial to exclude your emergency access accounts here to avoid locking yourself out. Also add any service accounts that cannot use MFA.
- Target resources (cloud apps or actions): Select All cloud apps.
- Conditions (Optional, for additional granularity):
- You can configure conditions based on location, devices, client applications, etc. For example, require MFA only for access from outside the corporate network.
- Grant:
- Select Grant access.
- Check Require multi-factor authentication.
- Click Select.
- Session (Optional):
- You can configure login frequency control or session persistence.
- Enable Policy: Set to Report Only to test the impact before applying, or On to apply immediately.
- Click Create.
2.3. Configure Authentication Methods
It's important to define which MFA methods are available to users.
- In the Microsoft Entra admin center, go to Protection > Authentication Methods > Policies.
- Here you can enable or disable methods like Microsoft Authenticator, SMS, Voice Call, etc. It is recommended to enable Microsoft Authenticator and SMS as primary methods.
- Configure options for each method, such as the Authenticator mode (passwordless or push notification).
Validation and Testing
After configuring MFA, it is essential to validate that it is working as expected.
1. Test a User Login
- Open a browser window in incognito/private mode.
- Navigate to an application that the MFA policy covers (e.g. portal.office.com).
- Log in with the account of a user who is included in the MFA policy.
- The user should be asked to configure MFA (if this is the first login after enabling) or to provide the second factor (e.g. approve the notification in Microsoft Authenticator, enter SMS code).
2. Check MFA Registration Status
- In the Microsoft Entra admin center, go to Identity > Users > All Users.
- Click a user and then Authentication Methods.
- Check the authentication methods registered for the user. This will confirm that the user has successfully set up MFA.
3. Use Report Only Mode (for Conditional Access)
If you configured the Conditional Access policy in Report only mode, you can verify the results without enforcement.
- In the Microsoft Entra admin center, go to Protection > Conditional Access.
- Click on the policy you created and go to the Report only tab.
- Analyze the results to see which users and applications would be affected by the policy and whether MFA would be required.
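The assignment logic of the section 2.2 policy (all users, break-glass exclusion, optional location condition) and the Report-only readout in step 3 above, as an added Python example that is not part of the original article or of Microsoft's tooling: the group ids, users and sign-in records are constructed, and the evaluator is a simplified model of how a Conditional Access policy scopes sign-ins, not the real engine.

```python
# Offline model of the section 2.2 policy (added example; all data below is constructed).
# POLICY follows the Microsoft Graph conditionalAccessPolicy schema (POST /identity/conditionalAccess/policies).
BREAK_GLASS_GROUP = "grp-break-glass"   # assumed object id of the break-glass group
TEST_GROUP = "grp-mfa-users-test"       # assumed object id of MFA_Users_Test
POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabledForReportingButNotEnforced",  # Report only; "enabled" enforces
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
        "applications": {"includeApplications": ["All"]},
        # optional condition: apply only from outside trusted (corporate) locations
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed directory (group membership by UPN) and constructed sign-in records
GROUPS = {"alice@contoso.example": {TEST_GROUP}, "breakglass1@contoso.example": {BREAK_GLASS_GROUP}}
SIGNINS = [
    {"user": "alice@contoso.example", "app": "Office 365", "trusted_location": False},
    {"user": "alice@contoso.example", "app": "Office 365", "trusted_location": True},
    {"user": "breakglass1@contoso.example", "app": "Azure portal", "trusted_location": False},
]

def in_scope(policy, signin):
    """True if the policy's assignments and conditions match this sign-in."""
    cond = policy["conditions"]
    users, member_of = cond["users"], GROUPS.get(signin["user"], set())
    if member_of & set(users.get("excludeGroups", [])):
        return False  # an exclusion always wins over an inclusion
    if "All" not in users["includeUsers"] and not member_of & set(users.get("includeGroups", [])):
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    trusted_excluded = "AllTrusted" in cond.get("locations", {}).get("excludeLocations", [])
    return not (signin["trusted_location"] and trusted_excluded)

def evaluate(policy, signin):
    """Simplified per-policy outcome, as the Report-only tab would show it."""
    if not in_scope(policy, signin):
        return "notApplied"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "reportOnlyRequireMfa"  # would have prompted, but not enforced
    return "requireMfa"

def report(policy, signins=SIGNINS):
    """Outcome per sign-in; review these before flipping the policy to On."""
    return [(s["user"], evaluate(policy, s)) for s in signins]
```

Swapping the user assignment for `{"includeUsers": [], "includeGroups": [TEST_GROUP], ...}` models the test-group rollout, and setting `"state": "enabled"` models step "Enable Policy: On".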
Security Tips and Best Practices
- Require MFA for Administrators: Always require MFA for administrative accounts, regardless of other policies. These accounts are prime targets for attacks.
- User Education: Train users on the importance of MFA and how to configure and use it correctly. Explain how to identify and report MFA phishing attempts.
- Microsoft Authenticator: Promote the use of the Microsoft Authenticator app with push notifications, as it is considered one of the safest and easiest methods to use, as well as being resistant to some types of phishing attacks.
- Granular Conditional Access Policies: Use Conditional Access to refine when MFA is required (e.g. outside the corporate network, for high-risk applications, for users in privileged roles).
- Periodic Review: Regularly review your MFA policies and user-registered authentication methods to ensure they remain effective and secure.
- Emergency Accounts: Maintain a rigorous process for emergency access accounts, including securely storing credentials and regularly auditing their usage.
Common Troubleshooting
- User is unable to configure MFA: Verify that the user has an appropriate license and that the desired authentication methods are enabled. Guide the user to follow the registration instructions carefully.
- User blocked after enabling MFA: Check if the user has been excluded from a Conditional Access policy or if there is a problem with the configured MFA method. Use emergency access accounts if necessary.
- MFA is not requested: Verify that the Conditional Access policy is enabled and assigned to the correct users and applications. If you are using Security Defaults, ensure that there are no conflicting Conditional Access policies.
- Authenticator app issues: Check your mobile device's network connectivity and whether notifications are enabled for the app. Try removing and adding the account again in the app.
Conclusion
Multi-Factor Authentication is a fundamental pillar of modern identity security. Configuring MFA in Azure AD, especially through Conditional Access Policies, provides a robust defense against unauthorized access. By following the guidelines in this article, your organization will be better equipped to protect user identities and critical resources, mitigating risks and strengthening your overall security posture. Remember, security is an ongoing process that requires constant adaptation and improvement.
References:
[1] Microsoft Learn. What is Multi-Factor Authentication? Available at: https://learn.microsoft.com/pt-br/entra/identity/authentication/concept-mfa-howitworks
[2] Microsoft Learn. Plan a Microsoft Entra multi-factor authentication deployment. Available at: https://learn.microsoft.com/pt-br/entra/identity/authentication/howto-mfa-getstarted
[3] Microsoft Learn. Microsoft Entra Multi-Factor Authentication Licensing. Available at: https://learn.microsoft.com/pt-br/entra/identity/authentication/concept-mfa-licensing
[4] Microsoft Learn. Create emergency access accounts in Microsoft Entra ID. Available at: https://learn.microsoft.com/pt-br/entra/identity/role-based-access-control/security-emergency-access-accounts