Introduction:
This is going to be my 2nd or 3rd blog on Azure MFA (Multi-Factor Authentication). Azure MFA, also called two-step verification, is a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the verification methods.
You can take one of two approaches for requiring two-step verification. The first option is to enable each user for Azure Multi-Factor Authentication (MFA). When users are enabled individually, they perform two-step verification each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remembered devices feature is turned on). The second option is to set up a conditional access policy that requires two-step verification under certain conditions.
By default, all users that are synced to or created in Azure AD have an MFA status of Disabled (the user is not enrolled in Azure MFA). When an admin enrolls users in Azure MFA, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced.
Enabled: The person has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the process the next time they sign in.
Enforced: The person may or may not have completed registration. If they have completed the registration process, then they are using MFA. Otherwise, they will be prompted to complete the process the next time they sign in.
For more information about MFA, refer to https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states, and for pricing see https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/.
Problem:
I had a requirement from the business to set up MFA (force users to set up MFA) for all users as a second authentication factor, as part of their security requirements. They had one condition: MFA should not be prompted when a user accesses a cloud application from the corporate network (trusted IP addresses), except for the first time. What this means is that when a user tries to access any cloud application, it must prompt the user to set up MFA (if not already set up); once the user has set up MFA, there should be no further MFA prompts on the corporate network, only from external (untrusted) networks.
In this blog post, we are going to see the different options available for MFA registration and which method we are going to use for this requirement.
What are the methods available for MFA registration / configuring Azure Multi-Factor Authentication settings?
There are 3 methods for MFA registration, listed below.
1. Enable MFA for users individually/scripted (per-user MFA)
2. Azure AD conditional access (application-based MFA)
3. Azure AD Identity Protection (AAD IP)
1. Enable MFA for users individually:
You can get a list of users who need MFA enabled, manually or scripted (change the status from Disabled to Enabled). This is more of a manual method and is not dynamic. Every time you have a new user, you must go to the MFA portal and enable MFA for the user. Once MFA is enabled, the user can log in (portal.office.com) and register for Azure MFA. Enabled users are automatically switched to Enforced when they register for Azure MFA. Do not manually change the user state to Enforced.
How to enable MFA for users manually:
Go to https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx?
Choose the account that you want to enable MFA for and click Enable.
For multiple users, you can use a PowerShell script.
PowerShell reporting:
Identify users who have registered for MFA using the PowerShell command that follows (the MSOnline module, connected with Connect-MsolService).
Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName
Identify users who have not registered for MFA using the PowerShell command that follows.
Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName
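The two one-liners above only look at registered methods. The script below, which is an added example and not code from the original post, also reads the admin-set per-user state (Disabled/Enabled/Enforced) that the comments discuss, and then enables per-user MFA for a list of UPNs. It assumes the MSOnline module, an admin session opened with Connect-MsolService, and a hypothetical input file users.txt with one UPN per line.

```powershell
# Added example: report per-user Azure MFA state and bulk-enable per-user MFA.
# Assumes the MSOnline module and a file .\users.txt (one UPN per line).
Import-Module MSOnline
Connect-MsolService   # prompts for Global Admin credentials

function Get-MfaState {
    param([Parameter(Mandatory)] $User)
    # StrongAuthenticationRequirements holds the admin-set state (Enabled/Enforced);
    # an empty collection means the user is still Disabled.
    $req = $User.StrongAuthenticationRequirements | Select-Object -First 1
    if ($null -eq $req) { return 'Disabled' }
    return $req.State
}

# 1) Reporting: state plus whether the user has registered any method.
#    A Disabled user with Registered = True has registered via another path
#    (e.g. Identity Protection), which the MFA portal does not show.
$report = Get-MsolUser -All | ForEach-Object {
    $methods = $_.StrongAuthenticationMethods
    [PSCustomObject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = Get-MfaState -User $_
        Registered        = ($methods.Count -gt 0)
        DefaultMethod     = ($methods | Where-Object { $_.IsDefault }).MethodType
    }
}
$report | Sort-Object MfaState, UserPrincipalName | Format-Table -AutoSize

# 2) Bulk enable: move the listed Disabled users to Enabled.
#    Users already Enabled or Enforced are skipped, so re-running the script
#    never resets someone who has completed registration (the post warns
#    never to set Enforced by hand; registration does that automatically).
$enabled = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$enabled.RelyingParty = '*'
$enabled.State        = 'Enabled'

Get-Content .\users.txt | Where-Object { $_.Trim() } | ForEach-Object {
    $u = Get-MsolUser -UserPrincipalName $_.Trim()
    if ((Get-MfaState -User $u) -eq 'Disabled') {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName `
                     -StrongAuthenticationRequirements @($enabled)
        "Enabled MFA for $($u.UserPrincipalName)"
    } else {
        "Skipped $($u.UserPrincipalName): already $(Get-MfaState -User $u)"
    }
}
```

Run the reporting part first to see who is already Enforced before enabling anyone.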
Is this supported for the business requirement: No
2. Azure AD conditional access:
Using this option, we don't have to go to the MFA portal as in method 1 to configure MFA or run a script; instead we can configure a conditional access policy to prompt for MFA for applications.
Create an Azure AD conditional access policy with the access control set to grant 'Require multi-factor authentication', and select the applications you want configured with MFA.
When a user tries to access the application, it will challenge the user to set up MFA. Once the user sets up MFA, the MFA status will change from Disabled to Enforced.
Microsoft recommends using Azure conditional access, which is app-based MFA via Conditional Access.
Is this supported for the customer requirement: No, but why?
If you look at the problem description, the business requested that the MFA prompt be suppressed when a user tries to access cloud applications on the corporate network, hence there will be a conditional access policy to suppress MFA while users are on the intranet (with a list of trusted IP addresses).
We cannot have one conditional access policy to suppress MFA and another to set up MFA while users are on the corporate network.
For more information about prompting for MFA only if the user is coming from an untrusted location, a.k.a. excluding MFA for the company intranet, see http://eskonr.com/2018/03/conditional-access-to-prompt-mfa-if-user-coming-from-untrusted-location-a-k-a-exclude-mfa-from-company-intranet/
3. Azure AD Identity Protection (AAD IP):
Now we have the 3rd option, which is called Azure AD Identity Protection. Azure AD Identity Protection helps you manage the roll-out of multi-factor authentication registration by configuring a policy that lets you set the users and groups it applies to.
We will use Identity Protection to challenge users for MFA without using method 1 or method 2; it is independent of the above methods.
Though Identity Protection has many other features, we don't discuss them all in this blog, since our requirement is to set up MFA. You can read more at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection
To configure it, you must be a Security Reader, a Security Admin or a Global Admin to use Identity Protection.
Log in to https://portal.azure.com
Click on All services and type Azure Identity
On the Azure AD Identity Protection blade, in the Configure section, click Multi-factor authentication registration
Under Multi-factor authentication registration policy:
Assignments: add the users that you want to prompt to set up MFA. You also have the option to exclude users and groups that should not get MFA (super VIPs).
Access controls: choose Require Azure MFA registration.
Review shows the current registration status in your infrastructure.
Once all the settings are configured, set Enforce policy to On and save.
Once this is done, users will get a prompt notifying them to set up MFA if not already done.
End user experience:
When a user tries to access applications hosted in the cloud, the user will get the following screen:
Hope you enjoyed reading this article. See you in the next post.
References:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identity-protection-faqs
9 Comments
At least if you obtain P2 licenses you are able to authenticate using hardware tokens. Of course there are additional costs using tokens, but it can be an ideal way to complement other authentication methods (e.g. for those that are not in possession of a mobile phone).
Hi Eswar
Nice clear post summarising the issues. I had been coming to the same conclusion with how to enrol users for MFA with conditional access so it was great to see this explained so clearly.
Thanks
Julian
Hi Julian,
Glad you liked it.
Thanks,
Eswar
Hi,
When using option 3, does the MFA state (as shown in option 1) change from Disabled to Enforced once a user registers for MFA?
Hi,
Yes, it does change, but when you look at the MFA portal, it won't appear there as Enforced. When you use the PowerShell script, it will display as Enforced.
Thanks,
Eswar
I like option 3 however Azure AD Identity Protection requires P2 licenses which is worth highlighting 🙂
Hi,
Yes, that's true, but it saves a lot of time enabling MFA and also gives us a nice summary on MFA.
Regards,
Eswar