Skip to content

Latest commit

 

History

History
85 lines (72 loc) · 5.01 KB

3.4. Multi-Factor Authentication (MFA).md

File metadata and controls

85 lines (72 loc) · 5.01 KB

Multi-Factor Authentication (MFA)

Enable MFA for an Azure tenant

  • First you need to install MFA server on Azure (managed).

Enabling options

Enabled by conditional access policy

  • E.g. wen any user is outside my company network, They're required to sign in with multi-factor authentication
  • Cloud only, premium feature of Azure AD
  • Flow:
    1. Choose verification options: Azure Active Directory -> Users -> Multi-Factor Authentication -> Service Settings -> Enable verification methods you want: call to phone, text message to phone, notification through mobile app, verification code from mobile app or hardware token
    2. Create conditional access policy: Azure Active Directory -> Conditional access -> New policy
      • Select users, groups.
      • Select which cloud apps
      • Select conditions
        • E.g. if you have enabled Azure Identity Protection, you can choose to evaluate sign-in risk as part of the policy.
        • E.g. If you have configured trusted locations or named locations, you can specify to include or exclude those locations from the policy.
      • Under Grant -> Ensure "Grant Access" and "Require multi-factor-authentication" is selected.

Enabled by Azure AD Identity Protection

  • Uses the Azure AD Identity Protection risk policy to require two-step verification based only on sign-in risk for all cloud applications
  • Cloud only
  • Flow: Azure AD -> Identity Protection -> (Configure) User risk policy

Enabled by changing user state

  • Requires users to perform two-step verification every time they sign in
    • Overrides conditional access policies
  • Works with both Azure MFA in the cloud and Azure MFA Server

User states

  • All users start out Disabled. When you enroll users in Azure MFA, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced.
  • Do not manually change the user state to Enforced.
  • You can view states for users, and enable:
    • On Portal: Azure Active Directory > Users and groups > All users
    • Powershell script with iteration of users.

MFA settings

  • Block/unblock users: Azure Active Directory > MFA > Block/unblock users -> Add -> Type e-mail
  • Fraud alerts
    • Allows users to report fraudulent attempts to access their resources by using the mobile app or through their phone.
    • Specific to on-premises MFA server.
    • Azure Active Directory > MFA > Fraud alert > Set On for Allow users to submit fraud alerts
    • Configuration options:
      • Block user when fraud is reported: If a user reports fraud, their account is blocked for 90 days or until an administrator unblocks their account.
      • Code to report fraud during initial greeting: When users receive a phone call to perform two-step verification, user presses a code to report its not user itself.
        • It's 0# by default, you can change it, you should then also change voice greeting with your own recording.
    • View fraud reports: Azure Active Directory > Sign-ins
  • One-time bypass
    • Allows a user to authenticate a single time without performing two-step verification.
    • The bypass is temporary and expires after a specified number of seconds.
    • It's good when e.g. in situations where the mobile app or phone is not receiving a notification or phone call.
    • Create: Azure Active Directory > MFA > One-time bypass -> Enter user e-mail + seconds that the session will last
    • View: Azure Active Directory > MFA > One-time bypass.
  • Caching rules
    • You can set a time period to allow authentication attempts after a user is authenticated by using the caching feature
    • It's not intended for Azure AD but on-premises.
    • Set-up: Azure Active Directory > MFA > Caching rules
  • Trusted IPs
    • Bypasses two-step verification for users who sign in from the company intranet.
    • Premium only feature
    • Options
      • Managed Azure AD Tenant: Specific range of IP addresses
      • Federated: All Federated Users (only from intranet), Specific range of IP addresses
    • End-user experience outside corpnet: Regardless of whether the Trusted IPs feature is enabled, two-step verification is required
    • Flow:
      • Via conditional access
        1. Enable named locations by using conditional access
          • Azure Active Directory > Conditional access > Named locations -> New location -> Enter name + IP range + mark as trusted location
        2. Enable the Trusted IPs feature by using conditional access
          • Azure Active Directory > Conditional access > Named locations -> Configure MFA trusted IPs
      • Via service settings
        • Azure AD -> Users -> Multi-Factor Authentication -> Service settings
      • Two options while enabling trusted IPs:
        1. For requests from federated users originating from my intranet
          • Ensure AD FS adds intranet claim with a rule.
        2. For requests from a specific range of public IPs
  • Remember Multi-factor Authentication: Remembers the device.
    • Azure Active Directory > Users and groups > All users -> MFA -> Service settings