DEV Community

SUNIL KUMAR

Azure AD Multi-Factor Authentication

What is MFA?
Multi-factor authentication (MFA) is an authentication method that requires the user to present two or more independent verification factors before gaining access to a resource such as an application, an online account, or a VPN. Because a stolen password alone is no longer enough to sign in, MFA is a core component of a strong identity and access management (IAM) policy.

How does it work?
Azure AD Multi-Factor Authentication secures user sign-in events. It can be enabled in several ways (per-user MFA, security defaults, Conditional Access), but the recommended way to deploy it is through a Conditional Access policy, because that lets you decide when MFA is required instead of prompting on every sign-in. When a user tries to access an Azure AD protected resource, Azure AD verifies the identity with a combination of something you know (a password), something you have (a phone, an authenticator app, or a hardware key) and something you are (a biometric).

Is this solution for you?
If your organization already uses Azure AD for single sign-on and you are worried about the security of your user accounts, then Azure AD MFA is the right solution for you. In particular, you can implement risk-based MFA, where Azure AD Identity Protection scores each sign-in and Conditional Access requires MFA only when that risk is elevated, so users who sign in normally are not prompted unnecessarily while suspicious sign-ins are challenged.

Now let's look at the prerequisites for deploying MFA with Azure AD:

  1. A working Azure AD tenant with an Azure AD Premium P1 or P2 license (a trial works as well). P1 is enough for Conditional Access itself; the sign-in risk condition used later in this post comes from Identity Protection and needs Azure AD Premium P2.
  2. An account with the Global Administrator role (the Conditional Access Administrator role is sufficient for creating the policy itself).

How to Deploy MFA in Azure AD?
To deploy MFA, log in to the Azure portal and navigate to Azure AD > Security > Conditional Access.

Now create a New policy that enforces MFA for the "MFA Test" user (test@99daysofgcp.tech).

Here we created a Conditional Access policy that says: if the sign-in risk for this user is medium or high, require the user to register for and complete multi-factor authentication before access is granted. Scoping the policy to a single test user is the right way to pilot it. Before widening the assignment, exclude at least one emergency-access (break-glass) account from the policy, so that an outage in the MFA service or in Identity Protection cannot lock every administrator out of the tenant.
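The same policy as the portal steps above, created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post. It assumes the Microsoft.Graph module is installed, that the signed-in account may manage Conditional Access policies, that the test user from the post exists, and that a hypothetical emergency-access account breakglass@99daysofgcp.tech exists to be excluded; the policy is created in report-only mode so it can be validated against real sign-ins before it is enforced.

```powershell
# Added example (not from the original post): create the risk-based Conditional Access
# policy from this post with the Microsoft Graph PowerShell SDK instead of the portal.
# Assumptions: Microsoft.Graph module installed; the account can manage Conditional Access;
# breakglass@99daysofgcp.tech is a hypothetical emergency-access account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Conditional Access refers to users by object id, not by UPN, so resolve them first.
$testUser   = Get-MgUser -UserId "test@99daysofgcp.tech"
$breakGlass = Get-MgUser -UserId "breakglass@99daysofgcp.tech"   # hypothetical break-glass account

$policy = @{
    displayName = "Require MFA when sign-in risk is medium or high"
    # Report-only: the sign-in logs show what the policy would have done without
    # enforcing it. Switch to "enabled" once the report-only results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @($testUser.Id)
            excludeUsers = @($breakGlass.Id)   # a risk policy must never lock out the break-glass account
        }
        applications = @{
            includeApplications = @("All")
        }
        # "medium" and "high" are what the portal calls "medium and above".
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the settings that matter for this post.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"Policy '{0}' is {1}; risk levels: {2}; grant controls: {3}" -f `
    $check.DisplayName, $check.State,
    ($check.Conditions.SignInRiskLevels -join ","),
    ($check.GrantControls.BuiltInControls -join ",")
```

Leave the policy in report-only mode for a few days, review the "Report-only" result on the affected sign-ins in the Azure AD sign-in logs, and only then change `state` to `enabled` with Update-MgIdentityConditionalAccessPolicy. The break-glass exclusion should stay in place after enforcement.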

Now let's configure the MFA service settings.
To reach them, search for "Multi-Factor Authentication" in the portal's global search bar and then click "Configure MFA".

From now on, whenever a sign-in by test@99daysofgcp.tech is scored at medium or high risk, the Conditional Access policy forces the user to register for MFA (if not already registered) and to complete MFA before access is granted.

Let's have a look at the different settings and functions available under MFA:

Account lockout-
Temporarily locks an account in the multi-factor authentication service after too many consecutive denied authentication attempts, which limits brute-force guessing of the second factor. This setting only applies to users who enter a PIN to authenticate, that is, to on-premises Azure MFA Server deployments; cloud MFA is not affected by it.

Block/unblock users-
A blocked user does not receive multi-factor authentication requests; every authentication attempt for that user is automatically denied. A user stays blocked for 90 days from the time they are blocked unless an administrator unblocks them manually. This is the control to reach for when a user's phone or token is known to be lost or compromised.

Fraud Alert-
Allows users to report fraud when they receive a two-step verification request that they did not initiate, which is the typical sign that someone else holds their password. If the option to automatically block users who report fraud is turned on, a fraud report also blocks the account for 90 days, so pair this setting with the notification below so administrators can investigate and reset the credential.

Notification-
Email notifications can be configured to fire when a user reports a fraud alert. These notifications should go to the identity administrators or security operations team, because a fraud report means the user's password is very likely compromised and needs to be reset.

One-time bypass-
Allows a user to authenticate once without performing two-step verification, for a limited time. The bypass takes effect immediately and expires after the specified number of seconds. This feature only applies to MFA Server deployments.

Caching rules-
Set up caching rules so that consecutive authentications within a short window do not require two-step verification again. This feature only applies to MFA Server deployments.

Hopefully this gave you an idea of how to deploy and configure MFA in Azure AD. Thanks for reading, and please hit follow if it helped.
