Configure Azure Multi-factor authentication (MFA)
In today's world of cloud technology, security is an ever-growing requirement. In Microsoft Azure, you can strengthen the security of your tenant by enabling MFA, often referred to as 2-step verification. MFA adds a second factor to authentication for your Azure AD tenant, in the form of a text message, a phone call or a code from a mobile app.
Many platforms on the internet use this technology, including Facebook, Google and Apple. It only makes sense to enable it for your own user base, to protect your data and applications in the cloud and, if you wish, on-premises networks too. Even if attackers manage to guess or phish the password for one of your users, the password alone is not enough: without the second factor, they will not get in.
MFA requirements
Enforcing MFA through Conditional Access requires an Azure AD Premium (P1) licence to be assigned to every user the policy applies to. It is good practice to enable MFA for all employees in the organisation. At a minimum, privileged accounts that have administrator access to systems and data must have MFA enabled.
Some Microsoft services are not available in every country or region, so a licence cannot be assigned until the user's usage location is set on their profile.
To do this, go into Azure AD and then into Users, and select the user you need to edit.
At the bottom you will see the option "Usage Location"; set this first.
Now go back to the user's settings, choose Licenses and then Assign license:
Ensure an Azure AD Premium licence is selected under 'Products':
Now configure the service plans you need. We want MFA, so ensure that plan is enabled:
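The same two steps (set the usage location, then assign the licence) done from Microsoft Graph PowerShell, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, that the UPN is a placeholder for the account you want to license, and that the tenant owns Azure AD Premium P1 seats (SKU part number AAD_PREMIUM); it also checks that a seat is actually free before assigning, which the portal does silently.

```powershell
# Added example (not from the original post): set usage location and assign an
# Azure AD Premium P1 licence with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; $upn is a placeholder account;
# the tenant holds AAD_PREMIUM (Azure AD Premium P1) licences.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"

$upn = "admin@contoso.onmicrosoft.com"   # placeholder: the account to license

# 1. The usage location must be set before any licence can be assigned.
Update-MgUser -UserId $upn -UsageLocation "GB"

# 2. Find the Azure AD Premium P1 SKU and make sure a seat is available.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "AAD_PREMIUM"
if (-not $sku) {
    throw "No Azure AD Premium P1 (AAD_PREMIUM) subscription found in this tenant"
}
if ($sku.ConsumedUnits -ge $sku.PrepaidUnits.Enabled) {
    throw "All AAD_PREMIUM seats are consumed; buy more before assigning"
}

# 3. Assign the licence. -RemoveLicenses is mandatory even when empty.
Set-MgUserLicense -UserId $upn `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) `
    -RemoveLicenses @()

# 4. Verify: list the SKUs now assigned to the user.
Get-MgUserLicenseDetail -UserId $upn | Select-Object SkuPartNumber, SkuId
```

If you only want some service plans from the SKU (the portal's per-plan toggles), add a `DisabledPlans` array of service plan IDs to the hashtable passed to `-AddLicenses`.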
Now that a licence has been assigned to our most privileged account, 'Kirk Whetton', we need to create a Conditional Access policy. This defines the conditions under which MFA is required (using a specific SaaS app or signing in from a mobile device, for instance). Mobile devices are potentially more of a threat to a network than regular laptops because they are very easy to steal and often contain stored credentials, so forcing MFA for these devices is a very good idea.
Go to Azure Active Directory, select 'Conditional Access' in the blade, then 'New Policy' at the top of that window.
- Give the policy a name.
- Under 'Users and groups', either select "All users" or "Select users and groups".
- Under 'Cloud apps', choose "All cloud apps"; in production you may want to scope this more tightly.
- Under 'Access controls', on the 'Grant' tab, ensure 'Grant access' is selected and tick 'Require multi-factor authentication'.
- Be sure to set 'Enable policy' to On at the bottom.
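The same policy created from Microsoft Graph PowerShell, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed and that `$breakGlass` is a placeholder object ID for an emergency-access account. Two things here go beyond the portal steps above and are my additions: the policy is created in report-only mode first, so you can check the sign-in logs before it starts blocking anyone, and the emergency-access account is excluded so a mistake in the policy cannot lock every administrator out of the tenant.

```powershell
# Added example (not from the original post): create a Conditional Access policy
# requiring MFA for all users on all cloud apps with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; $breakGlass is a placeholder
# object ID of an emergency-access account excluded from the policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlass = "00000000-0000-0000-0000-000000000000"   # placeholder object ID

$policy = @{
    displayName   = "Require MFA for all users"
    # Report-only: the policy is evaluated and logged but not enforced.
    # Switch to "enabled" after reviewing the sign-in logs.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass)   # never lock out the break-glass account
        }
        applications = @{
            includeApplications = @("All")  # "All cloud apps" in the portal
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")          # "Require multi-factor authentication"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify what the service actually stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State

# Later, once the report-only results look right, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

Before enforcing, confirm from another browser session that the break-glass account still signs in without an MFA prompt and that a normal test account is prompted; that is the check the portal flow at the end of this post performs by logging out and back in.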
Save the policy. Now log out of the Azure Portal and back in again. Make sure you know your password and have an MFA method registered before you do this, because a policy that applies to your own account can lock you out; it is also good practice to exclude a separate emergency-access account from the policy so you can always get back in.
I had already set up my account for MFA, so I was challenged to provide a code sent to the mobile phone I registered with my account in AAD. If you have not set that up beforehand, you can configure a method to use, be it phone, text, etc.