Configure Azure Multi-factor authentication (MFA)

-

     In today's world of cloud technology, security is a an ever growing requirement. In Microsoft Azure, you can enhance the security for your cloud platform by enabling MFA, often referred to as 2-step verification. MFA enables a secondary method of authentication for your Azure tenant, in the form a text message, phone call or mobile app code.

     Many platforms on the internet use this technology, including Facebook, Google and Apple. It only makes sense to enable this for your own user base, for the purpose of enhanced network security and the protection of your data and applications in the cloud and if you wish, on-premises networks too! Even if attackers manage to guess the password for one of your users, its completely useless as without the secondary verification method, they will not get in.

Image result for azure mfa
Image source: 


MFA requirements

 MFA requires Azure AD Premium licenses to be assigned for all users that will have MFA enabled. It is good practice to enable all employees in the organisation for MFA. At a minimum, privileged accounts that have administrator access to systems and data should have MFA enabled.

Microsoft services are not available in all locations. Before assigning an Azure premium license to a user, you need to have their usage location set on the user profile.

To do this, go into Azure AD and then into Users. Select the user you need to edit


At the bottom you can see the option "Usage Location", you need to set this.


Now go back to the users settings and choose licenses then assign license:

Ensure an Azure Premium license is selected under 'Products':

Now configure the options you need, we want MFA so ensure that is enabled:

Now that a license has been assigned to our most privileged account 'Kirk Whetton', we need to create a conditional access policy, this basically depicts what conditions prompt MFA to kick in (Using a specific SaaS app or mobile device for instance). Mobile devices are potentially more of a threat to a network than regular laptops because they are very easy to steal and often contain stored credentials, forcing MFA for these devices is a very good idea.


Go to Azure Active Directory, in the blade select 'Conditional Access', then 'New Policy' at the top of that window.

  • Give the policy a name.
  • Under users and groups either select "All Users" or "Select users and groups"
  • Under cloud apps, choose "All Apps", in production you may not want to do that.
  • Under Access Control, the 'Grant' tab, ensure 'Grant Access' is selected and the check box 'Require multi-factor authentication'
  • Be sure to 'Enable Policy' at the bottom.
Save the Policy. Now logout of the Azure Portal and back in again. It's important that you remember your password as this can lock you out of your account.

I had already setup my account for MFA so I was challenged to provide a code to the mobile phone I registered with my account in AAD. If you have not set that up beforehand, you can configure a method to use be it phone or text etc...




MFA setup complete! There is a way to do this in bulk, which most organisations will probably do. Under users in Azure AD there is an MFA button along the top, go into there and you will see what to do next :)





Comments

Post a Comment

Popular posts from this blog

VM Tools fail to upgrade with vix error 21007

-
Image
The reason for the failure in my findings, is because the virtual machine hardware version is old and needs upgrading. Perform a compatibility upgrade on the VM and then try the tools again. This is the error you may get from PowerShell, the same is true using the vSphere web client: This is how you fix it in the vSphere web client:
Read more

Deploy Multiple VM's with PowerCLI and a vCenter Custom Spec.

-
This blog post assumes you have a working vCenter server with at least one host, datastore, network etc...requirements are listed below:  What is required:  Admin access to a running vCenter environment, preferably a lab! Powershell v5 and PowerCLI 6.5. A premade template, EG Windows Server 2016. A vCenter custom spec for the configuration of guest operating systems. Details of my lab are below. I am fortunate to have access to real servers where I work but a computer with enough disk space and maybe 16gb of ram will suffice. You may not be able to run as much simultaneously. My Lab: Dell PowerEdge server 128GB RAM VMware Workstation Pro 12 3 Virtual Machines located inside VMware Workstation.  2 ESXi Servers, 1 Active Directory domain controller. My vCenter server appliance (VCSA.contoso.com) is running on one of my virtual ESXi servers. The Environment: Active Directory and DNS: 10.1.1.1 DHCP provided by VMware workstation network manager. vCenter Se
Read more