Design an MFA solution
Azure AD P1, Azure AD P2, EMS E3 and EMS E5 all include the option to enable Azure Multi-Factor Authentication. As a Microsoft 365 Enterprise customer, you need to design MFA so that access to your organization's data by authenticated users is protected with a second factor.
Design a solution along the following lines:
- Implement Conditional Access to enable MFA for the required applications.
- If required, set an MFA exception when the application is accessed from a compliant device, a Hybrid Azure AD joined device, or a corporate trusted location.
- Irrespective of the application, force users holding admin roles to complete an MFA challenge.
In addition, keep the following questions in mind when designing your MFA solution:
- Does your company need to protect privileged accounts with MFA?
- Does your company need to enable MFA for certain applications for compliance reasons?
- Does your company need to enable MFA for all eligible users of these applications, or only for administrators?
- Do you need MFA always enabled, or only when users sign in from outside your corporate network?
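The following is an added example, not code from the original post, showing how the design above can be expressed as two Conditional Access policies with the Microsoft Graph PowerShell SDK: one policy requiring MFA for a single application with the compliant/hybrid-joined device and trusted-location exception, and one requiring MFA for the Global Administrator role on every application. It assumes the Microsoft.Graph.Identity.SignIns module is installed and the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission; the application ID and the break-glass group ID are placeholders to be replaced with your own values.

```powershell
# Added example (not from the original post): create the two Conditional Access
# policies described in the design section using Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed and the caller has
# the Policy.ReadWrite.ConditionalAccess permission.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$targetAppId       = "00000000-0000-0000-0000-000000000000"  # placeholder: app ID of the application to protect
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"  # placeholder: group holding emergency-access accounts
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator directory role template ID

# Policy 1: MFA for one application. A compliant or Hybrid Azure AD joined
# device satisfies the grant instead of MFA, and trusted named locations are
# excluded from the policy altogether.
$appPolicy = @{
    displayName = "CA01 - Require MFA for protected app"
    state       = "enabledForReportingButNotEnforced"  # report-only first; switch to "enabled" after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @($targetAppId) }
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"  # any one of the listed controls satisfies the policy
        builtInControls = @("mfa", "compliantDevice", "domainJoinedDevice")
    }
}

# Policy 2: MFA for privileged roles on every application, with no location or
# device exception; only the break-glass group is excluded.
$adminPolicy = @{
    displayName = "CA02 - Require MFA for admin roles"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeRoles = @($globalAdminRoleId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($appPolicy, $adminPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Both policies are created in report-only mode so their effect can be checked in the sign-in logs before enforcement, and both exclude a break-glass group so that a misconfigured policy cannot lock every administrator out of the tenant. Add further role template IDs to includeRoles to cover the other privileged roles your design identifies.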
Configure MFA for Apps or Users
Configure MFA for Apps
Use Azure AD Conditional Access policies to enable MFA for applications onboarded to Azure AD.
To create a Conditional Access policy:
Azure Portal -> Azure AD -> Conditional Access -> New CA Policy -> select the users -> select the application -> review the other settings -> enable MFA in the Grant section and save.
Configure MFA for Users
We can also enable MFA at the user level, so that whenever the user accesses an Office 365 service or an Azure AD integrated application, they are prompted for an MFA challenge as the second factor.
Azure Portal -> Azure AD -> Users -> open Multi-Factor Authentication -> search for the user -> Enable MFA.
Administer MFA Users
Manage MFA Service Settings:
As an administrator, we can configure the following MFA service settings for the organization.
App Passwords: Users can use an app password to sign in to non-browser apps. We have the option to allow or restrict this.
Verification Options:
Once MFA is enabled, this controls which verification methods users are allowed to use.
Remember Multi-Factor Authentication: Once a user has passed MFA validation, being prompted every time they access the service is annoying. We can control how long MFA authentication is remembered on that device. By default, this is not enabled.
Azure Portal -> Azure AD -> Users -> open Multi-Factor Authentication -> Service Settings
And, from the Azure AD portal -> Security -> MFA -> MFA Server -> Activity Report.
Manage User Settings
If MFA is enabled on an account, we have the following options to administer on that account (the three checkboxes in the Manage user settings dialog):
- Require selected users to provide contact methods again
- Delete all existing app passwords generated by the selected users
- Restore multi-factor authentication on all remembered devices
The three options are self-explanatory; make sure you know what each one does.
Report MFA utilization
MFA activity reports are available for administrator review.
To monitor MFA usage, we can use either the portal report or the MSOnline PowerShell cmdlets below.
Navigate to Azure Portal -> Azure AD -> Security -> MFA -> Manage MFA Server -> Reports -> Activity Reports.
Identify users who have registered for MFA using the following PowerShell. Both commands require the MSOnline module and a prior Connect-MsolService; note that MSOnline has been retired by Microsoft in favour of the Microsoft Graph PowerShell SDK.
# StrongAuthenticationMethods is an empty collection, not $null, for unregistered users,
# so test the count rather than comparing against $null.
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods.Count -gt 0 } | Select-Object -Property UserPrincipalName
Identify users who have not registered for MFA using the following PowerShell.
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } | Select-Object -Property UserPrincipalName
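As an added example that is not part of the original post, the same registration report can be produced with the Microsoft Graph PowerShell SDK, which is the supported replacement for the retired MSOnline cmdlets. It assumes the Microsoft.Graph.Reports module is installed and the signed-in account has the AuditLog.Read.All permission; the output path is a placeholder.

```powershell
# Added example (not from the original post): MFA registration report via
# Microsoft Graph PowerShell. Assumes Microsoft.Graph.Reports is installed and
# the caller holds AuditLog.Read.All.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All"

function Get-MfaRegistrationSummary {
    # One record per user from the authentication methods registration report
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    $registered    = $details | Where-Object { $_.IsMfaRegistered }
    $notRegistered = $details | Where-Object { -not $_.IsMfaRegistered }

    [pscustomobject]@{
        RegisteredCount    = @($registered).Count
        NotRegisteredCount = @($notRegistered).Count
        # Admins without MFA are the highest-risk gap, so surface them separately
        AdminsNotRegistered = $notRegistered | Where-Object { $_.IsAdmin } | Select-Object -ExpandProperty UserPrincipalName
        NotRegistered       = $notRegistered | Select-Object -ExpandProperty UserPrincipalName
    }
}

$summary = Get-MfaRegistrationSummary
Write-Host ("MFA registered: {0}, not registered: {1}" -f $summary.RegisteredCount, $summary.NotRegisteredCount)
Write-Host ("Admin accounts without MFA: {0}" -f ($summary.AdminsNotRegistered -join ", "))

# Export the unregistered list for follow-up (placeholder path)
$summary.NotRegistered |
    ForEach-Object { [pscustomobject]@{ UserPrincipalName = $_ } } |
    Export-Csv -Path ".\mfa-not-registered.csv" -NoTypeInformation
```

The IsAdmin flag on each registration record lets the report single out privileged accounts that have not registered, which is the first gap to close under the design question about protecting privileged accounts.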