Design an MFA solution

Azure AD P1, P2, EMS E3 & EMS E5 includes the option to enable Azure Multi factor Authentication. As a Microsoft 365 Enterprise Customer, you need to design MFA authentication to protect your organization data access by authenticated users.

Design a solution like below

• Implement Conditional Access to enable MFA for the required applications.
• If required, set MFA exception is the application is accessed from Compliant / Hybrid Azure AD Joined / Corporate Trusted Location
• Irrespective of any application force Users with Admin Roles to challenge MFA
• In addition, keep the below questions to design your MFA solution
• Does your company need to protect privileged accounts with MFA?
• Does your company need to enable MFA for certain application for compliance reasons?
• Does your company need to enable MFA for all eligible users of these application or only administrators?
• Do you need have MFA always enabled or only when the users are logged outside of your corporate network?

Configure MFA for Apps or Users

Configured MFA for Apps

Use Azure AD Conditional Access Policies to enable MFA for Azure On-boarded Application.

To create a Conditional Access Policy

Azure Portal -> Azure AD -> Conditional Access -> New CA Policy -> Select the Users -> Select the Application -> review the other settings -> enabled MFA on the Grant section and save

Configured MFA for Users

We can enable MFA on the user level so that whenever user access an Office 365 services or Azure AD Integrated Application, user will be prompted for MFA challenge for second factor authentication.

Azure Portal -> Azure AD -> Users -> Open the Multi-Factor Authentication -> Search for the User -> Enabled MFA

Administer MFA Users

Manage MFA Service Settings:

We can configure below MFA service settings as an administrator for the organization.

App Passwords: Users can use the app password to sign in to non-browser apps. We have the option to allow or restrict.

Verification Options:

If MFA enabled, what are the verification options allowed for users. We can control the options here.

Remember Multi factor Authentication: If a user passed the MFA validation, it will be a annoying prompt every time they access the service. We can control the option on how long to remember the MFA authentication on that device. By default, this is not enabled.

Azure Portal -> Azure AD -> Users -> Open the Multi-Factor Authentication -> Service Settings

And, from Azure AD Portal -> Security -> MFA -> MFA Server -> Activity Report

Mange User Settings

If MFA enabled on an account, we have the below options to administer on the account

Above 3 options are self-explanatory. Please know the available options.

Report MFA utilization

MFA activity reports are available for administrator review.

To monitor MFA usage, we have the option to use the below PowerShell

Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

Navigate to Azure Portal -> Azure AD -> Security -> MFA -> Manage MFA Server -> Reports -> Activity Reports

Identify users who have registered for MFA using the PowerShell that follows.

Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

Identify users who have not registered for MFA using the PowerShell that follows.

Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName