Info Security Memo

Enable MFA for Azure AD Users

11/22/2022


Azure Active Directory (Azure AD) Multi-Factor Authentication helps safeguard access to data and applications, providing another layer of security by using a second form of authentication. Organizations can enable multifactor authentication (MFA) with Conditional Access to make the solution fit their specific needs.

This post summarizes the key steps to plan and implement an Azure AD Multi-Factor Authentication roll-out: prerequisites, authentication methods, Conditional Access policy design, converting legacy per-user MFA, and monitoring once it is live.



[Diagram: how Conditional Access works to secure the sign-in process]

Prerequisites

  • Cloud-only identity environment with modern authentication: no prerequisite tasks.
  • Hybrid identity scenarios: deploy Azure AD Connect and synchronize user identities between the on-premises Active Directory Domain Services (AD DS) and Azure AD.
  • On-premises legacy applications published for cloud access: deploy Azure AD Application Proxy.

Authentication methods for MFA


  • Windows Hello for Business
  • Microsoft Authenticator app
  • FIDO2 security key
  • OATH hardware tokens (preview)
  • OATH software tokens
  • SMS verification
  • Voice call verification

Authentication method                       Security  Usability  Availability
Windows Hello for Business                  High      High       High
Microsoft Authenticator app                 High      High       High
FIDO2 security key                          High      High       High
Certificate-based authentication (preview)  High      High       High
OATH hardware tokens (preview)              Medium    Medium     High
OATH software tokens                        Medium    Medium     High
SMS                                         Medium    High       Medium
Voice                                       Medium    Medium     Medium
Password                                    Low       High       High

The following table outlines when an authentication method can be used during a sign-in event:

Method                                      Primary authentication  Secondary authentication
Windows Hello for Business                  Yes                     MFA*
Microsoft Authenticator app                 Yes                     MFA and SSPR
FIDO2 security key                          Yes                     MFA
Certificate-based authentication (preview)  Yes                     No
OATH hardware tokens (preview)              No                      MFA and SSPR
OATH software tokens                        No                      MFA and SSPR
SMS                                         Yes                     MFA and SSPR
Voice call                                  No                      MFA and SSPR
Password                                    Yes                     No


The following additional verification methods can be used in certain scenarios:

  • App passwords - used by older applications that don't support modern authentication. They are only available to users configured for per-user Azure AD Multi-Factor Authentication, not to users covered by Conditional Access alone. An app password is a static secret that lets a legacy client skip the MFA prompt, so block legacy authentication instead wherever the application allows it.
  • Security questions - only used for SSPR
  • Email address - only used for SSPR


Plan Conditional Access Policies

To create your own Conditional Access policies and target specific conditions like cloud apps, device platforms and locations, you will need Azure AD Premium P1. Conditions based on sign-in risk or user risk additionally require Identity Protection, which is part of Azure AD Premium P2.

Azure Active Directory Premium P1 (list prices at the time of writing, November 2022):

  • Annual commitment: $92.40 per license per year
  • Billed monthly: $7.70 per license per month

Azure Active Directory Premium P2: a comprehensive cloud identity and access management solution with advanced identity protection for all your users and administrators. From $11.50 per license per month.


Azure AD Multi-Factor Authentication is enforced with Conditional Access policies. These policies allow you to prompt users for MFA when needed for security and stay out of users' way when not needed.

For end-to-end guidance on Azure AD Conditional Access deployment, see the Conditional Access deployment plan.

Common use cases to require Azure AD Multi-Factor Authentication include:

  • For administrators
  • To specific applications
  • For all users
  • For Azure management
  • From network locations you don't trust

Plan User Session Lifetime
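Session lifetime is configured on the Conditional Access policy itself, so the same policy object covers both the "require MFA for administrators" use case from the list above and the sign-in frequency setting this section is about. The following PowerShell is an added example written for this page (it is not code from the original post or from Microsoft's documentation); it uses the Microsoft Graph PowerShell SDK to create that policy in report-only mode, exclude an emergency-access group, and reauthenticate admin sessions daily. The group name CA-Exclusion-BreakGlass, the policy name and the one-day frequency are assumptions to replace with your own values.

```powershell
# Added example: report-only Conditional Access policy that requires MFA for
# privileged role holders and caps admin sessions at one day.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# "CA-Exclusion-BreakGlass" is a placeholder for your own emergency-access group.

Connect-MgGraph -Scopes @("Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                          "Application.Read.All", "Group.Read.All", "RoleManagement.Read.Directory")

# Directory role template IDs are identical in every tenant, so the policy can
# target roles directly instead of a hand-maintained admin group.
$roleNames = @("Global Administrator", "Security Administrator", "Conditional Access Administrator")
$roleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id)
if ($roleIds.Count -ne $roleNames.Count) {
    throw "Resolved $($roleIds.Count) of $($roleNames.Count) role templates; aborting"
}

# Never lock out the emergency-access accounts: refuse to continue if the
# exclusion group cannot be found.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclusion-BreakGlass'"
if (-not $breakGlass) { throw "Break-glass exclusion group not found; refusing to create policy" }

$policy = @{
    displayName = "CA001 - Require MFA for administrators"
    # Report-only: the sign-in log records what the policy WOULD have done
    # without prompting anyone. Switch to "enabled" after reviewing those results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles  = $roleIds
            excludeGroups = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Session lifetime: force a fresh sign-in (including MFA) once per day
        # on privileged sessions. Leave this unset for ordinary users, where
        # frequent prompts only train people to approve without looking.
        signInFrequency = @{
            isEnabled = $true
            type      = "days"
            value     = 1
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm what was actually stored.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Name            = $check.DisplayName
    State           = $check.State
    Grant           = ($check.GrantControls.BuiltInControls -join ",")
    SignInFrequency = "$($check.SessionControls.SignInFrequency.Value) $($check.SessionControls.SignInFrequency.Type)"
}
```

Leave the policy in report-only until the sign-in log shows the expected reportOnlySuccess results for the pilot admins and no reportOnlyFailure for the break-glass accounts; only then set state to "enabled".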

 




Plan User Registration

 



Per-User MFA vs Conditional Access Based MFA

In your tenant, you can enable MFA on a per-user basis. In this scenario, your users perform MFA each time they sign in, with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on. 

For Azure AD free tenants without Conditional Access, you can use security defaults to protect users. Users are prompted for MFA as needed, but you can't define your own rules to control the behavior.

More about per-user MFA can be found:
  • https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Enabling Per-User MFA:




While enabling MFA is a good practice, converting per-user MFA to MFA based on Conditional Access reduces the number of times your users are prompted: a user in the per-user Enabled or Enforced state is prompted regardless of what the Conditional Access policies decide, so the two should not be mixed for the same users.

Azure AD surfaces this as a tenant recommendation ("Convert per-user MFA to Conditional Access MFA") when:

  • You have per-user MFA configured for at least 5% of your users.
  • Conditional Access policies are active for more than 1% of your users (indicating familiarity with CA policies).


Convert per-user MFA enabled and enforced users to disabled

If your users were enabled using per-user enabled and enforced Azure AD Multi-Factor Authentication the following PowerShell can assist you in making the conversion to Conditional Access based Azure AD Multi-Factor Authentication.

Run this PowerShell in an ISE window or save it as a .PS1 file to run locally. The operation can only be done by using the MSOnline module. Order matters: enable (not just report-only) the Conditional Access MFA policies first and verify them in the sign-in log, because the moment the per-user state is set to Disabled those policies are the only thing still requiring MFA.

PowerShell
# Requires the legacy MSOnline module: Install-Module MSOnline
Import-Module MSOnline

# Connect to tenant
Connect-MsolService

# Sets the per-user MFA requirement state (Disabled, Enabled or Enforced)
function Set-MfaState {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $ObjectId,
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $UserPrincipalName,
        [ValidateSet("Disabled","Enabled","Enforced")]
        $State
    )
    Process {
        Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
        # An empty requirements list means Disabled; otherwise a single
        # requirement for all relying parties ("*") carries the state.
        $Requirements = @()
        if ($State -ne "Disabled") {
            $Requirement =
                [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
            $Requirement.RelyingParty = "*"
            $Requirement.State = $State
            $Requirements += $Requirement
        }
        Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
                     -StrongAuthenticationRequirements $Requirements
    }
}

# Review who is currently Enabled or Enforced before changing anything
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
    Select-Object UserPrincipalName,
                  @{ n = 'MfaState'; e = { $_.StrongAuthenticationRequirements[0].State } }

# Disable per-user MFA for all users (only after the Conditional Access
# MFA policies are enabled and verified)
Get-MsolUser -All | Set-MfaState -State Disabled

Enable Azure AD MFA

 

Your Azure AD Multi-Factor Authentication rollout plan should include a pilot deployment followed by deployment waves that are within your support capacity. Begin your rollout by applying your Conditional Access policies to a small group of pilot users. After evaluating the effect on the pilot users, process used, and registration behaviors, you can either add more groups to the policy or add more users to the existing groups.

Follow the steps below:

  1. Meet the necessary prerequisites
  2. Configure chosen authentication methods
  3. Configure your Conditional Access policies
  4. Configure session lifetime settings
  5. Configure Azure AD MFA registration policies
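Step 5, the registration policy, is where most roll-outs leave a gap: an attacker who obtains a password for an account that has not registered yet can register their own phone as the second factor. A common control is a Conditional Access policy on the "Register security information" user action that blocks registration from anywhere except trusted named locations. The following is an added example for this page (not code from the original post or from Microsoft); it assumes you have already marked your office egress ranges as trusted named locations, and the group name CA-Exclusion-BreakGlass and policy name are placeholders.

```powershell
# Added example: only allow security-info (MFA) registration from trusted
# named locations. Requires the Microsoft.Graph PowerShell SDK.
# "CA-Exclusion-BreakGlass" is a placeholder for your own emergency-access group.

Connect-MgGraph -Scopes @("Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All")

# A blocking policy with no trusted location would stop ALL registrations,
# so confirm at least one named location is marked trusted first.
$locations = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations").value
$trusted = @($locations | Where-Object { $_.isTrusted -eq $true })
if ($trusted.Count -eq 0) {
    throw "No trusted named locations defined; the policy would block every registration"
}
"Trusted locations: " + (($trusted | ForEach-Object { $_.displayName }) -join ", ")

$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclusion-BreakGlass'"
if (-not $breakGlass) { throw "Break-glass exclusion group not found; refusing to create policy" }

$policy = @{
    displayName = "CA002 - Block security info registration from untrusted locations"
    # Start in report-only and check who would have been blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications = @{
            # The policy targets the registration user action, not a cloud app
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            includeLocations = @("All")
            # "AllTrusted" is the built-in alias for every location marked trusted
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

If remote-first users cannot reach a trusted location, swap the block grant for "mfa" or "compliantDevice" so registration of a new method requires an existing strong factor or a managed device instead; either way, new joiners are onboarded with a Temporary Access Pass or from a trusted network rather than by leaving registration open from the Internet.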






Operation: Manage Azure AD MFA

 

Reporting and Monitoring

Azure AD has reports that provide technical and business insights. Use them to follow the progress of your deployment and to check whether your users are succeeding at sign-in with MFA. Have your business and technical application owners take ownership of and consume these reports based on your organization's requirements.

You can monitor authentication method registration and usage across your organization using the Authentication Methods Activity dashboard. This helps you understand what methods are being registered and how they're being used.


Sign in report to review MFA events

The Azure AD sign-in reports include authentication details for events when a user is prompted for MFA, and if any Conditional Access policies were in use. You can also use PowerShell for reporting on users registered for Azure AD Multi-Factor Authentication.

NPS extension and AD FS logs for cloud MFA activity are now included in the Sign-in logs, and no longer published to Security > MFA > Activity report.

For more information, and additional Azure AD Multi-Factor Authentication reports, see Review Azure AD Multi-Factor Authentication events.
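The sign-in log fields that matter for an MFA roll-out are authenticationRequirement (single- or multi-factor), conditionalAccessStatus, and the per-policy results in appliedConditionalAccessPolicies, where report-only policies show reportOnlySuccess or reportOnlyFailure. The following is an added example for this page (not code from the original post or from Microsoft) that pulls a week of sign-ins with the Microsoft Graph PowerShell SDK, summarizes MFA and policy outcomes, lists the interactive single-factor sign-ins no policy touched, and pulls the registration report for users who still have no MFA method. The seven-day window and the top-20 cut-offs are assumptions.

```powershell
# Added example: MFA roll-out health check from the Azure AD sign-in log and
# the authentication methods registration report.
# Requires the Microsoft.Graph PowerShell SDK; sign-in log access needs P1/P2.

Connect-MgGraph -Scopes @("AuditLog.Read.All", "Directory.Read.All", "UserAuthenticationMethod.Read.All")

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Filter server-side on date only; the remaining fields are narrowed
# client-side because not every signIn property supports $filter.
$signIns = @(Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All)
"{0} sign-ins since {1}" -f $signIns.Count, $since

# 1. How often MFA was required, and how often it failed
#    (status.errorCode 0 is success; anything else is a failed sign-in).
$signIns |
    Group-Object AuthenticationRequirement |
    ForEach-Object {
        $failed = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
        "{0,-28} total={1,6} failed={2,5}" -f $_.Name, $_.Count, $failed
    }

# 2. Which Conditional Access policies fired and with what result. For a
#    report-only policy the result is reportOnlySuccess / reportOnlyFailure,
#    which is how you validate a policy before enforcing it.
$signIns |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Group-Object DisplayName, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Interactive, single-factor sign-ins that no policy applied to: the
#    users and apps still outside the roll-out.
$signIns |
    Where-Object { $_.IsInteractive -and
                   $_.AuthenticationRequirement -eq 'singleFactorAuthentication' -and
                   $_.ConditionalAccessStatus -eq 'notApplied' } |
    Group-Object UserPrincipalName, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# 4. Registration report: users with no MFA-capable method registered yet.
#    Paged manually via @odata.nextLink.
$uri = "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails"
$details = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $details += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)
$notRegistered = @($details | Where-Object { $_.isMfaRegistered -eq $false })
"{0} of {1} users have no MFA method registered" -f $notRegistered.Count, $details.Count
$notRegistered | ForEach-Object { $_.userPrincipalName } | Select-Object -First 20
```

Sign-in logs are retained for 30 days with a P1/P2 license, so schedule this (or stream the logs to Log Analytics or your SIEM) rather than relying on ad hoc queries; section 3 is the list to work through wave by wave, and section 4 is the list to target with the registration policy before the enforcing policies go live.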




References

  • Plan an Azure Active Directory Multi-Factor Authentication deployment
  • Optimize reauthentication prompts and understand session lifetime for Azure AD Multi-Factor Authentication
  • Sure, keep me signed in! And don’t prompt for MFA!
  • Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication









via Blogger http://blog.51sec.org/2022/11/enable-mfa-for-azure-ad-users.html
November 21, 2022 at 10:48PM Cloud