Wednesday, June 7, 2017

Azure Multi-Factor Authentication in the cloud

This post walks through how to get started using Azure Multi-Factor Authentication in the cloud (office 365)

The following provides information on how to enable users using the Azure Classic Portal

Enable Azure Multi-Factor Authentication

As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are:
  • Azure Multi-Factor Authentication
  • Azure Active Directory Premium
  • Enterprise Mobility + Security
If you don't have one of these three licenses, or you don't have enough licenses to cover all of your users, that's ok too. You just have to do an extra step and Create a Multi-Factor Auth Provider in your directory.

Turn on two-step verification for users

To start requiring two-start verification on for a user, change the user's state from disabled to enabled. User States are as below

User accounts in Azure Multi-Factor Authentication have the following three distinct states:
StateDescriptionNon-browser apps affected
DisabledThe default state for a new user not enrolled Azure Multi-Factor Authentication (MFA).No
EnabledThe user has been enrolled in Azure MFA, but has not registered. They will be prompted to register the next time they sign in.No. They continue to work until the registration process is completed.
EnforcedThe user has been enrolled and has completed the registration process for Azure MFA.Yes. Apps require app passwords.
Use the following procedure to enable MFA for your users.

To turn on multi-factor authentication

  1. Sign in to the Azure classic portal as an administrator.
  2. On the left, click Active Directory.
  3. Under Directory, select the directory for the user you wish to enable. 
  4. Click Users at the top

  5. At the bottom of the page, click Manage Multi-Factor Auth. A new browser tab opens.
  6. Find the user that you wish to enable for two-step verification. You may need to change the view at the top. Ensure that the status is disabled. 
  7. Place a check in the box next to their name and click Enable
  8. Click enable multi-factor auth
  9. You can now notice that the user's state has changed from disabled to enabled
Once you enabled, inform the user via email as the next time they try to sign in, they will be asked to enrol their account for two-step verification (MFA). Once they start using two-step verification, they would also need to set up app passwords to avoid getting locked out of non-browser apps.

No comments:

Post a Comment