Showing posts with label Azure MFA. Show all posts

Wednesday, June 7, 2017

PowerShell to automate turning on two-step verification in Azure

To change the state using Azure AD PowerShell, you can use the following. You can change $st.State to equal one of the following states:
  • Enabled
  • Enforced
  • Disabled
Note: It's not recommended to move users directly from the Disabled state to the Enforced state. Non-browser-based apps will stop working because the user has not gone through MFA registration and obtained an app password. If you have non-browser-based apps and require app passwords, we recommend that you go from a Disabled state to Enabled. This allows users to register and obtain their app passwords. After that, you can move them to Enforced.

PowerShell is an option for bulk enabling users. Currently there is no bulk enable feature in the Azure portal and you need to select each user individually. This can be quite a task if you have many users. By creating a PowerShell script using the following, you can loop through a list of users and enable them:

    # Placeholder address: replace with the UPN of the user to change.
    $upn = "user@example.com"
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $sta

Below is an example

    # Placeholder addresses: replace with the UPNs of the users to enable.
    $users = "user1@example.com","user2@example.com"
    foreach ($user in $users)
    {
        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $st.RelyingParty = "*"
        $st.State = "Enabled"
        $sta = @($st)
        Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
    }
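
The note above about not moving users straight from Disabled to Enforced can be built into the bulk script. The following is an added example, not part of the original post: it reads each user's current state and only ever advances one step, promoting to Enforced once the user has registered. The function names and users.txt are hypothetical, and it assumes the MSOnline module with an open Connect-MsolService session.

```powershell
# Added example; assumes the MSOnline module and an open Connect-MsolService session.
# Get-NextMfaState and Set-MfaStateStaged are hypothetical helper names.
function Get-NextMfaState {
    param(
        [string]$Current,                                  # Disabled, Enabled or Enforced
        [bool]$HasRegistered,                              # has a registered MFA method
        [ValidateSet('Enabled','Enforced')][string]$Target
    )
    if ($Current -eq $Target -or $Current -eq 'Enforced') { return $null }  # no change, no downgrade
    if ($Current -eq 'Disabled') { return 'Enabled' }      # always stage through Enabled
    if ($HasRegistered) { return 'Enforced' }              # Enabled and registered
    return $null                                           # Enabled, still waiting for registration
}

function Set-MfaStateStaged {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [ValidateSet('Enabled','Enforced')][string]$Target = 'Enabled'
    )
    foreach ($upn in $UserPrincipalName) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
        # A user with no StrongAuthenticationRequirements entry is in the Disabled state.
        $current = 'Disabled'
        if ($user.StrongAuthenticationRequirements.Count -gt 0) {
            $current = [string]$user.StrongAuthenticationRequirements[0].State
        }
        # Assumption: at least one StrongAuthenticationMethods entry means registration is done.
        $registered = $user.StrongAuthenticationMethods.Count -gt 0
        $next = Get-NextMfaState -Current $current -HasRegistered $registered -Target $Target
        $applied = $false
        if ($next -and $PSCmdlet.ShouldProcess($upn, "MFA state $current -> $next")) {
            $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
            $st.RelyingParty = "*"
            $st.State = $next
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($st)
            $applied = $true
        }
        # One report row per user, so skipped accounts are visible.
        [pscustomobject]@{ User = $upn; Was = $current; Registered = $registered; Next = $next; Applied = $applied }
    }
}

# Dry run over a hypothetical users.txt (one UPN per line):
# Set-MfaStateStaged -UserPrincipalName (Get-Content .\users.txt) -Target Enforced -WhatIf
```

Running it repeatedly with -Target Enforced is safe: Disabled users are moved to Enabled on the first pass and are promoted on a later pass, after they have registered.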

Azure Multi-Factor Authentication in the cloud

This post walks through how to get started using Azure Multi-Factor Authentication in the cloud (Office 365).

The following provides information on how to enable users using the Azure classic portal.

Enable Azure Multi-Factor Authentication

As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are:
  • Azure Multi-Factor Authentication
  • Azure Active Directory Premium
  • Enterprise Mobility + Security
If you don't have one of these three licenses, or you don't have enough licenses to cover all of your users, that's ok too. You just have to do an extra step and Create a Multi-Factor Auth Provider in your directory.

Turn on two-step verification for users

To start requiring two-step verification for a user, change the user's state from disabled to enabled. The user states are described below.

User accounts in Azure Multi-Factor Authentication have the following three distinct states:
State | Description | Non-browser apps affected
Disabled | The default state for a new user not enrolled in Azure Multi-Factor Authentication (MFA). | No
Enabled | The user has been enrolled in Azure MFA, but has not registered. They will be prompted to register the next time they sign in. | No. They continue to work until the registration process is completed.
Enforced | The user has been enrolled and has completed the registration process for Azure MFA. | Yes. Apps require app passwords.

Use the following procedure to enable MFA for your users.

To turn on multi-factor authentication

  1. Sign in to the Azure classic portal as an administrator.
  2. On the left, click Active Directory.
  3. Under Directory, select the directory for the user you wish to enable. 
  4. Click Users at the top.
  5. At the bottom of the page, click Manage Multi-Factor Auth. A new browser tab opens.
  6. Find the user that you wish to enable for two-step verification. You may need to change the view at the top. Ensure that the status is disabled. 
  7. Place a check in the box next to their name and click Enable
  8. Click enable multi-factor auth
  9. You can now notice that the user's state has changed from disabled to enabled
Once you have enabled the user, inform them by email that the next time they try to sign in, they will be asked to enrol their account for two-step verification (MFA). Once they start using two-step verification, they will also need to set up app passwords to avoid getting locked out of non-browser apps.

Monday, June 5, 2017

Create Azure Multi-Factor Auth Provider

Two-step verification is available by default for global administrators who have Azure Active Directory, and for Office 365 users.

An Azure Multi-Factor Authentication Provider is used to take advantage of features provided by the full version of Azure MFA. It is for users who do not have licenses through Azure MFA, Azure AD Premium, or EMS. Azure MFA, Azure AD Premium, and EMS include the full version of Azure MFA by default. If you have licenses, then you do not need an Azure Multi-Factor Authentication Provider.

Create a Multi-Factor Authentication Provider

Use the following steps to create an Azure Multi-Factor Auth Provider.
  1. Sign in to the Azure classic portal as an administrator.
  2. On the left, select Active Directory.
  3. On the Active Directory page, at the top, select Multi-Factor Authentication Providers
  4. Click New at the bottom
  5. Select Multi-Factor Auth Provider under App Services
  6. Select Quick Create and provide the following details for MFA:
    1. Name – The name of the Multi-Factor Auth Provider.
    2. Usage Model – Choose one of two options:
      • Per Authentication – purchasing model that charges per authentication. Typically used for scenarios that use Azure Multi-Factor Authentication in a consumer-facing application.
      • Per Enabled User – purchasing model that charges per enabled user. Typically used for employee access to applications such as Office 365. Choose this option if you have some users that are already licensed for Azure MFA.
    3. Directory – The Azure Active Directory tenant that the Multi-Factor Authentication Provider is associated with. Be aware of the following:
      • You do not need an Azure AD directory to create a Multi-Factor Auth Provider. Leave the box blank if you are only planning to use the Azure Multi-Factor Authentication Server or SDK.
      • The Multi-Factor Auth Provider must be associated with an Azure AD directory to take advantage of the advanced features.
      • Azure AD Connect, AAD Sync, or DirSync are only a requirement if you are synchronizing your on-premises Active Directory environment with an Azure AD directory. If you only use an Azure AD directory that is not synchronized, then this is not required. 
  7. Once you click Create, the Multi-Factor Authentication Provider is created and you should see a message stating: Successfully created Multi-Factor Authentication Provider. Click OK.