AD Multi Factor Authentication
MFA is included in the P2 plan; otherwise it costs around $1 per month per user
You can only enable MFA for users that are part of your domain, not invited guests.
You can have a local MFA server (you download the software and install it in your environment) or a cloud MFA server
Turning on and configuring MFA
- In the Portal, go to “Users -> All Users -> Multi Factor Authentication”. This will bring you to a page with a list of your users
- Select the users for which you want to enable MFA
- If you click on “Service Settings” at the top it brings you to the configuration page
- You can set trusted IPs here to bypass MFA when the sign-in comes from a certain IP range
- Scroll down on this page and you can see the verification options:
– phone call
– SMS message
– notification through mobile app
– verification code from mobile app or hardware token
- Click on Save
- Click on Enable
- The next time the users sign in through a web browser they are asked to set up MFA
AAD Conditional Access
Conditional Access is another way you can turn on MFA. Instead of just applying MFA to certain users, it allows you to set a policy to require MFA under certain circumstances.
Setting up Conditional Access
- Go to “Users -> Conditional Access”. There is a baseline policy here that requires all admins to use MFA. It is turned off by default.
- Click on the + to create a new policy
- The options are:
– Which users and groups?
– Which apps?
– What are the conditions? (location, sign-in risk, device state, device platform)
– Actions: block access, grant access but require MFA
You can set these from within the “Conditional Access” section. You can add locations and trusted IP ranges.
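The policy pieces listed above (users and groups, apps, conditions, grant action) together with the trusted-IP bypass from the MFA service settings, as an added example that is not part of these notes or of Microsoft's code: a small Python model that builds a policy body in the shape the Microsoft Graph conditionalAccessPolicy resource uses and walks a few constructed sign-ins through it. The group and account ids, the 203.0.113.0/24 trusted range and the sample sign-ins are placeholders, and `evaluate` is a teaching approximation of how the pieces combine, not Azure AD's own evaluation engine.

```python
"""Simplified model of an Azure AD Conditional Access policy.

Added example, not part of the original notes and not Azure's own code.
All object ids, the trusted IP range and the sample sign-ins are constructed
placeholders; the evaluation below is a teaching approximation of how the
users / apps / conditions / grant-control pieces fit together.
"""
import ipaddress
import json

# Constructed trusted location; in the portal this is a "trusted IPs" range in
# the MFA service settings or a trusted named location under Conditional Access.
TRUSTED_LOCATIONS = {
    "corp-hq": {"isTrusted": True, "cidrs": ["203.0.113.0/24"]},  # TEST-NET-3, placeholder
}

ADMINS_GROUP = "<admins-group-object-id>"          # placeholder
BREAK_GLASS = "<break-glass-account-object-id>"    # placeholder

# Policy shape follows the Graph conditionalAccessPolicy resource:
# users -> apps -> conditions -> grant controls, as in the notes above.
POLICY = {
    "displayName": "Require MFA for admins outside trusted locations",
    "state": "enabled",  # or "disabled" / "enabledForReportingButNotEnforced"
    "conditions": {
        "users": {"includeGroups": [ADMINS_GROUP], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        "signInRiskLevels": [],  # empty list: the risk condition is not used
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def in_trusted_location(ip, locations=TRUSTED_LOCATIONS):
    """True if the source address falls inside any location marked trusted."""
    addr = ipaddress.ip_address(ip)
    return any(
        loc["isTrusted"] and any(addr in ipaddress.ip_network(c) for c in loc["cidrs"])
        for loc in locations.values()
    )


def evaluate(policy, signin):
    """Return 'not_in_scope', 'require_mfa', 'block' or 'grant' for one sign-in."""
    if policy["state"] != "enabled":  # disabled and report-only never enforce
        return "not_in_scope"
    cond = policy["conditions"]

    users = cond["users"]
    if signin["user_id"] in users.get("excludeUsers", []):
        return "not_in_scope"  # exclusions win over inclusions
    included = users.get("includeUsers", [])
    in_users = (
        "All" in included
        or signin["user_id"] in included
        or bool(set(signin["groups"]) & set(users.get("includeGroups", [])))
    )
    if not in_users:
        return "not_in_scope"

    apps = cond["applications"].get("includeApplications", [])
    if not ("All" in apps or signin["app_id"] in apps):
        return "not_in_scope"

    locs = cond.get("locations", {})
    trusted = in_trusted_location(signin["ip"])
    if trusted and "AllTrusted" in locs.get("excludeLocations", []):
        return "not_in_scope"  # the trusted-IP bypass
    inc = locs.get("includeLocations", ["All"])
    if not ("All" in inc or (trusted and "AllTrusted" in inc)):
        return "not_in_scope"

    risk_levels = cond.get("signInRiskLevels") or []
    if risk_levels and signin.get("risk", "none") not in risk_levels:
        return "not_in_scope"

    controls = policy["grantControls"].get("builtInControls", [])
    if "block" in controls:
        return "block"
    return "require_mfa" if "mfa" in controls else "grant"


# Constructed sample sign-ins: admin off-net, admin on the trusted range,
# a non-admin, and the excluded break-glass account.
SIGNINS = [
    {"user_id": "u-alice", "groups": [ADMINS_GROUP], "app_id": "app-1", "ip": "198.51.100.7", "risk": "none"},
    {"user_id": "u-alice", "groups": [ADMINS_GROUP], "app_id": "app-1", "ip": "203.0.113.10", "risk": "none"},
    {"user_id": "u-bob", "groups": [], "app_id": "app-1", "ip": "198.51.100.7", "risk": "none"},
    {"user_id": BREAK_GLASS, "groups": [ADMINS_GROUP], "app_id": "app-1", "ip": "198.51.100.7", "risk": "high"},
]


def decisions(policy=POLICY, signins=SIGNINS):
    return [evaluate(policy, s) for s in signins]


def graph_request_body(policy=POLICY):
    """JSON body in the shape POST /identity/conditionalAccess/policies expects."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for s, d in zip(SIGNINS, decisions()):
        print(f"{s['user_id']:<34} from {s['ip']:<14} -> {d}")
    print(graph_request_body())
```

Two details the model makes visible: an excluded user is skipped before any include rule is checked, which is why a break-glass account stays out of an MFA policy, and a policy in the report-only state never enforces, so the sign-in log, not the model, is where you confirm a new policy's scope before switching it to enabled.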
Configuring Fraud Alerts
A Fraud Alert allows users to report if they receive a two-step verification request that they didn’t initiate.
The settings for this are in the MFA section. The options here are:
- Allow users to submit fraud alerts
- Automatically block users who report fraud
If a user gets blocked, they appear on the “Block list” in the MFA section. They will remain blocked for 90 days or until someone manually unblocks them.
MFA One Time Bypass
If a user doesn’t have access to the device they use for MFA (lost their phone or got a new number), you can allow them to use the “One time bypass” feature.
- This is in the MFA section under “Manage MFA Server -> One Time Bypass”
- You can set the amount of time in seconds for them to bypass MFA
- Click on Add and then select the user you wish to grant the bypass to
- It is effective immediately