Azure, Technology

6. Implement Multi Factor Authentication

AD Multi Factor Authentication

MFA is included in the P2 plan, otherwise it costs round $1 per month per user

You can only enable MFA for users that are part of your domain, not invited guests.

You can have a local MFA server (you download the software and install it your environment) or a cloud MFA server

Turning on and configuring MFA

  • In the Portal, go to “Users -> All Users -> Multi Factor Authentication”. This will bring you to a page with a list of your users
  • Select the users for which you want to enable MFA
  • If you click on “Service Settings” at the top it brings you to the configuration page
  • You can set trusted IP’s here to bypass MFA if on a certain IP range
  • Scroll down on this page and you can see the verification options:
    – phone call
    – SMS message
    – notification through mobile app
    – verification code from mobile app or hardware token
  • Click on Save
  • Click on Enable
  • The next time the users sign in through a web browser they are asked to setup MFA


AAD Conditional Access

Conditional Access is another way you can turn on MFA. Instead of just applying MFA to certain users, it allows you to set a policy to require MFA under certain circumstances.

Setting up Conditional Access

  • Go to “Users -> Conditional Access”. There is a baseline policy here that is requiring all admins to use MFA. This is turned off by default.
  • Click on the + to create a new policy
  • The options are:
    – Which users and groups?
    – Which apps?
    – What are the conditions?  (location, sign in risk, device state, device platform)
    – Actions: block access, grant access but require MFA

Trusted Locations

You can set these from within the “Conditional Access” section. You can add locations and trusted IP ranges.


Configuring Fraud Alerts

A Fraud Alert allows users to report if they receive a two-step verification request that they didn’t initiate.

The settings for this are in the MFA section. The options here are:

  • Allow users to submit fraud alerts
  • Automatically block users who report fraud

Blocked Users

If a user gets blocked, they on the “Block list” in the MFA section. They will remain blocked for 90 days or until someone manually unblocks them.


MFA One Time Bypass

If a user doesn’t have access to the device they use for MFA (lost their phone or got a new number), you can allow them use the “One time bypass” feature.

  • This is in the MFA section under “Manage MFA Server- > One Time Bypass”
  • You can set the amount of time in seconds for them to bypass MFA
  • Click on add and then select the user you wish to grant the bypass too
  • It is effective immediately

Leave a Reply

Your email address will not be published. Required fields are marked *