{"id":611,"date":"2021-06-23T19:31:43","date_gmt":"2021-06-23T19:31:43","guid":{"rendered":"https:\/\/www.spktechfit.com\/?p=611"},"modified":"2021-06-23T19:31:43","modified_gmt":"2021-06-23T19:31:43","slug":"6-implement-multi-factor-authentication","status":"publish","type":"post","link":"https:\/\/www.spktechfit.com\/?p=611","title":{"rendered":"6. Implement Multi Factor Authentication"},"content":{"rendered":"<h1>AD Multi Factor Authentication<\/h1>\n<p>MFA is included in the P2 plan; otherwise it costs around $1 per month per user.<\/p>\n<p>You can only enable MFA for users that are part of your domain, not invited guests.<\/p>\n<p>You can have a local MFA server (you download the software and install it in your environment) or a cloud MFA server.<\/p>\n<h2>Turning on and configuring MFA<\/h2>\n<ul>\n<li>In the Portal, go to &#8220;Users -&gt; All Users -&gt; Multi Factor Authentication&#8221;. This will bring you to a page with a list of your users<\/li>\n<li>Select the users for which you want to enable MFA<\/li>\n<li>If you click on &#8220;Service Settings&#8221; at the top it brings you to the configuration page<\/li>\n<li>You can set trusted IPs here to bypass MFA if on a certain IP range<\/li>\n<li>Scroll down on this page and you can see the verification options:<br \/>\n&#8211; phone call<br \/>\n&#8211; SMS message<br \/>\n&#8211; notification through mobile app<br \/>\n&#8211; verification code from mobile app or hardware token<\/li>\n<li>Click on Save<\/li>\n<li>Click on Enable<\/li>\n<li>The next time the users sign in through a web browser they are asked to set up MFA<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h1>AAD Conditional Access<\/h1>\n<p>Conditional Access is another way you can turn on MFA. Instead of just applying MFA to certain users, it allows you to set a policy to require MFA under certain circumstances.<\/p>\n<h2>Setting up Conditional Access<\/h2>\n<ul>\n<li>Go to &#8220;Users -&gt; Conditional Access&#8221;. 
There is a baseline policy here that requires all admins to use MFA. This is turned off by default.<\/li>\n<li>Click on the + to create a new policy<\/li>\n<li>The options are:<br \/>\n&#8211; Which users and groups?<br \/>\n&#8211; Which apps?<br \/>\n&#8211; What are the conditions? (location, sign in risk, device state, device platform)<br \/>\n&#8211; Actions: block access, grant access but require MFA<\/li>\n<\/ul>\n<h3>Trusted Locations<\/h3>\n<p>You can set these from within the &#8220;Conditional Access&#8221; section. You can add locations and trusted IP ranges.<\/p>\n<p>&nbsp;<\/p>\n<h1>Configuring Fraud Alerts<\/h1>\n<p>A Fraud Alert allows users to report if they receive a two-step verification request that they didn\u2019t initiate.<\/p>\n<p>The settings for this are in the MFA section. The options here are:<\/p>\n<ul>\n<li>Allow users to submit fraud alerts<\/li>\n<li>Automatically block users who report fraud<\/li>\n<\/ul>\n<h2>Blocked Users<\/h2>\n<p>If a user gets blocked, they are on the &#8220;Block list&#8221; in the MFA section. They will remain blocked for 90 days or until someone manually unblocks them.<\/p>\n<p>&nbsp;<\/p>\n<h1>MFA One Time Bypass<\/h1>\n<p>If a user doesn\u2019t have access to the device they use for MFA (lost their phone or got a new number), you can allow them to use the &#8220;One time bypass&#8221; feature.<\/p>\n<ul>\n<li>This is in the MFA section under &#8220;Manage MFA Server -&gt; One Time Bypass&#8221;<\/li>\n<li>You can set the amount of time in seconds for them to bypass MFA<\/li>\n<li>Click on add and then select the user you wish to grant the bypass to<\/li>\n<li>It is effective immediately<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>AD Multi Factor Authentication MFA is included in the P2 plan, otherwise it costs around $1 per month per user You can only enable MFA for users that are part of your domain, not invited guests. 
You can have a local MFA server (you download the software and install it in your environment) or a cloud [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[13,3],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/611"}],"collection":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=611"}],"version-history":[{"count":2,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/611\/revisions"}],"predecessor-version":[{"id":613,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/611\/revisions\/613"}],"wp:attachment":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}