{"id":814,"date":"2022-05-03T19:39:42","date_gmt":"2022-05-03T19:39:42","guid":{"rendered":"https:\/\/www.spktechfit.com\/?p=814"},"modified":"2022-05-03T19:39:42","modified_gmt":"2022-05-03T19:39:42","slug":"9-planning-and-implementing-azure-multifactor-authentication-mfa","status":"publish","type":"post","link":"https:\/\/www.spktechfit.com\/?p=814","title":{"rendered":"9. Planning and Implementing Azure Multifactor Authentication (MFA)"},"content":{"rendered":"<h1 style=\"margin: 0in; font-family: Calibri; font-size: 16.0pt; color: #1e4e79;\">Understanding the Concepts of Multifactor Authentication<\/h1>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<p>&nbsp;<\/p>\n<h2 style=\"margin: 0in; font-family: Calibri; font-size: 14.0pt; color: #2e75b5;\">What is MFA?<\/h2>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<p>&nbsp;<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\"><span style=\"font-weight: bold;\">Authentication methods:<\/span><\/p>\n<ul style=\"direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in;\" type=\"disc\">\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Something you know: password, PIN etc\u2026<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Something you have: smart card, key fob, mobile phone etc\u2026<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Something you are: biometrics<\/span><\/li>\n<\/ul>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">MFA is using a combination of these methods.<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<p style=\"margin: 0in; 
font-family: Calibri; font-size: 11.0pt;\">No single-step authentication is strong enough on its own in today&#8217;s cyber security climate.<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">Two-step verification significantly increases security by adding an extra layer of protection.<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<p>&nbsp;<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<h1 style=\"margin: 0in; font-family: Calibri; font-size: 16.0pt; color: #1e4e79;\">Administration of MFA<\/h1>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<p>&nbsp;<\/p>\n<h2 style=\"margin: 0in; font-family: Calibri; font-size: 14.0pt; color: #2e75b5;\">MFA Licence<\/h2>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">You need an MFA licence before you can set it up for your users. You can check which licences include this feature:<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-mfa-licensing\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-mfa-licensing<\/a><\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">Azure AD Free: this has MFA for admins only<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">Azure Active Directory Premium 1 and 2: this has MFA for all users<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">M365 E3 Licence: this has Azure premium 1 (so it has MFA)<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">M365 E5 Licence: this has Azure premium 2 (so it has MFA)<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<p>&nbsp;<\/p>\n<h2 style=\"margin: 0in; font-family: Calibri; font-size: 14.0pt; 
color: #2e75b5;\">Configuring MFA<\/h2>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">For a single user<\/p>\n<ol style=\"direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11.0pt; font-weight: normal; font-style: normal;\" type=\"1\">\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\" value=\"1\"><span style=\"font-family: Calibri; font-size: 11.0pt; font-weight: normal; font-style: normal;\">Go to Azure AD -&gt; Users -&gt; Multi Factor Authentication (if the resolution of the monitor is low you may need to click the ellipsis symbol to get this option)<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Select the user you want<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Click on Enable<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">The next time this user authenticates, they will be prompted to register for MFA (enter phone number\/email for MFA)<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">You can then click Enforce to force it on for this user (see note below about non-browser applications)<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Click Save<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Click on Service Settings at the top of the page<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">There is an 
&#8220;App passwords&#8221; setting here where you can allow users to create app passwords to log in to legacy apps<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Trusted IPs: you can set IPs which don\u2019t have to use MFA<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Verification options: turn on or off different verification options (text to phone, mobile app etc\u2026)<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Remember MFA on trusted device: once a device has authenticated, the user can trust the device and it can bypass MFA for a specified time (default is 90 days)<\/span><\/li>\n<\/ol>\n<p style=\"margin: 0in; margin-left: .375in; font-family: Calibri; font-size: 11.0pt;\">\n<p>&nbsp;<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\"><span style=\"font-weight: bold;\">NOTE: About Non-browser Applications<\/span><\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">If you enforce MFA for users you may see the pop-up about &#8220;Non browser applications&#8221; and how users will need to create app passwords.<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">This refers to legacy apps (e.g. Outlook 2010). 
If you enforce MFA and you are using legacy apps, the users won&#8217;t be able to log on, as legacy apps don\u2019t support MFA.<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/howto-mfa-app-passwords#:~:text=Select%20Multi%2DFactor%20Authentication%20from,to%20non%2Dbrowser%20apps%20option\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/authentication\/howto-mfa-app-passwords#:~:text=Select%20Multi%2DFactor%20Authentication%20from,to%20non%2Dbrowser%20apps%20option<\/a>.<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">App passwords are automatically generated and not known to the user.<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<p>&nbsp;<\/p>\n<h1 style=\"margin: 0in; font-family: Calibri; font-size: 16.0pt; color: #1e4e79;\">Looking into Reporting Data for MFA<\/h1>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<ol style=\"direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11.0pt; font-weight: normal; font-style: normal;\" type=\"1\">\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\" value=\"1\"><span style=\"font-family: Calibri; font-size: 11.0pt; font-weight: normal; font-style: normal;\">Go to Azure AD<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Go to Monitoring -&gt; Sign-ins<\/span><\/li>\n<li style=\"margin-top: 0; margin-bottom: 0; vertical-align: middle;\"><span style=\"font-family: Calibri; font-size: 11.0pt;\">Click on a sign-in and go to the Authentication Details tab. This will show if they used MFA and if it was successful. 
It will give info if it failed.<\/span><\/li>\n<\/ol>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">You can filter this view to show different dates, users, apps, etc\u2026<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">\n<p>&nbsp;<\/p>\n<p style=\"margin: 0in; font-family: Calibri; font-size: 11.0pt;\">If you search for Azure MFA reports, there is a good article on running MFA reports and using PowerShell for this.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Understanding the Concepts of Multifactor Authentication &nbsp; What is MFA? &nbsp; Authentication methods: Something you know: password, PIN etc\u2026 Something you have: smart card, key fob, mobile phone etc\u2026 Something you are: biometrics MFA is using a combination of these methods. No single-step authentication is strong enough on its own in today&#8217;s cyber security [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[13,12,3],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/814"}],"collection":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=814"}],"version-history":[{"count":2,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/814\/revisions"}],"predecessor-version":[{"i
d":816,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=\/wp\/v2\/posts\/814\/revisions\/816"}],"wp:attachment":[{"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.spktechfit.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}