What is Azure MFA?
When accessing services like Office 365, passwords alone do not provide enough security. Passwords are easy to intercept, for example over public Wi-Fi, and although security professionals always advise using unique passwords, many of us don’t and reuse the same password across different sites, apps and services. This weak security is a boon for hackers and other bad actors.
That’s not to mention the almost regular occurrence of data breaches that expose millions of account details; over the years Adobe, Dropbox, Experian, Sony and Tesco have all been attacked. If your password is ever leaked, hackers have a springboard into any other account where the same password has been used.
How can Azure Multi-Factor Authentication (MFA) help?
Azure MFA means that even if someone knows your password, they can’t get in: they can’t log in to or access Office 365, Outlook, Microsoft Teams and the rest. This is because Azure MFA requires both:
- Something you know, usually your password
- Something you have, often a trusted device like your phone
Azure MFA makes life difficult for attackers: even if they have your password, without access to your trusted device they can go no further.
What is Azure MFA?
Azure MFA is Microsoft’s version of Two-Factor Authentication (2FA), the kind often used by banks and by apps and services like Twitter and Facebook. Azure MFA can help safeguard access to applications and data, enhancing security without impacting productivity. When using Azure MFA, users register additional authentication methods, which are then used during login to validate the user’s identity.
Azure MFA authentication methods include:
- Microsoft Authenticator app for iOS and Android
- SMS text messages
- Voice calls
Microsoft Authenticator is a popular option: it’s easy to use and supports both codes (the 6-digit codes you have to type in during sign-in) and notifications, where a message appears on the trusted device asking you to approve or deny a sign-in request.
Is Azure MFA free and is it included with Office 365?
There are three different versions of MFA:
- Multi-Factor Authentication for Office 365 – included with Office 365 or Microsoft 365 subscriptions
- Multi-Factor Authentication for Azure AD Administrators – users with the Azure AD Global Administrator role can enable MFA at no additional cost
- Azure Multi-Factor Authentication – the full version, which includes all the features and comes with Azure AD Premium or Microsoft 365 Business subscriptions
The reason for these different editions is that Microsoft wants to make Multi-Factor Authentication available to as many customers as possible, to combat identity-based attacks, which have been on the rise over the last few years.
Any administrator with an Azure AD tenant can protect their account with MFA, and this extends to all users in Office 365, who have MFA available at no additional cost.
How to enable Azure MFA
There are two main ways to enable Azure MFA: simply turning it on at the user level, or using Conditional Access. Turning on MFA per user is simple: administrators enable it for particular users, those users are prompted to register during their next sign-in, and from then on their accounts are protected.
Microsoft recommends enabling Azure MFA using Conditional Access policies rather than enabling it individually on users. The only exception is if your licences don’t include Conditional Access. Enabling MFA directly on a user can mean they are prompted for MFA every time they sign in.
Tip: When using Conditional Access, individual users will always show as disabled for Azure MFA in the admin portal. This is because Conditional Access, rather than the per-user setting, triggers an MFA prompt when required by policy controls.
Azure MFA with Conditional Access
Conditional Access is more flexible: it allows administrators to choose when to require Azure MFA based on criteria that are evaluated dynamically at sign-in. This evaluation can consider the type of device being used, its location, whether it is compliant, or the sign-in risk, where there is an indication that the sign-in wasn’t made by the actual owner of the user account.
Microsoft provides built-in baseline Conditional Access policies, currently in preview, to all customers; no add-ons or other special licensing are required. This ensures that all organisations have a baseline level of security at no additional cost.
The End user protection baseline policy is particularly interesting: it is a risk-based policy, so rather than prompting for MFA all the time, it only requires MFA when a sign-in is considered risky. Sign-ins from unfamiliar locations, or impossible travel, where two sign-ins originating from geographically dispersed locations are detected, are some of the criteria that may flag a sign-in as potentially risky. This policy also enforces registration for all users, including administrators, during a 14-day window, after which users will be blocked from signing in until they register for MFA.
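To make the risk-based behaviour described above concrete, here is an added example (not Microsoft’s policy engine and not code from the original article) that models one risk signal, impossible travel, and the decision a policy like End user protection makes: unregistered users are sent to register, a risky sign-in requires MFA, anything else is allowed. The speed threshold, the field names and the constructed sign-in coordinates are assumptions for this illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Above this implied speed between two sign-ins the pair is treated as
# impossible travel. The threshold is an assumption for this example.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_impossible_travel(previous, current):
    """Each sign-in is a dict with 'time' (ISO 8601 with UTC offset), 'lat', 'lon'."""
    t1 = datetime.fromisoformat(previous["time"])
    t2 = datetime.fromisoformat(current["time"])
    hours = abs((t2 - t1).total_seconds()) / 3600.0
    distance = haversine_km(previous["lat"], previous["lon"],
                            current["lat"], current["lon"])
    if hours == 0:
        return distance > 0          # same instant, different place
    return distance / hours > MAX_PLAUSIBLE_KMH


def required_control(previous, current, mfa_registered):
    """Simplified model of a risk-based policy decision for one sign-in.

    Returns "register" when the user has not registered security info yet,
    "mfa" when the sign-in pair looks like impossible travel, else "allow".
    """
    if not mfa_registered:
        return "register"
    if previous is not None and is_impossible_travel(previous, current):
        return "mfa"
    return "allow"


# Constructed sign-ins (not real data): London, then Sydney two hours later,
# and a separate London-to-Manchester pair three hours apart.
LONDON = {"time": "2019-10-01T09:00:00+00:00", "lat": 51.5074, "lon": -0.1278}
SYDNEY = {"time": "2019-10-01T11:00:00+00:00", "lat": -33.8688, "lon": 151.2093}
MANCHESTER = {"time": "2019-10-01T12:00:00+00:00", "lat": 53.4808, "lon": -2.2426}

if __name__ == "__main__":
    print(required_control(LONDON, SYDNEY, mfa_registered=True))      # mfa
    print(required_control(LONDON, MANCHESTER, mfa_registered=True))  # allow
```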
Is it worth upgrading to Azure MFA and what extra features do you get?
This is where the paid version of Azure MFA is more versatile: while the pre-defined baseline policies are useful, they can’t be customised at all. With a baseline policy, all you can do is turn it on. Microsoft did have an option to scope a baseline policy and exclude users if required, but this has since been removed.
With the full version, you can target Azure MFA at the situations where it’s needed most, using custom Conditional Access policies. Self-service Password Reset is another feature that’s available alongside the full Azure MFA version.
On-premises support is another big difference with the paid version. If you want to protect on-premises applications, RDS servers or a VPN, that requires the paid version of Azure MFA.
On-premises support is delivered using the NPS Extension for Azure MFA, which integrates with RADIUS infrastructure. Prior to this there was an MFA Server option, which has since been deprecated and is no longer available to new customers.
We recently delivered an Azure MFA and Conditional Access solution including integration with Cisco AnyConnect VPN and RDS Gateway for a client. This combination proved particularly flexible and much more streamlined than their previous third-party platform.
Features available with the full version of Azure MFA:
- Trusted IPs and named locations
- Custom Conditional Access policies
- Require MFA for specific apps
- Require MFA for access from untrusted networks
- Require registration from a trusted location
- Microsoft Intune compliance integration
- MFA support for on-premises applications
- Fraud alert and custom voice messages
- Self-service password reset with on-premises write-back option
How much does Azure MFA cost?
The full version of Azure MFA can be bought with Azure AD Premium; it’s also included with Enterprise Mobility + Security and with the Microsoft 365 Business or Enterprise plans. Azure Active Directory Premium P1 starts at approximately £4.50 per user per month.
Azure Active Directory Premium gives you a lot more than just the full version of Azure MFA: it’s a collection of advanced features, all for one price. This includes:
- Advanced security and usage reports
- Azure AD Join MDM auto-enrolment
- Application Proxy
- Advanced Office 365 groups management (dynamic groups, naming policy, expiration, usage guidelines and more)
- Conditional Access
We recommend Azure Active Directory Premium for most customers; the support for Azure MFA and Conditional Access alone adds tremendous value and helps businesses improve their security posture.
Modern authentication and app passwords
Microsoft uses the term Modern Authentication to describe a combination of authentication and authorisation methods which together offer better security. It includes:
- Open Authorization (OAuth)
- Mobile Application Management (MAM) and Azure Active Directory Conditional Access
There is wide support across Microsoft platforms, services and applications for Modern Authentication including Windows 10, web browsers, Android, iOS and macOS.
Modern Authentication provides native support for MFA, meaning that when signing in to an application or device, you are offered the option to verify your identity using the additional authentication methods, such as a Microsoft Authenticator code or notification.
Previously, when an app didn’t support Modern Authentication, it meant using an app password. App passwords provide an alternative when MFA isn’t understood by an application, such as Outlook 2010 or older; an app password gives that app permission to access your account.
Tip: Don’t use app passwords. They are a holdover from before Modern Authentication was widely supported and are an unnecessary complication in most cases. Modern Authentication is enabled in Office 365 by default, although in some older tenants enabling it may be a manual step.
Combined security information registration
Microsoft has improved the end-user experience with the combined security information registration preview. Previously, users had to register for MFA and for self-service password reset separately, which added confusion: it was a similar registration experience that had to be done twice.
Now, with the combined security information registration experience, users can register for MFA and self-service password reset in one modern, streamlined experience.
Tip: Use the new combined security information registration: it’s easier to use, looks more professional and combines registration with self-service password reset. We used it with a client recently, and it was very well received, improving the whole experience.
My Profile portal
As well as the new registration experience, Microsoft has a new end-user portal for managing registration details, currently in preview. This self-service portal allows users to change their registration details at any time.
Users can go to the My Profile portal – https://myprofile.microsoft.com – and click Security info to amend these details. It’s possible to add, remove or change the default authentication methods.
Microsoft has announced that, starting later in the year, My Profile is being renamed ‘My Account’, which will also be integrated with the Office account page, alongside other improvements. All references to ‘My Profile’ will be changed to ‘My Account’. From My Account there will be options to manage Office installations and subscriptions from the Overview Account page, as well as Office-related contact preferences from the Privacy page.
Azure MFA registration insights and Azure AD auditing
It’s good to be able to track if and how users are registering; we found this particularly helpful when rolling out Azure MFA for a client. With the Usage & Insights reports, we were able to drill down into:
- Percentage of users who have registered for Azure MFA and of those who haven’t
- Registrations by authentication methods in the last 24 hours, 7 or 30 days
- Filter users by registered or not registered
- Search users and list methods registered
To access this information from the Azure Active Directory admin center, expand Azure Active Directory, then Usage & insights, and open the Authentication methods activity report. As well as this, the Azure AD Audit logs are a useful source for tracing and troubleshooting registration details. These two audit activities are a good indication of success during Azure MFA registration:
- User started security info registration
- User registered all required security info
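As an added example (not part of the original article, and not a Microsoft tool), the following script works through the two audit activities above over a constructed Audit log export and lists users who started registration but never logged a successful completion, which is the rollout question an administrator usually has. The entries are newline-delimited JSON whose field names follow the shape of Microsoft Graph’s directoryAudit records; that shape, and the user names, are assumptions for this illustration.

```python
import json
from collections import defaultdict

# The two registration activities named in the article
STARTED = "User started security info registration"
COMPLETED = "User registered all required security info"

# Constructed sample Audit log entries (not a real export). The field names
# follow Microsoft Graph's directoryAudit shape, which is an assumption here.
SAMPLE_AUDIT_LOG = """
{"activityDateTime": "2019-10-01T09:02:11Z", "activityDisplayName": "User started security info registration", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}}
{"activityDateTime": "2019-10-01T09:05:40Z", "activityDisplayName": "User registered all required security info", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}}
{"activityDateTime": "2019-10-01T10:15:02Z", "activityDisplayName": "User started security info registration", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}}
{"activityDateTime": "2019-10-02T08:30:19Z", "activityDisplayName": "User started security info registration", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}}
{"activityDateTime": "2019-10-02T08:31:00Z", "activityDisplayName": "User registered all required security info", "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}}
{"activityDateTime": "2019-10-02T11:00:00Z", "activityDisplayName": "User registered security info", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}}}
"""


def parse_entries(text):
    """Yield one dict per non-empty line of newline-delimited JSON."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def registration_status(text):
    """Map each user to how many times they started registration, whether a
    successful completion was logged, and the time of their last tracked event."""
    status = defaultdict(lambda: {"started": 0, "completed": False, "last": ""})
    for entry in parse_entries(text):
        name = entry.get("activityDisplayName")
        if name not in (STARTED, COMPLETED):
            continue                      # other security-info events are ignored
        if entry.get("result") != "success":
            continue                      # a failed completion does not count
        upn = entry.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        if not upn:
            continue
        record = status[upn]
        if name == STARTED:
            record["started"] += 1
        else:
            record["completed"] = True
        # ISO 8601 UTC timestamps in one fixed format compare correctly as strings
        record["last"] = max(record["last"], entry["activityDateTime"])
    return dict(status)


def incomplete_registrations(text):
    """Users who started registration but never logged a successful completion."""
    return sorted(upn for upn, rec in registration_status(text).items()
                  if rec["started"] and not rec["completed"])
```

Running `incomplete_registrations(SAMPLE_AUDIT_LOG)` on the sample returns only bob, because his completion event failed; carol’s event is a different activity and is not counted either way.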
Benefits of Azure MFA
The benefits of Azure MFA include:
- Basic functionality is available at no additional cost in some instances
- The paid version of Azure MFA has advanced features
- Registration is straightforward and is now combined with self-service password reset
- A range of different authentication methods, including SMS text, app codes and notifications with the Microsoft Authenticator app
- Conditional Access extends control of Azure MFA dynamically based on the user’s device, location or compliance
- Reporting and auditing are available to track and troubleshoot registration
- The full version of Azure MFA optionally includes self-service password reset, with on-premises support