Azure MFA (Multi Factor Authentication)

Introduction

Azure MFA is a security feature that comes in handy because when we’re accessing services such as Office 365, passwords alone don’t provide enough security. Passwords are easy to intercept, over public Wi-Fi for example. And although security professionals always advise us to use unique passwords, many of us don’t. And we use the same password on different sites, apps or services. This weak security is a boon for hackers and other people with bad intentions.

That’s not to mention, the regular occurrence of data breaches that often expose millions of account details. In the past, big companies like Adobe, Dropbox, Experian, Sony and Tesco, have all been attacked. If hackers obtain your password, they have a springboard to any other accounts where you’ve used the same password.     

How can Azure Multi-Factor Authentication (MFA) Help?

With Azure MFA, even if someone knows your password, they can’t get in. And they won’t be able to log in or access Office 365, Outlook, Microsoft Teams or anything else. This is because Azure MFA uses both something you know, usually your password. And something you have, such as a trusted device like your phone to gain access.

Azure Multi Factor Authentication makes it difficult for attackers, even if they have your password. Without access to your trusted device, they can go any further.

What is Azure MFA?

Azure MFA is Microsoft’s version of Two-Factor Authentication (2FA). Banks or apps and services like Twitter and Facebook often use this method. Azure MFA can help safeguard access to applications and data. As a result, this enhances security without impacting productivity. With Azure MFA, users register additional authentication methods. You can use these during login to validate the user’s identity.

Azure MFA authentication methods include:

  • App for iOS and Android
  • SMS
  • Voice calls

Microsoft Authenticator is a popular option, it’s easy to use and supports codes like the 6-digit codes you have to type in during sign-in. Or notifications, where a message appears on the trusted device, asking the user to approve or deny a sign-in request. 

Is Azure MFA free and is it included with Office 365?

There are three different versions of MFA: 

  1. Multi-Factor Authentication for Office 365 – This is included with Office 365 or Microsoft 365 subscriptions.
  2. Multi-Factor Authentication for Azure AD Administrators – Users with the Azure AD Global Administrator role, at no additional cost, can enable MFA.
  3. Azure Multi-Factor Authentication – is the full version, which includes all the features. And comes with Azure AD Premium or Microsoft 365 Business subscriptions.

Microsoft wants to make Multi-Factor Authentication available to as many customers as possible. And this is why there are three different versions. This is to combat identity-based attacks. Which are becoming more common over the last few years.

Any administrator with an Azure AD tenant can protect their account with MFA. This extends to all users in Office 365 who have MFA. And it’s available at no additional cost.

How to Enable Azure MFA?

There are two main ways to enable Azure MFA. You can simply turn it on at a user level or with Conditional Access. Turning on MFA is simple. Administrators can enable it for particular users. The user will receive a prompt to register during their next sign-in. And this will protect the account.

Azure MFA user-based settings

Microsoft recommends that you enable Azure MFA using Conditional Access policies. As opposed to enabling it on individual users. The only exception is if your licenses don’t include Conditional Access. If you enable MFA on an individual user it will potentially mean they’re prompted for MFA at every sign in.

Tip: When you use Conditional Access, you can disable individual users for Azure MFA in the admin portal. This is because Conditional Access will trigger an MFA prompt when required, based on policy controls. 

Azure MFA with Conditional Access

Overall, Conditional Access is more flexible. It will allow administrators to choose when to use Azure MFA based on criteria that are dynamically evaluated. This evaluation can consider the type of device being used and its location. In addition to whether it’s compliant, or based on the sign-in risk. If there’s an indication that the owner of a user account didn’t make the sign-in.

Microsoft provides built-in baseline Conditional Access policies available to all customers, currently in preview. There are no add-ons or other special licensing required. This is to ensure that all organisations have a baseline level of security at no additional cost.

Conditional Access policies

The end user protection baseline policy is particularly interesting. It’s a risk-based policy. This means that rather than prompting for MFA all the time, it only prompts when it considers sign-ins as risky and is MFA required. For example, sign-ins from unfamiliar locations or impossible travel distances. Or where it detects that two sign-ins originating from geographically dispersed locations. These are some of the criteria that may be considered potentially risky. This policy will enforce registration for all users. As well as including administrators during a 14-day window. At which point users will be blocked from signing in until they register for MFA.

Is it worth upgrading to Azure MFA and what extra features do you get?

The paid version of Azure MFA is more versatile. While the pre-defined baseline policies are useful, you can’t customize them at all. With a baseline policy, you can only turn it on and nothing more. Microsoft did have an option to scope a baseline policy and exclude users if required, which has since been removed. 

With the full version, you can target Azure MFA for the situations when it’s needed most. And you can do this using custom Conditional Access policies. Self-service Password Reset is another feature that’s available alongside the full Azure MFA version.

On-premise support is another big benefit of the paid version. If you want to protect on-premise applications, RDS servers or a VPN, then you’ll need the paid version of Azure MFA.

We’ll deliver on-premise support using the NPS Extension for Azure MFA. And this integrates with RADIUS infrastructure. Before this, there was an MFA Server option, which has since been disapproved. And is no longer available to new customers.

Recently, we delivered an Azure MFA and Conditional Access solution to a client. This included integration with Cisco AnyConnect VPN and RDS Gateway. The combination of these proved to be particularly flexible. And much more streamlined than their previous third-party platform. 

Features available with the full version of Azure MFA include:

  • Trusted IPs and Named Locations
  • Custom Conditional Access Policies
  • MFA Requirement for specific apps
  • Require MFA for access from untrusted networks
  • Registration required from a trusted location
  • Microsoft Intune compliance integration
  • MFA support for on-premise applications
  • Fraud alert and custom voice messages
  • Self-service password reset with on-premises write-back option

How Much Does Azure MFA Cost?

You can buy the full version of Azure MFA with Azure AD Premium. It’s also included with Enterprise Mobility + Security. And with the Microsoft 365 Business or Enterprise plans. Azure Active Directory Premium P1 starts at approximately £4.50 per user, per month.

Azure Active Directory Premium gives you a lot more than just the full version of Azure MFA. Additionally, it’s a collection of advanced features all for one price. And this includes:

  • Advanced security and usage reports
  • Azure AD Join MDM auto-enrolment
  • Application Proxy
  • Conditional Access
  • Advanced Office 365 groups management including dynamic groups, naming policy, expiration, usage guidelines and more.

We recommend Azure Active Directory Premium for most of our customers. The support for Azure MFA and Conditional Access alone adds tremendous value. Additionally, it will help your business improve its security posture.

Modern Authentication and App Passwords

Microsoft uses the term Modern Authentication to describe a combination of authentication and authorisation methods. Which together offer better security. It includes:

  • MFA
  • Open Authorization (OAuth)
  • Mobile Application Management (MAM) and Azure Active Directory Conditional Access.

There’s wide support across Microsoft platforms, services and applications for Modern Authentication. This includes Windows 10, web browsers, Android, iOS and macOS.  

Microsoft applications that support Modern Authentication

Modern Authentication provides native support for MFA. Meaning when you sign in to an application or device, it provides an option to verify your credentials. And you’ll do this with additional authentication methods. Such as a Microsoft Authenticator code or notification.

Previously, when an app didn’t support Modern Authentication, it meant using an app password. App passwords provide an alternative when MFA isn’t understood by an application like Outlook 2010 or older. Hence, it gives an app permission to access your account.

Tip: Don’t use app passwords. They’re a holdover from times before when Modern Authentication was widely supported. Therefore they’re an unnecessary complication in most cases. Office 365 will enable Modern Authentication by default. In some older tenants, this may be a manual step.

Combined Security Information Registration

Microsoft has improved the end-user experience with the combined security information registration preview. Previously, users had to register for MFA, and self-service password reset separately. And this added confusion for what was a similar registration experience, that you had to do twice.

Combined security information registration preview for Azure MFA and self-service password reset

Now with the combined security information registration experience, users can register for MFA and self-service password in one modern, streamlined experience

Tip: Use the new combined security information registration. It’s easier to use, looks more professional and combines registration with self-service password reset. We used it with a client recently. And it was very well received and it improved the whole experience.

My Profile Portal

As well as the new registration experience, Microsoft has a new end-user portal to manage registration details in preview. This self-service portal allows users to change their registration details at any time.

My Profile to manage registration details

Users can go to the My Profile portal – https://myprofile.microsoft.com and click Security info to amend these details. Here you can add, remove or change the default authentication methods.

Microsoft has announced that starting later in the year, the new name for My Profile will be ‘My Account’. This will also integrate with the Office account page in addition to other improvements. All references to ‘My Profile’ will change to ‘My Account’.  From My Account there will be options to manage Office installations and subscriptions from the Overview Account page. As well as Office-related contact preferences from the Privacy page.

Azure MFA Registration Insights and Azure AD Auditing

It’s good to be able to track if and how users are registering. We found this particularly helpful when we were rolling out Azure MFA for a client. With the Usage & Insights reports, we were able to drill down into the following:

  • Percentage of both users who have registered for Azure MFA and those that haven’t.
  • Registrations by authentication methods in the last 24 hours, 7 or 30 days.
  • Filter users by registered or not registered.
  • Search users and list registered methods.
Usage and Insights reports

From Azure Active Directory admin centre, expand Azure Active Directory and then Usage & insights. This will open the Authentication methods activity and report to access this information.

As well as this, the Azure AD Audit logs are a useful source for tracing and troubleshooting registration details. These two activities are good indicators of success during Azure MFA registration:

  • User started security info registration
  • User registered all required security info

Summary – Benefits of Azure MFA

To conclude, we’ll look at the benefits of Azure MFA. And the main one is that it’s available at no additional cost and in some instances, with basic functionality. As well as this, the paid version of Azure MFA has advanced features. And registration is straightforward and now combined with a self-service password reset.

With Azure MFA, you have a range of different authentication methods. These include SMS text, app codes and notifications with Microsoft Authenticator app. And on top of this, Conditional Access extends control of Azure MFA dynamically. Based on a user device, location or compliance.

And finally, reporting and auditing are available to track and troubleshoot. And it optionally includes self-service password reset. In the full version of Azure MFA, with on-premise support.