Having some of your infrastructure in Microsoft Azure creates new security challenges for network administrators. Even in environments that use ExpressRoute or a VPN and do not allow RDP from the Internet to servers running in the Infrastructure as a Service (IaaS) cloud, an attacker who obtains the credentials of an Azure Global Admin can cause a lot of damage: the portal is reachable from anywhere, and that role controls the whole tenant.
One way to increase security on your network is by enabling multi-factor authentication (MFA). In the past, it typically required additional hardware and a lot of design and architecture time to build an MFA solution. But with Microsoft Azure, the implementation is simple and easy, and just a few clicks away.
The value of multi-factor authentication is that a stolen or guessed password is no longer enough: the attacker also needs control of the device the user registered (a phone or the mobile app). Without both, access is not granted. Of the verification methods covered here, the mobile app is the stronger choice for administrators, since phone calls and text messages can be redirected to an attacker's handset.
The MFA solution is offered in three models: Multi-Factor Authentication for Office 365, Multi-Factor Authentication for Azure administrators (included at no additional cost), and the full Azure Multi-Factor Authentication service. We will take advantage of the offer for Azure administrators and show you how to enable MFA using the Azure console.
Log on to the Microsoft Azure portal, click or search for Azure Active Directory, and then click Overview. A summary of all users and some basic management options will be displayed. MFA is configured in the Classic Portal, so click Classic Portal to open it.
In the Classic Portal, click on the Active Directory item located on the left side, click on Multi-Factor Auth Providers, and then click on Create a new multi-factor authentication provider.
The MFA provider is created in one of two usage models: per enabled user or per authentication. The usage model cannot be changed after the provider is created, so pick the one that matches how you plan to bill it. We can associate the MFA provider with a specific directory. For this article, we will name it AZNA-MFAprovider and associate it with one of the existing directories.
Configuring MFA for users
The next step is to configure MFA for selected users. An easy way to do that is to open the desired directory, and on the Users tab, a new button, Manage Multi-Factor Auth, will be displayed. Click on it.
On the new page, the administrator can search for specific users and select more than one user. After selecting the desired user or users, an Enable option will be displayed. Click it, and a confirmation pop-up appears. Click Enable multi-factor auth, and a second pop-up confirms that the settings were updated successfully.
Note: After enabling MFA for an end user, the administrator can enforce it. Enabled means the user is asked to register a verification method at the next sign-in; Enforced means MFA is required on every sign-in, and legacy clients that cannot prompt for a second factor must use an app password. To enforce, select an existing enabled user, click Enforce, and confirm the selection on the two pop-ups that follow.
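The same per-user states the Classic Portal writes (Enabled, Enforced, or cleared) can be set and audited from PowerShell with the MSOnline module, which is the module of the same era as the Classic Portal. The script below is an added example, not code from the original article; it assumes you are signed in as a Global Admin and that the contoso.onmicrosoft.com user name is a placeholder. The last function performs the check the opening paragraph calls for: it lists every Global Admin whose MFA state is not Enforced.

```powershell
# Added example (not from the original article). Requires: Install-Module MSOnline
# Assumption: the signed-in account is a Global Admin; UPNs below are placeholders.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in; use an MFA-protected admin account

# Write the same StrongAuthenticationRequirement the portal sets for Enable/Enforce.
# RelyingParty '*' applies the requirement to all applications.
function Set-UserMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State
    )
    if ($State -eq 'Disabled') {
        # An empty array clears the requirement, the same as Disable in the portal.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Read back the effective state; a user with no requirement reports as Disabled.
function Get-UserMfaState {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $user  = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $state = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
    if ($state) { $state } else { 'Disabled' }
}

# Same two-step rollout as the article: Enable first so the user registers at
# the next sign-in, then Enforce once registration is complete.
$testUser = 'testuser@contoso.onmicrosoft.com'   # placeholder account
Set-UserMfaState -UserPrincipalName $testUser -State Enabled
Get-UserMfaState -UserPrincipalName $testUser
Set-UserMfaState -UserPrincipalName $testUser -State Enforced

# Audit: list every Global Admin (MSOnline calls the role "Company Administrator")
# whose MFA state is anything other than Enforced.
function Get-GlobalAdminsWithoutMfa {
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object {
            $admin = Get-MsolUser -ObjectId $_.ObjectId
            $state = ($admin.StrongAuthenticationRequirements | Select-Object -First 1).State
            if (-not $state) { $state = 'Disabled' }
            if ($state -ne 'Enforced') {
                [pscustomobject]@{
                    UserPrincipalName = $admin.UserPrincipalName
                    MfaState          = $state
                }
            }
        }
}

Get-GlobalAdminsWithoutMfa | Format-Table -AutoSize
```

Run the audit before and after the rollout; an empty result means every Global Admin is enforced. Treat Enabled admins as unfinished work, because until the user registers a method the account still signs in with a password alone. The MSOnline module has since been retired in favor of the Microsoft Graph PowerShell SDK, but the state model it exposes is the one the Classic Portal uses.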
Managing the MFA service
After enabling users and enforcing MFA for them, the administrator should take a look at the MFA service itself. The configuration is simple. Click the Active Directory entry in the Classic Portal (the same place we were in the previous step), click Configure, and then click Manage service settings in the multi-factor authentication section.
Here you will see a single page that lets the administrator define the key components of the service: app passwords, trusted IPs, and, most important, the verification options (call, text, and mobile app). You can also set the number of days a trusted device may skip the second factor. Be careful with trusted IPs, since sign-ins from those addresses bypass MFA entirely; restrict the list to your own egress addresses. Make the changes and click Save.
After configuring the basics for the service to work properly, the administrator has a portal to manage more settings from the service, specifically managing users and reporting capabilities. To get to that portal, just click on Go to the portal on the previous page.
In the portal, there are several areas where the administrator can define various settings:
- User Administration: The administrator can block and unblock users and configure a one-time bypass
- View a Report: Utilization, server status, and blocked and bypassed users are listed here. The administrator can request reports and check whether they are ready in the queue area.
- Configure: More extensive control of the service, such as the timeout for one-time bypasses and the fraud alert settings. The administrator can also customize the various notifications
- Downloads: The administrator can download the SDK and MFA Server to be used for on-premises solutions, such as VPN and IIS.
After configuring the MFA service and enabling the users, the next step is to log off from any existing session and log back on with the test account. Once the username and password are validated, a new page asks the user to set up the additional verification. To continue, click Set it up now.
In the next screen, the user is able to configure phone verification. The user can decide to be contacted by a text message or a phone call. In this example, we decided to use a phone call.
The telephone number you specified in the previous screen will ring. To continue the authentication, answer the call and press the “#” key on your phone.
After these simple steps, which take only a few minutes, multi-factor authentication is in place for the enabled users. You can continue to roll out MFA to more users at any time. In a future article, we will look at the different options for configuring the client and give you some tips on additional server-side settings.
Photo credit: Pixabay, Anderson Patricio