I have been working on several articles on Active Directory security here at TechGenix. My last two articles in this area were about security delegation and how to control the local administrator. In this article, we are going to go one step further and increase the authentication method to access Microsoft Azure by using multi-factor authentication (MFA), which basically increases the security of the environment by adding an extra layer of security during the authentication process, meaning that just a username and password will not be enough to access your applications and systems.
The Azure MFA takes advantage of the Azure Cloud and makes it easier and scalable to implement, and provides 99.99 percent reliability to the service. There are three types of MFA nowadays: MFA for Office 365, MFA for Azure administrators, and Azure MFA.
In this article, we are going to use the MFA for Azure administrators, which is a free service for all global administrators using the Azure portal.
How important is MFA in today’s security landscape? Let’s assume that an attacker is able to find out the username and password of a network administrator. In theory, this attacker would be able to log on to Microsoft Azure and make a lot of changes and do a lot of damage to all servers and services hosted there. When using MFA, the attacker wouldn’t be able to log in using just the username and password. A second form of authentication would be required, thus increasing the security.
Managing multi-factor authentication using Azure portal
If you want to check the directory role assigned to any given user, follow these steps: after logging on to the Azure portal, click Azure Active Directory, click Users and Groups, and on the new blade click All Users. Search for or select the user in the list. In the blade for that specific user, click Directory role; for a global administrator, Global administrator will be selected.
A simple way to list all global administrators and enable them to use MFA is using the Multi-Factor Authentication website. To get there, we can use the Azure Active Directory item on the Azure portal, click on Users and Groups on the initial blade, and then click on All Users located on the left side. In the upper bar before the listing of the usernames, click on Multi-Factor Authentication. This is the place to manage MFA from the Azure portal.
To see a list of all global administrators, select Global Administrators in the View drop-down, and all accounts holding that role will be displayed.
Now that we identified the global administrators, click on the desired user (or you can select more than one) and click on the Enable link on the right side under quick steps. In the new About enabling multi-factor auth dialog box, click on Enable multi-factor auth. If the update was successful, a dialog box informing you will be displayed. Just click on Close when this message is displayed. MFA has now been enabled on the selected accounts.
Back on the main page, a list of all users is displayed. The third column shows the administrator which accounts have MFA enabled. For accounts that already have MFA enabled, we can enforce MFA use, and that is highly recommended for all global administrator accounts. We can also manage user-specific settings, such as forcing the end user to provide contact methods again, deleting all existing app passwords generated by the user, and restoring MFA on all remembered devices of that end user.
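The same procedure (list the global administrators, check which of them already have MFA, and enable it where missing) can be scripted. The block below is an added example written for this article, not code from the original post or from Microsoft; it assumes the MSOnline PowerShell module is installed and that Connect-MsolService is run as a global administrator. Note that MSOnline names the Global administrator directory role "Company Administrator".

```powershell
# Added example (not part of the original article): list global administrators
# and enable per-user MFA for those that do not have it, using the MSOnline module.
# Assumption: the MSOnline module is installed (Install-Module MSOnline) and
# the session is authenticated as a global administrator.
Connect-MsolService

# In MSOnline the Global administrator directory role is called "Company Administrator".
$role = Get-MsolRole -RoleName "Company Administrator"
$globalAdmins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" }

# Per-user MFA is described by StrongAuthenticationRequirements; the collection
# is empty when MFA is disabled for the account, otherwise State is "Enabled"
# (user must register on next sign-in) or "Enforced" (the stricter, recommended state).
function Get-MfaState {
    param([Parameter(Mandatory)] $User)
    if ($User.StrongAuthenticationRequirements) {
        return $User.StrongAuthenticationRequirements[0].State
    }
    return "Disabled"
}

# Report the current state of every global administrator account.
foreach ($member in $globalAdmins) {
    $user = Get-MsolUser -ObjectId $member.ObjectId
    "{0,-45} MFA: {1}" -f $user.UserPrincipalName, (Get-MfaState -User $user)
}

# Enable MFA on every global administrator that does not have it yet.
# RelyingParty "*" applies the requirement to all applications.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = "*"
$requirement.State = "Enabled"

foreach ($member in $globalAdmins) {
    $user = Get-MsolUser -ObjectId $member.ObjectId
    if ((Get-MfaState -User $user) -eq "Disabled") {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName `
                     -StrongAuthenticationRequirements @($requirement)
        "Enabled MFA for {0}" -f $user.UserPrincipalName
    }
}
```

To move an account from Enabled to Enforced once the user has registered, set `$requirement.State = "Enforced"` and call Set-MsolUser again; passing an empty array (`@()`) to -StrongAuthenticationRequirements disables per-user MFA, so treat that parameter with care in scripts.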
Managing MFA service settings
The administrator can control which verification methods users are allowed to authenticate with: phone call, text message, notification through the mobile app, or verification code from the mobile app. Click Save and those settings are applied globally to all users.
MFA user experience
After MFA is enabled on his or her account, the next time the user tries to log on, a "Set it up now" message will pop up. A wizard then helps the user configure MFA, offering mobile app and phone options.
For the purposes of this article, we will use the mobile app. On the first page select Receive notification and click set up. A new page will be displayed as depicted in the image below.
On the phone side, make sure that Microsoft Authenticator is installed from the App Store (Android and Windows phones are supported as well). After opening the app, create a new account; the app will need to scan the QR code displayed on your computer screen. Once done, a new account is added to Microsoft Authenticator, and from that point on it can be used as the second authentication factor.
After the initial setup, users can always return to the MFA setup page to authenticate and change their MFA preferences.