Microsoft Ignites a new Focus on Security (Part 8)

If you would like to read the other parts in this article series please go to:

Introduction

In Part 1 of this article series, I discussed the announcement at Ignite 2015 regarding more flexible patching cycles and the introduction of Windows 10 Device Guard. In Part 2, we started to look at more of the new security features, products and services, beginning with Microsoft Advanced Threat Analytics. In Part 3, we looked more closely at the Ignite presentations regarding what Microsoft is doing about security in the cloud and specifically in Office 365. In Part 4, we began talking about identity management in the cloud and particularly how identity management works in Office 365. In Part 5, we showed you how to implement each of the identity models and provided some tips for best practices with whichever identity model you ultimately choose. In Part 6, we talked about general concepts regarding multi-factor authentication (MFA) across the industry and in Microsoft’s cloud services and in Part 7, we got into the nitty gritty of enabling and configuring Microsoft’s MFA options.

Azure Active Directory and Azure Active Directory Premium

As you probably know, Azure Active Directory is Microsoft’s solution for managing identity and access in the cloud. It has some similarities to the Windows Server Active Directory Domain Services with which most IT professionals are familiar but it also has many differences (for example, there is no Group Policy, which is an important part of WS AD DS).

Azure AD performs the same function as AD DS – authentication of users and computers/devices and authorization to applications, management of users and groups, directory queries – but it uses different sets of protocols, such as SAML and OAuth instead of Kerberos and LDAP. Azure AD is a very capable service that can provide single sign-on for SaaS applications using federation, forms-based authentication and password vaulting.

Azure Active Directory is available in three different editions, from which you choose when you subscribe to Azure cloud services. The free edition comes with your Azure subscription and doesn’t cost extra. You get the standard identity and access management functionalities such as user account management, single sign-on for Azure, Office 365 and a myriad of other supported SaaS applications, and synchronization with your on-premises Active Directory.

The Basic edition is a paid service that includes the features of the free Azure AD service that we described above and adds to that group-based access management and self-service password reset so that users can more easily reset passwords for their cloud applications. You also are able to publish on-premises web apps with Azure AD via the Azure AD application proxy, and perhaps most important, you get the assurance of a Service Level Agreeement (SLA) that promises 99.9 percent uptime (three nines).

Azure AD Premium edition is, of course, the most costly but it’s a full-featured enterprise service that includes all of the features in the free and basic editions and adds self-service group management, advanced security reports and alerts, password reset with write-back to on-premises directories, Azure AD Connect health monitoring, Microsoft Identity Manager (MIM) rights, and most relevant to this discussion, Multi-factor Authentication (MFA).

Now we will delve a little more deeply into this feature, and how to enable MFA for users both with and without the Premium edition of Azure AD.

Enabling MFA in Azure AD Premium by assigning licenses to users

In Azure AD Premium, you can enable MFA for users by assigning user licenses to each of them. You don’t have to create a multi-factor auth provider (as we’ll describe later in this article) if you have Azure AD Premium, or if you have the Enterprise Mobility Suite (EMS).

If you want to sync your on-premises Active Directory with the Azure AD directory, then you can do that with Azure Active Directory Connect, which combines the functionality of AAD Sync and DirSync. If you don’t want to sync with on-premises AD, you don’t need to worry about Azure AD Connect.

Note:
Azure Active Directory Sync (AAD Sync) was designed to be a replacement for DirSync, which was the tool originally released for keeping on-premises Active Directory continuously synchronized with the Azure Active Directory. AAD Sync was introduced in 2014. Then in 2015, Microsoft replaced both of these with Azure AD Connect and recommends it as the “one stop shop” for Active Directory integration. For more information, see this link.

Because Azure MFA is already built into Azure AD Premium and EMS, the process is simple: you assign licenses, turn on MFA for your users and then notify them about what they need to do in order to use it.

Assigning the licenses to users is a pretty straight forward process. Just follow these steps after signing into the Azure portal with admin credentials:

  1. In the left pane, select Active Directory.
  2. Select the directory where the user is for whom you want to enable multi-factor authentication.
  3. At the top of the page, select Licenses.
  4. Select Active Directory Premium or Enterprise Mobility Suite, depending on which you have.
  5. Select Assign.
  6. Select those users to whom you want to assign licenses.
  7. Click the check mark to save changes.

Creating a multi-factor auth provider

If you don’t have Azure AD Premium or EMS as described above, you will need to create a multi-factor auth provider in order to enable MFA for all users. As we noted in the previous article, using MFA for global admins in Azure is easy because it is already available by default. However, the admins don’t have access to some of the more advanced features such as custom greetings and the management portal unless you configure a multi-factor auth provider. As an admin, you can set this up through the Azure portal as part of the Active Directory configuration.

Let’s quickly walk through the steps for creating your MFA provider:

  1. After logging into the Azure portal with an admin account, select Active Directory in the left pane.
  2. At the top of page, select Multi-factor Authentication Providers.
  3. At the bottom, click the New link.
  4. Now you’ll see the App Services choices; select Active Auth Providers.
  5. Click Quick Create.
  6. Type in the name of the Active Auth Provider in the Name field.
  7. Select the usage model: either per authorization or per enabled user in the Usage Model section.
  8. Enter the Azure Active Directory tenant with which the MFA Provider is associated in the Tenant field.
  9. Click Create.
  10. When you see the message that notifies you that you have successfully created the MFA provider, click OK.

There are a few things that you need to be aware of when completing the steps above. First of all, you can leave the Tenant field empty but you must associate the MFA provider with an Azure AD if you want all of your users to be able to use MFA. The same applies if you want global admins to be able to use the advanced features that we talked about earlier. The scenario in which you would leave the field blank and not associate an Azure AD tenant would be if you’re only going to use the SDK or Azure MFA server.

Important:
You cannot change the usage model (per authorization or per enabled user) after you select it so be careful to select the right one for your situation.

Enabling Azure AD MFA for users

Remember that one of the big differences between MFA in the basic edition of Azure AD and in the premium edition is that with the latter, you can enable MFA for all of your users, not just the global admins. In fact, that alone is reason for many organizations to consider upgrading to the premium edition of Azure AD. In order to enable your users to benefit from the enhanced security of Azure AD MFA, they will need to be enrolled in multi-factor authentication.

If MFA is disabled for a user, that user has not been enrolled in MFA and can’t use it. If the MFA status for a user shows to be enabled, that means the user has been enrolled; however, the user still needs to go through the process of registering before he/she can use MFA. The user will be prompted to do this at the next sign-in. A user for whom MFA is “enforced” is enrolled and will have completed the registration but must create app passwords. Then the user will be using MFA to sign in.

Turning MFA on for your users is done by an admin, using the Azure management portal and following these steps:

  1. After you’ve logged in with admin credentials, click Active Directory in the left pane as you did when you created your Multi-factor Auth provider in the section above.
  2. In the Directory section, select the directory where the user account is that you want to enable for MFA.
  3. At the top of the page, select Users.
  4. At the bottom of the page, select Manage Multi-factor Auth.
  5. Go through the list of users and find the user whose account you want to enable for MFA (status should be showing as “disabled” at this point), then check the box next to the user’s name.
  6. In the options list that is displayed, select Enable.
  7. In the pop-up list that is displayed next, select Enable multi-factor auth.

Microsoft recommends sending users email to advise them of how to use non-browser apps and that they will need to complete the enrollment steps to create app passwords so they can use Office 365 applications, mobile mail client apps and so forth, and then sign in with the app password.

Once you have MFA configured and set up, you can then set up and configure fraud alerts, one-time bypass, custom greetings and messages, and authentication caching. These topics are covered in the article titled Configuring Azure Multi-Factor Authentication on the Microsoft Azure web site.

Summary

In this, Part 8, we touched on the differences between the Azure AD editions and took a look at security enhancements to Azure Active Directory and how to implement and use the more fully featured version of MFA that comes with Azure AD Premium. In Part 9, we will finish up our discussion of Azure AD Premium MFA with some information on how to configure its features, manage user settings, and use the reports that are accessed through the MFA management portal. We’ll also address some troubleshooting issues.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top