Microsoft Ignites a new Focus on Security (Part 9)

If you would like to read the other parts in this article series please go to:

Introduction

In Part 1 of this article series, I discussed the announcement at Ignite 2015 regarding more flexible patching cycles and the introduction of Windows 10 Device Guard. In Part 2, we started to look at more of the new security features, products and services, beginning with Microsoft Advanced Threat Analytics. In Part 3, we looked more closely at the Ignite presentations regarding what Microsoft is doing about security in the cloud and specifically in Office 365. In Part 4, we began talking about identity management in the cloud and particularly how identity management works in Office 365.

In Part 5, we showed you how to implement each of the identity models and provided some tips for best practices with whichever identity model you ultimately choose. In Part 6, we talked about general concepts regarding multi-factor authentication (MFA) across the industry and in Microsoft’s cloud services and in Part 7, we got into the nitty gritty of enabling and configuring Microsoft’s MFA options. Last time, in Part 8, we looked at security enhancements to Azure Active Directory and more specifically, how to implement and use the more fully featured version of MFA that comes with Azure AD Premium or can be purchased as a standalone service.

Configuring Azure MFA features

Fraudulent access is a big problem these days, and more and more cloud services are implementing ways to detect, report and prevent attempts by unauthorized users to access their resources. You probably run across a variety of these mechanisms on a regular basis. For example, you can set up many web services so that if you (or someone else) logs in from an unrecognized device, you’ll get an email notification. If it was you, you can ignore it (or add the device to your list of authorized devices). If not, you know that someone else is accessing your account and can investigate.

Multi-factor authentication greatly reduces the ability of unauthorized persons to log onto an account, but attempts will still happen. With MFA, after you sign in with your user name and password, a verification request goes to your phone before the sign-in completes. If someone has obtained your password and enters it, that request still goes to your phone, not theirs: you receive a verification call or app prompt that you did not initiate. That unexpected prompt is evidence that your password is compromised, and fraud alerting gives you a way to report it on the spot instead of simply ignoring it (which would leave the compromised password in play). That's where fraud alerting comes in.

Azure MFA supports fraud alerting so that users can report any unauthorized attempts to get to their cloud resources. There are a couple of different methods by which the users can do so. They can use the mobile app, or they can respond to a verification call on their phones.

Before users can report fraudulent activities, though, you have to set up and configure the fraud alert feature. You do this (as with other MFA configuration tasks) through the Azure portal. After logging in with an admin account, perform the following steps:

  1. Select Active Directory in the left pane.
  2. Select Multi-Factor Auth Providers at the top of the page.
  3. From the list of your MFA providers, select the one on which you want to enable the fraud alerting feature.
  4. At the bottom of the page, select Manage.
  5. In the Azure MFA Management portal, select Settings in the left section.
  6. In the Fraud Alert section, check the box for Allow users to submit Fraud Alerts.
  7. Optionally, check the box to block the user account when a fraud alert is reported. Be aware that a blocked user fails every MFA verification until an administrator unblocks the account, so pair this option with a help desk process for unblocking the legitimate user.
  8. In the field labeled Code to Report Fraud During Initial Greeting, enter the numerical code that users will enter instead of the # sign in response to a verification call when they want to report a fraudulent access attempt.
  9. Click the Save button at the bottom of the page.

Tips:
Ensure that the numerical code is something that users can easily remember, and tell users what it is (and what an unexpected verification call means) before you enable the feature; a user who has never heard of the code will just hang up.

Note that on this same page, you can also set up account lockout so that the user account is locked automatically after a specified number of consecutive denied verification attempts.

Once fraud reporting is set up, it's easy for users to send those reports. If they have the MFA mobile app installed on their phones, the app opens automatically when the user taps the verification request sent to the phone; tapping Cancel and Report Fraud submits the report. It's that easy. Without the mobile app, the user answers the verification call, enters the code specified in step 8 above in place of the # sign, and then presses #. In both cases, the user gets a notification that a fraud alert was submitted.

Viewing the reports

If you want to see the fraud reports that have been submitted, follow steps 1 through 4 above in the section on how to set up fraud alerting, then in the MFA Management portal select View a Report on the left and select Fraud Alert. You can set a date range, or filter the reports returned by user name, phone number or user status. Review this report regularly: every entry is a user telling you that someone else presented their password.

Setting up your own custom greetings

If you would like to record a custom greeting to be used with MFA instead of (or in addition to) the Microsoft defaults, you can do this with .wav or .mp3 files of your choosing as long as they are 5MB or smaller. Also watch the duration of the message: if it runs longer than 20 seconds, the verification may time out and fail, so keep it short and simple.

Setting up custom greetings is done through the MFA Management portal, which you can get to as described in steps 1-4 in the section on how to set up fraud alerting above. Once you're there:

  1. Select Voice Messages in the left pane.
  2. In the main pane underneath the navigation bar, select the New Voice Message link.
  3. Select Manage Sound Files at the bottom to open a dialog box, and select Upload Sound File.
  4. Browse for or type in the path to the sound file that you want to use, optionally add a description, and click the Upload button.
  5. Go back to the Voice Messages section and select the language and message type from the drop-down boxes.
  6. If you want to use the new voice message with a specific application only, enter it in the Application field.
  7. In the Sound File drop-down box, select the file that you just uploaded.
  8. Click the Create button.

You now have your new custom message for MFA verifications.

Common MFA troubleshooting scenarios

Some common problems that arise when using Azure MFA include the following:

  • User account is locked out. To reset a user's account, you (the admin) can force the user to go through the registration process again. You do this through the management portal as described on this web site.
  • User's device is lost or stolen. If the user was using app passwords with that device, delete all of the user's app passwords as described in the link above; app passwords bypass the second factor for legacy clients, so any that are cached on the device remain usable until they are deleted. Also force the user to re-register (as in the previous item) so that the app and phone number on the lost device are no longer accepted as a factor.
  • User can't sign in with non-browser apps. Applications that cannot display the MFA prompt need an app password instead. The user must delete the saved sign-in information in the application and sign in again with the app password that was created for MFA.
  • User forgets his/her phone. It's recommended that users configure a backup phone, such as a home or office phone; the user can then go back to the sign-in screen and select the alternate phone. If no backup phone is configured, the user must contact the admin, who can change the phone number assigned to the user.
  • For other problems, you can get community help from the Microsoft Azure Active Directory Forums or search the Knowledge Base, or contact Azure technical and billing support if you've purchased a support plan:
    https://azure.microsoft.com/en-us/support/plans/
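The admin-side steps in the list above (checking what a user has registered, confirming that a backup phone exists before it is needed, and forcing re-registration after a lost or stolen device) can also be scripted. The following is an added example written for this article, not code from Microsoft or from the original page. It assumes the MSOnline PowerShell module (the one contemporary with this article; Microsoft has since deprecated it in favour of Microsoft Graph PowerShell) is installed and that you have already run Connect-MsolService with an administrator account. The function names are my own; the cmdlets and property names are MSOnline's. The user name alice@contoso.com in the usage lines is a placeholder.

```powershell
# Added example: MSOnline equivalents of the admin troubleshooting steps.
# Assumes Connect-MsolService has already been run as an administrator.

function Get-MfaRegistrationSummary {
    # Summarize what one user has registered for MFA, including whether a
    # backup (alternate) phone exists, so the "user forgot the phone" case
    # can be handled without an admin changing the number.
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user    = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $details = $user.StrongAuthenticationUserDetails
    $methods = $user.StrongAuthenticationMethods

    [pscustomobject]@{
        User           = $user.UserPrincipalName
        # Per-user MFA state (Enabled / Enforced); empty if MFA is not set per user.
        MfaState       = ($user.StrongAuthenticationRequirements | Select-Object -ExpandProperty State)
        DefaultMethod  = ($methods | Where-Object IsDefault | Select-Object -ExpandProperty MethodType)
        AllMethods     = (($methods | Select-Object -ExpandProperty MethodType) -join ', ')
        PrimaryPhone   = $details.PhoneNumber
        BackupPhone    = $details.AlternativePhoneNumber
        HasBackupPhone = -not [string]::IsNullOrEmpty($details.AlternativePhoneNumber)
    }
}

function Find-UsersWithoutBackupPhone {
    # Tenant-wide check: users with per-user MFA enabled or enforced who have
    # no alternate phone registered. These are the users who will end up
    # calling the help desk the day they leave their phone at home.
    Get-MsolUser -All |
        Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
        ForEach-Object { Get-MfaRegistrationSummary -UserPrincipalName $_.UserPrincipalName } |
        Where-Object { -not $_.HasBackupPhone }
}

function Reset-MfaRegistration {
    # Clear every registered MFA method so the user must register again at the
    # next sign-in. Use this for a lost or stolen device: the app and number on
    # the old phone stop being accepted as a factor. App passwords are handled
    # separately in the portal, as the article describes (assumption: this
    # cmdlet does not remove them). Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear MFA registration')) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @()
    }
}

# Usage (alice@contoso.com is a placeholder):
# Get-MfaRegistrationSummary -UserPrincipalName alice@contoso.com
# Find-UsersWithoutBackupPhone | Format-Table User, MfaState, DefaultMethod, PrimaryPhone
# Reset-MfaRegistration -UserPrincipalName alice@contoso.com -WhatIf
```

Run Find-UsersWithoutBackupPhone periodically and chase the results before they become support tickets. Reset-MfaRegistration is deliberately destructive, which is why it honours -WhatIf: confirm the user's identity through a channel other than the lost device before you run it for real, or you have just helped the thief re-register.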

Summary

This concludes our discussion of Microsoft Azure multi-factor authentication and our broader topic of new security features in Microsoft products, a subject that was “ignited” at Microsoft’s Ignite 2015 conference in Chicago. If you want to keep up with the latest in Microsoft products, services and security, make plans now to attend Ignite 2016 next September in Atlanta, GA, and/or watch the on-demand presentations that will be published on the web. Hope to see you there.
