Part 35 – Enable Conditional Access MFA on Azure Active Directory

Loading

This blog covers the overview of Multi-Factor Authentication, Azure AD MFA setup that acts as an additional authentication method for successful authentication of your Azure Account.

Azure AD MFA is a cloud-based identity and access management (IAM) and part of the Azure AD premium offering that provides capabilities such as conditional access policies and integration with third-party authentication providers.

Before we start, check that you have Azure AD Premium plan 1 or 2. AD Premium is needed for conditional access but for per-user MFA the free AD version will work just fine.

Enable MFA for Admins Per User level

AD Premium is not needed needed for per-user MFA, the free AD version will work just fine. Under Azure Portal go to Active Directory > Users > Click on Per-user Multi-Factor Authentication 

When you click on MFA, it will show you the option to select the user and Enable MFA.

Click on Enable Multifactor Authentication.

Multi-Factor Auth has been successfully enabled.

There are multiple ways Azure MFA can verify a user’s identity which is set under Service Settings

  • Phone call
  • Text Message
  • Microsoft Azure Authenticator App

Log in to your Azure Account and click on next to Sign in.

Click on next to continue and a QR code will appear on the Microsoft Authenticator app

 Scan the QR shown via your phone

Approve the Sign in on your phone

Enter the MFA pin

Click on Next

You can log in to your account.

Login to your account.

A notification will be sent to the Authenticator App and you will be able to log in using Azure Multi-Factor Authentication.

Reset a Forgotten Password

Once MFA is enabled, to reset a forgotten password, click on the login screen click on Forgot password

Enter the code you got on the phone

Give a password

Our password has been reset

Test if we are able to login

Enable MFA for Admins using Azure AD Conditional Access

Enabling MFA Azure AD Conditional Access will need Azure AD Premium plan 1 or 2 licenses. When you have a lot of users in an organization enabling MFA at a user level is not practical so conditional access is set based on some conditions. Security defaults must be disabled to enable the Conditional Access policy.

I’ve created an AD Group and added a few users.

Browse to Active Directory > Security

Browse Conditional Access > Policies.

Click on New policy

Provide the following info

  • Name of the policy
  • Click Users and Groups> Include > Select Group we created

Click Conditions > Locations. Click on Yes and click Include and select Any location.

Under Cloud Apps, we will select Microsoft Azure Management

Under Access Control, we will choose to Grant Access and enable MFA and check the checkbox require multi-factor authentication

Click the On switch to enable the policy and click Create.

Our conditional access policy is thus created

Authenticate via the testuser01 and see if we are getting the MFA request.

That’s it to configure Conditional Azure AD Multi-Factor Authentication.

(Visited 32 times, 1 visits today)

By Ash Thomas

Ash Thomas is a seasoned IT professional with extensive experience as a technical expert, complemented by a keen interest in blockchain technology.