Azure AD Multi-Factor Authentication (MFA)
Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA) is a service that requires users to perform multiple verification steps to access applications or services. It adds a crucial layer of security to your user sign-ins, protecting your data and applications from unauthorized access.
How it Works
When a user attempts to sign in, Azure AD evaluates the request against the configured policies. If MFA is required for that user and scenario, the user must complete an additional verification step after entering their password. Common verification methods include:
- Microsoft Authenticator app: approve a push notification (with number matching the app shows a number the user must type, so an unsolicited prompt cannot be approved blindly) or enter a time-based one-time code.
- Phone call: answer an automated call to a registered number and press the pound key to approve.
- SMS: enter a one-time code received by text message.
- Hardware token: a FIDO2 security key or an OATH time-based hardware token.
These methods are not equally strong. Voice and SMS depend on the telephone network and are exposed to SIM swapping and interception, and every method above except FIDO2 security keys can be relayed by a real-time phishing proxy that forwards the one-time code or push approval to the legitimate sign-in. Prefer the Authenticator app with number matching for most users and FIDO2 keys for administrators.
Enabling MFA
Azure AD offers flexible ways to enable MFA for your organization:
Conditional Access Policies (Recommended)
Conditional Access is the most robust and flexible method. It lets you define granular policies based on user or group, location, device state, application, and sign-in or user risk, so MFA is enforced where it matters without prompting on every sign-in. Conditional Access requires an Azure AD Premium P1 licence; the risk-based conditions additionally require Premium P2 (Identity Protection).
To configure a Conditional Access policy that requires MFA:
- Navigate to the Azure portal.
- Go to Azure Active Directory > Security > Conditional Access.
- Create a new policy: assign the users or groups (exclude at least one emergency-access account so a faulty policy cannot lock out every administrator), select the cloud apps and any conditions, then under Grant choose Grant access with Require multi-factor authentication.
- Enable the policy in Report-only mode first and review the sign-in logs to see which sign-ins it would have interrupted, then switch it to On.
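The portal wizard above produces a Microsoft Graph `conditionalAccessPolicy` object behind the scenes (the same object can be created with `POST /v1.0/identity/conditionalAccess/policies`). As an added example, not from the original page, the following Python builds that payload for a tenant-wide Require MFA policy and runs the review checks a practitioner applies before enabling it: MFA actually required, an emergency-access exclusion present, legacy clients in scope, and a valid state. The break-glass group ID is a placeholder assumption.

```python
"""Build and review a Conditional Access policy that requires MFA.

Added example, not from the original page. The dictionary mirrors the
Microsoft Graph `conditionalAccessPolicy` resource that the portal creates
(POST /v1.0/identity/conditionalAccess/policies). The break-glass group ID
below is a placeholder, not a real object ID.
"""
import json

# Assumed object ID of the emergency-access ("break-glass") group. It is excluded
# so that a broken policy or an MFA service outage cannot lock out every admin.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000001"

VALID_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}


def build_require_mfa_policy(name, break_glass_group_id, report_only=True):
    """Require MFA for every user, on every cloud app, for all client types."""
    return {
        "displayName": name,
        # Report-only evaluates the policy and records the outcome in the
        # sign-in logs without enforcing it; flip to "enabled" after review.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [break_glass_group_id],
            },
            "applications": {"includeApplications": ["All"]},
            # "all" covers browser, modern clients, ActiveSync and legacy
            # "other" clients. Legacy clients cannot satisfy MFA, so a
            # Require MFA grant effectively blocks them.
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy):
    """Return reviewer findings for common Require MFA policy mistakes."""
    findings = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    grant = policy.get("grantControls") or {}

    # Either the classic "mfa" built-in control or an authentication strength
    # (phishing-resistant MFA) must be present, otherwise nothing is enforced.
    if "mfa" not in grant.get("builtInControls", []) and not grant.get("authenticationStrength"):
        findings.append("grant controls do not require MFA")

    if users.get("includeUsers") == ["All"] and not (
        users.get("excludeGroups") or users.get("excludeUsers")
    ):
        findings.append("applies to all users with no emergency-access exclusion")

    client_types = set(conditions.get("clientAppTypes", []))
    if "all" not in client_types and "other" not in client_types:
        findings.append("legacy ('other') clients out of scope: MFA bypassable via basic auth")

    if policy.get("state") not in VALID_STATES:
        findings.append("unknown state value")
    return findings


def to_request_body(policy):
    """Serialize the policy exactly as it would be sent to Graph."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_require_mfa_policy("Require MFA - all users", BREAK_GLASS_GROUP_ID)
    print(to_request_body(policy))
    print("findings:", lint_policy(policy) or "none")
```

Run `lint_policy` over policies exported from an existing tenant as well: a policy that scopes only `browser` and `mobileAppsAndDesktopClients` leaves basic-authentication clients untouched, which is the single most common way MFA is bypassed in practice.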
Security Defaults
For organizations without Azure AD Premium licences, or that don't need granular control, Security Defaults provide a free baseline. When enabled, they require every user to register for MFA within 14 days, require administrators to complete MFA on every sign-in, prompt other users for MFA when the sign-in warrants it (for example from a new device or location), block legacy authentication protocols that cannot perform MFA, and require MFA for privileged actions such as access to the Azure portal and Azure management APIs. There is no per-user, per-app or per-location tuning.
To enable Security Defaults:
- In the Azure portal, go to Azure Active Directory > Properties.
- Under Manage security defaults, set Security defaults to Enabled (shown as Yes in older versions of the portal).
- Click Save.
Note: Security Defaults and Conditional Access are mutually exclusive. You cannot enable Security Defaults while any Conditional Access policy exists, and you must turn Security Defaults off before you can create Conditional Access policies; they are not switched off for you. When moving to Conditional Access, recreate the same baseline as policies (MFA for all users, MFA for administrators on every sign-in, a block on legacy authentication) and enable them promptly so the tenant is not left without MFA in between.
User Experience
The first time a user is prompted for MFA, they will be guided through a registration process. They will choose their preferred verification methods and set them up.
Subsequent sign-ins may require MFA based on the configured policies. For example, if a policy requires MFA for all cloud app access, the user will be prompted after entering their password. If the policy is based on risk or location, MFA might only be requested under specific circumstances.
Management and Monitoring
Azure AD provides tools to manage and monitor MFA usage:
- User management: revoke a user's MFA sessions, require re-registration of their methods after a suspected compromise, or set legacy per-user MFA to Enforced. Prefer Conditional Access over per-user MFA, which cannot be scoped by app, location or risk.
- Sign-in logs: each record shows whether single- or multi-factor authentication was required, which Conditional Access policies applied, the MFA method used and any failure reason. Use them to find sign-ins that no MFA policy covered, successful legacy-protocol sign-ins, and bursts of declined or timed-out prompts that suggest push bombing.
- Reporting: the authentication methods reports show who has registered, which methods they registered and which methods are actually used.
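The sign-in log checks described above, as an added example that is not part of the original page: the Python below runs three detections over records shaped like the Microsoft Graph `signIn` resource (`GET /v1.0/auditLogs/signIns`), namely successful single-factor sign-ins with no policy applied, successful legacy-protocol sign-ins, and bursts of failed MFA challenges (error 500121) followed by an approval. The records are constructed, not real tenant data, and the burst threshold of three failures in ten minutes is a starting-point assumption to tune per tenant.

```python
"""Triage Azure AD sign-in log records for MFA weaknesses.

Added example, not from the original page. Records follow the Microsoft Graph
`signIn` resource (GET /v1.0/auditLogs/signIns); SAMPLE_SIGNINS is constructed
test data, not real tenant logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Azure AD sign-in error codes: 0 is success; 500121 is "authentication failed
# during strong authentication request" (push declined, timed out or wrong code).
MFA_FAILED = 500121

# Subset of clientAppUsed values that use legacy authentication. These protocols
# cannot present a second factor, so a success here is an MFA bypass.
LEGACY_CLIENTS = {"Other clients", "Exchange ActiveSync", "IMAP4", "POP3",
                  "SMTP", "Authenticated SMTP", "MAPI Over HTTP"}

MFA, SFA = "multiFactorAuthentication", "singleFactorAuthentication"


def rec(ts, upn, app, client, requirement, ca_status, code):
    """Constructed sign-in record using the Graph field names."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "appDisplayName": app,
            "clientAppUsed": client, "authenticationRequirement": requirement,
            "conditionalAccessStatus": ca_status, "status": {"errorCode": code}}


SAMPLE_SIGNINS = [
    rec("2024-03-01T08:00:00Z", "alice@contoso.example", "Office 365 SharePoint Online", "Browser", MFA, "success", 0),
    rec("2024-03-01T08:05:00Z", "bob@contoso.example", "Office 365 Exchange Online", "Browser", SFA, "notApplied", 0),
    rec("2024-03-01T08:10:00Z", "svc-scanner@contoso.example", "Office 365 Exchange Online", "IMAP4", SFA, "notApplied", 0),
    # Five declined/timed-out prompts in under three minutes, then an approval.
    rec("2024-03-01T09:00:00Z", "carol@contoso.example", "Azure Portal", "Browser", MFA, "success", MFA_FAILED),
    rec("2024-03-01T09:00:40Z", "carol@contoso.example", "Azure Portal", "Browser", MFA, "success", MFA_FAILED),
    rec("2024-03-01T09:01:20Z", "carol@contoso.example", "Azure Portal", "Browser", MFA, "success", MFA_FAILED),
    rec("2024-03-01T09:02:00Z", "carol@contoso.example", "Azure Portal", "Browser", MFA, "success", MFA_FAILED),
    rec("2024-03-01T09:02:45Z", "carol@contoso.example", "Azure Portal", "Browser", MFA, "success", MFA_FAILED),
    rec("2024-03-01T09:03:30Z", "carol@contoso.example", "Azure Portal", "Browser", MFA, "success", 0),
    # A single failure is normal user friction, not an attack.
    rec("2024-03-01T10:00:00Z", "dave@contoso.example", "Azure Portal", "Browser", MFA, "success", MFA_FAILED),
]


def parse_ts(value):
    """Graph returns ISO-8601 UTC timestamps with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def succeeded(record):
    return record["status"]["errorCode"] == 0


def find_mfa_coverage_gaps(records):
    """Successful single-factor sign-ins where no Conditional Access policy
    applied: these user/app pairs are not protected by any MFA policy."""
    return [(r["userPrincipalName"], r["appDisplayName"]) for r in records
            if succeeded(r)
            and r["authenticationRequirement"] == SFA
            and r["conditionalAccessStatus"] == "notApplied"]


def find_legacy_auth_successes(records):
    """Successful sign-ins over protocols that cannot perform MFA."""
    return [(r["userPrincipalName"], r["clientAppUsed"]) for r in records
            if succeeded(r) and r["clientAppUsed"] in LEGACY_CLIENTS]


def find_push_fatigue(records, threshold=3, window=timedelta(minutes=10)):
    """Users with >= threshold failed MFA challenges inside `window`, and
    whether a successful sign-in followed (the attacker's prompt was approved)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)
    findings = {}
    for upn, recs in by_user.items():
        recs.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        failures = [parse_ts(r["createdDateTime"]) for r in recs
                    if r["status"]["errorCode"] == MFA_FAILED]
        for i, start in enumerate(failures):
            burst = [t for t in failures[i:] if t - start <= window]
            if len(burst) >= threshold:
                last = burst[-1]
                approved = any(succeeded(r) and start < parse_ts(r["createdDateTime"]) <= last + window
                               for r in recs)
                findings[upn] = {"failures": len(burst), "approved_after": approved}
                break
    return findings


if __name__ == "__main__":
    print("no MFA policy applied:", find_mfa_coverage_gaps(SAMPLE_SIGNINS))
    print("legacy auth successes:", find_legacy_auth_successes(SAMPLE_SIGNINS))
    print("possible push fatigue:", find_push_fatigue(SAMPLE_SIGNINS))
```

A coverage-gap hit for a user who should be covered usually means a policy exclusion or an app outside the policy's scope; a push-fatigue hit with `approved_after` true is a probable account compromise and warrants revoking the user's sessions and requiring re-registration.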
Best Practices
- Use Conditional Access: implement fine-grained control over MFA enforcement, and test new policies in report-only mode before turning them on.
- Require registration: ensure all users register for MFA, and review the registration report for accounts that have not.
- Prefer stronger methods: Microsoft Authenticator with number matching for most users and FIDO2 security keys for administrators; phase out SMS and voice where possible.
- Protect emergency access: exclude one or two break-glass accounts from MFA policies, keep their credentials offline, and alert on any sign-in by them.
- Block legacy authentication: protocols such as IMAP, POP and SMTP AUTH cannot perform MFA and are the usual way around it.
- Monitor sign-ins: regularly review sign-in logs for anomalies, including repeated failed MFA prompts.
- Educate users: provide clear guidance on MFA, including never approving a prompt they did not initiate.