Azure AD Multi-Factor Authentication


In this tutorial, we will learn about Azure AD Multi-Factor Authentication, including its verification methods and how it works.

Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as entering a code sent to their cellphone or providing a fingerprint scan. If you only use a password to authenticate a user, that single factor leaves an insecure vector for attack. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.

Conceptual image of the different forms of multi-factor authentication
Image Source: Microsoft

Further, Azure AD Multi-Factor Authentication works by requiring two or more of the following authentication methods:

  • Firstly, something you know, typically a password.
  • Secondly, something you have, such as a trusted device that cannot be duplicated easily, like a phone or hardware key.
  • Lastly, something you are – biometrics like a fingerprint or face scan.

Available verification methods

When a user signs in to an application or service and receives an MFA prompt, they can choose from one of their registered forms of additional verification. An administrator can require registration of these Azure AD Multi-Factor Authentication verification methods, or the user can open their own My Profile page to edit or add verification methods. The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:

  • Firstly, the Microsoft Authenticator app
  • Secondly, the OATH Hardware token
  • Then, SMS
  • Lastly, Voice call

Configuring Azure AD Multi-Factor Authentication settings

For customizing the end-user experience for Azure AD Multi-Factor Authentication, you can configure options for settings like the account lockout thresholds or fraud alerts and notifications. The settings include:

1. Account lockout

To prevent repeated MFA attempts as part of an attack, the account lockout settings let you specify how many failed attempts to allow before the account becomes locked out for a period of time. The account lockout settings apply only when a PIN code is entered for the MFA prompt. The following settings are available:

  • Firstly, the number of MFA denials to trigger an account lockout
  • Secondly, minutes until the account lockout counter is reset
  • Lastly, minutes until the account is automatically unblocked

Further, to configure the account lockout settings, complete the following steps:

  • Firstly, sign in to the Azure portal as an administrator.
  • Secondly, browse to Azure Active Directory > Security > MFA > Account lockout.
  • Then, enter the required values for your environment, then select Save.
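As an added illustration (not Microsoft's code and not part of the original page), the following Python models how the three account lockout values interact. It is a hypothetical, simplified tracker: it replays PIN attempts for a user and reports whether each attempt is allowed, denied, or rejected because the account is currently locked, so you can see the effect of the denial threshold, the counter reset window and the automatic unblock period before choosing values for your environment.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    # The three values exposed under Azure Active Directory > Security > MFA > Account lockout.
    denials_to_lockout: int       # number of MFA denials that trigger an account lockout
    counter_reset_minutes: int    # minutes until the account lockout counter is reset
    auto_unblock_minutes: int     # minutes until the account is automatically unblocked


@dataclass
class AccountState:
    denials: int = 0
    window_start: Optional[int] = None   # minute at which the current denial window began
    locked_until: Optional[int] = None   # minute at which the automatic unblock takes effect


class LockoutTracker:
    """Assumed, simplified model of the lockout counter (not Microsoft's implementation)."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: int) -> bool:
        st = self.accounts.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_pin_attempt(self, user: str, correct: bool, now: int) -> str:
        """Outcome of one PIN entry at minute `now`: 'allowed', 'denied' or 'locked'."""
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"                       # even a correct PIN is rejected while locked
        if st.locked_until is not None:           # auto-unblock period has elapsed: clear state
            st.locked_until, st.denials, st.window_start = None, 0, None
        if correct:
            st.denials, st.window_start = 0, None
            return "allowed"
        if st.window_start is None or now - st.window_start >= self.policy.counter_reset_minutes:
            st.denials, st.window_start = 0, now  # counter reset: start a fresh denial window
        st.denials += 1
        if st.denials >= self.policy.denials_to_lockout:
            st.locked_until = now + self.policy.auto_unblock_minutes
        return "denied"


def run_scenario(policy: LockoutPolicy, events: List[Tuple[str, int, bool]]) -> List[str]:
    """Replay constructed (user, minute, pin_correct) events in order and return each outcome."""
    tracker = LockoutTracker(policy)
    return [tracker.record_pin_attempt(user, ok, minute) for user, minute, ok in events]
```

With a threshold of 3 denials, a 5 minute reset window and a 30 minute unblock period, three wrong PINs in a row lock the account so that the next correct PIN at minute 3 is still rejected, while a correct PIN at minute 33 is allowed again; two denials, a pause longer than the reset window, then two more denials never reach the threshold.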

2. Block and unblock users

If a user’s device has been lost or stolen, you can block Azure AD Multi-Factor Authentication attempts for the associated account. Any Azure AD Multi-Factor Authentication attempts for blocked users are automatically denied.

Block a user

For blocking a user, complete the following steps:

  • Firstly, browse to Azure Active Directory > Security > MFA > Block/unblock users.
  • Secondly, select Add to block a user.
  • Then, enter the username for the blocked user as [email protected], then provide a comment in the Reason field.
  • Lastly, when ready, select OK to block the user.

Unblock a user

For unblocking a user, complete the following steps:

  • Firstly, browse to Azure Active Directory > Security > MFA > Block/unblock users.
  • Secondly, in the Action column next to the desired user, select Unblock.
  • Then, enter a comment in the Reason for unblocking field.
  • Lastly, when ready, select OK to unblock the user.

3. Fraud alert

The fraud alert feature lets users report fraudulent attempts to access their resources. When they receive an unknown and suspicious MFA prompt, users can report the fraud attempt using the Microsoft Authenticator app or through their phone.

The following fraud alert configuration options are available:

  • Firstly, automatically block users who report fraud. If a user reports fraud, the Azure AD MFA authentication attempts for the user account are blocked for 90 days or until an administrator unblocks their account. An administrator can review sign-ins by using the sign-in report and take appropriate action to prevent future fraud. An administrator can then unblock the user’s account.
  • Secondly, code to report fraud during initial greeting. When users receive a phone call to perform multi-factor authentication, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #. This code is 0 by default, but you can customize it.

To enable and configure fraud alerts, complete the following steps:

  • Firstly, browse to Azure Active Directory > Security > MFA > Fraud alert.
  • Secondly, set the Allow users to submit fraud alerts setting to On.
  • Then, configure the Automatically block users who report fraud or Code to report fraud during initial greeting setting as desired.
  • Lastly, select Save.

Reference: Microsoft Documentation, Doc 2
