Azure AD Multi-Factor Authentication
In thsi tutorial, we will learn and understand Azure AD Multi-Factor Authentication including its methods and working.
Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. However, if you only use a password to authenticate a user, it leaves an insecure vector for attack. When you require a second form of authentication, security is increased as this additional factor isn’t something that’s easy for an attacker to obtain or duplicate.
Further, Azure AD Multi-Factor Authentication works by requiring two or more of the following authentication methods:
- Firstly, something you know, typically a password.
- Secondly, something you have, such as a trustable device that cannot have duplicate easily, like a phone or hardware key.
- Lastly, something you are – biometrics like a fingerprint or face scan.
Available verification methods
When a user signs in to an application or service and receives an MFA prompt, they can choose from one of their registered forms of additional verification. An administrator could require registration of these Azure AD Multi-Factor Authentication verification methods, or the user can access their own My Profile to edit or add verification methods. However, the following additional forms of verification can be used with Azure AD Multi-Factor Authentication:
- Firstly, the Microsoft Authenticator app
- Secondly, the OATH Hardware token
- Then, SMS
- Lastly, Voice call
Configuring Azure AD Multi-Factor Authentication settings
For customizing the end-user experience for Azure AD Multi-Factor Authentication, you can configure options for settings like the account lockout thresholds or fraud alerts and notifications. The settings include:
1. Account lockout
To prevent repeated MFA attempts as part of an attack, the account lockout settings let you specify how many failed attempts to allow before the account becomes locked out for a period of time. The account lockout settings are only applicable when a pin code is for the MFA prompt. However, the following settings are available:
- Firstly, the number of MFA denials to trigger an account lockout
- Secondly, minutes until the account lockout counter is reset
- Lastly, minutes until the account is automatically unblocked
Further, for configuring account lockout settings, complete the following settings:
- Firstly, sign in to the Azure portal as an administrator.
- Secondly, browse to Azure Active Directory > Security > MFA > Account lockout.
- Then, enter the required values for your environment, then select Save.
2. Block and unblock users
If a user’s device has been lost or stolen, you can block Azure AD Multi-Factor Authentication attempts for the associated account. Any Azure AD Multi-Factor Authentication attempts for blocked users are automatically denied.
Block a user
For blocking a user, complete the following steps:
- Firstly, browse to Azure Active Directory > Security > MFA > Block/unblock users.
- Secondly, select Add to block a user.
- Then, enter the username for the blocked user as [email protected], then provide a comment in the Reason field.
- Lastly, when ready, select OK to block the user.
Unblock a user
For unblocking a user, complete the following steps:
- Firstly, browse to Azure Active Directory > Security > MFA > Block/unblock users.
- Secondly, in the Action column next to the desired user, select Unblock.
- Then, enter a comment in the Reason for unblocking field.
- Lastly, when ready, select OK to unblock the user.
3. Fraud alert
The fraud alert feature lets users report fraudulent attempts to access their resources. When there is an unknown and suspicious MFA prompt. Then, users can report the fraud attempt using the Microsoft Authenticator app or through their phone.
The following fraud alert configuration options are available:
- Firstly, automatically block users who report fraud. If a user reports fraud, the Azure AD MFA authentication attempts for the user account are blocked for 90 days or until an administrator unblocks their account. An administrator can review sign-ins by using the sign-in report and take appropriate action to prevent future fraud. An administrator can then unblock the user’s account.
- Secondly, code to report fraud during initial greeting. When users receive a phone call to perform multi-factor authentication, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #. This code is 0 by default, but you can customize it.
To enable and configure fraud alerts, complete the following steps:
- Firstly, browse to Azure Active Directory > Security > MFA > Fraud alert.
- Secondly, set the Allow users to submit fraud alerts setting to On.
- Then, configure the Automatically block users who report fraud or Code to report fraud during initial greeting setting as desired.
- Lastly, select Save.
Reference: Microsoft Documentation, Doc 2