Setup Azure Conditional Access + Multi Factor Authentication MFA. Today’s cyberthreat environment is ever evolving. A while back, it was safe to assume that your account was safe with a password. Not anymore. Cybercrime has evolved and cybercriminals have devised new, sophisticated methods to steal passwords, render their use insufficient, and companies have taken notice.
Therefore, the Conditional Access policy in Azure AD was designed as a countermeasure to let you protect Microsoft 365 apps based on different conditions and criteria. The policy allows you to prompt users with multi factor authentication when they sign in under certain circumstances.
This article is a comprehensive analysis of the conditional access and multi factor authentication policies in Microsoft Azure and how to set these policies for your account.
What are Conditional Access Policies in Azure?
The perimeter of modern secure system now encompasses not only the network but also the identities of users and their devices. As a safety measure, many organizations today base their access control determinations on identity driven signals. That is why, Azure is an excellent example of this. Azure AD Conditional Access integrates signals for decision making and policy enforcement.
I’d phrase Conditional Access policies as a statement: if a certain user wants to access a certain resource, then they need to pass a security measure. For example, if a user wants to access their account in Azure, then they need to do multi factor authentication to access it.
It is important to note that conditional access policies are enforced after first factor authentication is completed. Based on whether the user has passed the preceding condition or not, the conditional access policies are either granted or have blocked access.
The most common conditional access policies include:
- Requiring multi factor authentication for administrative users.
- Blocking sign in from devices that display suspicious behaviour.
- Requiring multi factor authentication for Azure management tasks.
- Restricting or allowing access from specified locations.
- Requiring trusted locations for Azure AD Multi Factor Authentication registration.
What is Multi Factor Authentication?
Here is an interesting statistic: cybercriminals have stolen almost 15 billion confidential credentials from unsecure systems. If they obtain yours, it may result in the loss of confidential data as well as significant financial and reputational harm to your company. This is why multi factor authentication comes into place.
Incorporating multi-factor authentication doesn’t eliminate usernames and passwords. Instead, it adds a layer onto another verification method to ensure that only authorized people are granted access and fraudsters are kept out.
Besides, multi factor authentication has proven to be very effective in preventing hacks. According to Microsoft, MFA is so effective that it blocks nearly 100 percent of account hacks. It’s simple but very effective.
More than 55% of organizations use multi-factor authentication to protect their systems, and this figure is increasing year after year. More and more organizations are recognizing the importance of implementing it and it should come as no surprise that Microsoft Azure is at the forefront of this.
How does it work?
Multifactor authentication strengthens a system’s defences by blending at least two separate factors. One is something you are familiar with, such as your email address or username and password. And then the other factor is either:
Something you are (iris scans, fingerprints, or any other biometric data) or something you have (your phone, keycard, or even your USB)
A typical MFA process in Azure has the following sequence of events:
- Registration: A person links something to the system, for example, their phone number.
- Login: The user then types in their username and password to get into the system.
- Verification: The system then connects with the item that has been registered. A verification code is then sent to the user’s phone. If the user is using an authenticator app, then the system displays a QR code that, when scanned, it gives the user a verification code.
- Gaining Access: The user then keys in the verification code sent to them, and they are granted access.
Improve your Active Directory Security & Azure AD by adding Access Policies +MFA
Try us out for Free, Access to all features. – 200+ AD Report templates Available. Easily customise your own AD reports.
Creating a Conditional Access Policy and Multi Factor Authentication
The following steps are necessary to create a new conditional access policy that is applicable to members of a security group in Azure.
- The first step is to access the Azure Active Directory blade, by logging in to the Azure portal using a Global administrator account.
- Then to access the Azure Active Directory security settings, go to Manage > Security on the left side of the window.
- Choose Conditional Access under the Protect tab on the Security page’s left sidebar.
- Select Add New policy and then Create new policy on the Conditional Access policies page.
- Once that is done enter a name for the new policy (for example: MFA Test Policy).
- The next step is to choose Users or workload identities. To do so, go to Assignments and then select users and groups radio button.
- Then Click the Users and groups checkbox and select users or groups that you want your policy to apply to.
- Search for your security group and then click the select button (for example, MFA-Security-Group).
- Select All cloud apps from Cloud apps or actions. Here, you can pick individual apps or exclude specific apps from the policy if necessary.
- Under Conditions, please give your preferred configuration. I have selected Any device under Device platforms and selected Any location to apply for this policy. You can tweak the setting here according to your preferences.
- Under Access controls, select Grant access, check the option Require multi-factor authentication, and then click the Select button.
- Click on the Enable policy toggle and set it to on.
- Finally, click the Create button.
Once this is done, your conditional access policy should be active. To test and verify your policy you can create a test user account and check for the multi factor authentication prompt.
Verify your Multi factor Authentication
The next step after setting up your multi factor authentication sign in is to verify it with a test user account. To do so please follow the following steps:
- Create a new profile in your browser or open a new window in InPrivate or Incognito mode and create it there.
- Open the Multi-factor Verification page or log in to any of your Microsoft 365 online apps.
- Log in with the test user account that you created and assigned to the test security group.
- In the next window, you’ll be prompted to enable Multi-Factor Authentication through various options.
- Select whichever methods suit you. For example, either via phone code or an authenticator app. Then finally proceed with the follow up steps that apply to your selected method of authentication to complete your verification.
Once this is done you can now be sure that multi factor authentication is successfully verified for your system.
Now that you have successfully verified your multi factor authentication, let’s expound on this by looking at the various multi-factor authentication settings available in Azure AD.
Azure AD Multi Factor Authentication settings
Significantly, Azure AD Multi Factor Authentication lets you customize the end user experience by letting you set options for things like account lockout thresholds and fraud alerts and notifications. Some settings for Azure Active Directory (Azure AD) are in the Azure portal, and some are in a separate portal for Azure AD Multi Factor Authentication.
In the Azure portal, you set up the following Multi Factor Authentication settings for Azure AD:
- Account lockout
- Block/unblock users
- Fraud alert
- OATH tokens
- Phone call settings
1. Account lockout
Setting a maximum number of failed MFA tries before locking out an account for a certain amount of time will help deter attacks that rely on repeatedly trying to access a user’s account. These account lockout settings only take effect after entering a PIN code for the MFA prompt.
You can set the following configurations to enable this:
- The maximum allowed number of failed MFA attempts before account lockout.
- Number of minutes until the timer for the account lockout is reset.
- The number of minutes until the account is automatically unblocked.
2. Block/unblock users
This setting is used to block Azure AD multi-factor authentication attempts for an account after the user’s device is lost or stolen. When this setting is used, any attempts at multifactor authentication for the prohibited user is automatically denied.
After a user is blocked, multi-factor authentication is prohibited for their account for a period of 90 days.
3. Fraud alert
This feature comes in handy for users when reporting potential fraud that involves their accounts. This option allows the user to report an unknown and suspicious MFA attempt by using the Microsoft Authenticator app or their phone.
You can have the following configuration options for this setting:
Create a setting to automatically block users who report fraud
If a user reports fraud on their account, the account will be locked out of Azure AD Multi-Factor Authentication for 90 days, or until the account is unlocked by an administrator.
This feature also offers a sign in report, which allows an administrator to review login activity and take corrective action as necessary to avoid any further fraudulent activity. The administrator then decides whether or not to unblock the user’s account.
Configure a phone call code to report fraud
Users typically confirm their sign in by pressing # when prompted to do so during a multi-factor authentication phone call. Usually, in order to report fraud, the user must first enter a code before pressing #.
The default value of this code is 0, although you can customize it. You can configure the setting to enable automatic blocking. Users can be given a prompt to press 1 if they’d like to block their accounts after pressing 0 to report fraud on their accounts.
5. OATH tokens
With this setting, you can manage OATH tokens for users in Azure AD Multi Factor Authentication environments that are based in the cloud.
Applications like Microsoft’s Authenticator app and others serve as examples of software OATH tokens. The secret key, or seed, that is used to produce each OTP is generated by Azure AD and then entered into the app.
When configured for push notifications, the Authenticator app will create codes on the user’s behalf, giving them a secondary method of authentication even if their smartphone is offline. Codes can also be generated with the use of a third-party program, provided it uses OATH TOTP to do so.
6. Phone call settings
You can use this setting to configure users’ experiences whenever they receive phone calls for MFA prompts. For example, you can configure the caller ID or set the voice of the greeting that they hear.
Thank you for reading Setup Azure Conditional Access + Multi Factor Authentication MFA. We shall conclude this article blog.
Setup Azure Conditional Access + Multi Factor Authentication Conclusion
Azure Conditional Access paired with Multi Factor Authentication is another tool devised in the ever evolving battle between cybercriminals and cybersecurity experts. Microsoft Azure AD conditional access policies with multi-factor authentication have proven to be sufficient tools for organizations whose main concern is to protect their users from fraudulent sign-ins.
Cyber security experts agree that a username and password are often insufficient defence against the most sophisticated cyber-attacks. In Microsoft Azure, you need to set conditional access policies and add multi factor authentication as another layer to fool proof your system and make it secure.
Try InfraSOS for FREE
Invite your team and explore InfraSOS features for free