Multi-factor authentication (MFA) has emerged as one way to protect against the threat of password compromise. It can be implemented in a variety of ways – smart cards, tokens, fingerprints, retinal scans, voice or facial recognition, etc. – but an increasingly popular means of providing MFA to avoid both the problem of lost/forgotten cards and the intrusiveness of biometrics is to tie the second authentication factor to something most people carry with them on a daily basis: their smart phones.
Microsoft Azure, like Amazon’s AWS and other cloud services, offers the option to enable and require multi-factor authentication for an added level of security when users sign into and perform transactions on the services.
Azure MFA can use a smartphone in one of three ways to verify a user’s identity: via a mobile app, a phone call or a text message. For example, after a user signs in with the standard user name and password, the user’s phone rings and the user is prompted to press a key to complete sign-in to the cloud application. Sign-ins that reach cloud apps through ADFS or another federated identity provider can be protected with Azure MFA as well.
Be aware that Azure MFA isn’t free. The pricing varies depending on the usage model you select. This can be:
- Per enabled user, per month: This choice is best if users will be doing a lot of multi-factor authentication. You pay a flat fee ($1.40 at the time of this writing) per month for each MFA-enabled user. You pay for every MFA-enabled user account whether or not that user actually performs any authentications, but each user gets an unlimited number of authentications.
- Per authentication: If you’ll only have a small number of multi-factor authentications, spread across several different users, it might turn out to be more cost effective to pay this way. You get ten MFA authentications for a flat fee ($1.40 at the time of this writing) and pay only for the number of authentications that are actually performed.
You can’t change the usage model once the MFA provider is created. You can start over and create a brand new MFA provider, but you’ll have to configure the user settings and options all over again if you do that, so choose the model carefully up front.
Note that Azure Global Administrators can get a more limited set of MFA capabilities for their own accounts at no cost, even if the Azure AD tenant doesn’t have Azure MFA enabled for its users.
The first thing that you need in order to use MFA in Azure is a Multi-factor Authentication Provider. If you have Azure Active Directory Premium, or if you have Office 365, then you don’t have to worry about this as you have an MFA provider included in your subscription. If you have no MFA provider, you’ll be prompted to add one when you open Multi-Factor Auth Providers in the Azure portal under Active Directory.
You’ll need to enter the name of the MFA provider as well as the usage model (per user or per authentication as described above).
The way that you enable MFA for users depends on whether it’s a new user or an existing user. It’s easy when you’re creating a new user in your Azure Active Directory. On the “User Profile” page of the “add user” wizard, there is a check box at the very bottom that you can check to enable multi-factor authentication.
If you want to go back and enable MFA for your existing users, here’s the process:
- In the Azure Management Portal, navigate to your Azure Active Directory. At the bottom of the page in the black action bar, you’ll see an icon that looks like a padlock and says Manage Multi-factor Auth. Click this.
- This will display a page that lists your users. Simply put a check mark in the boxes beside the names of the users for whom you want to enable MFA and then click Enable over in the right pane under “Quick Steps.”
- Click the button labeled bulk update.
- You’ll be prompted to read the deployment guide if you haven’t already, and given a link where users can go to register for MFA if they don’t regularly sign in through the browser. Click enable multi-factor auth on this page.
- You should then get a message that the updates were successful and MFA is now enabled for the selected user accounts. Click close.
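The same bulk enable can be scripted instead of clicked through. The following is an added example and not part of the original article; it uses the MSOnline PowerShell module (assumed to be installed, with Connect-MsolService already run as a Global Administrator) and a hypothetical list of user principal names that you would replace with your own.

```powershell
# Added example (not from the original article): bulk-enable Azure MFA for
# existing users with the MSOnline PowerShell module. Assumes the module is
# installed and that Connect-MsolService has been run as a Global Administrator.
# Hypothetical user list; substitute your own UPNs or read them from a CSV.

$UsersToEnable = @(
    'alice@contoso.onmicrosoft.com',
    'bob@contoso.onmicrosoft.com'
)

# A StrongAuthenticationRequirement with State = Enabled is what the portal's
# "Enable" button writes. RelyingParty "*" applies it to every application.
$Requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$Requirement.RelyingParty = '*'
$Requirement.State = 'Enabled'

foreach ($Upn in $UsersToEnable) {
    $User = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop

    # Skip users that already have an MFA state (Enabled or Enforced) so that
    # re-running the script does not reset an Enforced user back to Enabled.
    if ($User.StrongAuthenticationRequirements.Count -gt 0) {
        Write-Host "$Upn already has MFA state: $($User.StrongAuthenticationRequirements[0].State)"
        continue
    }

    Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @($Requirement)
    Write-Host "Enabled MFA for $Upn"
}

# Verification: list every user in the tenant with no MFA state at all, so
# that nobody is missed after a bulk update.
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName, IsLicensed |
    Format-Table -AutoSize
```

A state of Enabled means the user will be prompted to register their phone at the next browser sign-in; once registration is complete the state shows as Enforced. Passing an empty array (`-StrongAuthenticationRequirements @()`) removes the requirement and disables MFA for that user, so treat that call as a privileged action and audit who runs it.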
The next step is to configure the MFA provider’s general settings. These include how many attempts to allow during an MFA phone call, whether to speak the extension digits when prompting for an extension, the caller ID phone number the user sees, the timeout in seconds for two-way text messages and for one-time bypass, whether users are allowed to submit fraud alerts (and whether a user who reports fraud is automatically blocked), and whether to lock out user accounts after a specified number of failed MFA attempts.
Each newly enabled user will need to configure some user settings the next time they log on. The system will prompt the user to enter the required information, including a phone number for the system to call to validate the user. The user can choose to receive a phone call or a text message. Note that users may be charged for receiving the calls or texts, depending on their cell phone plans. Users may also need to generate app passwords for non-browser apps (such as Outlook, Lync and mobile mail apps) to work with MFA. Be aware that an app password lets such a client authenticate with that password alone, with no second factor, so it should be treated as a sensitive secret and revoked when the app no longer needs it.
Once MFA has been set up, whenever an MFA-enabled user signs in with their user name and password, they will get a phone call, text message or mobile app prompt to verify their identity before the sign-in completes.