Plan an Azure Active Directory Multi-Factor Authentication deployment
Azure Active Directory (Azure AD) Multi-Factor Authentication helps safeguard access to data and applications, providing another layer of security by using a second form of authentication. Organizations can enable multifactor authentication (MFA) with Conditional Access to make the solution fit their specific needs. This deployment guide shows you how to plan and implement an Azure AD Multi-Factor Authentication roll-out. Before you begin your deployment, ensure you meet the following prerequisites for your relevant scenarios.
Choose authentication methods for MFA
There are many methods that can be used for second-factor authentication. You can choose from the list of available authentication methods, evaluating each in terms of security, usability, and availability.
Important: Enable more than one MFA method so that users have a backup method available in case their primary method is unavailable.
Methods include:
When choosing the authentication methods that will be used in your tenant, consider the security and usability of each method. To learn more about the strength and security of these methods and how they work, see the following resources:
You can use this PowerShell script to analyze users' MFA configurations and suggest the appropriate MFA authentication method. For the best flexibility and usability, use the Microsoft Authenticator app. This authentication method provides the best user experience and multiple modes, such as passwordless, MFA push notifications, and OATH codes. The Microsoft Authenticator app also meets the National Institute of Standards and Technology (NIST) Authenticator Assurance Level 2 requirements. You can control the authentication methods available in your tenant. For example, you may want to block some of the least secure methods, such as SMS.
Plan Conditional Access policies
Azure AD Multi-Factor Authentication is enforced with Conditional Access policies. These policies allow you to prompt users for MFA when needed for security and stay out of users' way when not needed. In the Azure portal, you configure Conditional Access policies under Azure Active Directory > Security > Conditional Access. To learn more about creating Conditional Access policies, see Conditional Access policy to prompt for Azure AD Multi-Factor Authentication when a user signs in to the Azure portal. This helps you to:
For end-to-end guidance on Azure AD Conditional Access deployment, see the Conditional Access deployment plan.
Common policies for Azure AD Multi-Factor Authentication
Common use cases to require Azure AD Multi-Factor Authentication include:
Named locations
To manage your Conditional Access policies, the location condition of a Conditional Access policy enables you to tie access control settings to the network locations of your users. We recommend using Named Locations so that you can create logical groupings of IP address ranges or countries and regions. You can then create a policy for all apps that blocks sign-in from a named location. Be sure to exempt your administrators from this policy.
Risk-based policies
If your organization uses Azure AD Identity Protection to detect risk signals, consider using risk-based policies instead of named locations. Policies can be created to force password changes when there is a threat of compromised identity, or to require MFA when a sign-in is deemed at risk, for example because of leaked credentials or sign-ins from anonymous IP addresses. Risk policies include:
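The named-location block policy described above, written as an added example in Microsoft Graph PowerShell (this is not code from the original article). It creates a country-based named location and a Conditional Access policy that blocks sign-in from it for all apps, excludes an administrators group so a mistake cannot lock admins out, and starts in report-only mode. The country code and the group object ID are placeholders you must replace.

```powershell
# Added example: named location + block policy via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder values: replace with the country codes you want to block and the
# object ID of the group holding your administrator / emergency-access accounts.
$blockedCountries = @("XX")
$adminGroupId     = "00000000-0000-0000-0000-000000000000"

# 1. Create a named location so the policy refers to a logical grouping
#    instead of country codes or IP ranges embedded in the policy itself.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Blocked countries"
    countriesAndRegions               = $blockedCountries
    # Sign-ins whose country cannot be determined are NOT matched here;
    # decide deliberately whether your policy should treat them as blocked.
    includeUnknownCountriesAndRegions = $false
}

# 2. Block sign-in from that location for all cloud apps. The admin group is
#    excluded, as the article recommends, so administrators are never locked out.
$policy = @{
    displayName = "Block sign-in from blocked countries"
    # Report-only first: review the sign-in logs for matches before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($adminGroupId)
        }
        locations      = @{ includeLocations = @($location.Id) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Switch the state to "enabled" only after the report-only results show no unexpected matches for legitimate users.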
Convert users from per-user MFA to Conditional Access based MFA
If your users were enabled using per-user enabled and enforced MFA, the following PowerShell can assist you in making the conversion to Conditional Access based MFA. Run this PowerShell in an ISE window or save it as a .PS1 file to run locally. The operation can only be done by using the MSOnline module.

```powershell
# Requires the MSOnline module; connect before running: Connect-MsolService
# Only run the disable step after a Conditional Access policy requiring MFA is
# already in place, otherwise users lose MFA coverage during the conversion.

# Sets the MFA requirement state
function Set-MfaState {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $ObjectId,
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $UserPrincipalName,
        [ValidateSet("Disabled","Enabled","Enforced")]
        $State
    )
    Process {
        Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
        # An empty requirements array clears per-user MFA entirely.
        $Requirements = @()
        if ($State -ne "Disabled") {
            $Requirement = [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
            $Requirement.RelyingParty = "*"
            $Requirement.State = $State
            $Requirements += $Requirement
        }
        Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
            -StrongAuthenticationRequirements $Requirements
    }
}

# Disable MFA for all users
Get-MsolUser -All | Set-MfaState -State Disabled
```

Plan user session lifetime
When planning your multifactor authentication deployment, it's important to think about how frequently you would like to prompt your users. Asking users for credentials often seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt. Azure AD has multiple settings that determine how often you need to reauthenticate. Understand the needs of your business and users and configure settings that provide the best balance for your environment. We recommend using devices with Primary Refresh Tokens (PRT) for an improved end-user experience, and reducing the session lifetime with a sign-in frequency policy only for specific business use cases.
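The session-lifetime recommendation above, as an added example in Microsoft Graph PowerShell (not code from the original article): a Conditional Access policy that requires MFA and a one-hour sign-in frequency for a single sensitive application only, leaving every other app on the default lifetime, followed by a query that lists which existing policies already shorten sessions. The application ID and the emergency-access group ID are placeholders.

```powershell
# Added example: scope a short sign-in frequency to one app, not the whole tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholders: application (client) ID of the sensitive app and the object ID
# of the emergency-access group that every policy should exclude.
$sensitiveAppId       = "00000000-0000-0000-0000-000000000000"
$emergencyAccessGroup = "11111111-1111-1111-1111-111111111111"

$policy = @{
    displayName = "Sensitive app: MFA with 1-hour sign-in frequency"
    state       = "enabledForReportingButNotEnforced"   # enforce after review
    conditions  = @{
        clientAppTypes = @("all")
        # Only this app gets the shorter session; PRT-based devices keep their
        # normal, low-friction experience everywhere else.
        applications   = @{ includeApplications = @($sensitiveAppId) }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($emergencyAccessGroup)
        }
    }
    grantControls   = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"
            value     = 1
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Audit: which policies already shorten sessions? Too many of these trains users
# to type credentials reflexively, which is the failure mode the article warns about.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.SessionControls.SignInFrequency.IsEnabled } |
    Select-Object DisplayName, State,
        @{ n = 'Frequency'; e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } }
```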
For more information, see Optimize reauthentication prompts and understand session lifetime for Azure AD Multi-Factor Authentication.
Plan user registration
A major step in every multifactor authentication deployment is getting users registered to use Azure AD Multi-Factor Authentication. Authentication methods such as Voice and SMS allow pre-registration, while others like the Authenticator App require user interaction. Administrators must determine how users will register their methods.
Combined registration for SSPR and Azure AD MFA
Note: Starting on August 15th 2020, all new Azure AD tenants will be automatically enabled for combined registration. Tenants created after this date will be unable to utilize the legacy registration workflows. After Sept. 30th, 2022, all existing Azure AD tenants will be automatically enabled for combined registration.
We recommend that organizations use the combined registration experience for Azure AD Multi-Factor Authentication and self-service password reset (SSPR). SSPR allows users to reset their password in a secure way using the same methods they use for Azure AD Multi-Factor Authentication. Combined registration is a single step for end users. To make sure you understand the functionality and end-user experience, see the Combined security information registration concepts. It's critical to inform users about upcoming changes, registration requirements, and any necessary user actions. We provide communication templates and user documentation to prepare your users for the new experience and help to ensure a successful rollout. Send users to https://myprofile.microsoft.com to register by selecting the Security Info link on that page.
Registration with Identity Protection
Azure AD Identity Protection contributes both a registration policy and automated risk detection and remediation policies to the Azure AD Multi-Factor Authentication story.
Policies can be created to force password changes when there is a threat of compromised identity or require MFA when a sign-in is deemed risky. If you use Azure AD Identity Protection, configure the Azure AD MFA registration policy to prompt your users to register the next time they sign in interactively.
Registration without Identity Protection
If you don't have licenses that enable Azure AD Identity Protection, users are prompted to register the next time that MFA is required at sign-in. To require users to use MFA, you can use Conditional Access policies and target frequently used applications like HR systems. If a user's password is compromised, it could be used to register for MFA, taking control of their account. We therefore recommend securing the security registration process with Conditional Access policies requiring trusted devices and locations. You can further secure the process by also requiring a Temporary Access Pass, a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including passwordless ones.
Increase the security of registered users
If you have users registered for MFA using SMS or voice calls, you may want to move them to more secure methods such as the Microsoft Authenticator app. Microsoft now offers a public preview of functionality that allows you to prompt users to set up the Microsoft Authenticator app during sign-in. You can set these prompts by group, controlling who is prompted, enabling targeted campaigns to move users to the more secure method.
Plan recovery scenarios
As mentioned before, ensure users are registered for more than one MFA method, so that if one is unavailable, they have a backup. If the user does not have a backup method available, you can:
Plan integration with on-premises systems
Applications that authenticate directly with Azure AD and have modern authentication (WS-Fed, SAML, OAuth, OpenID Connect) can make use of Conditional Access policies. Some legacy and on-premises applications do not authenticate directly against Azure AD and require additional steps to use Azure AD Multi-Factor Authentication. You can integrate them by using Azure AD Application Proxy or Network Policy Server.
Integrate with AD FS resources
We recommend migrating applications secured with Active Directory Federation Services (AD FS) to Azure AD. However, if you are not ready to migrate these to Azure AD, you can use the Azure Multi-Factor Authentication adapter with AD FS 2016 or newer. If your organization is federated with Azure AD, you can configure Azure AD Multi-Factor Authentication as an authentication provider with AD FS resources both on-premises and in the cloud.
RADIUS clients and Azure AD Multi-Factor Authentication
For applications that are using RADIUS authentication, we recommend moving client applications to modern protocols such as SAML, OpenID Connect, or OAuth on Azure AD. If the application cannot be updated, then you can deploy Network Policy Server (NPS) with the Azure MFA extension. The NPS extension acts as an adapter between RADIUS-based applications and Azure AD MFA to provide a second factor of authentication.
Common integrations
Many vendors now support SAML authentication for their applications. When possible, we recommend federating these applications with Azure AD and enforcing MFA through Conditional Access. If your vendor doesn't support modern authentication, you can use the NPS extension. Common RADIUS client integrations include applications such as Remote Desktop Gateways and VPN servers. Others might include:
Your Azure AD Multi-Factor Authentication rollout plan should include a pilot deployment followed by deployment waves that are within your support capacity. Begin your rollout by applying your Conditional Access policies to a small group of pilot users. After evaluating the effect on the pilot users, process used, and registration behaviors, you can either add more groups to the policy or add more users to the existing groups. Follow the steps below:
This section provides reporting and troubleshooting information for Azure AD Multi-Factor Authentication.
Reporting and Monitoring
Azure AD has reports that provide technical and business insights. Use them to follow the progress of your deployment and to check whether your users sign in successfully with MFA. Have your business and technical application owners assume ownership of and consume these reports based on your organization's requirements. You can monitor authentication method registration and usage across your organization using the Authentication Methods Activity dashboard. This helps you understand what methods are being registered and how they're being used.
Sign-in report to review MFA events
The Azure AD sign-in reports include authentication details for events when a user is prompted for MFA, and whether any Conditional Access policies were in use. You can also use PowerShell for reporting on users registered for Azure AD Multi-Factor Authentication. NPS extension and AD FS logs can be viewed from Security > MFA > Activity report. Inclusion of this activity in the Sign-in logs is currently in Preview. For more information, and additional Azure AD Multi-Factor Authentication reports, see Review Azure AD Multi-Factor Authentication events.
Troubleshoot Azure AD Multi-Factor Authentication
See Troubleshooting Azure AD Multi-Factor Authentication for common issues.
Next steps
Deploy other identity features
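An added example (not code from the original article) of the PowerShell registration reporting mentioned above, using the same MSOnline module as the conversion script. It builds one report that answers three planning questions from this guide: who has no method registered, who has only a single method and therefore no backup, and who relies solely on SMS or voice calls and is a candidate for the Microsoft Authenticator campaign. The MethodType strings are the values MSOnline records for SMS and voice methods.

```powershell
# Added example: MFA registration report for deployment planning (MSOnline module).
Connect-MsolService

# MethodType values MSOnline records for SMS and voice-call methods.
$phoneOnlyMethods = @("OneWaySMS", "TwoWaySMS", "TwoWayVoiceMobile",
                      "TwoWayVoiceOffice", "TwoWayVoiceAlternateMobile")

$report = Get-MsolUser -All | ForEach-Object {
    $methods  = @($_.StrongAuthenticationMethods | ForEach-Object MethodType)
    $default  = ($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType
    $nonPhone = @($methods | Where-Object { $_ -notin $phoneOnlyMethods })
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        # Per-user MFA state; empty for users covered only by Conditional Access.
        PerUserMfaState   = $_.StrongAuthenticationRequirements.State
        MethodCount       = $methods.Count
        DefaultMethod     = $default
        # True when every registered method is SMS or voice.
        PhoneOnly         = ($methods.Count -gt 0 -and $nonPhone.Count -eq 0)
    }
}

# 1. Users with no method registered cannot satisfy an MFA policy yet; they
#    will be prompted to register at next sign-in once a policy targets them.
$report | Where-Object MethodCount -eq 0

# 2. Users with a single method have no backup if that method is unavailable.
$report | Where-Object MethodCount -eq 1

# 3. Users relying solely on SMS/voice: scope the Authenticator app campaign to them.
$report | Where-Object PhoneOnly |
    Export-Csv -Path .\phone-only-mfa-users.csv -NoTypeInformation
```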