How it works: Azure Multi-Factor Authentication
The security of two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method. It works by requiring two or more of the following authentication methods:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
Azure Multi-Factor Authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for users. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy to use authentication methods.
How to get Multi-Factor Authentication?
Multi-Factor Authentication comes as part of the following offerings:
- Azure Active Directory Premium licenses - Full featured use of Azure Multi-Factor Authentication Service (Cloud) or Azure Multi-Factor Authentication Server (On-premises).
- Azure MFA Service (Cloud) - This option is the recommended path for new deployments. Azure MFA in the cloud requires no on-premises infrastructure and can be used with your federated or cloud-only users.
- Azure MFA Server - If your organization wants to manage the associated infrastructure elements itself and has already deployed AD FS on-premises, this path may be an option.
- Multi-Factor Authentication for Office 365 - A subset of Azure Multi-Factor Authentication capabilities are available as a part of your subscription. For more information about MFA for Office 365, see the article Plan for multi-factor authentication for Office 365 Deployments.
- Azure Active Directory Global Administrators - A subset of Azure Multi-Factor Authentication capabilities are available as a means to protect global administrator accounts.
New customers may no longer purchase Azure Multi-Factor Authentication as a standalone offering effective September 1st, 2018. Multi-factor authentication will continue to be an available feature in Azure AD Premium licenses.
Auth Provider or MFA license
If you have Azure AD Premium or another license bundle that includes Azure AD Premium, you already have Azure MFA. Your organization doesn't need anything additional to extend the two-step verification capability to all users. You only need to assign a license to a user, and then you can turn on MFA.
If you don't have licenses that include Azure MFA, or don't have enough licenses to cover all of your users, you can create an MFA Auth Provider to extend the full capabilities of MFA to the users who need them.
When only some users are licensed, create a per-user Multi-Factor Auth Provider to cover the rest of your organization. Do not create a per-authentication Multi-Factor Auth Provider: it is billed per verification request, so you could end up paying for verification requests from users that already have licenses.
Since most users are accustomed to authenticating with only a password, it is important that your organization communicates the change to all users before it is enforced. Awareness reduces the number of help desk calls for minor MFA issues. There are still scenarios, such as a lost or broken phone, where temporarily disabling MFA for a user is necessary. Use the following guidelines to handle those scenarios:
- Train your support staff to handle scenarios where the user can't sign in because they do not have access to their authentication methods or they are not working correctly.
- Using conditional access policies for Azure MFA Service, your support staff can add a user to a group that is excluded from a policy requiring MFA.
- Support staff can enable a temporary one-time bypass for Azure MFA Server users to allow a user to authenticate without two-step verification. The bypass is temporary and expires after a specified number of seconds.
- Consider using Trusted IPs or named locations as a way to minimize two-step verification prompts. With this feature, administrators of a managed or federated tenant can bypass two-step verification for users that are signing in from a trusted network location such as their organization's intranet. Keep the trusted ranges as narrow as possible: every sign-in that originates from them, including one by an attacker who has reached that network, skips the second factor.
- Deploy Azure AD Identity Protection and trigger two-step verification based on risk events.
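The help-desk bypass described above (adding a user to a group that is excluded from the MFA conditional access policy) is easy to grant and easy to forget. The following PowerShell is an added example, not code from the original article or from Microsoft; it time-boxes the exclusion and keeps an audit trail so a scheduled sweep puts the user back under the policy. It uses the AzureAD module cmdlets (Connect-AzureAD, Get-AzureADUser, Add-AzureADGroupMember and friends) and assumes, which the article does not state, that a security group named "CA-MFA-Exclusions" is configured as an excluded group on the MFA policy, that the operator may change its membership, and that a CSV file is an acceptable audit log.

```powershell
<#
  Added example (not from the original article or from Microsoft).
  Time-boxed help-desk exclusion from an Azure MFA conditional access policy
  using the AzureAD PowerShell module.
  Assumptions not in the article: the group "CA-MFA-Exclusions" is listed as an
  excluded group on the policy that requires MFA, the operator can edit its
  membership, and a CSV file on the admin host is the audit trail.
#>
Import-Module AzureAD -ErrorAction Stop

$ExclusionGroupName = 'CA-MFA-Exclusions'                      # assumed group name
$LogPath            = "$env:ProgramData\mfa-exclusions.csv"    # assumed audit log location

function Get-ExclusionGroup {
    $group = Get-AzureADGroup -Filter "displayName eq '$ExclusionGroupName'"
    if (-not $group) { throw "Exclusion group '$ExclusionGroupName' not found" }
    return $group
}

function Add-TemporaryMfaExclusion {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $TicketId,   # help-desk case the bypass is tied to
        [int] $Hours = 4                             # the bypass is reverted once this has passed
    )
    $user  = Get-AzureADUser -ObjectId $UserPrincipalName
    $group = Get-ExclusionGroup

    # A user who is already excluded should be investigated, not silently re-added.
    $member = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
              Where-Object { $_.ObjectId -eq $user.ObjectId }
    if ($member) { throw "$UserPrincipalName is already excluded from MFA; check $LogPath first" }

    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId

    # Record who granted the bypass, for whom, why, and when it must end.
    $now = (Get-Date).ToUniversalTime()
    [pscustomobject]@{
        AddedUtc   = $now.ToString('o')
        ExpiresUtc = $now.AddHours($Hours).ToString('o')
        UserId     = $user.ObjectId
        User       = $user.UserPrincipalName
        Ticket     = $TicketId
        Operator   = (Get-AzureADCurrentSessionInfo).Account.Id
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

function Remove-ExpiredMfaExclusions {
    # Run on a schedule: removes every user whose bypass window has passed.
    if (-not (Test-Path $LogPath)) { return }
    $group   = Get-ExclusionGroup
    $now     = (Get-Date).ToUniversalTime()
    $members = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
                 Select-Object -ExpandProperty ObjectId)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $style   = [System.Globalization.DateTimeStyles]::RoundtripKind

    foreach ($entry in Import-Csv -Path $LogPath) {
        $expires = [datetime]::Parse($entry.ExpiresUtc, $culture, $style).ToUniversalTime()
        if ($expires -gt $now) { continue }                 # still inside its window
        if ($members -contains $entry.UserId) {
            Remove-AzureADGroupMember -ObjectId $group.ObjectId -MemberId $entry.UserId
            Write-Host "MFA re-enforced for $($entry.User) (ticket $($entry.Ticket) expired)"
        }
    }
}

# Usage (after Connect-AzureAD with an account allowed to manage the group):
# Add-TemporaryMfaExclusion -UserPrincipalName 'alice@contoso.com' -TicketId 'HD-1234' -Hours 2
# Remove-ExpiredMfaExclusions
```

The sweep is idempotent: entries whose user was already removed by hand are skipped, and the log keeps every grant so an auditor can see which tickets justified each bypass. Group membership and policy changes in Azure AD are not instantaneous, so allow a few minutes before telling the user to retry.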