Tutorial: Complete an Azure Multi-Factor Authentication pilot roll out

In this tutorial, we walk you through configuring a Conditional Access policy that enables Azure Multi-Factor Authentication (Azure MFA) when logging in to the Azure portal. The policy is deployed to and tested on a specific group of pilot users. Deploying Azure MFA using Conditional Access gives organizations and administrators significantly more flexibility than the traditional enforced method.

  • Enable Azure Multi-Factor Authentication
  • Test Azure Multi-Factor Authentication

Prerequisites

Enable Azure Multi-Factor Authentication

  1. Sign in to the Azure portal using a Global Administrator account.
  2. Browse to Azure Active Directory, Conditional Access
  3. Select New policy
  4. Name your policy MFA Pilot
  5. Under Users and groups, select the Select users and groups radio button
    • Select your pilot group created as part of the prerequisites section of this article
    • Click Done
  6. Under Cloud apps, select the Select apps radio button
    • The cloud app for the Azure portal is Microsoft Azure Management
    • Click Select
    • Click Done
  7. Skip the Conditions section
  8. Under Grant, make sure the Grant access radio button is selected
    • Check the box for Require multi-factor authentication
    • Click Select
  9. Skip the Session section
  10. Set the Enable policy toggle to On
  11. Click Create
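
The policy that steps 4 to 10 produce, written in the Microsoft Graph `conditionalAccessPolicy` JSON shape, together with a check that an exported policy is still scoped to the pilot group and still enforces MFA. This is an added example, not part of the original tutorial; the group GUID is a constructed placeholder, the function names are hypothetical, and the application ID is the one the portal lists as Microsoft Azure Management.

```python
# Added example, not Microsoft's code. Function names are hypothetical.
# Application ID that the portal lists as "Microsoft Azure Management".
AZURE_MGMT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"

def build_pilot_policy(pilot_group_id):
    """Graph conditionalAccessPolicy body equivalent to portal steps 4-10."""
    return {
        "displayName": "MFA Pilot",                                        # step 4
        "state": "enabled",                                                # step 10
        "conditions": {
            # Graph requires this field; "all" is an assumption standing in
            # for the skipped Conditions section (step 7).
            "clientAppTypes": ["all"],
            "users": {"includeGroups": [pilot_group_id]},                  # step 5
            "applications": {"includeApplications": [AZURE_MGMT_APP_ID]},  # step 6
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},   # step 8
    }

def audit_pilot_policy(policy, pilot_group_id):
    """Return findings for an exported policy; [] means it matches the pilot design."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if policy.get("state") != "enabled":
        findings.append("state: policy is not enforced (disabled or report-only)")
    if users.get("includeUsers"):
        findings.append("users: individual users or 'All' included, not only the pilot group")
    if (users.get("includeGroups") or []) != [pilot_group_id]:
        findings.append("groups: includeGroups is not exactly the pilot group")
    if (apps.get("includeApplications") or []) != [AZURE_MGMT_APP_ID]:
        findings.append("apps: target is not only Microsoft Azure Management")
    if "mfa" not in controls:
        findings.append("grant: MFA is not required")
    elif len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("grant: MFA can be skipped by satisfying another control")
    return findings

if __name__ == "__main__":
    import json
    gid = "00000000-0000-0000-0000-000000000001"  # constructed placeholder group ID
    policy = build_pilot_policy(gid)
    print(json.dumps(policy, indent=2))
    print(audit_pilot_policy(policy, gid) or "policy matches the pilot design")
```

Running the audit against a policy exported after later edits catches the two mistakes that matter most in a pilot: a scope that has widened to all users, and a policy left in report-only mode that never prompts for MFA.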

Test Azure Multi-Factor Authentication

To prove that your Conditional Access policy works, you test logging in to a resource that should not require MFA and then to the Azure portal that requires MFA.

  1. Open a new browser window in InPrivate or incognito mode and browse to https://account.activedirectory.windowsazure.com.
    • Log in with the test user created as part of the prerequisites section of this article and note that it should not ask you to complete MFA.
    • Close the browser window.
  2. Open a new browser window in InPrivate or incognito mode and browse to https://portal.azure.com.
    • Log in with the test user created as part of the prerequisites section of this article and note that you should now be required to register for and use Azure Multi-Factor Authentication.
    • Close the browser window.

Clean up resources

If you decide you no longer want to use the functionality you have configured as part of this tutorial, make the following change.

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory, Conditional Access.
  3. Select the Conditional Access policy you created.
  4. Click Delete.

Next steps

In this tutorial, you have enabled Azure Multi-Factor Authentication. Continue on to the next tutorial to see how Azure Identity Protection can be integrated into the self-service password reset and Multi-Factor Authentication experiences.