Quickstart: Require MFA for specific apps with Azure Active Directory conditional access
To simplify the sign-in experience of your users, you might want to allow them to sign in to your cloud apps using a user name and a password. However, many environments have at least a few apps for which it is advisable to require a stronger form of account verification, such as multi-factor authentication (MFA). This might be, for example true, for access to your organization's email system or your HR apps. In Azure Active Directory (Azure AD), you can accomplish this goal with a conditional access policy.
This quickstart shows how to configure an Azure AD conditional access policy that requires multi-factor authentication for a selected cloud app in your environment.
If you don't have an Azure subscription, create a free account before you begin.
To complete the scenario in this quickstart, you need:
Access to an Azure AD Premium edition - Azure AD conditional access is an Azure AD Premium capability.
A test account called Isabella Simonsen - If you don't know how to create a test account, see Add cloud-based users.
The scenario in this quickstart requires that per user MFA is not enabled for your test account. For more information, see How to require two-step verification for a user.
Test your sign-in
The goal of this step is to get an impression of the sign-in experience without a conditional access policy.
To initialize your environment:
Sign in to your Azure portal as Isabella Simonsen.
Create your conditional access policy
This section shows how to create the required conditional access policy. The scenario in this quickstart uses:
- The Azure portal as placeholder for a cloud app that requires MFA.
- Your sample user to test the conditional access policy.
In your policy, set:
|Users and groups||Isabella Simonsen|
|Cloud apps||Microsoft Azure Management|
|Grant access||Require multi-factor authentication|
To configure your conditional access policy:
Sign in to your Azure portal as global administrator, security administrator, or a conditional access administrator.
In the Azure portal, on the left navbar, click Azure Active Directory.
On the Azure Active Directory page, in the Security section, click Conditional Access.
On the Conditional Access page, in the toolbar on the top, click New policy.
On the New page, in the Name textbox, type Require MFA for Azure portal access.
In the Assignment section, click Users and groups.
On the Users and groups page, perform the following steps:
a. Click Select users and groups, and then select Users and groups.
b. Click Select.
c. On the Select page, select Isabella Simonsen, and then click Select.
d. On the Users and groups page, click Done.
Click Cloud apps.
On the Cloud apps page, perform the following steps:
a. Click Select apps.
b. Click Select.
c. On the Select page, select Microsoft Azure Management, and then click Select.
d. On the Cloud apps page, click Done.
In the Access controls section, click Grant.
On the Grant page, perform the following steps:
a. Select Grant access.
a. Select Require multi-factor authentication.
b. Click Select.
In the Enable policy section, click On.
Evaluate a simulated sign-in
Now that you have configured your conditional access policy, you probably want to know whether it works as expected. As a first step, use the conditional access what if policy tool to simulate a sign-in of your test user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.
To initialize the what if policy evaluation tool, set:
- Isabella Simonsen as user
Microsoft Azure Management as cloud app
Clicking What If creates a simulation report that shows:
Require MFA for Azure portal access under Policies that will apply
- Require multi-factor authentication as Grant Controls.
To evaluate your conditional access policy:
On the Conditional access - Policies page, in the menu on the top, click What If.
Click Users, select Isabella Simonsen, and then click Select.
To select a cloud app, perform the following steps:
a. Click Cloud apps.
b. On the Cloud apps page, click Select apps.
c. Click Select.
d. On the Select page, select Microsoft Azure Management, and then click Select.
e. On the cloud apps page, click Done.
Click What If.
Test your conditional access policy
In the previous section, you have learned how to evaluate a simulated sign-in. In addition to a simulation, you should also test your conditional access policy to ensure that it works as expected.
To test your policy, try to sign-in to your Azure portal using your Isabella Simonsen test account. You should see a dialog that requires you to set your account up for additional security verification.
Clean up resources
When no longer needed, delete the test user and the conditional access policy:
If you don't know how to delete an Azure AD user, see Delete users from Azure AD.
To delete your policy, select your policy, and then click Delete in the quick access toolbar.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.