Getting started with Azure Multi-Factor Authentication in the cloud

This article walks through how to get started using Azure Multi-Factor Authentication in the cloud.

Note

The following documentation provides information on how to enable users using the Azure Classic Portal. If you are looking for information on how to set up Azure Multi-Factor Authentication for O365 users, see Set up multi-factor authentication for Office 365.

MFA in the Cloud

Prerequisite

Sign up for an Azure subscription - If you do not already have an Azure subscription, you need to sign up for one. If you are just starting out with Azure MFA, you can use a trial subscription.

Enable Azure Multi-Factor Authentication

As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are:

  • Azure Multi-Factor Authentication
  • Azure Active Directory Premium
  • Enterprise Mobility + Security

If you don't have one of these three licenses, or you don't have enough licenses to cover all of your users, that's ok too. You just have to do an extra step and Create a Multi-Factor Auth Provider in your directory.

Turn on two-step verification for users

To start requiring two-step verification for a user, change the user's state from disabled to enabled. For more information on user states, see User States in Azure Multi-Factor Authentication.

Use the following procedure to enable MFA for your users.

To turn on multi-factor authentication

  1. Sign in to the Azure classic portal as an administrator.
  2. On the left, click Active Directory.
  3. Under Directory, select the directory for the user you wish to enable.
  4. At the top, click Users.
  5. At the bottom of the page, click Manage Multi-Factor Auth. A new browser tab opens.
  6. Find the user that you wish to enable for two-step verification. You may need to change the view at the top. Ensure that the status is disabled.
  7. Place a check in the box next to their name.
  8. On the right, click Enable.
  9. Click enable multi-factor auth.
  10. Notice that the user's state has changed from disabled to enabled.

After you have enabled your users, you should notify them via email. The next time they try to sign in, they'll be asked to enroll their account for two-step verification. Once they start using two-step verification, they'll also need to set up app passwords to avoid being locked out of non-browser apps.

Use PowerShell to automate turning on two-step verification

To change the state using Azure AD PowerShell, use the following commands. Set $st.State to one of the following states:

  • Enabled
  • Enforced
  • Disabled

Important

We advise against moving users directly from the Disabled state to the Enforced state. Non-browser-based apps will stop working because the user has not gone through MFA registration and obtained an app password. If you have non-browser-based apps and require app passwords, we recommend that you go from a Disabled state to Enabled. This allows users to register and obtain their app passwords. After that, you can move them to Enforced.

Using PowerShell is an option for bulk-enabling users. Currently there is no bulk enable feature in the Azure portal, so you need to select each user individually, which can be quite a task if you have many users. By creating a PowerShell script using the following, you can loop through a list of users and enable them.

    # Requires the MSOnline module; run Connect-MsolService as an administrator first.
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"      # "*" applies the requirement to all relying parties
    $st.State = "Enabled"       # Enabled, Enforced, or Disabled
    $sta = @($st)               # the parameter expects an array of requirements
    Set-MsolUser -UserPrincipalName bsimon@contoso.com -StrongAuthenticationRequirements $sta

Here is an example:

    # Loop through a list of users and set each one to the Enabled state.
    $users = "bsimon@contoso.com","jsmith@contoso.com","ljacobson@contoso.com"
    foreach ($user in $users)
    {
        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $st.RelyingParty = "*"
        $st.State = "Enabled"
        $sta = @($st)
        Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
    }
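The loop above sets every listed user to Enabled without looking at where they are now, and the Important note earlier warns against jumping straight from Disabled to Enforced. The following script is an added example, not part of the original article or the Azure AD PowerShell module: it reads each user's current state with Get-MsolUser, refuses to skip the Enabled step, and prints an audit line for each change. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the user list and the $targetState value are constructed sample data.

```powershell
# Added example (not from the original article). Assumes the MSOnline module is
# installed and you have already run Connect-MsolService as an administrator.
# $targetState and the user list below are constructed sample values.
$targetState = "Enforced"    # Enabled or Enforced
$users = "bsimon@contoso.com","jsmith@contoso.com","ljacobson@contoso.com"

# Returns the user's current MFA state. An empty requirements collection means Disabled.
function Get-MfaState {
    param([string]$Upn)
    $u = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
    $req = $u.StrongAuthenticationRequirements
    if ($null -eq $req -or $req.Count -eq 0) { return "Disabled" }
    return $req[0].State
}

# Writes the requested state using the same object the article uses.
function Set-MfaState {
    param([string]$Upn, [string]$State)
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = $State
    Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @($st) -ErrorAction Stop
}

foreach ($user in $users) {
    $current = Get-MfaState -Upn $user
    if ($current -eq $targetState) {
        Write-Host "$user is already $targetState, skipping"
    }
    elseif ($current -eq "Disabled" -and $targetState -eq "Enforced") {
        # Do not jump Disabled -> Enforced: the user has not registered or created
        # app passwords yet, so non-browser apps would stop working. Enable first;
        # re-run the script later to enforce once registration is complete.
        Write-Warning "$user is Disabled; setting Enabled instead of Enforced"
        Set-MfaState -Upn $user -State "Enabled"
    }
    else {
        Set-MfaState -Upn $user -State $targetState
        Write-Host "$user changed from $current to $targetState"
    }
}

# Audit: list the resulting state of every user in the directory so the change can be verified.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{ Name = "MfaState"; Expression = {
            if ($_.StrongAuthenticationRequirements.Count -eq 0) { "Disabled" }
            else { $_.StrongAuthenticationRequirements[0].State } } } |
    Format-Table -AutoSize
```

Run the script once with $targetState set to "Enabled", wait for users to register and create app passwords, then run it again with "Enforced"; the second run only touches users who are still Enabled and leaves already-Enforced users alone.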

For more information, see User states in Azure Multi-Factor Authentication.

Next Steps

Now that you have set up Azure Multi-Factor Authentication in the cloud, you can configure and set up your deployment. See Configuring Azure Multi-Factor Authentication for more details.