Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication

Multi-factor authentication (MFA) is a process in which a user is prompted for additional forms of identification during a sign-in event. For example, the prompt could be to enter a code on their cellphone or to provide a fingerprint scan. When you require a second form of identification, security is increased because this additional factor isn't easy for an attacker to obtain or duplicate.

Azure AD Multi-Factor Authentication and Conditional Access policies give you the flexibility to require MFA from users for specific sign-in events. For an overview of MFA, we recommend watching this video: How to configure and enforce multi-factor authentication in your tenant.

Important

This tutorial shows an administrator how to enable Azure AD Multi-Factor Authentication.

If your IT team hasn't enabled the ability to use Azure AD Multi-Factor Authentication, or if you have problems during sign-in, reach out to your Help desk for additional assistance.

In this tutorial you learn how to:

  • Create a Conditional Access policy to enable Azure AD Multi-Factor Authentication for a group of users.
  • Configure the policy conditions that prompt for MFA.
  • Test configuring and using multi-factor authentication as a user.

Prerequisites

To complete this tutorial, you need the following resources and privileges:

  • A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.

  • An account with global administrator privileges. Some MFA settings can also be managed by an Authentication Policy Administrator. For more information, see Authentication Policy Administrator.

  • A non-administrator account with a password that you know. For this tutorial, we created such an account, named testuser. In this tutorial, you test the end-user experience of configuring and using Azure AD Multi-Factor Authentication.

  • A group that the non-administrator user is a member of. For this tutorial, we created such a group, named MFA-Test-Group. In this tutorial, you enable Azure AD Multi-Factor Authentication for this group.

Create a Conditional Access policy

The recommended way to enable and use Azure AD Multi-Factor Authentication is with Conditional Access policies. Conditional Access lets you create and define policies that react to sign-in events and that request additional actions before a user is granted access to an application or service.

Overview diagram of how Conditional Access works to secure the sign-in process

Conditional Access policies can be applied to specific users, groups, and apps. The goal is to protect your organization while also providing the right levels of access to the users who need it.

In this tutorial, we create a basic Conditional Access policy to prompt for MFA when a user signs in to the Azure portal. In a later tutorial in this series, we configure Azure AD Multi-Factor Authentication by using a risk-based Conditional Access policy.

First, create a Conditional Access policy and assign your test group of users as follows:

  1. Sign in to the Azure portal by using an account with global administrator permissions.

  2. Search for and select Azure Active Directory. Then select Security from the menu on the left-hand side.

  3. Select Conditional Access, select + New policy, and then select Create new policy.

    A screenshot of the Conditional Access page, where you select 'New policy' and then select 'Create new policy'.

  4. Enter a name for the policy, such as MFA Pilot.

  5. Under Assignments, select the current value under Users or workload identities.

    A screenshot of the Conditional Access page, where you select the current value under 'Users or workload identities'.

  6. Under What does this policy apply to?, verify that Users and groups is selected.

  7. Under Include, choose Select users and groups, and then select Users and groups.

    A screenshot of the page for creating a new policy, where you select options to specify users and groups.

    Since none are assigned yet, the list of users and groups (shown in the next step) opens automatically.

  8. Browse for and select your Azure AD group, such as MFA-Test-Group, then choose Select.

    A screenshot of the list of users and groups, with results filtered by the letters M F A, and 'MFA-Test-Group' selected.

We've selected the group to apply the policy to. In the next section, we configure the conditions under which to apply the policy.

Configure the conditions for multi-factor authentication

Now that the Conditional Access policy is created and a test group of users is assigned, define the cloud apps or actions that trigger the policy. These cloud apps or actions are the scenarios that you decide require additional processing, such as prompting for multi-factor authentication. For example, you could decide that access to a financial application or use of management tools require an additional prompt for authentication.

Configure which apps require multi-factor authentication

For this tutorial, configure the Conditional Access policy to require multi-factor authentication when a user signs in to the Azure portal.

  1. Select the current value under Cloud apps or actions, and then under Select what this policy applies to, verify that Cloud apps is selected.

  2. Under Include, choose Select apps.

    Since no apps are yet selected, the list of apps (shown in the next step) opens automatically.

    Tip

    You can choose to apply the Conditional Access policy to All cloud apps or Select apps. To provide flexibility, you can also exclude certain apps from the policy.

  3. Browse the list of available sign-in events that can be used. For this tutorial, select Microsoft Azure Management so that the policy applies to sign-in events to the Azure portal. Then choose Select.

    A screenshot of the Conditional Access page, where you select the app, Microsoft Azure Management, to which the new policy will apply.

Configure multi-factor authentication for access

Next, we configure access controls. Access controls let you define the requirements for a user to be granted access. They might be required to use an approved client app or a device that's hybrid-joined to Azure AD.

In this tutorial, configure the access controls to require multi-factor authentication during a sign-in event to the Azure portal.

  1. Under Access controls, select the current value under Grant, and then select Grant access.

    A screenshot of the Conditional Access page, where you select 'Grant' and then select 'Grant access'.

  2. Select Require multi-factor authentication, and then choose Select.

    A screenshot of the options for granting access, where you select 'Require multi-factor authentication'.

Activate the policy

Conditional Access policies can be set to Report-only if you want to see how the configuration would affect users, or Off if you don't want to use the policy right now. Because a test group of users is targeted for this tutorial, let's enable the policy, and then test Azure AD Multi-Factor Authentication.

  1. Under Enable policy, select On.

    A screenshot of the control that's near the bottom of the web page where you specify whether the policy is enabled.

  2. To apply the Conditional Access policy, select Create.

Test Azure AD Multi-Factor Authentication

Let's see your Conditional Access policy and Azure AD Multi-Factor Authentication in action.

First, sign in to a resource that doesn't require MFA:

  1. Open a new browser window in InPrivate or incognito mode and browse to https://account.activedirectory.windowsazure.com.

    Using a private mode for your browser prevents any existing credentials from affecting this sign-in event.

  2. Sign in with your non-administrator test user, such as testuser. Be sure to include @ and the domain name for the user account.

    If this is the first instance of signing in with this account, you're prompted to change the password. However, there's no prompt for you to configure or use multi-factor authentication.

  3. Close the browser window.

You configured the Conditional Access policy to require additional authentication for the Azure portal. Because of that configuration, you're prompted to use Azure AD Multi-Factor Authentication or to configure a method if you haven't yet done so. Test this new requirement by signing in to the Azure portal:

  1. Open a new browser window in InPrivate or incognito mode and browse to https://portal.azure.com.

  2. Sign in with your non-administrator test user, such as testuser. Be sure to include @ and the domain name for the user account.

    You're required to register for and use Azure AD Multi-Factor Authentication.

    A prompt that says 'More information required.' This is a prompt to configure a method of multi-factor authentication for this user.

  3. Select Next to begin the process.

    You can choose to configure an authentication phone, an office phone, or a mobile app for authentication. Authentication phone supports text messages and phone calls, office phone supports calls to numbers that have an extension, and mobile app supports using a mobile app to receive notifications for authentication or to generate authentication codes.

    A prompt that says, 'Additional security verification.' This is a prompt to configure a method of multi-factor authentication for this user. You can choose as the method an authentication phone, an office phone, or a mobile app.

  4. Complete the instructions on the screen to configure the method of multi-factor authentication that you've selected.

  5. Close the browser window, and log in again at https://portal.azure.com to test the authentication method that you configured. For example, if you configured a mobile app for authentication, you should see a prompt like the following.

    To sign in, follow the prompts in your browser and then the prompt on the device that you registered for multi-factor authentication.

  6. Close the browser window.
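The policy built through the portal above, expressed as the Microsoft Graph conditionalAccessPolicy body it corresponds to, plus a small evaluator that replays the two test sign-ins just described (the account portal, which is not targeted, and the Azure portal, which is). This is an added example, not code from this tutorial or from Microsoft; the group id is a constructed placeholder, and the app id is the well-known first-party id for Microsoft Azure Management.

```python
"""Added example (not Microsoft's code): the tutorial's 'MFA Pilot' policy as a
Microsoft Graph conditionalAccessPolicy body, plus a simplified evaluator that
replays the tutorial's two test sign-ins against it."""
import json

# Well-known first-party app id for "Microsoft Azure Management" (Windows Azure
# Service Management API); the group id below is a constructed placeholder.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
MFA_TEST_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder

def build_policy(group_id: str, state: str = "enabled") -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    mirroring the portal steps: group assignment, Microsoft Azure Management,
    grant access with 'Require multi-factor authentication'."""
    if state not in ("enabled", "disabled", "enabledForReportingButNotEnforced"):
        raise ValueError(f"unknown policy state: {state}")
    return {
        "displayName": "MFA Pilot",
        "state": state,  # 'enabledForReportingButNotEnforced' is Report-only
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [AZURE_MANAGEMENT_APP_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def evaluate(policy: dict, user_groups: set, app_id: str) -> str:
    """Simplified evaluation of this one policy for a single sign-in.
    Returns 'mfa' (prompt), 'report-only' (logged, not enforced) or 'none'."""
    cond = policy["conditions"]
    in_scope = (bool(user_groups & set(cond["users"]["includeGroups"]))
                and app_id in cond["applications"]["includeApplications"])
    if not in_scope or policy["state"] == "disabled":
        return "none"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report-only"
    return "mfa" if "mfa" in policy["grantControls"]["builtInControls"] else "none"

if __name__ == "__main__":
    policy = build_policy(MFA_TEST_GROUP_ID)
    print(json.dumps(policy, indent=2))
    # account.activedirectory.windowsazure.com is not the targeted app: no prompt
    print(evaluate(policy, {MFA_TEST_GROUP_ID}, "some-other-app-id"))
    # portal.azure.com is covered by Microsoft Azure Management: MFA prompt
    print(evaluate(policy, {MFA_TEST_GROUP_ID}, AZURE_MANAGEMENT_APP_ID))
```

The evaluator only models the include conditions and the MFA grant control used in this tutorial; the real service also applies exclusions, other conditions and the operator across multiple controls.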

Clean up resources

If you no longer want to use the Conditional Access policy that you configured as part of this tutorial, delete the policy by using the following steps:

  1. Sign in to the Azure portal.

  2. Search for and select Azure Active Directory, and then select Security from the menu on the left-hand side.

  3. Select Conditional Access, and then select the policy that you created, such as MFA Pilot.

  4. Select Delete, and then confirm that you want to delete the policy.

    To delete the Conditional Access policy that you've opened, select Delete, which is located under the name of the policy.

Next steps

In this tutorial, you enabled Azure AD Multi-Factor Authentication by using Conditional Access policies for a selected group of users. You learned how to:

  • Create a Conditional Access policy to enable Azure AD Multi-Factor Authentication for a group of Azure AD users.
  • Configure the policy conditions that prompt for multi-factor authentication.
  • Test configuring and using multi-factor authentication as a user.