Multifactor authentication (MFA) requires users to submit two or more forms of identification when signing into a service, for example, requiring a user to enter a password and then confirm their identity by entering a unique code sent to them via text or email.
Password-based access control carries elevated risk if it’s your only security measure protecting critical services, like an organization’s Azure tenant and their data. All it takes is time and easily available software for an attacker to compromise a weak password and gain access to anything managed by those Azure Active Directory credentials. Adding even just one additional layer of authentication reduces risk significantly.
That said, it’s a good idea for managed service providers (MSPs) to have a solid understanding of how to deploy multifactor authentication in Azure Active Directory. Here’s how it works, why it matters and what best practices you should follow to get deployment right the first time.
Core concepts of multifactor authentication in Azure AD
When enabled, multifactor authentication in Azure AD requires users to authenticate themselves using two or more methods in three broad categories:
Something a user knows
Most commonly passwords, but often also biographical information, like a mother’s family name, a pet’s name or a former address.
Something they are
In other words, biometrics. Azure AD can accept many biometric credentials, including fingerprints and facial recognition scans.
Something they have
Lastly, credentials can be external assets, like an authentication app on a smartphone or a hardware key.
Users can also perform self-service password resets without contacting their MSP for support when enrolled in multifactor authentication in Azure AD. Since they registered multiple ways to identify themselves, you can safely allow them to modify one set of credentials if they can authenticate using other methods.
Multifactor authentication in Azure AD protects users, businesses and MSPs
Passwords are notoriously weak, and businesses that rely solely on passwords for security are putting themselves at unnecessary risk. A study from Microsoft found that applying a second layer of authentication—any layer—reduced the risk that user credentials would be compromised to 0.1 percent.
Attackers use various mechanisms to compromise credentials, from brute force password crackers to social engineering and more sophisticated man-in-the-middle network attacks. Each access control method is vulnerable to different attacks. When you combine two or more, the risk compromise plummets. The costs in time and money of breaking multifactor authentication are so high that most attackers simply choose to look for an easier target.
Types of authentication available for MFA in Azure AD
Azure AD supports a variety of different authentication methods:
- Voice call
- Microsoft Authenticator
- Authenticator Lite (in Outlook)
- Windows Hello for Business
- FIDO2 security keys
- OATH hardware or software tokens
Users must first register each method but once registered, all will be available to select from authentication prompts.
How to enable Azure AD MFA for clients
If you can make global changes without impact, you can set a security default in Azure AD to require multifactor authentication and the Microsoft Authenticator app for all users. In other situations, conditional access policies allow you to set more granular controls over which applications or events require MFA. For example, you may not need multifactor authentication if someone tries to access SharePoint from within your local network. But you may require two or more modes if the same user tries accessing that resource externally.
Best practices for deploying MFA for Azure AD
You should follow some best practices when setting up multifactor authentication in Azure on a new or existing Azure tenant.
Choose authentication methods for MFA
As an MSP, you have control over which MFA methods are and are not available in each client tenant. Therefore, take the time to evaluate the different options identified above so you know which will work best for each client’s security and operational needs.
When in doubt, the Microsoft Authenticator is a reliable default choice. It is easy to use, available on all major mobile device platforms and functions in several versatile modes, including passwordless authentication, OATH codes, and MFA push notifications. It also meets the rigorous Authenticator Assurance Level 2 requirements from the National Institute of Standards and Technology (NIST).
Identify the best session lifetime
After selecting appropriate MFA methods, consider how long you want sessions to last. Again, this will be driven by client security and operational needs. Each organization will be different.
Set sessions too long, and you open security risks by leaving unattended sessions open. But making them too short also introduces risk as you can desensitize users to authentication prompts, inadvertently increasing the risk a social engineering attack will fool them.
Plan how you will register users
All your security service design will go to waste if you don’t efficiently enroll new users. With some methods, like voice or SMS authentication, you can auto-enroll users as you’ll typically have phone numbers and email addresses already captured. Other methods, like the Authenticator app, require active user involvement.
Plan your recovery processes
Live by Murphy’s Law: anything that can go wrong will go wrong. So, despite the effort you put into system design and user training, you need to plan for recovering lost or forgotten credentials.
When in doubt, Azure offers Temporary Access Passes to allow users to reset their credentials. Just be aware of social engineering attacks.
Azure allows you to monitor rollout progress and authentication usage across your client’s entire organization. You’ll be able to identify important trends, easily pick out anomalies and generate meaningful business insights.
Easily deliver Microsoft Azure with an expert partner
Sherweb helps MSPs of all stripes navigate the Microsoft ecosystem and deliver maximum value for their clients. Can Sherweb help you deploy multifactor authentication in Azure?