Enforce (Azure) MFA with Conditional Access policies

Multi Factor Authentication (MFA) is an added security feature from Azure which I believe that should be enabled by default for everybody in Office 365 and Azure. There for this manual how to enforce (Azure) MFA for all users using Azure Multi Factor Authentication

MFA can prevent unauthorized access in case of the following events:

  • Leaked credentials
  • Sign-ins from anonymous IP addresses
  • Impossible travel to atypical locations
  • Sign-ins from unfamiliar locations
  • Sign-ins from infected devices
  • Sign-ins from IP addresses with suspicious activities

Using Conditional access we can ensure that your users and company data is safe. Important to know is that Office 365 MFA is free of charge, and if you have Azure AD applications an Azure AD Premium license is required.

Named location

If you want to mark your locations as trusted location, you can do that if you have a static public IP. So the first steps are there to define your office locations.

STEP 1: From the Azure portal go to Azure Active Directory, and click on Conditional Access, Named locations, and finally click on New location

STEP 2: Fill in the name of the office, select it as an trusted location and fill in the IP range. You can also use the named location to assign countries and/or locations where you can always enforce MFA if you want to.

Configure MFA

STEP 3: Now its time to go ahead with the settings for MFA. From Azure Active Directory click on MFA, and choose Additional cloud-based MFA settings.

From the multi-factor authentication “service settings” we can change a few options. Import part of this web-page is the authentication methods available to users. Select the options that you would like to allow. You can also enable remember MFA on trusted devices.

Configure Conditional Access policies

STEP 4: Go back to the Azure Active Directory, Conditional Access, and the policies. Click on New policy

STEP 5: First we will assign the users that the policy applies to. You can either choose a group, or even better, select All users. (For this manual I’ve just added a group)

STEP 6: Now we can select cloud apps to enforce this policy on. I am recommending to apply this policy to all cloud apps

STEP 7 (Optional): If you want to exclude trusted locations from steps 1 and 2 you can do this on the Conditions tab. Go to locations and configure the Excluded trusted location like below in the screenshot

STEP 8: On the Grant tab make sure that you Grant access, and mark the checkbox for Require multi-factor authentication.

STEP 9: Fill in the name of your Policy and make sure that it is enabled and click create. After this the policy should be effective within just a few minutes.

More information on this topic can be found on the Microsoft website with more complex situations. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted

Leave a Reply

Your email address will not be published. Required fields are marked *