Blog | 05 Mar

MFA for Azure admins will soon be enforced

Jean-Yves Moschetto (ANVOLE) | MFA, Azure, Office 365 | Active Directory, Office 365, Azure

Context

Identity attacks have increased by 300% in the last year.
Many IT staff also use their standard AD account as an Azure AD administrator account.
If your company is a Microsoft Cloud Service Provider (CSP), by default it can be delegated the "general Admin" role on customer tenants.

 

That means that:

1/ You will harden IT admin workstations with BitLocker and other policies and tools

2/ Your tenant will have to be MFA compliant, for the security of your company and your customers

3/ If your daily account is also an admin account, think about creating a dedicated admin account with MFA, and remove all privileges from your daily account

Good news: MFA for admins does not require an additional E3 or E5 license.

 

Activation

MFA for admins can simply be enforced now.

Go to Azure Portal / Azure Active Directory / Enterprise applications / Conditional Access

[Screenshot MFA01]

When you open the policy "Baseline policy: Require MFA for admins", you see what we are talking about:

[Screenshot MFA02]

Of course you can also set MFA for admins one by one here:
https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx
but that is not a global enforcement policy (hackers are always looking for weak points).
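Before switching the baseline policy on, it helps to know which admin accounts exist, which of them still belong to a "daily" user (point 3/ above), and which have not yet registered a verification method or had per-user MFA set on the page linked just above. The PowerShell below is an added example written for this article, not code from the original post or from Microsoft; it assumes the MSOnline module is installed, that `Connect-MsolService` has already been run with an account allowed to read users and directory roles, and that the role list in `$PrivilegedRoles` (MSOnline names, e.g. "Company Administrator" for Global Administrator) is adjusted to your tenant.

```powershell
# Added example (not from the original post): audit the MFA posture of
# Azure AD privileged-role members with the MSOnline module, and optionally
# turn on per-user MFA for one account.
# Assumptions: MSOnline module present, Connect-MsolService already done,
# role names below exist in the tenant (MSOnline naming, not portal naming).

$PrivilegedRoles = @(
    'Company Administrator',            # Global Administrator in the portal
    'Exchange Service Administrator',
    'SharePoint Service Administrator',
    'Security Administrator',
    'Conditional Access Administrator',
    'User Account Administrator',
    'Helpdesk Administrator',
    'Billing Administrator'
)

function Get-AdminMfaReport {
    param([string[]] $RoleNames = $PrivilegedRoles)

    $seen = @{}   # ObjectId -> report object, so a user in several roles is listed once
    foreach ($roleName in $RoleNames) {
        $role = Get-MsolRole -RoleName $roleName -ErrorAction SilentlyContinue
        if (-not $role) { continue }   # role name not present in this tenant

        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            # Groups and service principals are out of scope for a user MFA check
            if ($member.RoleMemberType -ne 'User') { continue }

            if ($seen.ContainsKey($member.ObjectId)) {
                $seen[$member.ObjectId].Roles += $roleName
                continue
            }

            $user = Get-MsolUser -ObjectId $member.ObjectId
            $seen[$member.ObjectId] = [pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName
                Roles             = @($roleName)
                # State set from the per-user page: 'Enabled', 'Enforced', or empty
                PerUserMfaState   = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
                # Registered methods, e.g. PhoneAppNotification, PhoneAppOTP, OneWaySMS
                RegisteredMethods = @($user.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
            }
        }
    }
    $seen.Values
}

function Enable-PerUserMfa {
    # Same effect as ticking one user on the MultifactorVerification.aspx page.
    param([Parameter(Mandatory)][string] $UserPrincipalName)

    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'   # switch to 'Enforced' once the user has registered a method
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Usage: list every admin with roles, per-user MFA state and registered methods
$report = Get-AdminMfaReport
$report | Sort-Object UserPrincipalName | Format-Table UserPrincipalName, PerUserMfaState,
    @{ n = 'Roles';   e = { $_.Roles -join ', ' } },
    @{ n = 'Methods'; e = { $_.RegisteredMethods -join ', ' } } -AutoSize

# Admins with no verification method yet: these are the accounts the baseline
# policy will force through registration at their next sign-in.
$report | Where-Object { $_.RegisteredMethods.Count -eq 0 } |
    ForEach-Object { Write-Warning "No MFA method registered: $($_.UserPrincipalName)" }
```

Run the report first and go through the list by hand: an admin UPN that is also someone's everyday mailbox is exactly the case point 3/ asks you to replace with a dedicated admin account. `Enable-PerUserMfa` is kept separate and not called automatically so that nothing changes in the tenant until you decide to.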

 

MFA user side

Once MFA for admins is enforced, it can be used with mobile app confirmation or SMS confirmation.

For this example, we will use the mobile application (it is easier to confirm over the Internet than by SMS or phone call when you are in a datacenter).

For each admin user, from a PC, go to https://aka.ms/mfasetup , or directly to https://account.activedirectory.windowsazure.com/proofup.aspx?proofup=1 , and authenticate:
  • Under "what's your preferred option?", select "Use verification code from app or token"
  • Tick the box "Authenticator app or Token"
  • Press the button "Set up Authenticator app"

[Screenshot MFA03]

You will see the screen below:

[Screenshot MFA04]

Switch to your mobile phone and install Microsoft Authenticator for Windows Phone, Android or iOS from your mobile store.
On Android, launch the "Play Store" app, type "Microsoft Authenticator", select the app, then install it.

[Screenshot MFA05]

Tap the "..." button, then "Add account", or the "+" button.

[Screenshot MFA06]

Select "Work or school account" (shown as "Professional account" on a French phone).

[Screenshot MFA07]

Then scan the QR code displayed on your PC. The account is added to your phone automatically.

[Screenshot MFA08]

Switch back to your PC and click "Next" in the window with the QR code.

[Screenshot MFA09]

You should now receive a notification on your mobile.

[Screenshot MFA10]

Your mobile is listed on the PC; in our case "S41".

Click "Save".

[Screenshot MFA11]

"Et voilà"

[Screenshot MFA12]

 

MFA authentication

Enter your account and password.

[Screenshot MFA13]

The MFA screen appears on your PC.

[Screenshot MFA14]

Switch to the Authenticator app on your mobile and tap "Approve".

"Et voilà", you have used MFA for privileged Azure AD accounts!

[Screenshot MFA15]
