X
GO
en-USfr-FR
05mars

MFA for Azure admins will be soon enforced

Jean-Yves Moschetto (ANVOLE) | MFA, Azure, Office 365 | Azure, Office 365, Active Directory | | View Counts (1382) |Return|
0 ( 3 reviews)
|

Context

Identity attacks have increased by 300% in the last year.
Many IT guys use their standard AD account also as Azure AD administrator.
If your company is a MS Cloud Service Provider (CSP), by default it can delegate "general Admin" role on Customer tenant.

 

That means that:

1/ You will harden IT admins workstations with BitLocker and other policies and tools

2/ Your tenant will have to be MFA compliant, for your company and customers security

3/ If your daily account is also admin, think about creating a dedicated admin account with MFA, and remove all privileges from your daily account

Good news: MFA for admins do not require additional E3 or E5 license.

 

Activation

MFA for admins can simply be enforced now.

Go to Azure Portal / Azure Active Directory / Enterprise applications / Conditional Access

MFA01
When you detail policy "Baseline policy: Require MFA for admins", you see what we are talking about MFA02

Of course you can also set MFA for admins one by one here:
https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx
but that is not a global enforcement policy (hackers are always looking for weak points).

 

MFA user side

Once MFA for admins is enforced, it can be used with mobile confirmation, SMS confirmation.

For this example, we will use mobile application (it's easier using Internet for confirmation, rather than SMS or phone calls when you are in a datacenter)

For each admin user, from a PC, goto : https://aka.ms/mfasetup , or directly here: https://account.activedirectory.windowsazure.com/proofup.aspx?proofup=1 , authenticate
  • Select “ what's your preferred option? ” : Use verification code from app or token
  • Check box “Authenticator app or Token”
  • Press button “Set up Authenticator app”

MFA03

You will see the beyond screen:
MFA04

Switch to your mobile phone, and then, install the Microsoft Authenticator for Windows Phone, Android or iOS , or through your mobile store
On android, launch app "Play Store"
Type "Microsoft Authenticator"
Select app, then

 
MFA05
Click on "..." button then "Add account" or "+" button MFA06
Select "Professional account" MFA07
Then, scan the previous QR code displayed on your PC
The account will automatically be added on your phone
MFA08
Switch back to your PC, click from the widows with QR Code MFA09
You should receive now a notification on your mobile MFA10

You will see your mobile displayed; In our case “S41”

Click
MFA11
"Et voilà" MFA12

 

MFA authentication

Enter your account and password MFA13
You will see MFA screen coming on your PC MFA14
Switch to your mobile Authenticator
Click on button
 
"Et voilà", you used MFA for privileged Azure AD accounts !!!
MFA15

 

Related

Hard to replicate Exchange Connectors

When you have multiple Microsoft Exchange Servers receiving emails, you have to create exactly the s...

Performance tuning Windows Server 2016 containers

Windows Server 2016 is the first version of Windows to ship support for container technology built i...

Authenticating users with smartcard and login/password

When a user opens an Active Directory session with his smartcard, it happens that some applications ...

Risques liés à Office 365 et Azure

La méconnaissance Office 365 et Azure de certains DSI me fait très peur. Cela s'adresse égaleme...

La sécurisation des environnements Cloud Microsoft

L'objectif de cette présentation est de parcourir rapidement certains points clés de sécurité lo...

ANVOLE participe aux ateliers de la Cybersécurité

ANVOLE participe aux ateliers de la Cybersécurité et présentera "La sécurisation des environnem...