In this video, Pete Zerger explains Multi-Factor Authentication (MFA) registration requirements and options in Azure Active Directory Premium, as well as how to configure unique MFA settings for different groups in your organization.
- [Instructor] User registration is an important part of multi-factor authentication with Azure AD Premium. This information is applicable to all three identity models: cloud identity, synchronized identity, and federated identity. Cloud identity is used standalone. Synchronized identity is where we synchronize on-premises identities to Azure AD. And federated is where we implement ADFS to enable validation of credentials against our on-premises Active Directory. You can require users to register, which means they'll be redirected to the My Apps page on their next login.
In the Azure Classic Portal, the only option is to enable this for all users, and it also states this is not currently supported for Office 365 sign-ins, but there's no option to enable for groups. If your org purchases Azure AD Premium Plan 2, you'll actually gain more control. When you go into the Azure AD Identity Protection portal, then click on Settings, you'll find a multi-factor authentication section with the registration menu. And here, you'll see registration status, and you're able to set a policy that requires users to register their credentials online.
The nice part about using this policy, instead of the old setting in the classic portal, is that you can now define a group of users, including dynamic groups; it's not necessary to enable all users at once. Depending on how you set up MFA, there are a few places where users can change their settings, like their phone number. If your IT admin sent out a specific URL or steps to manage two-step verification, users will go to that My Apps portal where they can change their authentication option, assuming you're requiring multi-factor.
They can set their authentication phone and alternate phone, as well as the authentication app, which is available on all the common platforms. Note that your users can also change their Azure AD password from here, as well as register for self-service password reset. One-time bypass allows a user to authenticate a single time by bypassing multi-factor authentication. This bypass is temporary and expires after a specified number of seconds.
In situations where the mobile app or phone is not receiving the notification or that phone call, you can enable a one-time bypass so the user can access the desired resource. Fraud alert can be configured and set up so that your users can report fraudulent attempts to access their resources. Users can report fraud either with the mobile app or through their phone. You have a couple of configurable options here. You can block the user when fraud is reported. So, if the user reports fraud, their account is simply blocked.
Or you can send a code to report fraud during the initial greeting. So, users normally press pound to confirm two-step verification. If they want to report fraud, they enter a code before pressing pound. This code is zero by default, but you can customize it. The Microsoft Authenticator app on your mobile device provides an additional level of security for your Azure AD accounts: your synchronized on-premises work account, for example, or your Microsoft account. The Microsoft Authenticator app works in one of two ways.
Notification: the app can help prevent unauthorized access to accounts and stop fraudulent transactions by pushing a notification to your smartphone or your tablet. You simply view the notification, and if it's legitimate, select Verify; otherwise, you can select Deny. And also a password with a verification code: the app can be used as a software token to generate an OATH verification code as a second factor of authentication. After you enter your username and password, you enter the code provided by the app into the sign-in screen.
Once you steer your users through the registration process, you've enabled an important additional layer of protection for user identities, regardless of which identity model you've implemented. User registration status on the whole is only easily viewable in Azure AD Identity Protection under current registration status, which requires Azure AD Premium P2. However, since we're typically forcing registration on the next sign-in, this is generally not a big concern.
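As an added example (not from the course or from Microsoft's own material), the following Microsoft Graph PowerShell script audits the registration policy's target group described above: it lists which members have registered an MFA method and which are still pending. The group display name is a constructed placeholder, and the permission scopes and SDK availability are assumptions.

```powershell
# Added example: report MFA registration status for the members of the group
# targeted by an MFA registration policy.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# admin is allowed to read group membership and the registration report.
$GroupName = 'MFA-Registration-Pilot'   # constructed placeholder group name

Connect-MgGraph -Scopes 'GroupMember.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found" }

# Object ids of the group's members; users are matched to the report by id below.
$memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id

# Tenant-wide registration details, keyed by user object id.
$report = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $report[$_.Id] = $_ }

$rows = foreach ($id in $memberIds) {
    $detail = $report[$id]
    if (-not $detail) { continue }   # nested groups or non-user members have no report entry
    [pscustomobject]@{
        User          = $detail.UserPrincipalName
        MfaRegistered = $detail.IsMfaRegistered
        Methods       = ($detail.MethodsRegistered -join ',')
    }
}

# Members with no registered method are the ones the policy will redirect on next sign-in.
$pending = @($rows | Where-Object { -not $_.MfaRegistered })
$rows | Sort-Object MfaRegistered, User | Format-Table -AutoSize
Write-Host ("{0} of {1} group members have not registered an MFA method." -f $pending.Count, @($rows).Count)
```

Run it periodically after enabling the policy; a member who stays in the pending list for long has not signed in (or is excluded), and is worth following up on before tightening conditional access.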
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups