In this video, Pete Zerger demonstrates how to configure some general Azure Multi-Factor Authentication settings to customize and enhance the user experience in MFA scenarios.
- For the best user experience, we need to configure Azure Multi-Factor Authentication features to suit our environment. Here I am in the Azure portal. I'll click the classic portal, which will authenticate me to my default directory right away, and I'll go to the Configure tab. On the Configure tab, I'll find the multi-factor authentication section and the Manage service settings option. Now straightaway I'll see a couple of settings here: app passwords, which enable the use of legacy apps in MFA scenarios, and trusted IPs, which allow us to control MFA behavior based on the user's location.
These are actually larger topics worthy of a dedicated discussion. We're going to leave these for now and touch on a number of general MFA settings you can use to optimize your user experience. And if I scroll down the list here, we'll see I can enable, number one, verification options. So what are the options available to my users for that second factor of authentication? In my environment here I have enabled call to phone, text message, notification through the mobile app (the authenticator app), and verification code via the mobile app.
And just below this, we see the remember multi-factor authentication option. Remember multi-factor authentication for devices and browsers that users trust is a free feature for all MFA users. It basically allows us to give users the option to bypass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may perform that two-step verification on the same device.
For browsers, remembering MFA works by setting a persistent cookie in the browser when the user checks the "Don't ask again for X days" box. This check box isn't shown on non-browser apps, whether they support modern authentication or not. These apps use refresh tokens that provide new access tokens every hour, which Azure AD checks to confirm two-step verification was performed within the configured number of days. When we have a known compromise, this setting can put our environment at risk, and we may want to reverse the setting.
The good news is, we can do this by checking the restore multi-factor authentication on all remembered devices setting, which means the user will be challenged to perform two-step verification the next time they sign in, regardless of whether they chose to mark their devices as trusted. Strangely, while remembering MFA on trusted devices reduces the number of authentications on web apps, which normally prompt every time, it actually increases the number of authentications for modern auth clients, which normally prompt every ninety days.
When I scroll to the bottom of my page here, we'll notice an option to configure advanced settings, which will take me to another Azure Multi-Factor Authentication page where I can configure some additional settings that influence the user experience in a couple of targeted areas. So one of those is fraud alert. I can enable fraud alert so users can submit a fraud alert, and I can control the action that's performed when the user submits that alert. For example, by default, block a user when fraud is reported.
I can also configure one-time bypass. The one-time bypass allows a user to authenticate a single time without performing two-step verification. This is temporary; it expires after a number of seconds, but it's useful when a user's phone or mobile app isn't receiving that call as it normally does. You see the default here is 300 seconds. Voice message is another area of customization that lets you customize MFA specifically for your organization.
This allows you to use your own recordings or greetings for two-step verification. These can be used in addition to, or to replace, the Microsoft recordings to tailor the experience to your organization. Make sure to check the current message length, file size, and format restrictions on the Microsoft site to ensure you're within those limits, as there's certainly not an unlimited time or size for that voice message. Caching is a setting that allows us to establish a specific time period so that subsequent authentication attempts within that period succeed automatically.
This is typically used on premises with systems such as VPNs that send multiple verification requests while the first request is still in progress. This allows subsequent requests to succeed automatically after the user succeeds in the first verification process. Caching is not used for sign-ins to Azure AD. So I can establish the caching: the cache type, whether it's user authentication and/or application specific, and the number of seconds I allow that caching feature to take hold.
So again, you're going to use this in very targeted scenarios, not Azure Active Directory. And these are a few of the general settings for Azure Multi Factor Authentication that you can configure to optimize your user experience.
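The verification options discussed in the video are set tenant-wide, but which methods each user has actually registered, and what their default second factor is, only shows up per user. As an added example that is not part of the video, the following PowerShell audit uses the MSOnline module (the PowerShell module of the same era as the classic portal shown here) to list each user's per-user MFA state and registered verification methods, and flags users whose default is a phone call or text message rather than the authenticator app. The cmdlets and property names are the MSOnline module's own; the tenant you connect to and the CSV output path are assumptions.

```powershell
# Added example, not from the video: audit per-user MFA state and registered
# verification methods with the MSOnline module (classic-portal era).
# Requires: Install-Module MSOnline, and an admin sign-in when prompted.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in to the tenant (tenant is an assumption)

# Map the MethodType values MSOnline reports to the verification options named in the video
$methodNames = @{
    'TwoWayVoiceMobile'    = 'Call to phone (mobile)'
    'TwoWayVoiceOffice'    = 'Call to phone (office)'
    'OneWaySMS'            = 'Text message to phone'
    'PhoneAppNotification' = 'Notification through mobile app'
    'PhoneAppOTP'          = 'Verification code from mobile app'
}
$phoneBased = 'TwoWayVoiceMobile', 'TwoWayVoiceOffice', 'OneWaySMS'

$report = Get-MsolUser -All | Where-Object { -not $_.BlockCredential } | ForEach-Object {
    $methods = @($_.StrongAuthenticationMethods)
    $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1

    [PSCustomObject]@{
        UserPrincipalName = $_.UserPrincipalName
        # Per-user MFA state is Enabled or Enforced; no requirement object means Disabled
        MFAState          = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                                $_.StrongAuthenticationRequirements[0].State
                            } else { 'Disabled' }
        DefaultMethod     = if ($default) { $methodNames[$default.MethodType] } else { 'None registered' }
        RegisteredMethods = ($methods | ForEach-Object { $methodNames[$_.MethodType] }) -join '; '
        # Phone-based second factors are weaker than app-based ones; flag users whose
        # default is voice or SMS so they can be moved to the authenticator app.
        PhoneOnlyDefault  = [bool]($default -and $default.MethodType -in $phoneBased)
    }
}

$report | Sort-Object MFAState, UserPrincipalName | Format-Table -AutoSize
# Output path is an assumption; adjust to suit your environment
$report | Export-Csv -Path .\mfa-method-audit.csv -NoTypeInformation
```

Run it from an admin workstation after enabling the verification options you want; users listed with `MFAState` of `Enabled` but `None registered` have not yet completed registration, and those with `PhoneOnlyDefault` set to `True` are the ones to target first when steering the organization toward the mobile app.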
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups