In this video, Pete Zerger explains Multi-Factor Authentication (MFA) versions and capabilities in Azure Active Directory, as well as the authentication process flow behind a user request in an MFA-enabled scenario.
- [Instructor] We can enable multi-factor authentication in any of the identity models we can implement with Azure. For this discussion, we'll focus on the synchronized identity model since it's the most common. There are multiple versions of multi-factor authentication in Azure AD, and the capabilities and the scope depend on the version we have access to. If our Azure AD instance is the one that comes free with Office 365, our MFA will only work with Office 365 applications and will lack some of the advanced capabilities of Azure MFA, which comes in Azure AD Premium.
We get MFA for our Azure admin account in the free tier, but only for our admin accounts. It's only in the Azure AD Premium tier that we have access to the advanced MFA features, such as conditional access and the identity protection feature, which can further evaluate context and risk associated with log-on requests. How we enable MFA depends on the version of Azure AD we're working with. In the free tier of Azure AD, we have an extra step, in that we have to enable and add an MFA provider, which is only possible in the classic portal today and unnecessary in any other scenario.
How we enable MFA for a user in Azure AD Premium depends on where we try to do this. In the classic portal, you'll find a section titled Multi-factor Authentication under the domain section, and in the new portal you may not see an obvious per-user option, but you can enable MFA for a user by enabling a conditional access policy and scoping it to an individual user. We can also enable MFA for a user via Azure PowerShell. I say Azure PowerShell because I can use the built-in cmdlets in the Azure PowerShell module.
I don't have to write PowerShell for the Graph API, for that REST API, which can be a little more challenging for the average IT pro. If we're using the free tier with an Office 365 subscription, we can enable MFA on a per-user basis in the Office 365 admin center. Since we're focused on the synchronized identity model, where the Active Directory user and password hash are synced to Azure AD, Azure AD Connect is a required prerequisite.
We need to assign an Azure AD Premium license to the user or users for whom we want to enable Azure MFA. Remember, it only comes in the Premium tier. And we can sign users in either of the Azure portals. I suspect work account is a phrase you've seen a few times, but maybe you're not quite sure what it means. In the context of Azure AD in the synchronized identity model, a work account is an Active Directory user account that has been synchronized to Azure AD with Azure AD Connect.
Let's look at MFA flow from a process perspective. It begins when the user attempts to access a resource, such as Office 365, where they're prompted to sign in and provide a username and a domain in the User Principal Name format and click log in. The Office 365 service in this case, which uses Azure AD as its directory service, will query Azure AD to authenticate that user, check their password, group memberships, et cetera. In this case, we've also enabled multi-factor authentication for the user, so depending on the conditions surrounding the log-in, they may be prompted for a second factor, like answering a phone call or responding to a text message.
If we've configured conditional access in Azure, Azure AD may verify other things in the background like whether the user's device has been marked as compliant, patched, domain joined, et cetera. If the user meets the criteria, enters their password correctly, and responds to that second factor, at that point they have application access. Based on the user's assigned rights and licenses, Azure AD will authenticate the user and grant them an authentication token, enabling resource access.
Then Azure AD evaluates application and user settings to determine what rights the user has in the application. In the Office 365 context, it would be checking settings like which Office 365 apps and settings are enabled for the user: email, SharePoint, OneDrive, storage limits, et cetera, and at this point grants an access token to the user for the application. This enables the user to access the app. And that's multi-factor authentication in Azure AD in the synchronized identity model.
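The two PowerShell routes the instructor mentions, per-user MFA with the built-in cmdlets and a conditional access policy scoped to a single user, as an added example that is not part of the video. It uses the legacy MSOnline module for per-user MFA and the AzureAD module for the conditional access policy; Microsoft has since deprecated both modules in favor of Microsoft Graph PowerShell, but the cmdlets shown are the ones the classic per-user method used. The user principal name, the policy name and the break-glass account object ID are placeholders, and the script assumes you are signed in with an account that has the Global Administrator or Conditional Access Administrator role.

```powershell
# Added example, not from the video. Requires the MSOnline and AzureAD modules
# (Install-Module MSOnline; Install-Module AzureAD). Both are legacy modules that
# Microsoft has deprecated in favor of Microsoft Graph PowerShell.
# Placeholders (assumptions): the UPN, the break-glass object ID, the policy name.

# --- 1. Per-user MFA (also works with the free tier plus Office 365) ---
Connect-MsolService   # interactive sign-in; the admin account used here should itself be MFA-protected

function Set-PerUserMfa {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced')] [string] $State = 'Enabled'
    )
    # StrongAuthenticationRequirement is the per-user object Azure AD stores for legacy MFA.
    # RelyingParty "*" means "require MFA for every application", not just one app.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-PerUserMfaState {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # An empty collection means per-user MFA is Disabled for this account.
    if (-not $user.StrongAuthenticationRequirements) { return 'Disabled' }
    return $user.StrongAuthenticationRequirements[0].State
}

Set-PerUserMfa -UserPrincipalName 'alice@contoso.example' -State 'Enabled'
Get-PerUserMfaState -UserPrincipalName 'alice@contoso.example'

# To remove per-user MFA again, pass an empty collection:
# Set-MsolUser -UserPrincipalName 'alice@contoso.example' -StrongAuthenticationRequirements @()

# --- 2. Conditional access policy scoped to one user (requires Azure AD Premium) ---
Connect-AzureAD

$targetUser   = Get-AzureADUser -ObjectId 'alice@contoso.example'
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of an emergency-access account

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = $targetUser.ObjectId
$conditions.Users.ExcludeUsers = $breakGlassId   # never put the break-glass account behind this policy

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator       = 'OR'
$controls.BuiltInControls = 'mfa'

# Start in report-only so the sign-in logs show what the policy would have done
# before it can block anyone; change -State to 'enabled' once the results look right.
New-AzureADMSConditionalAccessPolicy -DisplayName 'Require MFA - alice (pilot)' `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions `
    -GrantControls $controls
```

With per-user MFA, 'Enabled' only means the user is asked to register a second factor at their next interactive sign-in; 'Enforced' is the state after registration completes, when legacy protocols without an app password start failing. The conditional access route is the one to prefer on a Premium tenant, because it evaluates the sign-in context the transcript describes (device state, location) instead of applying a flat per-user flag, and the report-only state lets you check the sign-in logs before the policy can lock anyone out.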
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups