Section 7 - Implement an Authentication and Access Management Solution - Plan and implement Azure MFA

Time for section 7 in my SC-300 study guide. The topics for today are:
- plan Azure MFA deployment (excluding MFA Server)
- implement and manage Azure MFA settings
- manage MFA settings for users

What is Multi-factor Authentication?
Azure AD Multi-Factor Authentication (MFA) supplies added security for your identities by requiring two or more elements for full authentication.
These elements fall into three categories:
- Something you know – which might be a password or the answer to a security question.
- Something you possess – which might be a mobile app that receives a notification or a token-generating device.
- Something you are – which typically is a biometric property, such as a fingerprint or face scan used on many mobile devices.

Licensing
- Azure Active Directory Premium or Microsoft 365 Business – Both of these offerings support Azure AD Multi-Factor Authentication using security defaults to require multi-factor authentication.
- Azure AD Free or standalone Microsoft 365 licenses – Use security defaults that require multi-factor authentication for your users and administrators.
- Azure Active Directory Global Administrators – A subset of Azure AD Multi-Factor Authentication capabilities is available as a means to protect global administrator accounts.
| Feature | Azure AD Free – Security defaults (enabled for all users) | Azure AD Free – Global Administrators only | Office 365 | Azure AD Premium P1 | Azure AD Premium P2 |
|---|---|---|---|---|---|
| Protect Azure AD tenant admin accounts with MFA | ● | ● (Azure AD Global Administrator accounts only) | ● | ● | ● |
| Mobile app as a second factor | ● | ● | ● | ● | ● |
| Phone call as a second factor | | ● | ● | ● | ● |
| SMS as a second factor | | ● | ● | ● | ● |
| Admin control over verification methods | | ● | ● | ● | ● |
| Fraud alert | | | | ● | ● |
| MFA Reports | | | | ● | ● |
| Custom greetings for phone calls | | | | ● | ● |
| Custom caller ID for phone calls | | | | ● | ● |
| Trusted IPs | | | | ● | ● |
| Remember MFA for trusted devices | | ● | ● | ● | ● |
| MFA for on-premises applications | | | | ● | ● |
| Conditional access | | | | ● | ● |
| Risk-based conditional access | | | | | ● |
| Identity Protection (Risky sign-ins, risky users) | | | | | ● |
| Access Reviews | | | | | ● |
| Entitlements Management | | | | | ● |
| Privileged Identity Management (PIM), just-in-time access | | | | | ● |

| Policy | Security defaults | Conditional Access | Per-user MFA |
|---|---|---|---|
| Management | | | |
| Standard set of security rules to keep your company safe | ● | | |
| One-click on/off | ● | | |
| Included in Office 365 licensing (See license considerations) | ● | | ● |
| Pre-configured templates in Microsoft 365 Admin Center wizard | ● | ● | |
| Configuration flexibility | | ● | |
| Functionality | | | |
| Exempt users from the policy | | ● | ● |
| Authenticate by phone call or SMS | | ● | ● |
| Authenticate by Microsoft Authenticator and Software tokens | ● | ● | ● |
| Authenticate by FIDO2, Windows Hello for Business, and Hardware tokens | | ● | ● |
| Blocks legacy authentication protocols | ● | ● | ● |
| New employees are automatically protected | ● | ● | |
| Dynamic MFA triggers based on risk events | | ● | |
| Authentication and authorization policies | | ● | |
| Configurable based on location and device state | | ● | |
| Support for “report only” mode | | ● | |
| Ability to completely block users/services | | ● | |

Plan MFA Deployment
There are many methods that can be used as a second factor. Choose from the list of available authentication methods, evaluating each in terms of security, usability, and availability:
- Windows Hello for Business
- Microsoft Authenticator app
- FIDO2 security key (preview)
- OATH hardware tokens (preview)
- OATH software tokens
- SMS verification
- Voice call verification

Plan user registration
A major step in every multifactor authentication deployment is getting users registered to use Azure AD Multi-Factor Authentication. Some methods, such as voice and SMS, allow an administrator to pre-register a phone number on the user's behalf, while others, like the Authenticator app, require the user to complete the registration themselves. Administrators must therefore decide how users will register their methods before MFA is enabled or enforced for them.
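To make the "who has registered?" question concrete before you enable or enforce MFA, here is an added example (not from the original post) that summarizes MFA registration across users with Microsoft Graph PowerShell. It assumes the Microsoft.Graph.Reports module and a Connect-MgGraph session with the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes; the summary logic is kept separate from the Graph call so it can be tried offline on the constructed sample users below (the contoso.example accounts are made up for this example).

```powershell
# Added example, not part of the original post.
# Assumes: Install-Module Microsoft.Graph.Reports and
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All'
# have been done by an administrator before the live section at the bottom is run.

# Summarize a set of userRegistrationDetails-shaped objects:
# how many users have an MFA method registered, which methods are in use,
# and which accounts (especially admins) would be forced to register at next sign-in.
function Get-MfaRegistrationSummary {
    param([Parameter(Mandatory)][object[]]$Details)

    $registered   = @($Details | Where-Object { $_.IsMfaRegistered })
    $unregistered = @($Details | Where-Object { -not $_.IsMfaRegistered })

    # Tally each registered method name across all registered users
    $methodCounts = @{}
    foreach ($d in $registered) {
        foreach ($m in @($d.MethodsRegistered)) {
            $methodCounts[$m] = 1 + [int]$methodCounts[$m]
        }
    }

    [pscustomobject]@{
        Total              = $Details.Count
        Registered         = $registered.Count
        Unregistered       = $unregistered.Count
        UnregisteredAdmins = @($unregistered | Where-Object { $_.IsAdmin }).Count
        MethodCounts       = $methodCounts
        UnregisteredUsers  = @($unregistered | ForEach-Object { $_.UserPrincipalName })
    }
}

# Constructed sample data shaped like the Graph userRegistrationDetails resource
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IsAdmin = $true;  IsMfaRegistered = $true;  MethodsRegistered = @('microsoftAuthenticatorPush', 'mobilePhone') }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   IsAdmin = $false; IsMfaRegistered = $false; MethodsRegistered = @() }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; IsAdmin = $true;  IsMfaRegistered = $false; MethodsRegistered = @() }
)
Get-MfaRegistrationSummary -Details $sample | Format-List

# Live tenant: pull the registration report and summarize it the same way.
# $live = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
# Get-MfaRegistrationSummary -Details $live | Format-List
```

The figure to look at first is UnregisteredAdmins: an administrator account that has no method registered is the one you least want to enforce MFA on blindly, so register those (or hand them a planned registration window) before flipping the switch. On the sample data the summary reports 3 users, 1 registered, 2 unregistered, of which 1 is an admin.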

MFA – How to enable MFA per user?
MFA can be enabled per user. Just search for MFA in the Azure portal.

And then configure.

Here you can configure service-wide MFA settings: whether app passwords are allowed (in most cases they shouldn't be), trusted IPs, and the verification options an MFA user can choose from. You can also allow an MFA approval to be remembered on the device for a period of time.

When you browse to the Users section you will find the list of users.

You can see that all the users are currently in a Disabled state.
If you choose a user you can select Enable or Manage user settings.

If you choose Enable, you will be welcomed with the following.

And this is what you see when you enable MFA for a user.

And if you choose Manage user settings, you will be welcomed with the following.

Once a user is Enabled, you will see Enforce in the menu.

You will be shown the following warning.

So users have to have an app password if they want to use a non-browser application. This warning isn't really accurate any more, as Outlook and Teams support MFA now, but it used to be a problem.
Microsoft has a nice article on app passwords:

Configure app passwords for Azure AD Multi-Factor Authentication – Azure Active Directory: learn how to configure and use app passwords for legacy applications in Azure AD Multi-Factor Authentication.
You can also do a bulk update of users, but you cannot select Enforced there, only Enabled or Disabled.
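The same per-user MFA states can be read and set in bulk from PowerShell, and unlike the portal's bulk update this path does allow Enforced. The following is an added example (not the post's own code) using the MSOnline module, which is what the per-user MFA blade manages; it assumes Connect-MsolService has already been run by an administrator and that users.csv (a constructed input file) has a UserPrincipalName column.

```powershell
# Added example, not part of the original post.
# Assumes: Install-Module MSOnline and Connect-MsolService have been done as a
# Global Administrator or Authentication Administrator, and .\users.csv
# (constructed for this example) has a UserPrincipalName column.

# Read the per-user MFA state of one account. An empty
# StrongAuthenticationRequirements collection means "Disabled".
function Get-PerUserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $req  = $user.StrongAuthenticationRequirements | Select-Object -First 1
    if ($null -eq $req) { return 'Disabled' }
    return $req.State   # 'Enabled' or 'Enforced'
}

# Set the per-user MFA state. Disabling means clearing the requirements collection.
function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'Enforced')][string]$State
    )
    if ($State -eq 'Disabled') {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'   # applies to all relying parties
    $req.State        = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Bulk update from CSV. Users already at the target state are left alone, and
# the before/after state is emitted for every account so the change is auditable.
$TargetState = 'Enforced'   # 'Enabled' if you only want to prompt registration first

Import-Csv -Path .\users.csv | ForEach-Object {
    $upn    = $_.UserPrincipalName
    $before = Get-PerUserMfaState -UserPrincipalName $upn
    if ($before -ne $TargetState) {
        Set-PerUserMfaState -UserPrincipalName $upn -State $TargetState
    }
    [pscustomobject]@{
        UserPrincipalName = $upn
        Before            = $before
        After             = Get-PerUserMfaState -UserPrincipalName $upn
    }
} | Format-Table -AutoSize
```

Keep the emitted before/after table with your change record; it is the only trace of who was Enabled versus Enforced when, since the portal's bulk update does not leave one. Note that Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell, so treat this as the module of the per-user MFA era the post describes rather than the long-term tooling.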



End-user experience
The end user goes to https://portal.office.com and is greeted with an MFA request.


If you chose a different verification option earlier in the MFA settings, for example Notification through mobile app,

they will be shown this page instead of SMS verification.


Things to remember
MFA is available in the following licensing options:
- Azure AD Free – Security defaults (enabled for all users)
- Azure AD Free – Global Administrators only
- Any Office 365 license
- Azure AD Premium P1
- Azure AD Premium P2