Configuring MFA on O365 and Azure
Setup MFA in Entra (Azure)
Step 1: Understand MFA
Multifactor authentication (MFA) is a process in which a user is prompted for additional forms of identification during a sign-in event. Microsoft Entra multifactor authentication and Conditional Access policies give you the flexibility to require MFA from users for specific sign-in events.
Step 2: Check Your Role
To enable Security defaults you need the Global Administrator or Security Administrator role; to create Conditional Access policies you need at least the Conditional Access Administrator role. Use a dedicated admin account for this work, not a day-to-day user account.
Step 3: Turn Off Legacy Per-User MFA
If you have legacy per-user MFA turned on, you need to turn it off before enabling Security defaults. To do this, navigate to the Microsoft 365 admin center, choose Users > Active users, then choose multifactor authentication.
Step 4: Enable Security Defaults
Browse to Identity > Overview > Properties, select Manage security defaults, set Security defaults to Enabled and select Save. Security defaults make every user register for MFA within 14 days and require MFA on every administrator sign-in and on every sign-in to the Azure management plane. Security defaults and Conditional Access policies are mutually exclusive: if you intend to follow Steps 6 and 7, leave Security defaults disabled (or disable them again) and enforce MFA through Conditional Access instead.
Step 5: Set Up Admin Accounts for MFA
This step uses the legacy per-user MFA portal. With Security defaults (Step 4) or a Conditional Access policy (Step 6) in place, admin accounts are already required to use MFA and this step is unnecessary; only tenants that stay on per-user MFA need it. Sign in to the Microsoft 365 admin center, go to Users > Active users and select Multi-factor authentication. Change the view to Global administrators to list the global admin accounts for your tenant, check the box for each admin account you are enabling MFA for, then select Enable.
Step 6: Create a Conditional Access Policy
Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator. Security defaults must be disabled first, or the admin center will refuse to create the policy. Browse to Protection > Conditional Access > Policies, select + New policy, and enter a name for the policy, such as MFA Pilot. Under Assignments > Users, include the pilot users or groups and exclude your break-glass accounts (see the considerations in Step 7). Under Target resources, select the applications the policy covers, for example Windows Azure Service Management API for the Azure management plane. Under Access controls > Grant, select Grant access and check Require multifactor authentication. Under Enable policy, start with Report-only rather than On.
Step 7: Configure the Conditions for Multifactor Authentication
Configure the conditions under which the policy applies and therefore prompts for MFA: sign-in risk and user risk (Entra ID P2), device platform, location (named locations and trusted IP ranges), client apps (browser, mobile apps and desktop clients, and legacy authentication clients that cannot do MFA at all) and filter for devices (the replacement for the older device state condition). A policy with no conditions applies to every sign-in matched by its assignments.
Policy Condition Considerations:
In Entra, a Conditional Access policy that requires MFA is evaluated against its assignments and conditions on every sign-in. Key points:
- Azure Management: Require MFA for all users who reach the Azure management plane, with as few exclusions as possible.
- User Exclusions: A small number of accounts should be excluded from Conditional Access policies:
  - Emergency access or break-glass accounts: These accounts are used to sign in and recover the tenant in the unlikely event that every administrator is locked out, for example by a misconfigured policy or an MFA service outage. Keep them cloud-only, monitor every sign-in they make, and store their credentials offline.
  - Service accounts and service principals: Non-interactive identities not tied to any person, normally used by back-end services for programmatic access but sometimes also used to sign in for administrative tasks. MFA cannot be completed programmatically, so user-based policies must exclude service accounts; service principals are not targeted by user-based policies at all and need a separate Conditional Access for workload identities policy.
- Application Exclusions: Administrators can exclude specific applications from a policy. For example, the payroll and attendance applications may require MFA, but the cafeteria application probably does not.
- Creating a Conditional Access Policy: A policy can require every user who accesses the Windows Azure Service Management API (the application behind the Azure portal, Azure PowerShell, Azure CLI and the ARM REST API) to complete multifactor authentication. Understand how Conditional Access evaluates assignments, conditions and grant controls before you create a policy for this application, because it gates the whole Azure management plane.
Remember, it’s crucial to ensure that the conditions you create don’t block your own access to the portal. Always sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
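The policy from Steps 6 and 7 can also be created from a script, which is easier to review and to reproduce across tenants than portal clicks. The following PowerShell is an added example, not part of the original page or of Microsoft's documentation. It assumes the Microsoft.Graph PowerShell module is installed, the caller holds the Conditional Access Administrator role, and a security group named BreakGlass-Exclusions (a hypothetical name) already contains the emergency access accounts. It refuses to run while Security defaults are enabled, creates the policy in report-only mode, and reads it back to confirm the break-glass exclusion is present.

```powershell
# Added example: create the "Require MFA for Azure management" Conditional Access policy
# with Microsoft Graph PowerShell. Not the page's own code.
# Assumptions: Microsoft.Graph module installed; caller is a Conditional Access Administrator;
# a group named 'BreakGlass-Exclusions' exists (hypothetical name).

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'

# 1. Security defaults and Conditional Access policies cannot coexist: stop if Step 4 is still on.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    throw 'Security defaults are enabled. Disable them (Identity > Overview > Properties) before creating Conditional Access policies.'
}

# 2. Resolve the break-glass exclusion group. Never ship this policy without it.
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Exclusions'"
if (-not $breakGlass) { throw 'Break-glass exclusion group not found.' }

# 3. Well-known application ID of "Windows Azure Service Management API" (the Azure management plane).
$azureMgmtAppId = '797f4846-ba00-4fd7-ba43-dac1f8f63013'

$policy = @{
    displayName = 'MFA Pilot - Require MFA for Azure management'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; flip to 'enabled' after Step 8
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @($azureMgmtAppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                       # Grant access, require multifactor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# 4. Read the policy back and verify the exclusion survived; a typo here is how admins lock themselves out.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeGroups -notcontains $breakGlass.Id) {
    throw 'Break-glass group is not excluded from the new policy; fix it before enabling.'
}
'Break-glass exclusion verified.'
```

Only change state to enabled once the report-only evaluation in Step 8 shows the expected users and no unexpected ones, and run the same read-back check again after any later edit to the policy.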
Step 8: Test Microsoft Entra Multifactor Authentication
Test the policy before you enforce it. Sign in as a pilot user to walk through MFA registration and a challenged sign-in, so you know the end-user experience of configuring and using Microsoft Entra multifactor authentication. While the policy is in Report-only mode, use the Conditional Access What If tool to evaluate specific users and applications, and review the Report-only results recorded against each entry in the sign-in logs. Confirm that the break-glass accounts never appear as evaluated by the policy and that your own admin sign-in still works, then switch the policy to On.
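The report-only results described above can be pulled from the sign-in logs instead of read one entry at a time in the portal. This PowerShell is an added example, not code from the original page; it assumes the Microsoft.Graph module, consent to AuditLog.Read.All, a policy named MFA Pilot - Require MFA for Azure management (a hypothetical name) and a hypothetical break-glass UPN. It lists the sign-ins the policy would have interrupted and warns if it was ever evaluated against a break-glass account.

```powershell
# Added example: review report-only Conditional Access results from the sign-in logs.
# Not the page's own code. Assumptions: Microsoft.Graph module; AuditLog.Read.All consent;
# policy display name and break-glass UPN below are hypothetical.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$policyName     = 'MFA Pilot - Require MFA for Azure management'
$breakGlassUpns = @('breakglass1@contoso.example')           # hypothetical
$since          = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Each interactive sign-in records the evaluation result of every Conditional Access policy,
# including report-only ones (reportOnlySuccess, reportOnlyFailure, reportOnlyInterrupted, ...).
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$rows = foreach ($s in $signIns) {
    $eval = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    if (-not $eval) { continue }
    [pscustomobject]@{
        When       = $s.CreatedDateTime
        User       = $s.UserPrincipalName
        App        = $s.AppDisplayName
        AuthLevel  = $s.AuthenticationRequirement   # singleFactorAuthentication or multiFactorAuthentication
        PolicyEval = $eval.Result
    }
}

# Sign-ins the policy would have challenged or blocked: users who reached the Azure management
# plane with a password alone. Check that your own admin path is among the expected entries.
$wouldChallenge = $rows | Where-Object { $_.PolicyEval -in @('reportOnlyFailure', 'reportOnlyInterrupted') }
"Sign-ins the policy would have interrupted: $(@($wouldChallenge).Count)"
$wouldChallenge | Sort-Object When -Descending | Format-Table -AutoSize

# Excluded accounts must never be evaluated by the policy; if they are, the exclusion is wrong.
$leak = $rows | Where-Object { $breakGlassUpns -contains $_.User }
if ($leak) {
    Write-Warning "Policy was evaluated against break-glass accounts: $(($leak.User | Sort-Object -Unique) -join ', ')"
}
```

Run this after a few days of pilot traffic; a result of reportOnlyNotApplied on most sign-ins is expected, since the policy only targets the Azure management application.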
References:
https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-azure-management
https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa
https://infrasos.com/setup-azure-conditional-access-multi-factor-authentication-mfa/
https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa
https://support.microsoft.com/en-us/account-billing/set-up-the-microsoft-authenticator-app-as-your-verification-method-33452159-6af9-438f-8f82-63ce94cf3d29
https://learn.microsoft.com/en-us/partner-center/mfa-for-users
-----------------------------------------

Set up MFA in O365
Step 1: Understand MFA
Multifactor authentication (MFA) is a crucial step in securing your organization. It requires users to provide more than one way to sign in, adding an extra layer of security. Microsoft 365 for Business allows you to use security defaults or Conditional Access policies to turn on MFA for your admins and user accounts.
Step 2: Check Your Role
You need the Global Administrator or Security Administrator role to change Security defaults and the legacy per-user MFA settings described below.
Step 3: Turn Off Legacy Per-User MFA
If you have legacy per-user MFA turned on, turn it off before enabling Security defaults. Navigate to the Microsoft 365 admin center, choose Users > Active users, then choose Multi-factor authentication. On the multifactor authentication page, select each user whose status is Enabled or Enforced and set their multifactor authentication status to Disabled.
Step 4: Enable Security Defaults
Browse to Identity > Overview > Properties. Select Manage security defaults. Set Security defaults to Enabled. Select Save.
Step 5: Set Up Admin Accounts for MFA
This step uses the legacy per-user MFA portal. Once Security defaults (Step 4) are enabled, every admin is already required to use MFA on each sign-in, so this step is only needed on tenants that stay on per-user MFA. Sign in to the Microsoft 365 admin center, go to Users > Active users and select Multi-factor authentication. Change the view to Global administrators to list the global admin accounts for your tenant, check the box for each admin account you are enabling MFA for, then select Enable.
Step 6: Set Up User Accounts mfa
Once your admin enables your organization, and your account, for MFA, you have to set up your user account to use it. Sign in to Microsoft 365 with your work or school account with your password like you normally do. After you choose Sign in, you’ll be prompted for more information. Choose Next.
Step 7: Choose Authentication Method
The default authentication method is the free Microsoft Authenticator app. If it is installed on your mobile device, select Next and follow the prompts to add the account, which scans a QR code shown in the browser and then sends a test notification to the app. If you would rather use SMS, select "I want to set up a different method"; Microsoft 365 asks for your mobile number and sends an SMS message containing a 6-digit code to verify the device. Prefer the app where possible: SMS codes can be intercepted or redirected through SIM swapping and are the weakest MFA method Microsoft offers, and Microsoft Authenticator number matching resists the push-fatigue attacks that plain approve/deny prompts are vulnerable to.
Step 8: Complete the Setup
After the app or phone number is verified, select Done. On every later sign-in you enter your password as before and then approve the Microsoft Authenticator notification (or enter the SMS code) to finish signing in. You can review or change your registered methods at any time from the Security info page of your account.
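Once Steps 5 to 8 are rolled out, an admin needs to know who has actually registered and how strong their methods are. The following PowerShell is an added example, not code from the original page. It assumes the Microsoft.Graph module, consent to AuditLog.Read.All and UserAuthenticationMethod.Read.All, and a Microsoft Entra ID P1 or P2 license, which the registration details report requires. It lists admins with no MFA registration at all and users whose only registered methods are phone-based or usable for password reset only.

```powershell
# Added example: audit MFA registration after the rollout. Not the page's own code.
# Assumptions: Microsoft.Graph module; AuditLog.Read.All and UserAuthenticationMethod.Read.All
# consent; Microsoft Entra ID P1/P2 license for the registration details report.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Admins with no MFA registration: with Security defaults on they will be prompted at their next
# sign-in, but until that happens a stolen password alone is enough to take the tenant.
$adminsNoMfa = $details | Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered }

# Methods that are either phone-based (SIM swap / interception risk) or only usable for
# self-service password reset, not for MFA. Users with nothing beyond these need a stronger method.
$weakOrSsprOnly = @('mobilePhone', 'alternateMobilePhone', 'officePhone', 'email', 'securityQuestion')
$phoneOnly = $details | Where-Object {
    $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered | Where-Object { $_ -notin $weakOrSsprOnly })
}

"Admins without any MFA registration: $(@($adminsNoMfa).Count)"
$adminsNoMfa | Select-Object UserPrincipalName, IsMfaCapable | Format-Table -AutoSize

"Users registered with phone-based methods only: $(@($phoneOnly).Count)"
$phoneOnly |
    Select-Object UserPrincipalName, DefaultMfaMethod, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize
```

Re-run the report after the 14-day registration window that Security defaults allow; any admin still listed in the first table should be contacted directly rather than left to the next prompt.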
References:
https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
https://practical365.com/securing-office-365-administrator-accounts-multi-factor-authentication/
https://support.microsoft.com/en-us/office/set-up-your-microsoft-365-sign-in-for-multi-factor-authentication-ace1d096-61e5-449b-a875-58eb3d74de14