Multi Factor Authentication Explained (MFA) Azure Active Directory | Multi-Factor Authentication

Published: 7 October 2024
on the channel: Paddy Maddy

Azure AD Multi-Factor Authentication
Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.

If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased as this additional factor isn't something that's easy for an attacker to obtain or duplicate.
Azure AD Multi-Factor Authentication works by requiring two or more of the following authentication methods:

Something you know, typically a password.
Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key.
Something you are - biometrics like a fingerprint or face scan.
Users can register themselves for both self-service password reset and Azure AD Multi-Factor Authentication in one step to simplify the on-boarding experience. Administrators can define what forms of secondary authentication can be used. Azure AD Multi-Factor Authentication can also be required when users perform a self-service password reset to further secure that process.

Azure AD Multi-Factor Authentication helps safeguard access to data and applications while maintaining simplicity for users. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy to use authentication methods. Users may or may not be challenged for MFA based on configuration decisions that an administrator makes.

Your applications or services don't need to make any changes to use Azure AD Multi-Factor Authentication. The verification prompts are part of the Azure AD sign-in event, which automatically requests and processes the MFA challenge when required.

Available verification methods
When a user signs in to an application or service and receives an MFA prompt, they can choose one of their registered forms of additional verification. An administrator can require registration of these Azure AD Multi-Factor Authentication verification methods, or the user can open their own My Profile page to edit or add verification methods.

The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:

Microsoft Authenticator app
OATH Hardware token
SMS
Voice call
How to enable and use Azure AD Multi-Factor Authentication
Users and groups can be enabled for Azure AD Multi-Factor Authentication to prompt for additional verification during the sign-in event. Security defaults are available for all Azure AD tenants to quickly enable the use of the Microsoft Authenticator app for all users.

For more granular controls, Conditional Access policies can be used to define events or applications that require MFA. These policies can allow regular sign-in events when the user is on the corporate network or a registered device, but prompt for additional verification factors when remote or on a personal device.


When authentication requests are sent to the cloud service, data is collected for authentication and usage reports. The following data fields are included in two-step verification logs:

Unique ID (either user name or on-premises Multi-Factor Authentication Server ID)
First and Last Name (optional)
Email Address (optional)
Phone Number (when using a voice call or SMS authentication)
Device Token (when using mobile app authentication)
Authentication Mode
Authentication Result
Multi-Factor Authentication Server Name
Multi-Factor Authentication Server IP
Client IP (if available)

Is there a free version of Azure AD Multi-Factor Authentication?
Security defaults can be enabled in the Azure AD Free tier. With security defaults, all users are enabled for multi-factor authentication using the Microsoft Authenticator app. There's no ability to use text message or phone verification with security defaults, just the Microsoft Authenticator app.