This repository has been archived by the owner on Nov 16, 2023. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
57 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -0,0 +1,45 @@ | |||
--- | |||
type: post | |||
title: "Tip 190 - Multi-Factor Authentication on Azure in a Nutshell" | |||
excerpt: "Multi-Factor Authentication on Azure in a Nutshell" | |||
tags: [azure, windows, portal, cloud, developers, tipsandtricks] | |||
share: true | |||
date: 2019-03-25 17:00:00 | |||
--- | |||
|
|||
#### Multi-Factor Authentication on Azure in a Nutshell | |||
|
|||
In another Tips and Tricks post, we added Azure Active Directory authentication to an existing App Service Web App. Today, we’ll make sure Multi-Factor Authentication (MFA) is on for that user. There are various services in Azure when it comes to Multi-Factor Authentication](https://azure.microsoft.com/en-us/services/multi-factor-authentication), so let’s first see what’s available. Keep in mind, I want it to be FREE. | |||
|
|||
If you take a look at the documentation on how it works, the following MFA offerings are listed: | |||
* **Azure Active Directory Premium** – Licenses for full-featured, on-premises, or cloud-hosted MFA services. | |||
* **Multi-Factor Authentication for Office 365** – MFA features included with an Office 365 subscription. | |||
* **Azure Active Directory Global Administrators** – MFA capabilities made available for free by Microsoft for protecting global administrator accounts. | |||
|
|||
Note I am using a Microsoft account that is a global administrator on my | |||
pay-as-you-go Azure account. | |||
|
|||
#### There are several MFA offerings, but I didn’t use them | |||
|
|||
So why didn’t I use Azure Active Directory Premium, MFA for Office 365, or MFA for Azure Active Directory Global Administrators? | |||
|
|||
First, I didn’t want to pay for Azure Active Directory Premium. Also, I didn’t use MFA for Office 365 because it is for accounts connected to an Office 365 account, which I didn’t have. Finally, Azure Active Directory Global Administrators MFA is a [two-step verification for Azure Active Directory users](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates) and not a Microsoft account. There are ways to turn [two-step verification on for Microsoft accounts](https://support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification) that are done outside of Azure, which I didn’t want to do. | |||
|
|||
While researching why I couldn’t enable MFA for my Microsoft account user, I found a newer feature that also provides MFA called Baseline Protection. The nice thing about using [Baseline Protection](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/baseline-protection) is it works well for Microsoft accounts and Azure Active Directory accounts. | |||
|
|||
#### How I turned on Multi-Factor Authentication using Baseline Policy | |||
Go to the Azure portal and navigate to **Azure Active Directory**, and then click **Conditional access** under **Security**. Since I’m using my own pay-as-you-go subscription, this is the default directory. | |||
|
|||
<img :src="$withBase('/files/mfa1.png')"> | |||
|
|||
Click on **Baseline policy: Require MFA for admins (Preview)** in the list of policies. | |||
|
|||
<img :src="$withBase('/files/mfa2.png')"> | |||
|
|||
Select **Use policy immediately** and click the **Save** button. | |||
|
|||
<img :src="$withBase('/files/mfa3.png')"> | |||
|
|||
Once you have saved, you’ll now see a checkmark in the **Enabled** column of the policy listing. | |||
|
|||
<img :src="$withBase('/files/mfa4.png')"> |