In another Tips and Tricks post, we added Azure Active Directory authentication to an existing App Service Web App. Today, we’ll make sure Multi-Factor Authentication (MFA) is on for that user. There are various services in Azure when it comes to [Multi-Factor Authentication](https://azure.microsoft.com/services/multi-factor-authentication?WT.mc_id=azure-azuredevtips-azureappsdev), so let’s first see what’s available. Keep in mind, I want it to be FREE.
If you take a look at the documentation on how it works, the following MFA offerings are listed:
* **Azure Active Directory Premium** – Licenses for full-featured, on-premises, or cloud-hosted MFA services.
* **Azure Active Directory Global Administrators** – MFA capabilities made available for free by Microsoft for protecting global administrator accounts.
#### There are several MFA offerings, but I didn’t use them
So why didn’t I use Azure Active Directory Premium, MFA for Office 365, or MFA for Azure Active Directory Global Administrators?
First, I didn’t want to pay for Azure Active Directory Premium. Also, I didn’t use MFA for Office 365 because it is for accounts connected to an Office 365 account, which I didn’t have. Finally, Azure Active Directory Global Administrators MFA is a [two-step verification for Azure Active Directory users](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-userstates?WT.mc_id=docs-azuredevtips-azureappsdev) and not a Microsoft account. There are ways to turn [two-step verification on for Microsoft accounts](https://support.microsoft.com/help/12408/microsoft-account-about-two-step-verification?WT.mc_id=support-azuredevtips-azureappsdev) that are done outside of Azure, which I didn’t want to do.
While researching why I couldn’t enable MFA for my Microsoft account user, I found a newer feature that also provides MFA called Baseline Protection. The nice thing about using [Baseline Protection](https://docs.microsoft.com/azure/active-directory/conditional-access/baseline-protection?WT.mc_id=docs-azuredevtips-azureappsdev) is it works well for Microsoft accounts and Azure Active Directory accounts.
#### How I turned on Multi-Factor Authentication using Baseline Policy
Go to the Azure portal and navigate to **Azure Active Directory**, and then click **Conditional access** under **Security**. Since I’m using my own pay-as-you-go subscription, this is the default directory.
<img:src="$withBase('/files/mfa1.png')">
Click on **Baseline policy: Require MFA for admins (Preview)** in the list of policies.
<img:src="$withBase('/files/mfa2.png')">
Select **Use policy immediately** and click the **Save** button.
<img:src="$withBase('/files/mfa3.png')">
Once you have saved, you’ll now see a checkmark in the **Enabled** column of the policy listing.
<img:src="$withBase('/files/mfa4.png')">
Excellent! Now all global administrators of my Azure account will have Multi-Factor Authentication turned on.
