microsoft
/
AzureTipsAndTricks
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
AzureTipsAndTricks/blog/tip190.md

3.7 KiB
Исходник Постоянная ссылка Ответственный История

type title excerpt tags share date
post Tip 190 - Multi-Factor Authentication on Azure in a Nutshell Multi-Factor Authentication on Azure in a Nutshell
Identity
true 2019-03-25 17:00:00

::: tip 💡 Learn more : Azure Multi-Factor Authentication. :::

Multi-Factor Authentication on Azure in a Nutshell

In another Tips and Tricks post, we added Azure Active Directory authentication to an existing App Service Web App. Today, well make sure Multi-Factor Authentication (MFA) is on for that user. There are various services in Azure when it comes to Multi-Factor Authentication, so lets first see whats available. Keep in mind, I want it to be FREE.

If you take a look at the documentation on how it works, the following MFA offerings are listed:

  • Azure Active Directory Premium – Licenses for full-featured, on-premises, or cloud-hosted MFA services.
  • Multi-Factor Authentication for Office 365 – MFA features included with an Office 365 subscription.
  • Azure Active Directory Global Administrators – MFA capabilities made available for free by Microsoft for protecting global administrator accounts.

Note I am using a Microsoft account that is a global administrator on my pay-as-you-go Azure account.

There are several MFA offerings, but I didnt use them

So why didnt I use Azure Active Directory Premium, MFA for Office 365, or MFA for Azure Active Directory Global Administrators?

First, I didnt want to pay for Azure Active Directory Premium. Also, I didnt use MFA for Office 365 because it is for accounts connected to an Office 365 account, which I didnt have. Finally, Azure Active Directory Global Administrators MFA is a two-step verification for Azure Active Directory users and not a Microsoft account. There are ways to turn two-step verification on for Microsoft accounts that are done outside of Azure, which I didnt want to do.

While researching why I couldnt enable MFA for my Microsoft account user, I found a newer feature that also provides MFA called Baseline Protection. The nice thing about using Baseline Protection is it works well for Microsoft accounts and Azure Active Directory accounts.

How I turned on Multi-Factor Authentication using Baseline Policy

Go to the Azure portal and navigate to Azure Active Directory, and then click Conditional access under Security. Since Im using my own pay-as-you-go subscription, this is the default directory.

Click on Baseline policy: Require MFA for admins (Preview) in the list of policies.

Select Use policy immediately and click the Save button.

Once you have saved, youll now see a checkmark in the Enabled column of the policy listing.

Excellent! Now all global administrators of my Azure account will have Multi-Factor Authentication turned on.