First we will cover the solutions in hand.
What is Conditional access?
Conditional Access is based on conditions for a location, devices used, risks discovered.
Here is an excellent picture from Microsoft which explain the flow.
You need at least Azure AD Premium P1 to enable Conditional Access.
What could be enabled?
Microsoft currently has a Preview feature for CA templates. These will show many examples on what You can enable.
Remember that the Preview features aren’t coming to certification Exams. Once this feature is Generally Available it will be a beautiful addition.
What is Multi-factor Authentication?
Azure AD Multi-Factor Authentication (MFA) supplies added security for your identities by requiring two or more elements for full authentication.
These elements fall into three categories:
- Something you know – which might be a password or the answer to a security question.
- Something you possess – which might be a mobile app that receives a notification or a token-generating device.
- Something you are – which typically is a biometric property, such as a fingerprint or face scan used on many mobile devices.
- Azure Active Directory Premium or Microsoft 365 Business – Both of these offerings support Azure AD Multi-Factor Authentication using security defaults to require multi-factor authentication.
- Azure AD Free or standalone Microsoft 365 licenses – Use security defaults that require multi-factor authentication for your users and administrators.
- Azure Active Directory Global Administrators – A subset of Azure AD Multi-Factor Authentication capabilities are available as a means to protect global administrator accounts.
|Feature||Azure AD Free – Security defaults (enabled for all users)||Azure AD Free – Global Administrators only||Office 365||Azure AD Premium P1||Azure AD Premium P2|
|Protect Azure AD tenant admin accounts with MFA||●||● (Azure AD Global Administrator accounts only)||●||●||●|
|Mobile app as a second factor||●||●||●||●||●|
|Phone call as a second factor||●||●||●||●|
|SMS as a second factor||●||●||●||●|
|Admin control over verification methods||●||●||●||●|
|Custom greetings for phone calls||●||●|
|Custom caller ID for phone calls||●||●|
|Remember MFA for trusted devices||●||●||●||●|
|MFA for on-premises applications||●||●|
|Risk-based conditional access||●|
|Identity Protection (Risky sign-ins, risky users)||●|
|Privileged Identity Management (PIM), just-in-time access||●|
|Policy||Security defaults||Conditional Access||Per-user MFA|
|Standard set of security rules to keep your company safe||●|
|Included in Office 365 licensing (See license considerations)||●||●|
|Pre-configured templates in Microsoft 365 Admin Center wizard||●||●|
|Exempt users from the policy||●||●|
|Authenticate by phone call or SMS||●||●|
|Authenticate by Microsoft Authenticator and Software tokens||●||●||●|
|Authenticate by FIDO2, Windows Hello for Business, and Hardware tokens||●||●|
|Blocks legacy authentication protocols||●||●||●|
|New employees are automatically protected||●||●|
|Dynamic MFA triggers based on risk events||●|
|Authentication and authorization policies||●|
|Configurable based on location and device state||●|
|Support for “report only” mode||●|
|Ability to completely block users/services||●|
MFA – How to enable MFA per user?
MFA can be enabled per user. Just search MFA from Azure portal.
And then configure.
In here You can enable MFA based settings like allow App passwords (mostly You shouldn’t), trusted ips and verification options the MFA user can select. Also allow the MFA approval to be remembered for a period of time.
When You browse to Users section You will find the users.
You can see that all the users are currently in a Disabled state.
If You choose a user You can select Enable or Manage user settings.
If You choose Enable, You will be welcomed with the following.
And when You enable the MFA for a user.
And if You choose Manage user settings, you will be welcomed with the following.
When You Enable a user, You will see Enforce in the menu.
You will be shown the following warning.
So the users have to have an App password if they want to use a non-browser application. This isn’t really accurate as Outlook and Teams support MFA now but before it’s was a problem.
Microsoft has a nice article on App passwords.
You can also do a bulk update of users but You cannot select Enforced in here, only Enabled or Disabled.
How to Enable MFA with Conditional Access?
Conditional Access and MFA is much more convenient than MFA by itself. There is policies the user will get if they fall to the scope.
Search for Conditional Access inside Azure portal.
Once there, create a new policy
You will se the policy editor, give a name and choose Users or workloads.
In here You can choose to include on exclude users, roles or groups. A nice option is also to Enable something with Conditional Access only to Guest and External users that reside or will be invited to Your tenant.
I will keep it simple in my example and choose only one user. But You really could fiddle around with these an make Your own kind of policy.
Next You can choose Cloud Apps or actions. In my example I will choose Office 365 which includes all Office 365 Services.
For the user actions You could choose the following.
Microsoft has an excellent article on User actions.
Then choose Conditions, in here You will define the conditions that will trigger the policy.
In example if the user has risk of Medium they would be Enforced for the policy.
In the Grant section You will define to block the user matching the policy or Grant with controls.
To keep it simple I will choose only require MFA
In Sessions You will have the following. In here You can control App restrictions, disable persistent sessions and Continuous Access Evaluation (CAE) but You really shouldn’t. These are excellent and relatively new features inside Conditional Access policies.
If you want to learn more about both, here’s my previous posts.
And finally there is option to Enable or Report. With reporting You will get information about how it would be affecting users.
But remember this, depending on Your setup Your user could get prompts even in Report-Only mode.
If You want to access the logs for reporting, they can be found under sign-in logs.
You also have a What If so see what will happen if You enable the policy.
But now when we have the MFA policy enabled, let’s see the user experience.
End-user goes to https://portal.office.com and they will be greeted with MFA request.
If You chose available authentication methods in the beginning for MFA, example Notification through mobile app
They will be displayed this page instead of SMS verification.
Thing to remember
MFA is available in the following licensing options:
- Azure AD Free – Security defaults (enabled for all users)
- Azure AD Free – Global Administrators only
- Any Office 365 license
- Azure AD Premium P1
- Azure AD Premium P2
Conditional Access is available in the following licensing options:
- Azure AD Premium P1
- Azure AD Premium P2
Security Defaults are enabled by default and has to be disable before enabling Conditional Access.
Conditional Access has User and Sign-in risk policies.
And done. Then to the next one.