AZ-104 Microsoft Azure Administrator Associate – Implement multi-factor

  1. Azure Active Directory Multifactor Authentication

So in this section, we’re going to talk about some identity security services, particularly multifactor authentication. Now, what is multifactor authentication? One of the big challenges with security these days is that people have relied on user IDs and passwords. And no matter how complicated your password is, even if it’s 16 characters and contains letters, numbers, symbols, capitals and unusual foreign characters, if that password gets lost, if someone breaks into your computer and steals it, or if it somehow becomes easy to guess, that allows somebody to log in as you and basically take over whatever it is that you control. So a user ID and password is not entirely secure, simply because it can be lost.

Now, when you add another factor to it, that becomes more secure. When they talk about multi-factor authentication, the extra factor is either something you have, a device, which could be your phone or, in the old days, a key fob with a randomized number on it, or something you are, such as a fingerprint or an eye scan. So multi-factor authentication refers to having more than just your password as a way to authenticate. And that’s why it’s more and more common for you to need your phone: either you get an SMS message, you get an email, or you get a randomized number in an application that you have to enter in order to log in, beyond just your password.

Now, Microsoft Azure Active Directory does support this, but you have to pay for it: it is available as an add-on at $1.40 per user per month, so there is a cost model associated with it. Unless you’re a Premium Active Directory user, on a Premium plan, in which case it is included in that plan. How do you turn it on? In this particular case, I go into Users. Now, I have a mixture of native Azure Active Directory users and invited users. The invited users in this case are B2B: these are Gmail accounts. An email went out to them, they accepted, and they are part of my Azure Active Directory, but they are not native Active Directory members because their email address isn’t in a domain I control. So we have this user and guest user concept.

So when I select a set of users in my Active Directory, you’ll see it says Multi-Factor Authentication at the top. When I click this, it’s actually going to take me out of the portal into a separate website. So I’m going to zoom in a little bit, and we can see it is a Microsoft website, but it’s different from the portal, and it’s opened in a new tab in my browser. Now, out of my five users, remember, two of them are actually Active Directory users and two of them are Gmail users, which are B2B. So I can only enable multi-factor authentication for two of those users. You can’t enable it for users that are not native members of your Active Directory. So I’ve chosen the two, and I can click Enable.

Now it says, about enabling multi-factor, that basically they’re going to have to sign in through the web browser in order to be prompted to sign up for multi-factor authentication. If they access your services through an app or by some other method, it might not actually work. So here’s a link to how these individual users, Green and John Doe, can sign up for MFA. But I control them, so I can actually enable multi-factor. So now I’ve enabled multi-factor authentication for two users in my account, and that’s basically how easy it is. Now remember, this is a separate tab. I can close the tab and go back to the portal. Keep in mind that there is a support impact for your Active Directory.

So now that you’ve got users that are forced to use multi-factor authentication, what you’re going to end up with is people who have their ID and their password but don’t have their phone. Their phone has died, they’ve lost their phone, or they changed their phone number but didn’t migrate their multi-factor authentication. So there is another point of support once you make it more complicated for people to log in. But remember, security is not about convenience. Security in some ways is the opposite of convenience, because the more convenient something is, the less secure it generally is. You’re going to have to introduce things like this, having to have a phone to answer an SMS text or an app in order to log into your system, as a way to increase security.

  2. AAD Conditional Access

So turning on multi-factor authentication per user is one way to do it, right? We can either go to an individual user or select all users and say we want to enable multi-factor authentication for those people. Another way is what’s called conditional access. If we scroll down to the security settings of our Active Directory, there is a Conditional Access setting. Conditional access is basically a policy that you can set that will turn on multi-factor authentication only under specific circumstances. So instead of it being dependent on the user, yes or no, true or false, it’s dependent on a combination of circumstances. Now, there’s a baseline policy here that we can see that basically says require multi-factor authentication for high-level roles, and that’s what you’ll see if you turn on conditional access.

It basically requires multi-factor authentication for Global Administrators, SharePoint Administrators, Exchange Administrators, Conditional Access Administrators and Security Administrators. These are powerful roles within your Active Directory and within your organization. So automatically enabling this policy for those individuals makes a certain amount of sense, and we can see that we can actually use this policy, which means that these people would have to set up multi-factor authentication, and in the future, as we add administrators to our account, it’s going to be enabled for them too. Or we can just say we do not want to use this policy, but there’s a big orange exclamation mark saying this means you are vulnerable. So I’m going to leave the setting as it was, and we can go and create another policy.

So this one is for access outside the office, as an example. We can see that we want to affect all users and all apps, with the condition being that the location is not one of your trusted locations. So we want to turn on MFA for any location, but we will exclude what’s called a trusted location, and that means we can configure a trusted location in another area within MFA here. Okay? So any access that meets this condition, if I was to enable this policy: we can say grant access but require multi-factor authentication. So we can basically allow people to log in from outside the office but require multi-factor. Of course, you can also just deny access.

So people must be in a trusted location, which is basically defined by their IP address and what network they’re connected to. You could block access from anywhere else, or you could say, well, you know what, that’s a little bit more suspicious and we have to be a bit more careful with people logging in from outside the office. So Microsoft Azure allows you to enable conditional access that turns on multi-factor authentication in certain circumstances. Now, if we go back to the conditions, we can see that it’s not just locations: it’s the devices that they use, the apps, the state of the device, and sign-in risk, which is a machine-learning type algorithm that will basically classify somebody’s login as being high, medium, low or no risk. And so let’s say we want people who are outside the office and high risk to have to use multi-factor authentication.

And so the machine-learning component that Microsoft runs will assign a risk level, which could be based on the person logging in from areas where no one has ever logged in before, far distant locations away from your office, et cetera. So if we turn this policy on, this will basically enable multi-factor authentication in certain circumstances. Remember we said about trusted locations? Certainly we can add a location. For instance, this is my home office, and I mark it as a trusted location. We can say that this IP address, and we can use a range, so a /24, is a trusted location, and I’m going to call that Home. Now I’ve got a trusted location. So when my conditional access policy says multi-factor authentication is required except if it’s in a trusted location, now I have a trusted location. So this definitely gives a lot of flexibility in setting up multi-factor authentication only in specific cases.
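To make the policy logic above concrete, here is a small evaluator I added as an illustration; it is not Azure’s code and not from the course. It models the three situations the section walks through: the baseline policy that requires MFA for the privileged roles, a custom policy that requires MFA from anywhere except a trusted location (a /24 named Home), and a policy that blocks high-risk sign-ins from outside the office. The policy dictionaries are shaped loosely after the Microsoft Graph conditionalAccessPolicy resource (an assumption; only the handful of fields used here are modelled), the IP ranges and sign-in events are constructed sample data, and the trusted-location CIDR check is the same idea as the trusted IPs setting in the MFA service settings.

```python
"""Toy evaluator for Conditional Access decisions (added illustration, not Azure code)."""
import ipaddress

# Constructed sample data: one named location, a /24 as in the section.
TRUSTED_LOCATIONS = {"Home": ["203.0.113.0/24"]}  # documentation range, not a real office

PRIVILEGED_ROLES = [
    "Global Administrator",
    "SharePoint Administrator",
    "Exchange Administrator",
    "Conditional Access Administrator",
    "Security Administrator",
]

# Policy shape is an assumption modelled on the Graph conditionalAccessPolicy resource.
POLICIES = [
    {
        "displayName": "Baseline: require MFA for admins",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": PRIVILEGED_ROLES}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA outside the office",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block high-risk sign-ins outside the office",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "signInRiskLevels": ["high"],
        },
        "grantControls": {"builtInControls": ["block"]},
    },
]


def in_trusted_location(ip):
    """True when the client IP falls inside any configured trusted CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for ranges in TRUSTED_LOCATIONS.values() for cidr in ranges)


def policy_applies(policy, signin):
    """True when every condition the policy configures matches the sign-in."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    users = cond.get("users", {})
    by_role = set(users.get("includeRoles", [])) & set(signin["roles"])
    if "All" not in users.get("includeUsers", []) and not by_role:
        return False
    loc = cond.get("locations", {})
    if "AllTrusted" in loc.get("excludeLocations", []) and in_trusted_location(signin["ip"]):
        return False                          # trusted location: this policy is excluded
    risk_levels = cond.get("signInRiskLevels", [])   # empty list means any risk level
    if risk_levels and signin["risk"] not in risk_levels:
        return False
    return True


def evaluate(signin):
    """Return {'decision': 'block'|'mfa'|'allow', 'policies': [names that fired]}."""
    fired = [p for p in POLICIES if policy_applies(p, signin)]
    controls = {c for p in fired for c in p["grantControls"]["builtInControls"]}
    if "block" in controls:
        decision = "block"        # a block control always wins over a grant
    elif "mfa" in controls:
        decision = "mfa"
    else:
        decision = "allow"        # no policy applied: password alone is enough
    return {"decision": decision, "policies": [p["displayName"] for p in fired]}


if __name__ == "__main__":
    # Constructed sign-in events: user, directory roles, client IP, sign-in risk level.
    samples = [
        {"user": "jane", "roles": [], "ip": "203.0.113.10", "risk": "none"},
        {"user": "john", "roles": [], "ip": "198.51.100.7", "risk": "low"},
        {"user": "green", "roles": ["Global Administrator"], "ip": "203.0.113.5", "risk": "none"},
        {"user": "mallory", "roles": [], "ip": "198.51.100.9", "risk": "high"},
    ]
    for s in samples:
        print(s["user"], evaluate(s))
```

Running it shows the combination effect the section describes: an ordinary user at Home is not prompted, the same user from an untrusted network gets MFA, an administrator gets MFA even at Home because the baseline policy ignores location, and a high-risk sign-in from outside is blocked outright.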

  3. Configuring Fraud Alerts

So let’s talk about some of the settings that you get for multi-factor authentication. We’re back at the Active Directory overview screen, and if I scroll down under Security, I can see there’s an MFA settings tab. When I go in there, it’s a whole new section of the site. Let’s talk about fraud alerts first. I’m going to click Fraud alert. Now, by default, fraud alerts are turned off. I have it turned on here because I was testing. But basically, if you enable fraud alerts, this allows your users to report it if they receive a two-step verification request they didn’t initiate. So if they get that SMS message or that email asking them to enter the number and they didn’t initiate that request, then they can click a link, or report it through the call, and basically say they are getting this for a reason they didn’t initiate. If you do enable fraud alerts, then you can also automatically block those users.

So somebody’s user ID and password has been compromised, and now they’re getting the multi-factor authentication alert. They say, it wasn’t me. And so you can basically block their account. Okay, now the blocked accounts go into this Block/unblock users list. So a blocked user will no longer receive multi-factor requests. So once they’ve reported the fraud, and you have that turned on, they’re going to end up in this block list, and it’s going to take 90 days, about three months, for them to be automatically unblocked. So again, it’s a support issue where you’re going to have to go in here and unblock people, and maybe force them to change their passwords, et cetera. So fraud alerts basically lead to people getting their accounts shut down. But that’s obviously the more secure thing in terms of detecting when people are trying to hack into your accounts.

  4. MFA One Time Bypass

So let’s say that you have a user whose phone is dead, or they lost their phone, and they need to be able to log in to do their work, but they don’t have the additional factor for multi-factor authentication. Is there anything that you can do for them? Well, there is a setting called One-time bypass. So if we go down to here, we can basically say that one of these users will get 300 seconds, which is a five-minute period of time, where they can log in using their user ID and password without performing the multi-factor authentication. So if I go in here, it says 300 seconds, I can look for John Doe, 300 seconds, give it a reason, he lost his phone, and now user John Doe is being allowed to log in for the next 300 seconds. It goes into effect immediately and expires in five minutes, or once he logs in. And even though multi-factor authentication has been turned on for him, it allows him to get past that step just for a limited period of time. So this is another way that your support staff can help users struggling with their multi-factor authentication.
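The fraud-alert block list from the previous section and the one-time bypass from this one are both support-side state that sits beside the normal password-plus-MFA check. The following model is an illustration I added, not Azure’s implementation and not from the course: a fraud report (with auto-block on) stops the user from being prompted for 90 days, and a bypass lets a named user sign in with only a password for a 300-second window. The in-memory store, the method names, the audit trail and the rule that a bypass is consumed by the first sign-in that uses it are assumptions made for this example; the times are constructed.

```python
"""Toy model of the fraud-alert block list and one-time bypass (added illustration, not Azure code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

BLOCK_DURATION = timedelta(days=90)   # blocks lift after 90 days, as the section says
BYPASS_SECONDS = 300                  # the five-minute bypass window


@dataclass
class MfaSupportState:
    blocked_until: dict = field(default_factory=dict)   # user -> expiry datetime
    bypasses: dict = field(default_factory=dict)        # user -> bypass record
    audit: list = field(default_factory=list)           # (time, user, event, detail)

    def report_fraud(self, user, now, auto_block=True):
        """The user reports an MFA prompt they did not initiate."""
        self.audit.append((now, user, "fraud_reported", ""))
        if auto_block:
            self.blocked_until[user] = now + BLOCK_DURATION
            self.audit.append((now, user, "blocked", "auto-block after fraud report"))

    def unblock(self, user, now, reason):
        """Support lifts a block early, for example after a password reset."""
        if self.blocked_until.pop(user, None) is not None:
            self.audit.append((now, user, "unblocked", reason))

    def grant_bypass(self, user, reason, now, seconds=BYPASS_SECONDS):
        """Support grants a one-time bypass; it takes effect immediately."""
        self.bypasses[user] = {"expires": now + timedelta(seconds=seconds),
                               "reason": reason, "used": False}
        self.audit.append((now, user, "bypass_granted", reason))

    def is_blocked(self, user, now):
        """True while a fraud block is in force; expired blocks are cleared."""
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if now >= until:                     # 90 days elapsed: block expires on its own
            del self.blocked_until[user]
            return False
        return True

    def decide(self, user, password_ok, mfa_ok, now):
        """Return 'deny', 'allow' or 'allow_bypass' for one sign-in attempt."""
        if not password_ok:
            return "deny"
        if self.is_blocked(user, now):
            return "deny"                    # blocked users get no MFA prompt at all
        if mfa_ok:
            return "allow"                   # normal path: password plus second factor
        b = self.bypasses.get(user)
        if b and not b["used"] and now < b["expires"]:
            b["used"] = True                 # one-time: consumed by this sign-in
            self.audit.append((now, user, "bypass_used", b["reason"]))
            return "allow_bypass"
        return "deny"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time
    state = MfaSupportState()
    state.report_fraud("green", t0)
    print("green next day:", state.decide("green", True, True, t0 + timedelta(days=1)))
    state.grant_bypass("john", "lost phone", t0)
    print("john at +100s:", state.decide("john", True, False, t0 + timedelta(seconds=100)))
    print("john again:   ", state.decide("john", True, False, t0 + timedelta(seconds=120)))
    for entry in state.audit:
        print(entry)
```

The audit list is there because both actions are support decisions you will want to review later: who was blocked after a fraud report, who was granted a bypass, why, and whether it was actually used.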

  5. AAD MFA Verification Methods / Trusted IPs

All right. So we’re back to looking at multi-factor authentication. In this video we’re going to talk about the methods that users can use to authenticate themselves. So on our Active Directory we’re going to go into MFA. Now, I should have said earlier that there are two types of MFA. There is MFA Server, where you download the server software and have it running within your own environment, and the other type is cloud-based MFA. So when we were configuring those users for MFA, it took us to a separate website, and that was the cloud-based MFA. So let’s talk about the verification methods for those users. I click Configure cloud-based MFA and it takes me back to that second website. Now we have our users that we already saw with MFA enabled, and there’s another tab called Service Settings.

Now, there are a number of settings up here, but we’re going to scroll down to the verification options. You’ll see that by default we have four verification options. One is a phone call, so they actually receive a phone call that says enter the following number. Another is a text message. Third is a mobile app notification, so they would have a verification app that basically sends a notification to them. And the fourth one is they use that app’s verification code, which they then have to enter at the login. So there are four methods available for users to authenticate. Now, it’s possible that you don’t want the apps to be involved at all, and the only method you accept for multi-factor authentication is a text message. That’s entirely up to you.

But as long as you accept the security of phone calls, text messages and mobile apps running on a trusted device, then all four methods are equally secure. But of course, if you’ve got concerns that the SIM card is going to be spoofed, then they’re going to have to authenticate through the mobile app and not through a traditional phone method. That would be up to you. So those are the settings within Configure cloud-based MFA. Now, I’ll talk about something related to the conditional access we were looking at earlier: there’s another way, other than configuring conditional access. We can enable trusted IPs, which skips multi-factor authentication for requests from users on your own intranet. So if you have an office, let’s go back to my IP here, if you have an office, you can set a set of IP ranges in CIDR format, and that will skip MFA for users that are connected to your application through that network. Save that.
