Enabling MFA to Azure Administrators & Users

Multi-factor authentication is no longer a privilege. MFA is providing an additional layer of security for identities. MFA solutions are getting cheaper and cheaper. You even can enable MFA for free on certain online services. Microsoft outlook email is a good example of that. When it comes to cloud services this is more and more important.

MFA will be a default feature for organizations that have the proper user rights. According to Microsoft’s Azure AD pricing page, MFA is only offered with Office 365 or Premium P1 and P2 Azure AD plans. Based on Test Microsoft doesn’t charge for global administrators to use MFA.

Enable MFA for all users –Can Enable the MFA for Users from Office365 Portal and Azure Portal Under Azure AD Users – Multifactor Authentication.

Select the user you need to enable MFA

These common attacks can include password spray, replay, and phishing. Baseline policies are available in all editions of Azure AD. Microsoft is making these baseline protection policies available to everyone because identity-based attacks have been on the rise over the last few years. The goal of these four policies is to ensure that all organizations have a baseline level of security-enabled at no extra cost.

Managing customized Conditional Access policies requires an Azure AD Premium license.

Enable MFA based on conditional access policies

There are four baseline policies:

  • Require MFA for admins (preview)
  • End-user protection (preview)
  • Block legacy authentication (preview)
  • Require MFA for service management (preview)

All four of these policies will impact legacy authentication flows like POP, IMAP, and older Office desktop clients.

Require MFA for admins (preview)

Due to the power and access that administrator accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification when they are used to sign in. In Azure Active Directory, you can get a stronger account verification by requiring administrators to register for and use Azure Multi-Factor Authentication.

Require MFA for admins (preview) is a baseline policy that requires multi-factor authentication (MFA) for the following directory roles, considered to be the most privileged Azure AD roles:

  • Global administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional Access administrator
  • Security administrator
  • Helpdesk administrator / Password administrator
  • Billing administrator
  • User administrator

Sign in to Azure Portal as Global Administrator > Conditional Access

Click New > and Create Custome Conditional Access Policy based on your Requirement.

Buy Me A Coffee
Thank you for visiting. You can now buy me a coffee!