Monday 22 March 2021

Best Practices for Azure Multifactor Authentication (MFA)

When configuring Azure MFA and Conditional Access there is the potential to lock out all users from the system including the Azure Portal. As with any security control/mechanism, the costs of implementation and maintenance always need to be commensurate with the risks and costs of not implementing the control (e.g. assets at risk, reputational risk).

With this in mind, here are some key best practices you should follow when enabling MFA:

  1. Ensure that end users are adequately informed that MFA is coming, as it can negatively affect the user experience and cause confusion. Microsoft provides communication templates and end user documentation for this purpose (per https://www.microsoft.com/security/blog/2020/01/15/how-to-implement-multi-factor-authentication/).
  2. Always grant exclusions for every MFA policy - this will ensure there is always an MFA backdoor so you don't completely lock yourself out (especially if Conditional Access rules apply to all apps or the Azure portal). When enabling Conditional Access, make sure exclusions are made for:
    1. Administrators.
    2. Support staff.
    3. Any trusted IPs and known IP addresses/named locations.

  3. Testing - Use what-if policies to test effective permissions when making changes.
  4. Pilot changes using select groups to apply and test MFA policies.
  5. Don't block users who report fraud, as users can lock themselves out (this is less secure, but there is a danger of false positives).
  6. Don't use the MFA portal and Conditional Access at the same time - it's not a good idea to use MFA through the MFA control panel as well as Conditional Access. Disable user accounts for MFA management in the MFA portal beforehand if you are using Conditional Access - otherwise you'll have 2 competing rulesets.
  7. Use Azure Identity Protection (IdP) - a good way to ensure users are forced to register for MFA (MFA needs to be configured first) and to ensure MFA coverage. It also allows notifications, blocks, or an MFA requirement when administrative accounts are logged into during high sign-in risk activities, such as anomalous travel between sign-ins.
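
One way to check the exclusion rule in item 2 before a policy is enforced, as an added example that is not from the original post: it scans Conditional Access policies in the shape returned by Microsoft Graph and flags enforced MFA policies that target all users without excluding an emergency-access account or group. The policies, the group ID, the app ID and the function names are constructed for illustration.

```python
# Audit exported Conditional Access policies for lock-out risk (added example).
# Field names follow the Microsoft Graph conditionalAccessPolicy resource;
# every ID and policy below is a constructed placeholder.
BREAK_GLASS_IDS = {"00000000-0000-0000-0000-0000000000aa"}  # hypothetical group ID

def _policy(name, state, exclude_groups=(), apps=("All",)):
    """Build a constructed sample policy that requires MFA for all users."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": list(apps)},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    }

SAMPLE_POLICIES = [
    _policy("MFA - everyone, no exclusions", "enabled"),
    _policy("MFA - everyone, break-glass excluded", "enabled",
            exclude_groups=BREAK_GLASS_IDS),
    _policy("MFA - pilot in report-only", "enabledForReportingButNotEnforced"),
    _policy("MFA - one app, no exclusions", "enabled",
            apps=("11111111-1111-1111-1111-111111111111",)),
]

def lockout_findings(policies, break_glass_ids):
    """Return (name, scope) for enforced MFA policies that cover all users
    without excluding any emergency-access user or group."""
    findings = []
    for p in policies:
        if p.get("state") != "enabled":
            continue  # disabled and report-only policies are not enforced
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "mfa" not in controls:
            continue
        cond = p.get("conditions") or {}
        users = cond.get("users") or {}
        if "All" not in (users.get("includeUsers") or []):
            continue
        excluded = set(users.get("excludeUsers") or []) | set(users.get("excludeGroups") or [])
        if excluded & set(break_glass_ids):
            continue
        apps = (cond.get("applications") or {}).get("includeApplications") or []
        findings.append((p["displayName"], "all apps" if "All" in apps else "selected apps"))
    return findings

if __name__ == "__main__":
    for name, scope in lockout_findings(SAMPLE_POLICIES, BREAK_GLASS_IDS):
        print(f"LOCK-OUT RISK: '{name}' ({scope}) has no emergency-access exclusion")
```

The report-only pilot policy is not flagged because it is not enforced, which is why piloting in that state (items 3 and 4) is a safe way to test before switching a policy to enabled.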
