We have Azure AD Connect V1 running in the organization. We like to upgrade from…
You want to enable Azure AD Multi-Factor Authentication. There is a per-user MFA and Conditional Access based MFA. Before you can deploy Azure AD Conditional Access based Multi-Factor Authentication, you need Azure AD Premium plan 1 or 2. In this article, you will learn how to configure Azure AD Multi-Factor Authentication step by step.
Table of contents
- Before you start
- Configure Azure AD Conditional Access MFA
- Verify your work
Before you start
Do not enable MFA for all users at once. The IT support team will get phones and emails about the MFA enrollment or that applications are not functioning.
- Configure Conditional Access MFA with a couple of test users or with a Pilot group first before applying the MFA policy for all users.
- Create an instruction on how to set up MFA. Send the instruction to the users by email, print them out, place them on their desks, or place them on the intranet.
Microsoft did create excellent Multi-Factor Authentication rollout materials that you can download, edit and send to the users. The instruction that we always use is the Setup Microsoft Authenticator app authentication.
Do you already have per-user MFA configured in Microsoft 365 tenant, and you want to move to Conditional Access based MFA? Find out how to move from per-user MFA to Conditional Access MFA.
Check Azure AD Premium license
Check that you have Azure AD Premium plan 1 or 2. Sign in to Microsoft Azure. In the portal, navigate to Azure Active Directory > Overview. In the example below, there is an Azure AD Premium P2 license.
In the next step, you will choose the verification methods to the users.
Choose verification methods
Browse to Azure Active Directory > Security > MFA > Getting started. Click on Additional cloud-based MFA settings.
Under the tab service settings, you can choose the verification methods available to the users. Microsoft recommends enabling only the secure methods:
- Call to phone (not secure)
- Text message to phone (not secure)
- Notification through mobile app (secure)
- Verification code from mobile app or hardware token (secure)
In the next step, you will add locations to exclude from MFA.
Configure named locations
You don’t want to let users use MFA in the organization because they are in a trusted network. To whitelist the IP address locations, we will use the Named locations feature in Azure Active Directory.
Browse to Azure Active Directory > Security > Named locations. Click on IP ranges location.
In this example, we will add two locations. That’s the Head Office and Branch Office that we like to exclude from MFA. Add the name and external IP of the Head Office location.
Please do it again with the Branch Office location.
The external IP addresses show up in the Conditional Access named location list.
In the next step, you will create a Non-MFA security group for the accounts you will exclude from MFA.
Create Non-MFA security group
It’s good to know that you need to exclude Service Accounts from MFA. Service accounts are non-interactive accounts that are not tied to any particular user. They are usually used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can’t be completed programmatically.
If you don’t have an on-premises Active Directory synced with Azure AD Connect (Hybrid Cloud), create a security group in Azure AD.
Go to Active Directory Users and Computers. Create a security group with the name Non-MFA.
Double-click the Non-MFA security group.
Add the Service Accounts to the group.
Force sync Azure AD Connect or wait for 30 minutes before the changes are in sync with the cloud.
In the next step, you will enable MFA for all users with Azure AD Conditional Access.
Configure Azure AD Conditional Access MFA
Create a Conditional Access Policy to force MFA for all the users. You can select only a selected group of users. But, we recommend enabling MFA for all users.
Step 1: New Policy
Browse to Active Directory > Security > Conditional Access. Click New policy.
Step 2: Name
Give it the name MFA all users.
Step 3: Assignments
Click Users and groups and follow with Include. Select All users.
Click Exclude. Select Users and groups. Select the Non-MFA security group which you created in the previous steps.
Do you have Azure AD Connect? Don’t forget to exclude MFA for Azure AD Connect Sync Account. Read more about that in Conditional Access MFA breaks Azure AD Connect synchronization.
Do you have more Service Accounts in Azure AD? Create a Non-MFA-Azure security group in Azure AD and add these accounts to the group. After that, add the Non-MFA-Azure security group to the excluded policy setting.
Step 4: Cloud apps or actions
Click Cloud apps and follow with Include. Select All cloud apps.
Step 5: Conditions
Click Conditions and follow with Locations. Click on Yes. Click Include and select Any location.
Click Exclude and select Selected locations. Select the named locations that you created in the previous steps.
Step 6: Grant
Click Grant. Select Grant access. Check the checkbox Require multi-factor authentication. Click on Select.
Step 7: Enable policy
Click the On switch to enable the policy. Select I understand that my account will be impacted by this policy. Proceed anyway. Click Create.
Remember to test the Conditional Access MFA policy before you apply it to all the users.
The policy shows up in the Conditional Access policies list.
Verify your work
After you configure the policy, the users will get a message that they need to set up MFA when they use services that require MFA. For example, when they sign in to Office 365 portal.
Users will not get a notification to set up MFA or MFA authorization if they are at the locations which are excluded from MFA. In this example, the Head Office and the Branch Office.
Below is an example of how it looks when a user signs in to Office 365 portal after configuring Azure AD Conditional Access based MFA.
The user will now use the instruction that you provided to set up MFA.
In this article, you learned how to configure Azure AD Multi-Factor Authentication. Create a Non-MFA security group and add the Service Accounts to that group. Otherwise, the accounts will have problems after you enable MFA. Before you roll out MFA for all users, test the policy first on a couple of test users or a Pilot group. Don’t forget to create an instruction on how to set up MFA and send it to the users.
Did you enjoy this article? You may also like Install and configure Azure AD Connect. Don’t forget to follow us and share this article.