
Configure Azure AD Multi-Factor Authentication

You want to enable Azure AD Multi-Factor Authentication. There are two ways to do it: per-user MFA and Conditional Access based MFA. Before you can deploy Azure AD Conditional Access based Multi-Factor Authentication, you need an Azure AD Premium plan 1 or 2 license. In this article, you will learn how to configure Azure AD Multi-Factor Authentication with Conditional Access step by step.

Before you start

Do not enable MFA for all users at once. Otherwise, the IT support team will be flooded with phone calls and emails about the MFA enrollment or about applications that stop working.

  • Configure Conditional Access MFA with a couple of test users or with a pilot group first, before applying the MFA policy to all users.
  • Create instructions on how to set up MFA. Send them to the users by email, print them out and place them on their desks, or publish them on the intranet.

Do you already have per-user MFA configured in Microsoft 365 tenant, and you want to move to Conditional Access based MFA? Find out how to move from per-user MFA to Conditional Access MFA.

Check Azure AD Premium license

Check that you have Azure AD Premium plan 1 or 2. Sign in to Microsoft Azure. In the portal, navigate to Azure Active Directory > Overview. In the example below, there is an Azure AD Premium P2 license.

[Screenshot: Azure Active Directory Overview showing the Azure AD Premium P2 license]

In the next step, you will add locations to exclude from MFA.

Configure named locations

You don’t want to prompt users for MFA when they are inside the organization’s trusted network. To exclude those external IP addresses from MFA, we will use the Named locations feature in Azure Active Directory.

Browse to Azure Active Directory > Security > Named locations. Click IP ranges location.

[Screenshot: Azure AD named locations]

In this example, we will add two locations, the Head Office and the Branch Office, that we want to exclude from MFA. Add a name and the external IP address of the Head Office location.

[Screenshot: Named locations, add new location (Head Office)]

Do the same for the Branch Office location.

[Screenshot: Named locations, add new location (Branch Office)]

The external IP addresses show up in the Conditional Access named location list.

[Screenshot: Azure AD Conditional Access named locations list]

In the next step, you will create a Non-MFA security group for the accounts you will exclude from MFA.

Create Non-MFA security group

Keep in mind that you need to exclude service accounts from MFA. Service accounts are non-interactive accounts that are not tied to any particular user. They are usually used by back-end services for programmatic access to applications, but are also used to sign in to systems for administrative purposes. Such accounts must be excluded because an MFA challenge can’t be completed programmatically.

If you don’t have an on-premises Active Directory synced with Azure AD Connect (hybrid setup), create the security group directly in Azure AD. Otherwise, create it on-premises so that it syncs to the cloud:

Go to Active Directory Users and Computers. Create a security group with the name Non-MFA.

[Screenshot: Create the Non-MFA security group]

Double-click the Non-MFA security group.

[Screenshot: Non-MFA security group properties]

Add the Service Accounts to the group.

[Screenshot: Add service accounts to the Non-MFA security group]

Force a sync with Azure AD Connect or wait up to 30 minutes for the changes to sync to the cloud.

In the next step, you will enable MFA for all users with Azure AD Conditional Access.

Configure Azure AD Conditional Access MFA

Create a Conditional Access policy that forces MFA for all users. You can also scope it to a selected group of users, but we recommend enabling MFA for all users.

Step 1: New Policy

Browse to Azure Active Directory > Security > Conditional Access. Click New policy.

[Screenshot: Azure AD Conditional Access, new policy]

Step 2: Name

Give it the name MFA all users.

[Screenshot: Conditional Access policy name]

Step 3: Assignments

Click Users and groups, then Include. Select All users.

[Screenshot: Conditional Access policy, users and groups include settings]

Click Exclude. Select Users and groups. Select the Non-MFA security group that you created in the previous steps.

Do you have Azure AD Connect? Don’t forget to exclude the Azure AD Connect sync account from MFA. Read more about that in Conditional Access MFA breaks Azure AD Connect synchronization.

Do you have more service accounts in Azure AD? Create a Non-MFA-Azure security group in Azure AD and add these accounts to the group. After that, add the Non-MFA-Azure security group to the policy’s Exclude setting.

[Screenshot: Conditional Access policy, users and groups exclude settings]

Step 4: Cloud apps or actions

Click Cloud apps, then Include. Select All cloud apps.

[Screenshot: Conditional Access policy, cloud apps or actions include settings]

Step 5: Conditions

Click Conditions, then Locations. Click Yes. Click Include and select Any location.

[Screenshot: Conditional Access policy, conditions include settings]

Click Exclude and select Selected locations. Select the named locations that you created in the previous steps.

[Screenshot: Conditional Access policy, conditions exclude settings]

Step 6: Grant

Click Grant. Select Grant access. Tick the Require multi-factor authentication checkbox. Click Select.

[Screenshot: Conditional Access policy, grant settings]

Step 7: Enable policy

Set the Enable policy switch to On. Select I understand that my account will be impacted by this policy. Proceed anyway. Click Create.

Remember to test the Conditional Access MFA policy before you apply it to all users.

[Screenshot: Enable the Azure MFA Conditional Access policy]

The policy shows up in the Conditional Access policies list.

[Screenshot: Azure AD Conditional Access policies list]
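To check that the named locations and the Non-MFA exclusions behave as intended before you roll the policy out, the following added example (not from the original article or from Microsoft) describes the policy from steps 2 to 7 in the same shape Microsoft Graph uses for a conditionalAccessPolicy and evaluates sample sign-ins against it offline. The office IP ranges, group members and sign-ins are constructed placeholders.

```python
import ipaddress

# Constructed sample data, not from the article: RFC 5737 TEST-NET blocks stand in
# for the external IP ranges of the two named locations created earlier.
NAMED_LOCATIONS = {
    "Head Office": ["203.0.113.0/24"],
    "Branch Office": ["198.51.100.0/24"],
}
# Hypothetical membership of the Non-MFA group (service accounts only).
GROUP_MEMBERS = {"Non-MFA": {"svc-backup", "svc-monitoring"}}

# Policy body in the shape Microsoft Graph uses for a conditionalAccessPolicy,
# mirroring the settings chosen in the portal: all users and all cloud apps,
# minus the Non-MFA group and the trusted named locations, grant requires MFA.
POLICY = {
    "displayName": "MFA all users",
    "state": "enabled",  # use "enabledForReportingButNotEnforced" while piloting
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["Non-MFA"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": list(NAMED_LOCATIONS)},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def in_locations(ip, names):
    """True if ip falls inside any CIDR range of the given named locations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for name in names for cidr in NAMED_LOCATIONS[name])


def requires_mfa(user, ip, policy=POLICY):
    """Evaluate one sign-in (user, source IP) against the policy.

    Returns True when the policy applies and enforces MFA, False when the
    sign-in is out of scope (excluded group, excluded location, policy off).
    """
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    excluded = set().union(*(GROUP_MEMBERS.get(g, set())
                             for g in cond["users"]["excludeGroups"]))
    if user in excluded:
        return False  # service account in Non-MFA: never challenged
    if in_locations(ip, cond["locations"]["excludeLocations"]):
        return False  # trusted office network: no MFA prompt
    return "mfa" in policy["grantControls"]["builtInControls"]


def simulate(signins):
    """Map each (user, ip) pair to the expected outcome, e.g. for a pilot review."""
    return {(u, ip): requires_mfa(u, ip) for u, ip in signins}
```

Run simulate() over a list of sign-ins taken from the pilot group to confirm that only office IPs and Non-MFA members are exempt; any other account that comes back False is a gap in the policy scope.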

Verify your work

After you configure the policy, users will get a message that they need to set up MFA when they use services that require it, for example when they sign in to the Office 365 portal.

Users will not be prompted to set up MFA or to complete an MFA challenge if they sign in from the locations that are excluded from MFA, in this example the Head Office and the Branch Office.

Below is an example of what a user sees when signing in to the Office 365 portal after Azure AD Conditional Access based MFA is configured.

[Screenshot: Sign-in prompt "More information required"]

The user now follows the instructions that you provided to set up MFA.


Conclusion

In this article, you learned how to configure Azure AD Multi-Factor Authentication. Create a Non-MFA security group and add the service accounts to that group; otherwise, those accounts will have problems after you enable MFA. Before you roll out MFA to all users, test the policy on a couple of test users or a pilot group first. Don’t forget to create instructions on how to set up MFA and send them to the users.


ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started in Information Technology at a very young age, and his goal is to teach and inspire others.
