Enforce (Azure) MFA with Conditional Access policies
Posted On October 22, 2019
Multi-Factor Authentication (MFA) is an added security feature from Azure which I believe should be enabled by default for everybody in Office 365 and Azure. Therefore this manual shows how to enforce (Azure) MFA for all users using Azure Multi-Factor Authentication.
MFA can prevent unauthorized access in case of the following events:
Sign-ins from anonymous IP addresses
Impossible travel to atypical locations
Sign-ins from unfamiliar locations
Sign-ins from infected devices
Sign-ins from IP addresses with suspicious activities
Using Conditional Access we can ensure that your users and company data are safe. Important to know: Office 365 MFA is free of charge, but if you want to cover Azure AD applications an Azure AD Premium license is required.
If you want to mark your office locations as trusted locations, you can do that as long as you have a static public IP. So the first steps are there to define your office locations.
STEP 1: From the Azure portal go to Azure Active Directory, click on Conditional Access, then Named locations, and finally click on New location.
STEP 2: Fill in the name of the office, mark it as a trusted location and fill in the IP range. You can also use named locations to define countries and/or regions for which you always want to enforce MFA.
STEP 3: Now it's time to go ahead with the settings for MFA. From Azure Active Directory click on MFA, and choose Additional cloud-based MFA settings.
From the multi-factor authentication “service settings” we can change a few options. An important part of this page is the list of authentication methods available to users. Select the options that you would like to allow. You can also enable “remember MFA on trusted devices”.
Configure Conditional Access policies
STEP 4: Go back to Azure Active Directory, Conditional Access, Policies. Click on New policy.
STEP 5: First we assign the users that the policy applies to. You can either choose a group or, even better, select All users. (For this manual I’ve just added a group.)
STEP 6: Now we can select the cloud apps to enforce this policy on. I recommend applying this policy to all cloud apps.
STEP 7 (Optional): If you want to exclude the trusted locations from steps 1 and 2, you can do this on the Conditions tab. Go to Locations and configure the exclusion of all trusted locations as shown in the screenshot below.
STEP 8: On the Grant tab make sure that you Grant access, and mark the checkbox for Require multi-factor authentication.
STEP 9: Fill in the name of your policy, make sure that it is enabled and click Create. After this the policy should be effective within just a few minutes.
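The same configuration expressed as the Microsoft Graph objects the portal creates behind these steps, plus a small offline evaluator, as an added example that is not part of the original post. The office IP range, user names and sign-in IPs are constructed sample values; the evaluator is a simplified model of the policy logic (user scope, trusted-location exclusion, MFA grant), not Microsoft's engine.

```python
"""Steps 1-2 as an ipNamedLocation and steps 4-9 as a conditionalAccessPolicy
(Microsoft Graph schema), with a simplified evaluator to show which sign-ins
the policy catches. All addresses and names are constructed sample data."""
import ipaddress

# Step 1-2: trusted office location (203.0.113.0/24 is a constructed example range).
OFFICE_LOCATION = {
    "@odata.type": "#microsoft.graph.ipNamedLocation",
    "displayName": "Office HQ",
    "isTrusted": True,
    "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                  "cidrAddress": "203.0.113.0/24"}],
}


def build_mfa_policy(name, include_users=("All",), exclude_trusted=True):
    """Step 5 (users), step 6 (all cloud apps), step 7 (optional trusted-location
    exclusion), step 8 (grant with MFA) and step 9 (enabled). include_users is
    ["All"] or a list of user ids; a group-scoped policy would use includeGroups."""
    policy = {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": list(include_users)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
    if exclude_trusted:  # "AllTrusted" covers every named location marked isTrusted
        policy["conditions"]["locations"] = {"includeLocations": ["All"],
                                             "excludeLocations": ["AllTrusted"]}
    return policy


def requires_mfa(policy, user_id, source_ip, trusted_locations=(OFFICE_LOCATION,)):
    """True if a sign-in by user_id from source_ip is required to complete MFA."""
    if policy["state"] != "enabled":
        return False
    users = policy["conditions"]["users"]["includeUsers"]
    if "All" not in users and user_id not in users:
        return False  # user outside the policy scope: no MFA is enforced for them
    locations = policy["conditions"].get("locations")
    if locations and "AllTrusted" in locations.get("excludeLocations", []):
        addr = ipaddress.ip_address(source_ip)
        for named in trusted_locations:
            if named["isTrusted"] and any(addr in ipaddress.ip_network(r["cidrAddress"])
                                          for r in named["ipRanges"]):
                return False  # trusted office range is excluded by step 7
    return "mfa" in policy["grantControls"]["builtInControls"]
```

Running it against a group-scoped policy shows why the post prefers All users: a user who is not in the scope is never prompted, wherever they sign in from.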