Almost 90% of security incidents reported in the last 5 years were due to identity misconfiguration. The same trend shows in how the OWASP Top 10 changed from 2017 to 2021: "Broken Access Control" is now listed as the top security issue for organizations globally to tackle.
This will be a multi-part blog demonstrating different Microsoft security solutions for validating and protecting identities across the digital landscape. In Part-01 we discuss Multi-Factor Authentication (MFA) and how we can use this feature to simplify basic user access control and secure user accounts in our organization.
Part-01: Implementing Multi-Factor Authentication (MFA)
With an active Azure subscription, let us provision two users to implement and validate the MFA feature provided by Microsoft's Entra ID service. Right after we have logged into the Azure portal, this is the main dashboard available to us.
[Image: MS Azure dashboard]
Now we can either search for Entra ID from the search bar or select it from the services listed under the Azure Services header. Let's navigate to the Entra ID service and select Users under Manage.
[Image: Manage users in Entra portal]
This shows us all the users currently active in MS Entra; if you have not created any user yet, you will only see one user, which is your admin account. So, let's add two users for now using the Add button at the top. This allows us to create users and also to invite users for collaboration, but in this instance we are adding users to our MS Entra account.
[Image: Adding users]
While creating these accounts, let us make use of the auto-generated password for logging in and testing out MFA, as these accounts will be prompted to change the password on future logins.
[Image: Add Basic Info]
After adding the basic information, let's head over to the Properties tab to fill out the other Identity Information, the Manager for this account/user, and the Usage Location under Settings before we review and create this test account. I have chosen myself for the manager role for these test accounts, so we naturally select the admin account to manage this user.
[Image: Add Manager for this test account]
Finally, we have to add the location information too. As I am currently based in India, I will be choosing India. This will play a role in testing out PIM, PAM and Conditional Access in follow-up blogs.
[Image: Add User Access Location]
I have now created two test users for enabling and validating the MFA features. You should also see them in the Users screen, which lists all active accounts.
[Image: Users list]
We are done configuring and provisioning users for MFA. As of now there are two options for MFA:
- Per-User MFA
- MS Entra ID Authentication Methods
Let's take a look at Per-User MFA first, as this is foundational to the other MFA options in MS Entra. This is where we simply select one of the test accounts we created and enable Per-User MFA. Enabling it for an account still lets the user skip this process whenever they log in, for about 14 days; but when we Enforce MFA right after enabling it, the user has no option to skip it and must go through the MFA steps to get access to your organization's Azure portal.
[Image: Enabling Per-User MFA]
[Image: Enable and Enforce MFA]
As you can see, I have enabled and enforced Per-User MFA for TestUser01, and now we can verify that this is working as configured so far. To validate this, let us use any other browser and try logging into the Azure portal using the email and password associated with the test account for which we created, enabled and enforced Per-User MFA.
[Image: MFA Dialogue Screen]
Here we see the Action Required message after we have provided the credentials for the MFA-enabled account. Clicking Next requires that user to authenticate using an authenticator app. I have already downloaded the Microsoft Authenticator app and have done my account setup in there. We need to add the test account as a Work or School Account when asked to scan the QR code through the authenticator app.
[Image: Adding the test account in MS Authenticator app]
After clicking Next, we are prompted to enter a two-digit code through the authenticator app before we can successfully log in to the Azure portal.
[Image: MS Authenticator 2-digit code]
[Image: Success Message]
[Image: Successful Login through MFA]
With the correct entry of the code through the authenticator app, we see a success message screen and then the Azure portal welcome screen. You can now see the test account in the top right corner of the window. We have successfully tested the Per-User MFA feature provided by MS Entra ID.
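Clicking through the portal tells us the state of one account at a time. The following script is an added example (not the blog's own code) that checks the same two things from Microsoft Graph for each test account: whether Per-User MFA is disabled, enabled or enforced, and whether the user has actually registered an MFA method yet. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can consent to the listed read-only scopes, and that the UPNs are placeholders for your tenant.

```powershell
# Added example, not part of the original post: audit Per-User MFA state and MFA
# registration for the test accounts created above.
# Assumptions: Microsoft.Graph SDK installed; admin can consent to the scopes below;
# the UPNs are placeholders for the two test users in your tenant.
$TestUsers = @(
    "TestUser01@yourtenant.onmicrosoft.com",   # placeholder
    "TestUser02@yourtenant.onmicrosoft.com"    # placeholder
)

# Read-only scopes: user lookup, per-user MFA state, and the registration report.
Connect-MgGraph -Scopes "User.Read.All","Policy.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

function Get-MfaPosture {
    param([string]$Upn)

    $user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName

    # Per-User MFA state is exposed only on the beta endpoint: disabled | enabled | enforced.
    $req = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/requirements"

    # The registration report shows whether the user has finished the Authenticator setup.
    $reg = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails/$($user.Id)"

    $state = $req.perUserMfaState
    if ($state -eq 'disabled') {
        $finding = 'Per-User MFA is disabled'
    } elseif ($state -eq 'enabled') {
        $finding = 'Enabled only: the user can still skip registration for about 14 days'
    } elseif (-not $reg.isMfaRegistered) {
        $finding = 'Enforced, but no MFA method registered yet (next sign-in forces setup)'
    } else {
        $finding = 'OK'
    }

    [pscustomobject]@{
        User            = $user.UserPrincipalName
        PerUserMfaState = $state
        MfaRegistered   = [bool]$reg.isMfaRegistered
        Methods         = (@($reg.methodsRegistered) -join ', ')
        Finding         = $finding
    }
}

$TestUsers | ForEach-Object { Get-MfaPosture -Upn $_ } | Format-Table -AutoSize
```

Right after enforcing MFA in the portal and before the test user's first login, the report row shows Enforced with MfaRegistered false, which is exactly the state the browser test above then resolves.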
Per-User MFA is a service associated with Azure Active Directory, which has now been renamed Entra ID, and with this new service we get extra capabilities for enforcing MFA. Entra ID offers a lot more than MFA through push notifications, and these can be found under Manage > Security > Authentication Methods. You can navigate to the following screen, which lists all the Authentication Methods provided by Entra ID and how they work together as a robust way of treating Identity as the Primary Security Perimeter.
[Image: Security options in MS Entra ID]
[Image: All the Authentication Methods]
This concludes the first part of this blog. We have walked through the essential steps to enable and configure MFA, from setting it up for our users to addressing common challenges. As threats evolve, so must our security strategy, and MFA is a critical first step in building a resilient identity management framework.
Stay tuned for the next part of this series, where we dive deeper into Privileged Identity Management (PIM) and Privileged Access Management (PAM) to explore how to manage elevated access securely and efficiently.