Configure Azure Multi-Factor Authentication settings

Sagar Lad
9 min read · May 31, 2020
  • You can access settings related to Azure Multi-Factor Authentication using Azure Active Directory > Security > MFA.

Settings

Block and unblock users

Use the block and unblock users feature to prevent users from receiving authentication requests. Users remain blocked for 90 days from the time that they are blocked.

Block a user

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > Block/unblock users.
  3. Select Add to block a user.
  4. Select the Replication Group. Enter the username for the blocked user as username@domain.com. Enter a comment in the Reason field.
  5. Select Add to finish blocking the user.

Unblock a user

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > Block/unblock users.
  3. Select Unblock in the Action column next to the user to unblock.
  4. Enter a comment in the Reason for unblocking field.
  5. Select Unblock to finish unblocking the user.

Fraud alert

Configure the fraud alert feature so that your users can report fraudulent attempts to access their resources.

Turn on fraud alerts

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > Fraud alert.
  3. Set the Allow users to submit fraud alerts setting to On.
  4. Select Save.

Configuration options

  • Block user when fraud is reported: If a user reports fraud, their account is blocked for 90 days or until an administrator unblocks their account.
  • Code to report fraud during initial greeting: When users receive a phone call to perform two-step verification, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #.

View fraud reports

  1. Sign in to the Azure portal.
  2. Select Azure Active Directory > Sign-ins > Authentication Details. The fraud report is now part of the standard Azure AD Sign-ins report and it will show in the “Result Detail” as MFA denied, Fraud Code Entered.
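The same "Result Detail" value can be used to pull fraud reports out of an exported sign-in log. The following Python is an added example, not code from the original post or from Microsoft. It assumes (assumption, not from the page) that each exported record is shaped like a Microsoft Graph sign-in object with userPrincipalName, createdDateTime, ipAddress and status.additionalDetails; the sample records are constructed, and the 90-day block expiry follows the fraud alert setting described above.

```python
"""Find MFA fraud reports in exported Azure AD sign-in records.

Added example, not from the original post or from Microsoft. Assumed
record shape (assumption): a Microsoft Graph-style sign-in object with
'userPrincipalName', 'createdDateTime', 'ipAddress' and
'status.additionalDetails', where the page says the fraud report shows
in Result Detail as "MFA denied, Fraud Code Entered".
"""
from datetime import datetime, timedelta, timezone

FRAUD_RESULT_DETAIL = "MFA denied, Fraud Code Entered"
BLOCK_DAYS = 90  # page: the account is blocked for 90 days unless an admin unblocks it

# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2020-05-30T08:12:45Z",
     "ipAddress": "203.0.113.10", "status": {"additionalDetails": "MFA completed in Azure AD"}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2020-05-30T09:03:12Z",
     "ipAddress": "198.51.100.7", "status": {"additionalDetails": "MFA denied, Fraud Code Entered"}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2020-05-30T09:05:40Z",
     "ipAddress": "198.51.100.7", "status": {"additionalDetails": "MFA denied, Fraud Code Entered"}},
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2020-05-31T17:48:03Z",
     "ipAddress": "203.0.113.44", "status": {"additionalDetails": "MFA denied, Fraud Code Entered"}},
    {"userPrincipalName": "dave@contoso.example", "createdDateTime": "2020-05-31T18:00:00Z",
     "ipAddress": "203.0.113.12", "status": {}},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_fraud_reports(records):
    """Return one entry per fraud report, with the expected end of the 90-day block."""
    reports = []
    for rec in records:
        detail = (rec.get("status") or {}).get("additionalDetails") or ""
        if detail.strip().lower() != FRAUD_RESULT_DETAIL.lower():
            continue
        reported_at = parse_time(rec["createdDateTime"])
        reports.append({
            "user": rec["userPrincipalName"],
            "ip": rec.get("ipAddress"),
            "reported_at": reported_at,
            "block_expires": reported_at + timedelta(days=BLOCK_DAYS),
        })
    return reports


def summarize_by_user(reports):
    """Group fraud reports per user: count, source IPs, and earliest block expiry."""
    summary = {}
    for r in reports:
        entry = summary.setdefault(
            r["user"], {"count": 0, "ips": set(), "block_expires": r["block_expires"]})
        entry["count"] += 1
        entry["ips"].add(r["ip"])
        entry["block_expires"] = min(entry["block_expires"], r["block_expires"])
    return summary


if __name__ == "__main__":
    for user, info in summarize_by_user(find_fraud_reports(SAMPLE_SIGNINS)).items():
        print(f"{user}: {info['count']} report(s) from {sorted(info['ips'])}, "
              f"blocked until {info['block_expires']:%Y-%m-%d} unless unblocked by an admin")
```

The per-user summary is the view an on-call engineer wants: repeated reports from one source IP for the same account are worth a closer look at that account, and the expiry column tells you when the automatic block lapses if nobody acts.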

Notifications

Configure email addresses here for users who will receive fraud alert emails in Azure Active Directory > Security > Multi-Factor Authentication > Notifications.

Phone call settings

Caller ID

MFA caller ID number — This is the number your users will see on their phone. Only US-based numbers are allowed.

When Multi-Factor Authentication calls are placed through the public telephone network, sometimes they are routed through a carrier that doesn’t support caller ID. Because of this, caller ID is not guaranteed, even though the Multi-Factor Authentication system always sends it.

Custom voice messages

You can use your own recordings or greetings for two-step verification with the custom voice messages feature. These messages can be used in addition to or to replace the Microsoft recordings.

Before you begin, be aware of the following restrictions:

  • The supported file formats are .wav and .mp3.
  • The file size limit is 1 MB.
  • Authentication messages should be shorter than 20 seconds.
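Checking a recording against these three restrictions before uploading it avoids a rejected upload and, more importantly, a greeting that gets cut off mid-sentence. The following Python is an added example, not code from the original post or from Microsoft. It assumes 1 MB means 1,048,576 bytes (the page does not say which definition the portal uses) and measures duration only for WAV files, since reading an MP3 duration needs a decoder the standard library lacks; make_silent_wav and check_greeting are this example's own names.

```python
"""Pre-upload checks for a custom MFA greeting file.

Added example, not from the original post or from Microsoft. It enforces the
three restrictions the page lists (.wav or .mp3, at most 1 MB, shorter than
20 seconds). Assumption: 1 MB is taken as 1,048,576 bytes. Duration is
measured only for WAV files.
"""
import io
import os
import wave

MAX_BYTES = 1024 * 1024   # page: file size limit is 1 MB (assumed binary MB)
MAX_SECONDS = 20.0        # page: messages should be shorter than 20 seconds
ALLOWED_EXTENSIONS = {".wav", ".mp3"}


def wav_duration_seconds(data):
    """Duration of a WAV file held in memory, from its frame count and sample rate."""
    with wave.open(io.BytesIO(data), "rb") as wav:
        return wav.getnframes() / float(wav.getframerate())


def check_greeting(filename, data):
    """Return a list of problems; an empty list means the file passes all checks."""
    problems = []
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"unsupported format {ext or '(none)'}; use .wav or .mp3")
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, over the {MAX_BYTES} byte limit")
    if ext == ".wav":
        try:
            duration = wav_duration_seconds(data)
        except (wave.Error, EOFError):
            problems.append("not a valid WAV file")
        else:
            if duration >= MAX_SECONDS:
                problems.append(
                    f"message is {duration:.1f} s; must be shorter than {MAX_SECONDS:.0f} s")
    return problems


def make_silent_wav(seconds, sample_rate=8000):
    """Build a constructed mono 16-bit silent WAV file for exercising the checks."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wav:
        wav.setnchannels(1)
        wav.setsampwidth(2)
        wav.setframerate(sample_rate)
        wav.writeframes(b"\x00\x00" * int(seconds * sample_rate))
    return buf.getvalue()


if __name__ == "__main__":
    for name, payload in [("greeting.wav", make_silent_wav(5)),
                          ("long.wav", make_silent_wav(25)),
                          ("big.wav", make_silent_wav(70)),
                          ("greeting.ogg", b"OggS not really audio")]:
        result = check_greeting(name, payload)
        print(name, "OK" if not result else "; ".join(result))
```

A 70-second file at 8 kHz mono already exceeds both the size and the duration limit, which is why the checks are collected into a list rather than stopping at the first failure: the administrator sees everything that needs fixing in one pass.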

Custom message language behavior

When a custom voice message is played to the user, the language of the message depends on these factors:

  • The language of the current user.
      • The language detected by the user’s browser.
      • Other authentication scenarios may behave differently.
  • The language of any available custom messages.
      • This language is chosen by the administrator when a custom message is added.

For example, if there is only one custom message, with a language of German:

  • A user who authenticates in the German language will hear the custom German message.

Set up a custom message

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > Phone call settings.
  3. Select Add greeting.
  4. Choose the type of greeting.
  5. Choose the language.
  6. Select an .mp3 or .wav sound file to upload.
  7. Select Add.

One-time bypass

The one-time bypass feature allows a user to authenticate a single time without performing two-step verification. The bypass is temporary and expires after a specified number of seconds. In situations where the mobile app or phone is not receiving a notification or phone call, you can allow a one-time bypass so the user can access the desired resource.

Create a one-time bypass

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > One-time bypass.
  3. Select Add.
  4. If necessary, select the replication group for the bypass.
  5. Enter the username as username@domain.com. Enter the number of seconds that the bypass should last. Enter the reason for the bypass.
  6. Select Add. The time limit goes into effect immediately. The user needs to sign in before the one-time bypass expires.

View the one-time bypass report

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Security > MFA > One-time bypass.

Caching rules

You can set a time period to allow authentication attempts after a user is authenticated by using the caching feature. Subsequent authentication attempts for the user within the specified time period succeed automatically. Caching is primarily used when on-premises systems, such as a VPN, send multiple verification requests while the first request is still in progress.

Set up caching

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > Caching rules.
  3. Select Add.
  4. Select the cache type from the drop-down list. Enter the maximum number of cache seconds.
  5. If necessary, select an authentication type and specify an application.
  6. Select Add.
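One-time bypass and caching rules are both time windows in which a sign-in is allowed without a fresh second factor, and they fail in different ways: a bypass is single-use and expires after the number of seconds entered, while the cache window restarts from each completed verification. The following Python is an added example, not code from the original post or from Microsoft, that models exactly those two rules so the behaviour can be reasoned about before a support engineer grants a bypass; MfaGate, FakeClock and the scenario are this example's own constructs.

```python
"""Model the time windows of one-time bypass and caching rules.

Added example, not from the original post or from Microsoft; it shows the
decision logic the page describes (a bypass is single-use and expires after N
seconds; after a successful authentication, further attempts inside the cache
window succeed automatically). Names such as MfaGate and FakeClock are this
example's own.
"""
from dataclasses import dataclass
import time


@dataclass
class OneTimeBypass:
    issued_at: float
    seconds: int
    reason: str
    used: bool = False


class MfaGate:
    def __init__(self, cache_seconds, clock=time.time):
        self.cache_seconds = cache_seconds    # page: "maximum number of cache seconds"
        self.clock = clock                    # injectable so the scenario is deterministic
        self._bypasses = {}                   # user -> OneTimeBypass
        self._last_success = {}               # user -> timestamp of last verified sign-in

    def grant_one_time_bypass(self, user, seconds, reason):
        """Admin grants a bypass; the time limit starts immediately, as the page states."""
        self._bypasses[user] = OneTimeBypass(self.clock(), seconds, reason)

    def record_success(self, user):
        """Call after the user completed two-step verification; starts the cache window."""
        self._last_success[user] = self.clock()

    def evaluate(self, user):
        """Return ('allow', why) if no second factor is needed now, else ('verify', why)."""
        now = self.clock()
        last = self._last_success.get(user)
        if last is not None and now - last <= self.cache_seconds:
            return "allow", "within cache window"
        bypass = self._bypasses.get(user)
        if bypass is not None and not bypass.used:
            if now - bypass.issued_at <= bypass.seconds:
                bypass.used = True            # single use: the next attempt must verify
                return "allow", f"one-time bypass ({bypass.reason})"
            del self._bypasses[user]          # expired without being used
        return "verify", "second factor required"


class FakeClock:
    """Constructed clock so the scenario below is reproducible."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def scenario():
    """Walk through both features; returns the decisions in order."""
    clock = FakeClock()
    gate = MfaGate(cache_seconds=60, clock=clock)
    decisions = []
    decisions.append(gate.evaluate("alice"))                  # nothing granted: verify
    gate.grant_one_time_bypass("alice", 300, "phone not receiving calls")
    decisions.append(gate.evaluate("alice"))                  # bypass consumed: allow
    decisions.append(gate.evaluate("alice"))                  # already used: verify
    gate.grant_one_time_bypass("bob", 120, "app notification lost")
    clock.advance(121)
    decisions.append(gate.evaluate("bob"))                    # expired unused: verify
    gate.record_success("alice")
    clock.advance(30)
    decisions.append(gate.evaluate("alice"))                  # inside 60 s cache: allow
    clock.advance(31)
    decisions.append(gate.evaluate("alice"))                  # cache lapsed: verify
    return [d[0] for d in decisions]


if __name__ == "__main__":
    print(scenario())
```

Two design points carry over to the real feature: the bypass is consumed on first use even if the user's session then fails for another reason, and an expired bypass is simply discarded, so a user who was slow to sign in needs a new one rather than an extension of the old one.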

MFA service settings

Settings for app passwords, trusted IPs, verification options, and remember multi-factor authentication for Azure Multi-Factor Authentication can be found in service settings. Service settings can be accessed from the Azure portal by browsing to Azure Active Directory > Security > MFA > Getting started > Configure > Additional cloud-based MFA settings.

The trusted IP address ranges can be private or public.

App passwords

You can use an app password in place of your traditional password to allow an app to bypass two-step verification and continue working.

App passwords do not work with Conditional Access based multi-factor authentication policies and modern authentication.

Considerations about app passwords

When using app passwords, consider the following important points:

  • App passwords are only entered once per application. Users don’t have to keep track of the passwords or enter them every time.
  • The actual password is automatically generated and is not supplied by the user. The automatically generated password is harder for an attacker to guess and is more secure.
  • There is a limit of 40 passwords per user.
  • Applications that cache passwords and use them in on-premises scenarios can start to fail because the app password isn’t known outside the work or school account.
  • After Multi-Factor Authentication is enabled on a user’s account, app passwords can be used with most non-browser clients like Outlook and Microsoft Skype for Business.

Guidance for app password names

App password names should reflect the device on which they’re used. If you have a laptop that has non-browser applications like Outlook, Word, and Excel, create one app password named Laptop for these apps.

Federated or single sign-on app passwords

Azure AD supports federation, or single sign-on (SSO), with on-premises Windows Server Active Directory Domain Services (AD DS). If your organization is federated with Azure AD and you’re using Azure Multi-Factor Authentication, consider the following points about app passwords.

The following points apply only to federated (SSO) customers.

  • App passwords are verified by Azure AD, and therefore, bypass federation. Federation is actively used only when setting up app passwords.
  • The Identity Provider (IdP) is not contacted for federated (SSO) users, unlike the passive flow. The app passwords are stored in the work or school account.
  • On-premises client Access Control settings aren’t honored by the app passwords feature.
  • No on-premises authentication logging/auditing capability is available for use with the app passwords feature.

Allow users to create app passwords

By default, users can’t create app passwords. The app passwords feature must be enabled. To give users the ability to create app passwords, use the following procedure:

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users.
  3. Select Multi-Factor Authentication.
  4. Under Multi-Factor Authentication, select service settings.
  5. On the Service Settings page, select the Allow users to create app passwords to sign in to non-browser apps option.

Trusted IPs

The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or federated tenant. The feature bypasses two-step verification for users who sign in from the company intranet.

Enable named locations by using Conditional Access

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Security > Conditional Access > Named locations.
  3. Select New location.
  4. Enter a name for the location.
  5. Select Mark as trusted location.
  6. Enter the IP Range in CIDR notation like 192.168.1.1/24.
  7. Select Create.

Enable the Trusted IPs feature by using Conditional Access

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Security > Conditional Access > Named locations.
  3. Select Configure MFA trusted IPs.
  4. On the Service Settings page, under Trusted IPs, choose from any of the following two options:

Enable the Trusted IPs feature by using service settings

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users.
  3. Select Multi-Factor Authentication.
  4. Under Multi-Factor Authentication, select service settings.
  5. On the Service Settings page, under Trusted IPs, choose one (or both) of the following two options:
  • For requests from federated users on my intranet: To choose this option, select the check box. All federated users who sign in from the corporate network bypass two-step verification by using a claim that is issued by AD FS. Ensure that AD FS has a rule to add the intranet claim to the appropriate traffic. If the rule does not exist, create the following rule in AD FS:
  • For requests from a specified range of IP address subnets: To choose this option, enter the IP addresses in the text box by using CIDR notation.
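Because every address inside a trusted range skips two-step verification, the ranges deserve the same review as any other allow-list: the portal example above, 192.168.1.1/24, has host bits set and really means 192.168.1.0/24, and a typo such as /8 instead of /28 widens the exemption enormously. The following Python is an added example, not code from the original post or from Microsoft; it normalizes pasted CIDR ranges, flags private or broad ones, and reports which constructed sample sign-ins would bypass MFA. The /16 breadth threshold and the sample data are this example's assumptions.

```python
"""Check sign-in source addresses against MFA trusted IP ranges.

Added example, not from the original post or from Microsoft. It normalizes
the CIDR ranges an admin would paste into Trusted IPs or a named location,
flags ranges that are private or very broad, and reports which sample
sign-ins would skip two-step verification. The /16 breadth threshold is this
example's assumption, not a value from the page.
"""
import ipaddress

BROAD_PREFIX_LEN = 16  # assumption: anything wider than /16 gets a review flag


def normalize_range(cidr):
    """Parse a CIDR string the way the portal example does (host bits allowed) and report cleanup."""
    network = ipaddress.ip_network(cidr.strip(), strict=False)
    return {
        "given": cidr.strip(),
        "network": str(network),
        "host_bits_dropped": str(network) != cidr.strip(),   # 192.168.1.1/24 -> 192.168.1.0/24
        "private": network.is_private,                       # page: ranges may be private or public
        "addresses": network.num_addresses,
        "broad": network.prefixlen < BROAD_PREFIX_LEN,
    }


def is_trusted(ip, networks):
    """True when the address falls inside any trusted range; a v4/v6 mismatch never matches."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_signins(signins, cidrs):
    """For each sign-in, say whether the trusted IPs feature would bypass two-step verification."""
    networks = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]
    return [{"user": s["user"], "ip": s["ip"], "mfa_bypassed": is_trusted(s["ip"], networks)}
            for s in signins]


# Constructed samples (not real data).
TRUSTED = ["192.168.1.1/24", "203.0.113.0/28", "2001:db8::/32"]
SAMPLE_SIGNINS = [
    {"user": "alice@contoso.example", "ip": "192.168.1.77"},
    {"user": "bob@contoso.example", "ip": "203.0.113.9"},
    {"user": "bob@contoso.example", "ip": "203.0.113.200"},
    {"user": "carol@contoso.example", "ip": "2001:db8:1::5"},
    {"user": "dave@contoso.example", "ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for info in map(normalize_range, TRUSTED):
        flags = [k for k in ("host_bits_dropped", "private", "broad") if info[k]]
        print(f"{info['given']:>18} -> {info['network']:<18} {info['addresses']} addresses {flags}")
    for row in classify_signins(SAMPLE_SIGNINS, TRUSTED):
        print(row)
```

Running the classification over a day of exported sign-ins is a cheap way to confirm that the exemption is hitting only the egress addresses you expect; any bypassed sign-in from an address nobody recognizes means the range list, not the user, is what needs attention.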

Verification methods

When your users enroll their accounts for Azure Multi-Factor Authentication, they choose their preferred verification method from the options that you have enabled.

Enable and disable verification methods

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users.
  3. Select Multi-Factor Authentication.
  4. Under Multi-Factor Authentication, select service settings.
  5. On the Service Settings page, under verification options, select/unselect the methods to provide to your users.
  6. Click Save.

Remember Multi-Factor Authentication

The remember Multi-Factor Authentication feature for devices and browsers that are trusted by the user is a free feature for all Multi-Factor Authentication users.

How the feature works

The remember Multi-Factor Authentication feature sets a persistent cookie on the browser when a user selects the Don’t ask again for X days option at sign-in. The user isn’t prompted again for Multi-Factor Authentication from that same browser until the cookie expires. If the user opens a different browser on the same device or clears their cookies, they’re prompted again to verify.

Enable remember Multi-Factor Authentication

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users.
  3. Select Multi-Factor Authentication.
  4. Under Multi-Factor Authentication, select service settings.
  5. On the Service Settings page, under manage remember multi-factor authentication, select the Allow users to remember multi-factor authentication on devices they trust option.
  6. Set the number of days to allow trusted devices to bypass two-step verification. The default is 14 days.
  7. Select Save.
