Configure Azure Multi-Factor Authentication settings

Settings

Block and unblock users

Use the block and unblock users feature to prevent users from receiving authentication requests. Users remain blocked for 90 days from the time that they are blocked.

Block a user

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > Block/unblock users.
  3. Select Add to block a user.
  4. Select the Replication Group. Enter the username for the blocked user as username@domain.com. Enter a comment in the Reason field.
  5. Select Add to finish blocking the user.

Unblock a user

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > Block/unblock users.
  3. Select Unblock in the Action column next to the user to unblock.
  4. Enter a comment in the Reason for unblocking field.
  5. Select Unblock to finish unblocking the user.

Fraud alert

Configure the fraud alert feature so that your users can report fraudulent attempts to access their resources.

Turn on fraud alerts

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > Fraud alert.
  3. Set the Allow users to submit fraud alerts setting to On.
  4. Select Save.

Configuration options

  • Block user when fraud is reported: If a user reports fraud, their account is blocked for 90 days or until an administrator unblocks their account.
  • Code to report fraud during initial greeting: When users receive a phone call to perform two-step verification, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #.

View fraud reports

  1. Sign in to the Azure portal.
  2. Select Azure Active Directory > Sign-ins > Authentication Details. The fraud report is now part of the standard Azure AD Sign-ins report and it will show in the “Result Detail” as MFA denied, Fraud Code Entered.
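Reviewing fraud reports by hand in the portal does not scale, so the following added example (not code from the page or from Microsoft) shows how to pick the fraud reports out of exported sign-in records and work out when the automatic 90-day block from "Block user when fraud is reported" lapses. The records are constructed samples in a trimmed-down shape, and the field names (`createdDateTime`, `userPrincipalName`, `ipAddress`, `resultDetail`) are assumptions for the example; the match string follows the "MFA denied, Fraud Code Entered" result detail the page names.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real log data) in a simplified sign-in
# report shape. "resultDetail" mirrors the "Result Detail" column value the
# page says a fraud report produces.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2021-03-02T08:15:20Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "resultDetail": "MFA completed in Azure AD"},
    {"createdDateTime": "2021-03-02T08:17:42Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "resultDetail": "MFA denied, Fraud Code Entered"},
    {"createdDateTime": "2021-03-02T09:01:05Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "203.0.113.44", "resultDetail": "MFA denied, user declined the authentication"},
    {"createdDateTime": "2021-03-03T11:30:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "resultDetail": "mfa denied, fraud code entered"},
]

FRAUD_BLOCK_DAYS = 90  # per the page: a fraud report blocks the account for 90 days


def is_fraud_report(entry):
    """Case-insensitive match on the result detail a fraud code produces."""
    detail = entry.get("resultDetail", "").lower()
    return "mfa denied" in detail and "fraud code entered" in detail


def fraud_reports(entries):
    """One summary per fraud report: who reported, when, the source IP of the
    sign-in that triggered the prompt, and the date the automatic block
    expires unless an administrator unblocks the user earlier."""
    out = []
    for entry in entries:
        if not is_fraud_report(entry):
            continue
        reported = datetime.fromisoformat(entry["createdDateTime"].replace("Z", "+00:00"))
        out.append({
            "user": entry["userPrincipalName"],
            "reported_at": reported.isoformat(),
            "source_ip": entry["ipAddress"],
            "blocked_until": (reported + timedelta(days=FRAUD_BLOCK_DAYS)).date().isoformat(),
        })
    return out


def repeat_reporters(entries):
    """Users with more than one fraud report. Repeated unsolicited prompts
    usually mean the password itself is already in someone else's hands and
    should be reset, not just the MFA prompt denied."""
    counts = {}
    for report in fraud_reports(entries):
        counts[report["user"]] = counts.get(report["user"], 0) + 1
    return sorted(user for user, n in counts.items() if n > 1)


if __name__ == "__main__":
    print(json.dumps(fraud_reports(SAMPLE_SIGNINS), indent=2))
    print("repeat reporters:", repeat_reporters(SAMPLE_SIGNINS))
```

The `source_ip` is the interesting field for the responder: it belongs to whoever supplied the correct password, so it feeds the block decision and a password reset rather than being left in the report.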

Notifications

Configure email addresses here for users who will receive fraud alert emails in Azure Active Directory > Security > Multi-Factor Authentication > Notifications.

Phone call settings

Caller ID

MFA caller ID number — This is the number your users will see on their phone. Only US-based numbers are allowed.

When Multi-Factor Authentication calls are placed through the public telephone network, sometimes they are routed through a carrier that doesn’t support caller ID. Because of this, caller ID is not guaranteed, even though the Multi-Factor Authentication system always sends it.

Custom voice messages

You can use your own recordings or greetings for two-step verification with the custom voice messages feature. These messages can be used in addition to or to replace the Microsoft recordings.

Before you begin, be aware of the following restrictions:

  • The file size limit is 1 MB.
  • Authentication messages should be shorter than 20 seconds.

Custom message language behavior

When a custom voice message is played to the user, the language of the message depends on these factors:

  • The language detected by the user’s browser. (Other authentication scenarios may behave differently.)
  • The language of any available custom messages. (This language is chosen by the administrator when a custom message is added.)

For example, if there is only one custom message, with a language of German:

Set up a custom message

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > Phone call settings.
  3. Select Add greeting.
  4. Choose the type of greeting.
  5. Choose the language.
  6. Select an .mp3 or .wav sound file to upload.
  7. Select Add.

One-time bypass

The one-time bypass feature allows a user to authenticate a single time without performing two-step verification. The bypass is temporary and expires after a specified number of seconds. In situations where the mobile app or phone is not receiving a notification or phone call, you can allow a one-time bypass so the user can access the desired resource.

Create a one-time bypass

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > One-time bypass.
  3. Select Add.
  4. If necessary, select the replication group for the bypass.
  5. Enter the username as username@domain.com. Enter the number of seconds that the bypass should last. Enter the reason for the bypass.
  6. Select Add. The time limit goes into effect immediately. The user needs to sign in before the one-time bypass expires.

View the one-time bypass report

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Security > MFA > One-time bypass.

Caching rules

You can set a time period to allow authentication attempts after a user is authenticated by using the caching feature. Subsequent authentication attempts for the user within the specified time period succeed automatically. Caching is primarily used when on-premises systems, such as a VPN, send multiple verification requests while the first request is still in progress.

Set up caching

  1. Sign in to the Azure portal as an administrator.
  2. Browse to Azure Active Directory > Security > MFA > Caching rules.
  3. Select Add.
  4. Select the cache type from the drop-down list. Enter the maximum number of cache seconds.
  5. If necessary, select an authentication type and specify an application.
  6. Select Add.
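The one-time bypass and the caching rule above are both time-bounded exceptions to two-step verification, and the difference between them (single use versus any number of requests inside the window) is easiest to see in code. The following is an added example that models the behaviour the page describes; it is not Microsoft's implementation or code from the page, the class and function names are invented for the illustration, and the timeline values are constructed integers standing in for seconds.

```python
from dataclasses import dataclass


@dataclass
class BypassEntry:
    username: str
    issued_at: int   # seconds on a constructed timeline (plain integers in the demo)
    seconds: int
    reason: str
    used: bool = False


class OneTimeBypassStore:
    """Model of the one-time bypass: good for exactly one sign-in, and only
    until issued_at + seconds. Anything else falls back to full verification."""

    def __init__(self):
        self.entries = {}   # username -> BypassEntry
        self.audit = []     # (username, event, at): what a bypass report would list

    def create(self, username, seconds, reason, now):
        if seconds <= 0 or not reason.strip():
            raise ValueError("a bypass needs a positive duration and a reason")
        self.entries[username] = BypassEntry(username, now, seconds, reason)
        self.audit.append((username, "created", now))

    def consume(self, username, now):
        """True if the sign-in at time `now` may skip two-step verification."""
        entry = self.entries.get(username)
        if entry is None or entry.used or now >= entry.issued_at + entry.seconds:
            self.audit.append((username, "rejected", now))
            return False
        entry.used = True            # single use: the next attempt is rejected
        self.audit.append((username, "used", now))
        return True


class CachingRule:
    """Model of a caching rule: after one successful verification, further
    requests for the same user within max_seconds succeed without a prompt."""

    def __init__(self, max_seconds):
        self.max_seconds = max_seconds
        self.last_verified = {}   # username -> time of the last real verification

    def needs_prompt(self, username, now):
        last = self.last_verified.get(username)
        return last is None or now - last >= self.max_seconds

    def record_success(self, username, now):
        self.last_verified[username] = now


def vpn_burst(rule, username, request_times):
    """Simulate the page's VPN case: several requests arrive while the first
    is still being answered. Returns one flag per request: True means the
    user is prompted, False means the cache answered for them."""
    prompted = []
    for t in request_times:
        if rule.needs_prompt(username, t):
            prompted.append(True)
            rule.record_success(username, t)   # assume the user completes the prompt
        else:
            prompted.append(False)
    return prompted


if __name__ == "__main__":
    store = OneTimeBypassStore()
    store.create("alice@contoso.example", seconds=300, reason="phone left at home", now=1000)
    print(store.consume("alice@contoso.example", now=1100))   # True: first use, inside the window
    print(store.consume("alice@contoso.example", now=1150))   # False: already used
    rule = CachingRule(max_seconds=60)
    print(vpn_burst(rule, "bob@contoso.example", [0, 2, 5, 59, 61]))
```

The audit list is the part to keep an eye on operationally: every bypass and every cache hit is a sign-in that was not verified at that moment, so both windows should be as short as the broken notification or the VPN's retry behaviour actually requires.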

MFA service settings

Settings for app passwords, trusted IPs, verification options, and remember multi-factor authentication for Azure Multi-Factor Authentication can be found in service settings. Service settings can be accessed from the Azure portal by browsing to Azure Active Directory > Security > MFA > Getting started > Configure > Additional cloud-based MFA settings.

The trusted IP address ranges can be private or public.

App passwords

You can use an app password in place of your traditional password to allow an app to bypass two-step verification and continue working.

App passwords do not work with Conditional Access based multi-factor authentication policies and modern authentication.

Considerations about app passwords

When using app passwords, consider the following important points:

  • The actual password is automatically generated and is not supplied by the user. The automatically generated password is harder for an attacker to guess and is more secure.
  • There is a limit of 40 passwords per user.
  • Applications that cache passwords and use them in on-premises scenarios can start to fail because the app password isn’t known outside the work or school account.
  • After Multi-Factor Authentication is enabled on a user’s account, app passwords can be used with most non-browser clients like Outlook and Microsoft Skype for Business.

Guidance for app password names

App password names should reflect the device on which they’re used. If you have a laptop that has non-browser applications like Outlook, Word, and Excel, create one app password named Laptop for these apps.

Federated or single sign-on app passwords

Azure AD supports federation, or single sign-on (SSO), with on-premises Windows Server Active Directory Domain Services (AD DS). If your organization is federated with Azure AD and you’re using Azure Multi-Factor Authentication, consider the following points about app passwords.

The following points apply only to federated (SSO) customers.

  • The Identity Provider (IdP) is not contacted for federated (SSO) users, unlike the passive flow. The app passwords are stored in the work or school account.
  • On-premises client Access Control settings aren’t honored by the app passwords feature.
  • No on-premises authentication logging/auditing capability is available for use with the app passwords feature.

Allow users to create app passwords

By default, users can’t create app passwords. The app passwords feature must be enabled. To give users the ability to create app passwords, use the following procedure:

  1. On the left, select Azure Active Directory > Users.
  2. Select Multi-Factor Authentication.
  3. Under Multi-Factor Authentication, select service settings.
  4. On the Service Settings page, select the Allow users to create app passwords to sign in to non-browser apps option.

Trusted IPs

The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or federated tenant. The feature bypasses two-step verification for users who sign in from the company intranet.

Enable named locations by using Conditional Access

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Security > Conditional Access > Named locations.
  3. Select New location.
  4. Enter a name for the location.
  5. Select Mark as trusted location.
  6. Enter the IP Range in CIDR notation like 192.168.1.1/24.
  7. Select Create.
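Because a trusted location exempts every sign-in from its ranges from two-step verification, the ranges deserve a check before they are entered. The following added example (not code from the page or from Microsoft) normalizes candidate CIDR ranges, rejects catch-all entries, flags host bits set as in the page's own 192.168.1.1/24, and warns on public ranges. The `MIN_PREFIX` widths are an assumed review policy, not a product limit; the request-body helper follows the field names of the Microsoft Graph ipNamedLocation resource and should be checked against the current Graph reference before use.

```python
import ipaddress
import json

# Widest prefix we accept for a trusted range (assumed review policy for this
# example, not a product limit): anything broader than /8 for IPv4 or /32 for
# IPv6 is far more than "the company intranet".
MIN_PREFIX = {4: 8, 6: 32}


def audit_trusted_ranges(cidrs):
    """Check candidate trusted IP ranges before they go into a named location.
    Returns accepted (normalized) ranges, warnings worth a second look, and
    rejected entries with the reason."""
    result = {"accepted": [], "warnings": [], "rejected": []}
    for raw in cidrs:
        text = raw.strip()
        try:
            # strict=False accepts host bits (192.168.1.1/24) and clears them.
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            result["rejected"].append((text, "not a valid CIDR range"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            result["rejected"].append((text, f"/{net.prefixlen} is too broad for an MFA exemption"))
            continue
        if str(net) != text:
            result["warnings"].append((text, f"host bits set; normalized to {net}"))
        if not net.is_private:
            # Trusted IPs skip two-step verification, so a public range should be
            # one only your organization sits behind (for example a fixed egress).
            result["warnings"].append((text, "public range: confirm it is exclusively yours"))
        result["accepted"].append(str(net))
    return result


def named_location_body(display_name, networks):
    """Build a request body in the shape of the Microsoft Graph ipNamedLocation
    resource for the accepted ranges (field names as documented for that
    resource; verify against the current Graph reference before use)."""
    ranges = []
    for cidr in networks:
        version = ipaddress.ip_network(cidr).version
        ranges.append({
            "@odata.type": "#microsoft.graph.iPv4CidrRange" if version == 4
                           else "#microsoft.graph.iPv6CidrRange",
            "cidrAddress": cidr,
        })
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": ranges,
    }


if __name__ == "__main__":
    # Constructed input: the page's own example with host bits set, two RFC 1918
    # ranges, one catch-all mistake and one typo.
    candidates = ["192.168.1.1/24", "10.0.0.0/8", "172.16.0.0/12", "0.0.0.0/0", "10.0.0.300/24"]
    report = audit_trusted_ranges(candidates)
    print(json.dumps(report, indent=2))
    print(json.dumps(named_location_body("HQ intranet (constructed)", report["accepted"]), indent=2))
```

Run the audit on the ranges a network team hands over before creating the location; the rejected list catches the entries that would quietly turn a trusted location into a blanket MFA exemption.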

Enable the Trusted IPs feature by using Conditional Access

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Security > Conditional Access > Named locations.
  3. Select Configure MFA trusted IPs.
  4. On the Service Settings page, under Trusted IPs, choose one of the following two options:

Enable the Trusted IPs feature by using service settings

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users.
  3. Select Multi-Factor Authentication.
  4. Under Multi-Factor Authentication, select service settings.
  5. On the Service Settings page, under Trusted IPs, choose one (or both) of the following two options:
  • For requests from a specified range of IP address subnets: To choose this option, enter the IP addresses in the text box by using CIDR notation.

Verification methods

When your users enroll their accounts for Azure Multi-Factor Authentication, they choose their preferred verification method from the options that you have enabled.

Enable and disable verification methods

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users.
  3. Select Multi-Factor Authentication.
  4. Under Multi-Factor Authentication, select service settings.
  5. On the Service Settings page, under verification options, select/unselect the methods to provide to your users.
  6. Click Save.

Remember Multi-Factor Authentication

The remember Multi-Factor Authentication feature for devices and browsers that are trusted by the user is a free feature for all Multi-Factor Authentication users.

How the feature works

The remember Multi-Factor Authentication feature sets a persistent cookie on the browser when a user selects the Don’t ask again for X days option at sign-in. The user isn’t prompted again for Multi-Factor Authentication from that same browser until the cookie expires. If the user opens a different browser on the same device or clears their cookies, they’re prompted again to verify.

Enable remember Multi-Factor Authentication

  1. Sign in to the Azure portal.
  2. On the left, select Azure Active Directory > Users.
  3. Select Multi-Factor Authentication.
  4. Under Multi-Factor Authentication, select service settings.
  5. On the Service Settings page, under remember multi-factor authentication, select the Allow users to remember multi-factor authentication on devices they trust option.
  6. Set the number of days to allow trusted devices to bypass two-step verification. The default is 14 days.
  7. Select Save.

Sagar Lad, Azure Cloud Engineer