Cloud Security – Azure Active Directory authentication – Configuring Multi-Factor Authentication (MFA) with Conditional Access – Part 4
LIFE IS BEAUTIFUL 🙂 I hope we all are safe:) STAY SAFE, STAY HEALTHY 🙂 STAY HOME 🙂
In the last couple of articles we have been discussing cloud security, specifically Azure AD and authentication:
- Cloud Security- Introduction to Azure Security and Azure Security Center
- Cloud Security – Azure Active Directory authentication – Part 1
- Cloud Security – Azure Active Directory authentication – self-service password reset – Part 2
- Cloud Security – Azure Active Directory authentication – Configuring Multi Factor Authentication (MFA) – Part 3
Best practice is to register multiple verification methods for all users.
The recommended way to enforce MFA is through Conditional Access policies.
In this article we will discuss what MFA with Conditional Access is and how to configure it.
Take Away from this article:
- What is Conditional Access?
- License requirement for Conditional Access
- How to configure Conditional Access policies for Multi-Factor Authentication, with an example
- Deleting Conditional Access Policy
What is Conditional Access?
- Every organization faces two competing security challenges:
- Empower users to be productive wherever and whenever they work
- Secure the organization’s resources
- Conditional Access is the Azure AD tool used to balance these two goals
- Conditional Access enforces the organization’s access policies
- Conditional Access lets us create and define policies that are evaluated during sign-in events; a policy can require the user to perform additional actions (such as MFA) before access to a resource, application or service is granted.
- Conditional Access policies are essentially if-then statements: if an identity (user, device, application, etc.) wants to access a resource (for example, a secured organizational application), then it must complete the required actions.
- By applying Conditional Access policies we keep the organization secure and ensure that the right users can access only the data they need.
- Conditional Access policies are therefore a core control for securing the organization.
- Conditional Access policies are enforced after the first-factor authentication has been completed.
License requirement for the Conditional Access feature:
- An Azure AD Premium P1 license is required to use this feature
- Customers with Microsoft 365 Business Premium licenses can also use this feature
Prerequisites for Creating Conditional Access Policies:
- An Azure AD tenant with one of the licenses mentioned in the above section “License requirement for Conditional Access”, or a trial license
- An account with Global Administrator role
- Test account for testing
Creating Conditional Access Policies:
- Sign in to the Azure portal using an account with global administrator permissions
- From the Azure Portal go to “Azure Active Directory” and click on the “View” button as shown in above Fig1
- We will be redirected to the “Azure Active Directory” dashboard as shown in below Fig2
- From the “Azure Active Directory” dashboard go to the “Security” section as shown in below Fig2
- We will be redirected to the “Security” dashboard as shown in below Fig3
- In the right-hand pane there is a “Documentation” section; to learn more, have a look at the “Azure AD Conditional Access” link.
- Click on “Conditional Access” in the left pane as shown in above Fig3; we will be redirected to the “Conditional Access” dashboard as shown in below Fig4
- Now we will create a new policy.
- New policy use case, a condition for Multi-Factor Authentication: consider that your organization needs to control access only to the “Graph Explorer” app, not to the whole Office 365 portal or other Microsoft 365 apps, and that this condition applies to only one user. This is just a sample use case to demonstrate the Conditional Access feature.
- Let’s create the new policy. Click on the “+ New policy” link at the top of the right pane on the Conditional Access dashboard as shown in above Fig4
- We will be redirected to the “New Conditional access policy” dashboard as shown in below Fig5
- On the “New Conditional access policy” dashboard we have the following options:
- Name: the policy name, here “testing MFA with Graph Explorer App”
- Assignments >> Users and groups: here we select the users or groups for which we need to enable MFA / the condition. As shown in above Fig5, we have the user email@example.com; for this user we are enabling Multi-Factor Authentication for accessing the “Graph Explorer” app
- Cloud apps or actions: the app for which we set the policy, i.e. the app for which we enable “MFA”. In this example we are selecting “Graph explorer (official site)” as shown in below Fig6
- Grant: this setting controls whether to allow or deny user access, whether to require “multi-factor authentication” or not, and the other related settings as shown in Fig7
- Next, click on the “Create” button at the bottom and the new policy will be created successfully as shown in below Fig8
- With the new policy in place we are ready to test. We have restricted a specific app, “Graph Explorer (official site)”, for a specific user, “firstname.lastname@example.org”
Testing with a user with no admin access:
- Navigate to the “Graph Explorer” site, https://developer.microsoft.com/en-us/graph/graph-explorer, in a new browser
- Sign in to “Graph Explorer” by clicking on the blue “Sign in to Graph Explorer” button in the left pane as shown in above Fig9
- Sign in with the user “email@example.com”; make sure this user has no admin access
- Once signed in with this user, the “More information required” dialog will appear as shown in below Fig10
- Click on the blue “Next” button at the bottom as shown in above Fig10
- We will be redirected to the “Additional security verification” dialog as shown in below Fig11
- Complete the verification process and make sure it succeeds as shown in below Fig12.
- Once the “Additional security verification” succeeds, the user can log in to the “Graph Explorer” app 🙂
- When the same user (here firstname.lastname@example.org) signs in to other Microsoft 365 apps like SharePoint Online, OneDrive, Outlook, OneNote and so on, additional security verification is not required; username and password alone are sufficient, since only the “Graph Explorer” app is restricted for this user.
- If we no longer want this policy, we can delete it as shown in below Fig13
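The same policy expressed as a Microsoft Graph request body, plus a small model of the if-then evaluation that reproduces the test results above (MFA for the one user on Graph Explorer only). This is an added example, not code from the original article; the user, app and emergency-access (break-glass) IDs are constructed placeholders, and `mfa_required` is a simplified model of the policy logic rather than Azure AD's own evaluation engine.

```python
import json

# Constructed placeholder IDs: in a real tenant these are the user's object ID
# and the app's application (client) ID taken from the Azure AD tenant.
TARGET_USER_ID = "00000000-0000-0000-0000-000000000001"  # email@example.com
BREAK_GLASS_ID = "00000000-0000-0000-0000-0000000000ff"  # assumed emergency-access account
GRAPH_EXPLORER_APP_ID = "<graph-explorer-app-id>"
SHAREPOINT_APP_ID = "<sharepoint-online-app-id>"


def build_policy(user_id, app_id, enforce=False):
    """Body for POST /identity/conditionalAccess/policies (Microsoft Graph v1.0).

    Mirrors the portal steps in the article: Name, Assignments > Users and groups,
    Cloud apps or actions, and Grant > Require multi-factor authentication.
    """
    return {
        "displayName": "testing MFA with Graph Explorer App",
        # Report-only first: review the sign-in logs before switching to "enabled".
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": [user_id], "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeApplications": [app_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def mfa_required(policy, user_id, app_id):
    """Simplified model of the policy's if-then logic (not Azure AD's engine).

    MFA is prompted only when the policy is enforced, the user is in scope and
    not excluded, the app is in scope, and the grant control lists "mfa".
    The decision happens after first-factor (password) authentication succeeds.
    """
    if policy["state"] != "enabled":
        return False
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    if user_id in users.get("excludeUsers", []):
        return False
    user_in_scope = "All" in users["includeUsers"] or user_id in users["includeUsers"]
    app_in_scope = "All" in apps["includeApplications"] or app_id in apps["includeApplications"]
    return user_in_scope and app_in_scope and "mfa" in policy["grantControls"]["builtInControls"]


if __name__ == "__main__":
    policy = build_policy(TARGET_USER_ID, GRAPH_EXPLORER_APP_ID, enforce=True)
    print(json.dumps(policy, indent=2))
    print("Graph Explorer:", mfa_required(policy, TARGET_USER_ID, GRAPH_EXPLORER_APP_ID))
    print("SharePoint Online:", mfa_required(policy, TARGET_USER_ID, SHAREPOINT_APP_ID))
```

Excluding a break-glass account keeps an administrator able to sign in if the MFA method becomes unavailable, and the report-only state lets you confirm in the sign-in logs who the policy would affect before enforcing it.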
We have very good series on Azure, lots of discussion on Azure, please visit – https://knowledge-junction.com/?s=azure
Thanks for reading 🙂 If its worth at least reading once, kindly please like and share. SHARING IS CARING 🙂
Enjoy the beautiful life 🙂 Have a FUN 🙂 HAVE A SAFE LIFE 🙂 TAKE CARE 🙂