This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
MFA is one of the most effective layers of security we can add to protect our user identities. In the last post, we went through setting up MFA for our organization, enforcing it through various methods and touched on some of the benefits of Conditional Access. Once MFA is configured, we need to be able to monitor how it performs and update the configuration as required.
To do that, let’s dive into the MFA configuration in the Azure AD portal.
Manage MFA Configuration
To manage Azure MFA, open the MFA Blade in Azure AD, located in the “Security” configuration. Here we will see various settings that we can configure to manage how MFA performs in our environment.
First up is the Account Lockout settings. These settings allow us to enforce a lock on accounts that have received a denial from an MFA request. We can configure how many denials are tolerated before the account becomes locked, how long before the count of denials is reset (in our configuration below we only have one denial before lockout so this setting doesn’t matter) and how long the account is locked for.
When an account becomes locked, we can manually unlock it by opening the “Block/Unblock Users” section. This allows us to unblock the user account and give a reason for our audit logs. We can also manually block users, for instance if one of our users lost their phone with the authenticator app on it, we can prevent MFA requests being sent for that user by blocking them.
If a user is receiving unsolicited MFA requests, we can allow them to submit fraud alerts themselves. We can enable Fraud alerts and trigger an account lock on a user who reports fraud. We can also specify the code the user should dial during an MFA phone call to report fraud. The default for this is “0” but if you upload custom greetings then you can update the response here.
When a user reports Fraud, it is reported in the sign in details, however, we can also specify recipients to be alerted when fraud is reported in the “Notifications” section.
If we would like to use hardware tokens for authentication / MFA we can register the details of our tokens in the OAUTH tokens section. More details on OAUTH tokens here.
Finally, we can customize phone call authentication with custom greetings.
Manage User MFA
Over time, users will get new mobile devices, lose older ones and their details may change. This can lead to a problem with MFA. To help manage this, we can open up the “Authentication Methods” page in the Azure AD user profile to complete various tasks.
We can add or amend the users authentication details when they get a new phone number or personal email address for example.
We also have the option to Revoke MFA sessions. This is require the user to provide MFA on any device they authenticate on, even if they have previously satisfied the MFA requirement and have ticked the “Remember MFA on this device” option. This can be particularly useful when a user misplaces a device they use regularly.
We also have the option to require that a user re-registers MFA, this can be used when the user gets a new mobile device for example, they can re-register the new authenticator app without relying on the old device.
To monitor user MFA behaviour, we can look at out Azure AD sign-in logs. Here we can filter our logs for the authentication requirement to see sign-ins which were/were not challenged for MFA. We can then assess the reasons behind the users MFA requirement.
When we use conditional access, we can troubleshoot the policies using the Conditional Access Policy Details tool. I’ve posted about this before here and I recommend checking it out.
In the sign-in log entries, we can also see the MFA requirement under Authentication Details. In the below example we see that the user was subject to MFA, however, since they already had a valid access token which they provided MFA to receive, the MFA requirement was satisfied by this token and they weren’t prompted.
In this post we’ve detailed the settings and monitoring of MFA. MFA is one of the easiest and most effective ways to provide additional protection to your environment. More info on MFA setup and monitoring is available at the below links: