Study Guide Series: Exam MS-500 – Manage and Monitor MFA

This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.

MFA is one of the most effective layers of security we can add to protect our user identities. In the last post, we went through setting up MFA for our organization, enforcing it through various methods and touched on some of the benefits of Conditional Access. Once MFA is configured, we need to be able to monitor how it performs and update the configuration as required.

To do that, let’s dive into the MFA configuration in the Azure AD portal.

Manage MFA Configuration

To manage Azure MFA, open the MFA Blade in Azure AD, located in the “Security” configuration. Here we will see various settings that we can configure to manage how MFA performs in our environment.

First up is the Account Lockout settings. These settings allow us to enforce a lock on accounts that have received a denial from an MFA request. We can configure how many denials are tolerated before the account becomes locked, how long before the count of denials is reset (in our configuration below we only have one denial before lockout so this setting doesn’t matter) and how long the account is locked for.

When an account becomes locked, we can manually unlock it by opening the “Block/Unblock Users” section. This allows us to unblock the user account and give a reason for our audit logs. We can also manually block users, for instance if one of our users lost their phone with the authenticator app on it, we can prevent MFA requests being sent for that user by blocking them.

If a user is receiving unsolicited MFA requests, we can allow them to submit fraud alerts themselves. We can enable Fraud alerts and trigger an account lock on a user who reports fraud. We can also specify the code the user should dial during an MFA phone call to report fraud. The default for this is “0” but if you upload custom greetings then you can update the response here.

When a user reports Fraud, it is reported in the sign in details, however, we can also specify recipients to be alerted when fraud is reported in the “Notifications” section.

If we would like to use hardware tokens for authentication / MFA we can register the details of our tokens in the OAUTH tokens section. More details on OAUTH tokens here.

Finally, we can customize phone call authentication with custom greetings.

Manage User MFA

Over time, users will get new mobile devices, lose older ones and their details may change. This can lead to a problem with MFA. To help manage this, we can open up the “Authentication Methods” page in the Azure AD user profile to complete various tasks.

We can add or amend the users authentication details when they get a new phone number or personal email address for example.

We also have the option to Revoke MFA sessions. This is require the user to provide MFA on any device they authenticate on, even if they have previously satisfied the MFA requirement and have ticked the “Remember MFA on this device” option. This can be particularly useful when a user misplaces a device they use regularly.

We also have the option to require that a user re-registers MFA, this can be used when the user gets a new mobile device for example, they can re-register the new authenticator app without relying on the old device.

Monitoring MFA

To monitor user MFA behaviour, we can look at out Azure AD sign-in logs. Here we can filter our logs for the authentication requirement to see sign-ins which were/were not challenged for MFA. We can then assess the reasons behind the users MFA requirement.

When we use conditional access, we can troubleshoot the policies using the Conditional Access Policy Details tool. I’ve posted about this before here and I recommend checking it out.

In the sign-in log entries, we can also see the MFA requirement under Authentication Details. In the below example we see that the user was subject to MFA, however, since they already had a valid access token which they provided MFA to receive, the MFA requirement was satisfied by this token and they weren’t prompted.

Summary

In this post we’ve detailed the settings and monitoring of MFA. MFA is one of the easiest and most effective ways to provide additional protection to your environment. More info on MFA setup and monitoring is available at the below links:

Multi-factor authentication for Microsoft 365 – Microsoft 365 admin | Microsoft Docs

Set up multi-factor authentication for users – Microsoft 365 admin | Microsoft Docs

Enable Modern Authentication for Office 2013 on Windows devices – Microsoft 365 admin | Microsoft Docs

Azure AD Sign-ins Conditional Access Policy Details (Preview) – Sean McAvinue

One thought on “Study Guide Series: Exam MS-500 – Manage and Monitor MFA

  1. Pingback: Study Guide Series – Exam MS-500: Microsoft 365 Security Administration – Sean McAvinue

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s