What is Multi-Factor Authentication
Two-step verification is a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. Azure Multi-Factor Authentication is a method of verifying who you are that requires more than just a username and password. After entering their password, users are required to acknowledge a phone call, text message, or app notification on their smartphone, and they can only log in once the second authentication factor has been satisfied.
There are multiple options for verification methods:
- A typical password
- A trusted device that is not easily duplicated, such as a phone
Why use Azure Multi-Factor Authentication
Today every organization has the facilities to work from anywhere and connect from anywhere, and people are increasingly connected through their smartphones, tablets, laptops and PCs, which means they need more security to access the company's applications, email, etc. Azure Multi-Factor Authentication is an easy-to-use and reliable solution for securing access to your email and applications. It is very simple to set up and use: it can be configured with just a few clicks and adds extra protection while still allowing users to manage their own devices. Azure MFA integrates with cloud and on-premises Active Directory and applications, and it is also suitable for mission-critical scenarios. Azure MFA provides strong authentication using the highest industry standards.
How Azure Multi-Factor Authentication Works
Azure Active Directory is the authentication authority for Office 365. Applications developed to support MFA use the Active Directory Authentication Library (ADAL) to authenticate to services using OAuth 2.0. OAuth is an open standard for authentication that is supported by many third-party vendors. Client applications such as Outlook and OWA use ADAL to get access to users' data using the access tokens acquired through the authentication process. Using access tokens means that the applications can continue to access data without having to store or provide user credentials. Two types of token are used. A refresh token is issued following a successful user authentication; this is the master token that is used to acquire the access tokens necessary to access user data. For example, when Outlook first connects and authenticates with Office 365, it receives a refresh token and uses it to get an access token that is valid for Exchange; the same token is valid across Office 365. A refresh token lasts two weeks; refresh tokens are generated by Azure Active Directory. If you do not use Office 365 for more than two weeks, the refresh token expires and will need to be re-established through authentication.
Photo courtesy of Microsoft
Methods available for two-step verification
When a user signs in, an additional verification request is sent to the user. The following is a list of methods that can be used for this second verification.
Phone call
A call is placed to the user's registered phone asking them to verify that they are signing in by pressing the # key or entering a PIN.
Text message
A text message with a six-digit code is sent to the user's mobile phone. Enter this code to complete the verification process.
Mobile App Notification
A verification request is sent to the user's smartphone asking them to complete the verification by selecting Verify in the mobile app. This occurs if you selected app notification as your primary verification method. Example: Phone Sign-In with Microsoft Authenticator.
Mobile app verification code
The mobile app running on the user's smartphone displays a 6-digit verification code that changes every 30 seconds. The user finds the most recent code and enters it on the sign-in page to complete the verification process. This occurs if you selected a verification code as your primary verification method.
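As an added example (not code from the original post or from Microsoft), the following Python shows how a 6-digit code that changes every 30 seconds is derived from a shared secret using TOTP (RFC 6238, the scheme authenticator apps use for codes of this kind), and how the verifying side checks it: it accepts the current code plus one step either side to tolerate clock skew, and refuses a code that was already redeemed. The secret is the RFC reference key, used here as a constructed sample; `TotpVerifier` and the other names are my own, not Azure's.

```python
"""TOTP (RFC 6238) generation and server-side verification.

Added example: not from the original post or from Microsoft. It shows how a
6-digit code that changes every 30 seconds is derived from a shared secret,
and how a verifier accepts the "most recent" code with a small clock-skew
window while refusing replays of a code that was already accepted.
"""
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 reference key, so the values
# can be checked against the published test vectors.  Real secrets are
# generated per user and shown to the authenticator app as base32.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, timestamp // step, digits)


class TotpVerifier:
    """Server-side check for one user: skew window plus replay protection."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1  # highest time-step counter already redeemed

    def verify(self, submitted: str, timestamp: int) -> bool:
        # Reject malformed input before doing any crypto.
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        now = timestamp // self.step
        # Try the current step and +/- window steps to tolerate clock skew.
        for delta in range(-self.window, self.window + 1):
            counter = now + delta
            if counter <= self.last_counter:
                continue  # already used: a replayed code is never accepted
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    import time
    print("current code:", totp(DEMO_SECRET_B32, int(time.time())))
```

The replay guard is what makes "enter the most recent code" a safe instruction: a code observed over a shoulder stays valid for at most the skew window, and never for a second login within that window.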
3rd party OATH tokens
Azure Multi-Factor Authentication can be configured to accept third-party verification methods.
Set up Multi-Factor Authentication in Office 365
Go to the Office 365 admin center.
Navigate to Users, select Active users, then click More and select Setup Azure multi-factor auth. Your screen should look like one of the following:
Once you click Azure multi-factor auth, you will see the list of all users.
Now we need to enable MFA for one particular user: search for and select the user, then enable MFA.
Here are the user's settings for MFA:
You can also set the service settings:
Now log in with the account for which we enabled MFA.
Here you can see that it asks for additional security verification; click Set up.
Set up the phone authentication preferences.
Set up the office phone authentication preferences.
Here you can set up mobile app notifications if you want.
Now you can see that the text message has been sent to the selected mobile number.
Now you can see that the app password has been received.
We can also verify via PowerShell.
We will get the following login window:
There are three versions of multi-factor authentication:
- Multi-Factor Authentication for Office 365
- Multi-Factor Authentication for Azure Administrators
- Azure Multi-Factor Authentication
Here is the feature comparison of the versions:
Azure Multi-Factor Authentication provides selectable verification methods for both cloud and on-premises.