The term "authentication" refers to the process of verifying a user's identity, that is, establishing whether the user is who they claim to be. Multi-Factor Authentication (MFA) extends a simple username-and-password login with one or more additional verification steps, which makes it much harder for an attacker to take over an account: even if the attacker knows the user ID and password, these are useless without the additional authentication factor. It is a reliable security feature that provides strong protection for your accounts. In this article, we will explore the MFA options available for the Microsoft ecosystem, taking a closer look at what they are, what advantages they offer and how to activate multi-factor authentication, with some practical examples.
Security breaches are very common nowadays: phishing, ransomware, and a whole host of other familiar names that cybersecurity experts know all too well. Unfortunately, the days when a simple username and password were sufficient for data security are over, and relying exclusively on passwords to protect your data is like writing physical letters in the era of email: very romantic, but naive and impractical.
Data, as we all know, is now as crucial as your capital: as precious as it is vulnerable to external attacks. That's why you need more than just passwords to protect your computer systems from threats and malicious agents.
Multi-Factor Authentication, commonly referred to as MFA, is a multi-step verification method that requires more than one authentication method. Extra layers of security are added to your online interactions (registrations and transactions), helping to keep your account as safe as possible from these unpleasant events.
Microsoft offers within its software ecosystems the possibility of implementing multifactor authentication to prevent unauthorized access to Microsoft accounts.
Basic MFA is included with all Microsoft 365/Office 365 subscriptions and, when enabled for a user account, is required for each authentication of that user. In addition to the basic MFA, two other approaches are also available: Conditional Access (which requires premium licenses such as Microsoft 365 Business Premium or Entra ID P1/P2) and Legacy Per-User MFA (which is not recommended by Microsoft, more information in the dedicated section).
Starting October 15, 2024, Microsoft will require that all administrators use Multi-Factor Authentication (MFA) when accessing the Azure portal, the Microsoft Entra admin center, and the Intune admin center. This requirement extends to all services accessible through the Azure portal, the Entra admin centers, and Intune, such as Windows 365 Cloud PC.
This change is part of a gradual implementation, involving administration portals in Phase 1 (from October 2024), while in Phase 2 (early 2025), MFA will also be necessary for Azure CLI, PowerShell, Azure mobile app and IaC tools.
Microsoft's move represents a crucial step in strengthening IT security by reducing the risk of unauthorized access to administrative accounts. It is also an excellent occasion to discuss in more detail the benefits of MFA for the security of your data and how to implement this functionality, which is now essential in any modern cybersecurity strategy.
As already mentioned, passwords can be easily compromised, and there is an incredible variety of threats that can undermine the security of your digital infrastructure: automated password-guessing tools, social engineering, ransomware trying to sneak in, or former employees who abuse the credentials of their previous company.
These are just a few examples, but there are many other cases where the security of your data can be fragile.
Put simply, you can't rely on passwords alone.
Sad, but that is the reality.
If your users sign in from multiple devices and you cannot be sure that every access is legitimate (is it one of your verified users, or an unknown party trying to reach your password-protected site from an unusual location or an unrecognized device?), the security of your data is very vulnerable and appropriate countermeasures must be taken.
In recent years, MFA has become a pretty popular authentication method, and to be honest, you're already using two-factor authentication in many of your daily activities without knowing it. For example, when withdrawing money from an ATM (hardware token: debit card + password) or accessing online banking services (temporary password + normal password).
With two-factor authentication, even if someone knew the password, they would still need access to second-factor resources, such as a cell phone, email or, in the most extreme cases, even a fingerprint. So, if a hacker wanted to steal the data of one of our employees, in addition to the password, he should also have access to, for example, the fingerprints of that employee (if biometrics have been selected).
MFA helps to secure access to websites, online shopping carts, back ends or any other application, adding multiple layers of protection around the most important data and information. What makes it a strong security measure is the fact that the authentication factors must be a combination of at least two elements that are not easily duplicated.
The three most common factors are, respectively: something you know (a password or PIN), something you have (a code generated on a smartphone or a hardware token) and something you are (a fingerprint or other biometric trait).
A combination of two factors makes it more difficult for attackers to hack an account, since, if a password or PIN is compromised, a code generated by the smartphone or a fingerprint (which are harder to steal) would still be necessary to complete the login.
The importance of MFA was highlighted by the attack on Twitter in 2020 and the Anthem Insurance data breach in 2015, where MFA could have significantly reduced the risks.
If you are still not convinced, let's look at some statistics to understand how much MFA can really be a decisive factor in your cybersecurity strategy:
To successfully implement business processes within the Microsoft 365 ecosystem, the following skills are needed:
Dev4Side Software has the vertical technical skills to provide you with a single, transversal point of contact for all the elements of your subscription.
Microsoft offers MFA functionality in its ecosystem that can be implemented to prevent unauthorized access to Microsoft accounts (email, SharePoint, Teams Voice, etc.). Basic MFA is included with all Microsoft 365/Office 365 subscriptions, but it represents an “all or nothing” experience per user. When enabled for a user account, the MFA requires authentication for each login by that user.
Organizations that have subscribed to higher-level versions of Microsoft 365, such as Business Premium, have access to a more sophisticated version of Microsoft's MFA. Conditional Access uses conditions to more precisely regulate how MFA is applied within organizations. For example, you can configure authentication so that logins from the office are verified every 90 days, while those from remote locations must be verified every 30 days.
Advanced MFA is not only more convenient, it also allows you to apply stricter MFA policies to high-risk behavior. If someone logs in from a new or unusual location, you can request MFA authentication every time they try to sign in. Advanced MFA offers greater control in balancing convenience and security.
Microsoft 365 supports multi-factor authentication for accounts using:
Several of these authentication methods can also be combined.
To best protect important accounts and resources, it's critical to consider which authentication methods are the strongest and which cause the least frustration for end users.
Entra ID offers a distinctive feature called "authentication strength" (available with premium Entra ID P1/P2 licenses or equivalent), which allows administrators to determine the level of authentication they require from users.
Authentication strength is a conditional access control that allows administrators to determine what combination of authentication methods can be used to access an app or resource. This gives administrators greater flexibility in authentication: they can choose stronger authentication methods for the most critical resources, or weaker authentication methods for non-sensitive applications.
Microsoft defines the level of authentication in three different ways:
In this regard, Microsoft officially recommends the use of phishing-resistant MFA for administrative accounts with elevated privileges.
The Multi-Factor Authentication (MFA) strength is the weakest of the three authentication strengths. However, it gives users the greatest freedom in choosing how to authenticate to a given resource, since it supports the widest range of authentication options.
The supported authentication options are as follows:
Passwordless MFA is the intermediate level in terms of security and can be used to eliminate the insecurity caused by passwords.
It supports the following authentication methods:
Unfortunately, because the Authenticator app is often used on a smartphone, it can be difficult to implement this authentication method if you work in an extremely secure environment that limits the use of phones. This would further reduce authentication options, paving the way for the next stronger authentication method.
The phishing-resistant MFA level is the most stringent level of authentication.
It supports only the following authentication methods:
Accounts that hold high-privilege administrative rights are frequently targeted by attacks, as gaining access to a single account with administrative rights offers an enormous advantage to attackers. At a minimum, we recommend using phishing-resistant MFA on these accounts to reduce the risk of compromise.
Phishing-resistant MFA is definitely the preferred authentication method in high-risk environments with the most demanding security requirements.
Microsoft Authenticator is a free application developed by Microsoft to provide greater security when accessing online accounts, in particular Microsoft accounts, but also for other compatible services. It is primarily used for two-factor verification (2FA), a system that adds a second layer of protection in addition to the password.
Its operation is extremely simple and can be summarized in the following steps:
Now that we have a clearer understanding of multi-factor authentication and the specific features of Microsoft MFA, it's time to move on to practice and see how it is possible to enable MFA for Microsoft business accounts.
There are three main ways to enable MFA functionality in Microsoft 365, so we'll take an in-depth look at all three, highlighting the necessary steps to follow for a successful implementation.
With predefined security policies, you provide your organization with pre-configured security settings managed by Microsoft to help protect your organization from identity-related attacks. Part of these settings involves automatically enabling multi-factor authentication (MFA) for all administrative and user accounts.
To activate the default security policies (Security Defaults), follow the steps below, starting with logging in to the Microsoft 365 Admin Center with Security Administrator, Conditional Access Administrator or Global Administrator credentials.
After that, go to the Azure Active Directory portal (now Entra ID) under the Admin Centers section.
Once on the Azure AD page, we will have to choose Manage from the menu on the left of the dashboard and select Properties. On that page, we'll see Manage Security Defaults at the bottom of the page.
If you see Yes selected in the Enable Security Defaults item (located on the right side of the panel), no additional action is necessary. Otherwise, simply select Yes to enable the default security policies. It should be noted that Security Defaults and Conditional Access are two mutually exclusive features; therefore, to use the latter, it will be necessary to deactivate the first.
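The same check and switch can be scripted with Microsoft Graph PowerShell. The following is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph module is installed and that you sign in with one of the roles named above. It also honours the mutual exclusivity just mentioned: it refuses to turn Security Defaults on while enabled Conditional Access policies exist.

```powershell
# Added example (not from the article): inspect and enable Security Defaults
# with Microsoft Graph PowerShell. Assumes the Microsoft.Graph module and an
# account with Security Administrator, Conditional Access Administrator or
# Global Administrator rights.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Current state of the "Enable security defaults" switch shown in the portal
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($defaults.IsEnabled)"

# Security Defaults and Conditional Access are mutually exclusive: list any
# enabled Conditional Access policies before switching defaults on.
$caPolicies = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq "enabled" }

if ($caPolicies) {
    Write-Warning "Tenant has $(@($caPolicies).Count) enabled Conditional Access policies; disable or remove them before enabling Security Defaults:"
    $caPolicies | Select-Object DisplayName, State | Format-Table -AutoSize
}
elseif (-not $defaults.IsEnabled) {
    # Turning this on requires MFA registration and enforcement for all users and admins
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    Write-Host "Security Defaults enabled."
}
else {
    Write-Host "Security Defaults already enabled; no action needed."
}
```

Run it first with only the read scope to audit the current state; the update cmdlet is only reached when no Conditional Access policy is enabled, which mirrors the error the portal would otherwise return.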
With Conditional Access policies, you can create granular or specific policies for organizations with more complex security requirements. These policies determine whether or not access will be granted to users based on the specified conditions under which the accesses are evaluated.
This simplifies the work of administrators, since it is possible to assign multi-factor authentication (MFA) requirements based on group membership, instead of configuring MFA for individual user accounts.
To enable MFA with Conditional Access policies, you must first create a conditional access policy and add it to the specified groups.
With global administrator credentials, log in to the Azure portal and choose Entra ID. Next, in the left menu, choose Security > Conditional Access > +New policy, and give the policy a name.
Go to Assignments > Users and groups, then select the Select users and groups radio button.
Check the box for Users and groups and click Select to see the users and groups available in Azure AD.
Choose your Azure AD group and select Done to apply the new policy.
Next, we need to configure the conditions for multi-factor authentication when a user logs in to the Azure portal to define which cloud apps and actions will trigger the new policy.
In Apps or cloud actions, you can choose to apply your policy to All Apps or Select Apps (if you want to exclude certain apps from the policy).
In this case, since we are configuring MFA for Azure access, we choose Select Apps and then select Microsoft Azure Management > Select > Done.
Under Access Controls, choose Grant and select the Grant Access option button.
Check the box for Require multi-factor authentication > Select.
Activate the policy by setting the Enable policy option to On, then select Create to apply the Conditional Access policy.
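The policy built in the portal above can also be created from Microsoft Graph PowerShell, which is convenient when the same policy has to be reproduced across tenants. The script below is an added example, not the article's or Microsoft's own code. It creates the policy from the steps above (require MFA for a group when accessing Microsoft Azure Management) and, going beyond the page's single case, a second policy that applies the built-in "Phishing-resistant MFA" authentication strength to Global Administrators, as the authentication strength section recommends. Assumptions: the Microsoft.Graph module is installed; the two group IDs are placeholders for your own groups; the application ID, role template ID and authentication strength ID are Microsoft's well-known constants but should be verified in your tenant; policies are created in report-only state so nobody is locked out while you review the results.

```powershell
# Added example (not from the article): create Conditional Access MFA policies
# with Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholders: replace with your own group object IDs
$targetGroupId     = "00000000-0000-0000-0000-000000000000"   # group that must use MFA
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"   # emergency-access accounts, always excluded

# Well-known IDs (verify in your tenant)
$azureManagementAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"   # "Microsoft Azure Management" application
$globalAdminRoleId    = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template
$phishingResistantId  = "00000000-0000-0000-0000-000000000004"   # built-in "Phishing-resistant MFA" strength

# Conditional Access cannot be used while Security Defaults is on (they are mutually exclusive)
if ((Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled) {
    throw "Security Defaults is enabled; disable it before creating Conditional Access policies."
}

function New-MfaPolicy {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [hashtable]$Users,   # conditions.users (includeGroups / includeRoles / excludeGroups)
        [Parameter(Mandatory)] [hashtable]$Apps,    # conditions.applications
        [Parameter(Mandatory)] [hashtable]$Grant    # grantControls
    )
    $body = @{
        displayName   = $Name
        # Report-only: sign-ins are evaluated and logged but not blocked. Switch to "enabled"
        # once the sign-in logs show the policy hits exactly the accounts you expect.
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{ users = $Users; applications = $Apps }
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1) The policy from the steps above: require MFA for the group on Microsoft Azure Management
New-MfaPolicy -Name "CA01 - Require MFA for Azure management" `
    -Users @{ includeGroups = @($targetGroupId); excludeGroups = @($breakGlassGroupId) } `
    -Apps  @{ includeApplications = @($azureManagementAppId) } `
    -Grant @{ operator = "OR"; builtInControls = @("mfa") }

# 2) Generalisation: phishing-resistant MFA for Global Administrators on every application
New-MfaPolicy -Name "CA02 - Phishing-resistant MFA for Global Admins" `
    -Users @{ includeRoles = @($globalAdminRoleId); excludeGroups = @($breakGlassGroupId) } `
    -Apps  @{ includeApplications = @("All") } `
    -Grant @{ operator = "OR"; authenticationStrength = @{ id = $phishingResistantId } }
```

Excluding a dedicated emergency-access group from every policy is the standard safeguard against locking all administrators out of the tenant; keep those accounts monitored rather than unprotected.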
Although Microsoft strongly recommends using only default security policies or conditional access policies, you can still enable multi-factor authentication (MFA) on a per-user basis.
However, keep in mind that this would be more inconvenient both for the administrator (since he will have to configure the settings for each individual user) and for the users (since they will have to perform the MFA every time they log in, unless they come from a trusted IP address or the “remember MFA on trusted devices” functionality is active). In addition, Microsoft strongly discourages the use of this authentication mode if you can use Conditional Access or Security Defaults.
There are three states to know in order to verify whether a user is registered for legacy per-user Azure AD multi-factor authentication: Disabled, Enabled and Enforced.
To change a user's status, log in to the Azure portal with global administrator credentials. In Entra ID, go to Users > All Users and click on Per-user multi-factor authentication.
Find the user for whom we want to enable MFA (you can change the view at the top of Users) and check the box next to the name.
In the panel on the right, under Quick Steps, we choose Enable or Disable, and then confirm the selection in the pop-up window that opens.
Administrators can move users between states, such as Enabled to Enforced or Enforced to Disabled. However, it is not recommended to change a user's status directly to Enforced unless they are already registered.
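Before moving anyone to Enforced, it is worth checking who has actually registered an MFA method; the same report also shows which privileged accounts still lack a phishing-resistant method, which ties back to the recommendation in the authentication strength section. The script below is an added example, not code from the article or from Microsoft. It assumes the Microsoft.Graph module (Reports cmdlets) and the listed permissions; the method-name strings are assumed values from the registration report and should be compared with what your tenant actually returns.

```powershell
# Added example (not from the article): audit MFA registration before enforcing
# per-user MFA, and flag admins without a phishing-resistant method.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Assumed method names as reported in MethodsRegistered (verify against your tenant's output)
$phishingResistantMethods = @("fido2SecurityKey", "windowsHelloForBusiness", "passKeyDeviceBound")

# One record per user with registration status and the methods on file
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# 1) Users not yet registered for MFA: setting them to Enforced now would hit them
#    at their next sign-in, so they should be guided to register first.
$notRegistered = $details | Where-Object { -not $_.IsMfaRegistered }
Write-Host "Users without MFA registration: $(@($notRegistered).Count)"
$notRegistered | Select-Object UserPrincipalName, IsAdmin | Format-Table -AutoSize

# 2) Privileged accounts whose registered methods include nothing phishing-resistant
$weakAdmins = $details | Where-Object {
    $u = $_
    $u.IsAdmin -and -not ($u.MethodsRegistered | Where-Object { $_ -in $phishingResistantMethods })
}
Write-Host "Privileged accounts without a phishing-resistant method: $(@($weakAdmins).Count)"
$weakAdmins |
    Select-Object UserPrincipalName, @{ n = "Methods"; e = { $_.MethodsRegistered -join ", " } } |
    Format-Table -AutoSize
```

The second list is the one to work through first: those are the accounts that attackers value most and that Microsoft recommends protecting with phishing-resistant MFA at a minimum.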
Threats to business data are commonplace and some of the worst scenarios involve outdated credentials and access methods that can jeopardize its security.
Therefore, when you rely on security solutions such as Microsoft's, it is necessary to know in depth all the options available in order to build the best possible defensive perimeter even around what can unquestionably become the weakest link in your defensive chain: the individual user.
These options, as we have seen, are extremely varied and suited to every level of security, giving administrators and security experts the greatest degree of control and strictness over user access to their systems, without sacrificing ease of adoption for the users themselves.
Microsoft's multi-factor authentication is a security measure that adds a second level of verification in addition to the classic password. This means that even if someone knows the login credentials, they will not be able to log in without proving that they also have a second element, such as a temporary code generated on an app or a fingerprint. It's a system that makes accounts much harder to hack.
Using MFA protects accounts from a wide range of cyber threats, including phishing and automated attacks. According to Microsoft, activating MFA almost completely reduces the risk of unauthorized access to accounts, even if credentials are stolen. It is a particularly useful protection in business environments where sensitive data must be safeguarded with the highest level of security.
MFA can be activated through predefined security settings, conditional access policies, or individual user configurations. The first two options are those recommended by Microsoft, because they allow for simpler and more centralized control, while manual configuration for each user is considered less efficient and more complex to manage, as well as being limited in terms of flexibility.
Microsoft Authenticator is a mobile app that allows you to protect your accounts by requiring a smartphone verification every time you log in. After entering the password, the app can generate a temporary code or send a push notification to the user, who must approve or deny access. Alternatively, the app also allows you to log in without entering a password, using only facial recognition, fingerprint or a PIN.
Microsoft supports several methods for authenticating, including codes received via SMS or phone call, Authenticator app notifications, physical devices such as FIDO2 keys, biometric solutions such as Windows Hello for Business, and digital certificates. Some methods can be combined to further increase the level of security, adapting to the specific needs of each organization.
The “Phishing-Resistant” authentication level is the most secure of those offered by Microsoft. It uses methods that do not depend on easily interceptable passwords or codes, but on physical or certified tools that cannot be easily copied or stolen. It is primarily designed to protect administrative accounts and critical systems, where the risk of attack is high.
The main difference between these three levels lies in the degree of security and in the type of authentication methods accepted. Traditional MFA is the most accessible level, but it is also the least resistant to sophisticated attacks. The Passwordless MFA completely eliminates passwords, increasing security. The Phishing-Resistant level is the most advanced and limits use to methods that are particularly robust and difficult to circumvent.
Starting October 15, 2024, all administrators who access the Azure portal, the Entra admin center, or Intune must use the MFA. In the following months, the requirement will also be extended to other tools such as Azure CLI, PowerShell and mobile apps. This is a measure that aims to significantly strengthen the security of access to critical environments.
This approach is not recommended because it is less practical for the administrator, who must manually configure each individual user, and stricter for the user, who has to carry out the verification at every login without the possibility of customized conditions. It also lacks the benefits and flexibility of the more modern alternatives, such as Security Defaults or Conditional Access policies.
The Infra & Security team focuses on the management and evolution of our customers' Microsoft Azure tenants. Besides configuring and managing these tenants, the team is responsible for creating application deployments through DevOps pipelines. It also monitors and manages all security aspects of the tenants and supports Security Operations Centers (SOC).