What is Microsoft Entra ID MFA?

Understanding Microsoft Entra ID MFA

Microsoft Entra ID MFA (formerly Azure AD MFA) is a cloud-based identity verification feature in Microsoft Entra ID that secures user and application sign-ins by prompting them for an additional authentication factor, like a unique six digit code, fingerprint, or a compliant device for the sign-in process, making it significantly harder for attackers to gain access.

Microsoft Entra ID MFA can also make use of a combination of other factors such as the location of sign-ins, the time of signing in, and the role of the user to verify the authenticity of the sign-in request, making it more secure even when some of the usual factors are compromised.

What can Microsoft Entra ID MFA secure?

Microsoft Entra ID MFA can secure more than your Microsoft Entra ID sign-ins. It can also secure your organization's applications against unauthorized access. Here’s a closer look at what Microsoft Entra ID MFA can secure.

• Azure portal and services: These include the various admin centers of Microsoft 365, such as Entra, the Exchange Admin Center, and Microsoft Defender.
• Microsoft 365 applications: You can also secure access to your Microsoft 365 applications, such as Word, Outlook, OneDrive, and SharePoint Online, ensuring only authorized users are allowed access to your organization's information.
• On-oremises applications: Using Microsoft Entraapplication proxy or other third-party solutions, you can protect your on-premises legacy systems and internal applications with modern authentication methods and run checks for breached credentials in realtime.
• VPN and network access: Safeguard remote access to your corporate network by integrating Microsoft Entra ID MFA with your VPN solutions.
• Third-party SaaS applications: You can implement Microsoft Entra ID MFA to secure an extensive gallery of pre-integrated, third-party applications. This includes tools like Salesforce, Dropbox, and ServiceNow.
• Custom applications: Secure your custom-built applications by integrating them with Microsoft Entra ID for authentication and MFA.

Why do you need Microsoft Entra ID MFA?

For the users in an organization, especially those relying on a cloud directory like Microsoft Entra ID, it is essential to trust in authentication factors that cannot be cloned, guessed, or replicated digitally. Leveraging unique, non-replicable authentication methods ensures robust security and is a staple requirement for an IAM environment.

Microsoft Entra ID MFA is seamlessly integrated with Microsoft Entra ID, which brings in comprehensive security advantages for your Microsoft 365 users. These include:

• SSO compatibility: Microsoft Entra ID MFA can work in tandem with Microsoft Entrasingle sign-on (SSO), enabling users to access multiple applications with a single set of credentials while still benefiting from MFA's enhanced security.
• Advanced threat protection: By leveraging Microsoft Entra ID Protection, you can automatically enforce Microsoft Entra ID MFA for high-risk users and sign-ins. This proactive approach helps prevent unauthorized access by adapting to the threat landscape in realtime.
• Comprehensive reporting and insights: Microsoft Entra ID provides detailed reports and insights into MFA usage, including users who successfully completed Microsoft Entra ID MFA, users who failed to authenticate using Microsoft Entra ID MFA, authentication patterns, and potential security threats.
• Scalability and reliability: As a cloud-based solution, Microsoft Entra ID MFA can easily scale with your users in Microsoft Entra ID—you don't have to reconfigure it for every user, and policies are consistently applied across your entire Microsoft 365 environment.
• Flexible authentication options: Microsoft Entra ID MFA supports the use of authentication factors based on dynamic conditions, providing flexibility to tailor security measures to your organization's specific needs. This approach ensures that in high-risk scenarios, if one MFA factor is compromised, the overall environment remains protected.

Verification factors available in Microsoft Entra ID MFA

When users undergo Microsoft Entra ID MFA, their identity will be verified by using two or more of the following verification methods:

• Microsoft Authenticator (passkeys, mobile notification, software-based OAuth)
• Windows Hello for Business (facial recognition, fingerprint verification, PIN, security keys)
• FIDO2 passkeys
• Certificate-based authentication
• External authentication methods
• OAuth hardware and software tokens
• SMS
• Voice call

Administrators can configure verification methods for the entire tenant or for specific groups. If administrators do not enforce a particular method, users can select their preferred authentication method using the Microsoft Entra Self-Service Portal.

The verification methods can also be applied on a basis of other factors, such as sign-in location or user roles,to control the access granted based on these factors. This is achieved using Conditional Access policies.

Enhance Microsoft Entra ID MFA with Conditional Access

Microsoft Entra ID Conditional Access policies are a set of rules that control the access a user is granted based on physical factors and not authentication methods. This guarantees that only authorized users using compliant devices from approved locations can access crucial resources.

For example: If a user is trying to sign in from their typical sign-in location using their compliant device, they will be authenticated with the default configuration. However, when they try to login from a different location or a different device, they will be made to undergo a second authentication prompt to ensure that their default authentication methods are not compromised. These can also be applied when accessing certain resources or applications, too. If the user is accessing an application before or after a certain time period, the policy can be configured to block access for them until they retry it during the specified time period.

You can also use Conditional Access policies to disable MFA prompts when users log in under conditions that you can trust or for low-risk users who access a resource frequently.

Some common use cases where Conditional Access policies can be implemented include:

• Requiring MFA for users with administrative roles
• Blocking sign-ins for users attempting to use legacy authentication protocols
• Blocking or granting access from specific locations
• Blocking risky sign-in behaviors
• Requiring compliant devices to access specific applications

If you wish to enable MFA only for the above-mentioned scenarios for your entire tenant, you can enable security defaults to implement MFA using Microsoft Authenticator as the second authentication factor.

Prerequisites to implement Microsoft Entra ID MFA

Microsoft Entra ID MFA can be enabled for all users in your organization. However, the extent of its application is determined by the licenses applied to your users.

Users who are assigned the Global Administrator role can enable Microsoft Entra ID MFA with two-step verification at no additional cost.

Using Conditional Access policies requires the Microsoft Entra ID P1 license as a minimum requirement. Implementing MFA with risk-based policies that identify high-risk users and sign-ins dynamically requires the use of Microsoft Entra ID Protection, which requires a Microsoft Entra ID P2 license. When said licenses required for Conditional Access policies expire, the policies aren't automatically disabled or deleted. However, you can no longer update them.

For users of Microsoft Entra ID Free licenses, you can use security defaults to prompt all users for MFA, but you don't have granular control over enabled users or scenarios.

How does Microsoft Entra ID MFA work?

With all of the features of Microsoft Entra ID MFA on the table, we can now visualize how the entire process of verifying user identities works.

• The user begins the authentication process by entering their primary credentials, typically a username and password. If the credentials are correct, the authentication process proceeds to the next step.
• In cases where a Conditional Access policy is applied, the conditions mentioned in the policy are checked. If they match the configured conditions, the configured action takes place.
• If the configured action is to verify using an additional factor, the user is prompted to provide a second form of verification from the methods mentioned above. Once the second factor is successfully verified, the Conditional Access policy is checked again for additional MFA prompts.
• If the Conditional Access policy is satisfied, the user will be granted access to the resource.
• If any of these steps fail, the user will be denied access to the resource.

• A user attempts to sign in using their credentials.
• The Conditional Access policy is applied.
• Sign-in conditions are checked against Conditional Access policies.
• If conditions are satisfied, sign-in factors configured using Microsoft Entra ID MFA are verified.
• If the sign-in is successful and the Conditional Access policy is satisfied, the user is granted access.
• If the Conditional Access policy is not satisfied or invalid credentials are used, access is denied.

How to set up Microsoft Entra ID MFA

Microsoft Entra ID MFA can be implemented in four different ways depending on the requirements of your organization. These are:

• Conditional Access policies: Used when you need a dynamic set of authentication methods that change based on factors and risks associated with the sign-in process and to block or grant access based on meeting the policy's requirements.
• Security defaults: Used when you want to quickly enable MFA for all users within an organization without needing to create detailed policies.
• Per-user MFA: Used when you need granular control over manually enabling or disabling MFA for individual users.
• Using Entra ID Protection: Used when you need to apply MFA only to high-risk users and sign-ins based on risk-based policies to ensure MFA is only used when there's an actual risk.

Implement Microsoft Entra ID MFA for your end users with ADSelfService Plus

ManageEngine ADSelfService Plus offers adaptive MFA with 20 different authenticators, including Microsoft Entra ID MFA. You can use MFA to protect on-premises and cloud application logins, computers, VPNs, OWA, and self-service password management tasks. With ADSelfService Plus, you can customize the MFA authentication process for various user accounts based on their OU and group memberships, allowing you to secure your privileged accounts and activities against cyberthreats.

People also ask