Enable Multi-factor authentication on the Azure Management Portal

In category CyberSecurity, Microsoft Azure | April 18, 2017

Multi-factor authentication means by its name, giving one more step of authentication to protect your account.  The authentication step can be a time-based one-time password sent from a cloud authentication provider such as Google Authenticator, Microsoft Authenticator. The authentication step can also be a one-time code generated from an immediate authentication server sent to your email or your mobile phone in form of SMS message. Sometimes you can see it in form of biology i.e. fingerprint. Whatever it is, after you enter your username and password in such a traditional way, you still need another step to completely get authenticated before having access to your resources. Multi-factor authentication is commonly required in security policy in medium to large organizations, including governmental environment.

Setting up multi-factor authentication can be challenging, depending on the platform you are working on. For example if working with SharePoint you need to break the default NTML authentication protocol to change to forms-based authentication. The full implementation is quite complicated, including some workaround to resolve User Profile synced account and People Picker user object. Well, this article is not about how to set up multi-factor authentication in SharePoint (I promise I will write it soon on my blog). This article instead is going to walk you through steps to enable multi-factor authentication on the Azure Management portal to give you better feeling of safety.

Why just a feeling? Yes, because security is not a silver bullet. It’s just about your feeling on something which is thought of security. When you do something you call security you are going to have a good feeling. Otherwise you would never have a good sleep.

Now let’s get started with what Microsoft classifies for Azure Management portal account.

Understanding Azure Management portal account

There are basically two types of account Microsoft allows you to use to log into Azure Management portal.

If you have a doubt, just go to log-in page then click Can’t access your account? you will see what Microsoft asks you. Work and School account is considered corporate account stored somewhere in your on-premises environment or Microsoft cloud identity service (Azure Active Directory). This type is commonly in form of email address (but actually it’s User Principal Name format) such as thuan@contoso.com. While Microsoft Account is previously called Windows Live ID.  But now Microsoft combines several things into a centralized system including Outlook.com, OneDrive, Skype, XboxLive, Bing or so on. Windows Live ID is no longer called by its name but people still prefer calling it. The new name is Microsoft account which many people are confused, misunderstanding that it’s used for internal Microsoft employees.

Every time when you log into Azure Management portal, you are not asked the account type. Instead, after you enter the username Microsoft will redirect you to corresponding identity service. For example, if you type your corporate account (Work and School account) you will be redirected to the federation server (e.g. Active Directory Federation Services server) for authentication. If that is an Office 365 account, the authentication identity service is Azure AD. However if that’s your personal Live ID, Microsoft does not redirect you to https://login.microsoftonline.com. Instead you are introduced Microsoft Live ID login page. This behavior would give you a conclusion that multi-factor configuration depends on the account you have entered to log into Azure Management Portal.

Read more about Authentication Scenarios for Azure AD here.

The authentication flow of Microsoft account is similar. I’ve heard of that the identity provider is leveraged under Azure AD but in a dedicated tenant.

Configure 2FA for Microsoft Account

To manage your security setting, log into https://account.microsoft.com/ with your Microsoft account. Navigate to Security page and find the link to more security options at the bottom. You will be asked again before having access to the Additional security options page. Click Setup two-step verification.

From Set up two-step verification page, carefully  read two-step introduction from Microsoft (I know nobody wants to spend time reading word by word) then click Next. From Set up an identity verification app page, choose a mobile device you want to install the app on. Microsoft gives an app called Microsoft Authenticator app In this case I choose the option for my iPhone.

  • If you use iOS, download here
  • If you use Windows Phone, download here
  • If you use Android, download here

After your mobile app is successfully installed on your mobile phone, open the app to add your personal Windows account. When you have successfully added your account to the app, click Next from Set up Microsoft Authentication app page. You will be given a new code to recover access to your account if you happen to forget. Copy the code and store somewhere in your computer or a cloud storage such as OneDrive. Click Next to complete the configuration. You are asked for further configuration depending on the device your use.

Now try to log into Azure portal with your Microsoft Live ID account. After entering username and password, you are redirected to a new page asking you to approve the login request containing the request ID (e.g. 46NGL). This perhaps is not something you may have known in terms of 2FA user experience which asks one-time password.

Open Microsoft Authenticator app on your phone, there is a approval pop-up that asks you approve the authentication request. The request ID in the pop-up matches 100% with the one displaying in the above page.

From the popup, simply tap on Approve to complete the task. Every time when you log into Azure, you need to approve the authentication request. What if you grant permission to someone else whose account is Microsoft Live ID? He can log into Azure Management Portal without having to set up multi-factor authentication. As far as I know there is no way to force Microsoft account to use another authentication step unless this account must enable individually. Even if you create a conditional access policy for Microsoft account, then the enforcement policy won’t be effective as of this article.

Configure multi-factor authentication for Azure AD account

If the account is created and managed by Azure AD, you have more control including conditional access to force multi-factor authentication. From the left azure service panel, click Azure Active Directory. You can get to Multi-Factor Authentication setting quickly by navigating to Users and groups > All users.

The screenshot above is the public preview version of Azure AD in the new portal. I’d highly suggest you to get familiar with it because the classic one is going to be migrated then deprecated.

Tip: you can open directly multi-factor authentication management page from here

From multi-factor authentication page, select the Azure account and click Enable. Steps to complete multi-factor authentication configuration are straightforward.

At the first time of login, if multi-factor has never been set up in a specific account, Azure gives this account a choice. After your successful login, you are asked to set up multi-factor.

Simply click Set it up now button and select your preferred method, then complete further steps to enable multi-factor.

Force multi-factor with Conditional Access

With Microsoft account there is no way as of this article to force to use multi-factor authentication during login time to Azure Management portal. However if your account is created and managed by Azure AD you can create an enforcement policy to force people in your organization to set up multi-factor authentication before they can log into Azure. This is recommended if you are managing an Azure team, which are granted to work on your Azure subscription.

Navigate to Azure Active Directory (Preview) then click Conditional access under Security category.

Click New policy from the panel. Enter the policy name, let’s say multi-factor enforcement policy. Under Assignments, click Users and groups then add the Azure AD account which you want to force to use multi-factor. Next, click Cloud apps and select Microsoft Azure Subscription Management. This is very important step because here you specify the app that the policy is applied to. Remember clicking Select every time you complete your selection.

Leave Condition setting blank because we do not evaluate this feature in this article. Under Access Controls, click Grant. Stick Grant access and Require multi-factor authentication. Also stick Require one of the selected controls (Preview). The last step is make sure Enable policy setting in On mode. Click Create to start creating the new policy.

You can test by just opening Azure Management Portal and try to log in using the account you added when creating a new enforcement policy.

More than a way to enable multi-factor for your Azure AD account. With Conditional access capability you can control a group of Azure AD accounts whose work on your Azure subscription.

What if non-Microsoft account?

What if the account you grant to your Azure subscription is a non-Microsoft account e.g. Gmail or Yahoo. After you add a gmail account, that account will receive an invitation email and he will be asked for creating a new Microsoft account which is associated to the invited gmail account.

After clicking Next, you will get to creating a new Microsoft account. Complete basic steps to get things done and use Gmail account to log into Azure Management portal.

Conclusion

Multi-factor authentication is part of identity protection which is a key component to developing defense-in-depth strategy in your Azure deployment. Think of a case when your account is compromised then all virtual machines are deleted, which you never wanted to see. Currently with everything out of the box, you can’t force someone using Microsoft account to be applied multi-factor authentication. There would be a solution in which you deploy an single sign-on solution incorporating with Azure AD identity service. Yes that would be a case but I’d think of it a super complicated case.

With Conditional access you can better control your Azure AD account, especially in this case of multi-factor authentication. Be prepared for multi-factor implementation to achieve a *good feeling*.

[Updated April 19, 2017 4:50 PM GMT +7] If you need the login to be simplified more than password, you can try Enable phone sign-in described here.

Share

Leave a Reply