AZ500 - Identity - Part 3

I am currently studying for the AZ 500 exam which focuses on Microsoft Azure Security Technologies. This is the next blog post in that series.

The first major section in the AZ500 exam is focused on managing identity and access. The goal of this post is to talk about multi-factor authentication.

Passwords are so 1990

In his talk, Sam Bego discusses how the glory days of passwords are behind us. While his talk focuses much more on the future state (read: passwordless authentication), those of us in the real world still have to deal with the here and now. And for the time being, passwords are here to stay.

So this begs the question, what is multi-factor authentication?

Breaking this down a bit, let's first start off with a definition for authentication. Authentication is the act of verifying the identity of an entity on the network. This "act" generally occurs as a precursor to that entity gaining access to some resource or some set of information. In the authentication process we assume that if an entity provides us with the correct (and valid) set of authentication information, then they must be who they say they are.

Authentication information can be broken down into the following factors.

  • Something you know
    • This is typically a password, or some other memorized secret that only you (and the service you are authenticating against) should know
  • Something you have
    • Something you are physically in possession of. It should be unique. This is typically an app on a phone, a token, a smell, etc.
  • Something you are
    • This category represents the use of biometrics to help identify someone. So a fingerprint, an eye scan, etc.
  • Somewhere you are
    • Your physical location. This category can generally be used in conjunction with one of the other authentication factors.

When we make mention of multi-factor authentication, what we are simply doing is using more than one of the factors above to make an authentication decision. The most common use case is the pairing of a password (something you know) with an app installed on your phone (something you have). The general idea here is that it is harder to steal both these factors than any one of them, thus increasing the security of the authentication request.

When should you use Multi-factor authentication?

The right answer to this question is obviously all the time. The real answer to this question is, it depends. The traditional viewpoint is that multi-factor authentication adds an extra step to the process, and thus should be justified. There are also considerations around managing the second factor of authentication (the phone app, a hardware token, etc.) and the enhancements needed to one's account recovery process.

Circling back, the best security advice I can give is that you should always make use of multi-factor authentication. You must make use of multi-factor authentication when:

  • You are dealing with high privileged accounts (like administrator accounts)
  • You are dealing with accounts that have access to sensitive data
  • You are dealing with accounts that have high risk of attack


As with everything Microsoft, there is a section on licensing that one has to go through to understand how they can enable a feature that they want. Please note, I have not taken the 6-year course on licensing, so this is just an overview.

Typically, there are 3 ways you can "enable" MFA for you or your users. The easiest is to purchase some bundle that contains Azure Active Directory Premium or Microsoft 365 Business. These are typically per user / per month type licenses that give you access to a bunch of handy security features. You can find out more information here.

One important thing to note is that each "way" you can get MFA comes with a different set of features. Reference the chart here for a feature comparison between the different options. You can also look at the Azure Active Directory pricing page here for more information on feature differences.


There are typically a few different steps that one would go through when enabling/configuring MFA. The steps to go through are defined here and consist of the following (at a high level):

  • Ensure you have all the pre-requisites for the type of environment you are working in
    • Cloud only vs hybrid
    • Protecting cloud only resources, vs protecting legacy on-prem applications
  • Ensure you have a good phased rollout approach
    • Think about the training and user communication you need to follow
  • Consider when/where you want to enforce MFA
    • Conditional access policies can be used to enforce MFA and you can get pretty granular on how/when MFA is enforced. This is designed to minimize the overhead/headache of needing MFA while increasing the security when you need it
  • Plan your authentication mechanisms
    • Most of the options are pretty secure, with software OTP being the best and text to phone being the worst
  • Plan how your users will be onboarded
    • In order to enforce MFA, users need to pick their MFA preferences and provide required information for that authentication type. Please note, some of this might be scriptable beforehand
  • Integrate with your other authentication devices
    • This is the step where if you have on-prem resources you are protecting, you need to ensure they are configured correctly to use MFA
  • Profit
    • I think
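To make the "phased rollout" and "when/where to enforce MFA" steps concrete, here is an added example (not part of the original post) that creates a Conditional Access policy requiring MFA for privileged roles, starting in report-only mode. It assumes the Microsoft.Graph PowerShell module is installed and that the tenant is licensed for Conditional Access; the break-glass account object ID is a placeholder and the policy name is made up for illustration.

```powershell
# Added example: report-only Conditional Access policy requiring MFA for privileged roles.
# Assumes the Microsoft.Graph PowerShell module and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of an emergency-access ("break-glass") account to exclude,
# so a misconfigured policy cannot lock every administrator out of the tenant.
$breakGlassObjectId = '<BREAK-GLASS-ACCOUNT-OBJECT-ID>'

# Built-in directory role template IDs (identical in every tenant).
$privilegedRoles = @(
    '62e90394-69f5-4237-9190-012177145e10'  # Global Administrator
    'e8611ab8-c189-46e8-94e1-60213ab1f814'  # Privileged Role Administrator
    '194ae4cb-b126-40b2-bd5b-6091b380977d'  # Security Administrator
)

$policy = @{
    # Hypothetical display name chosen for this example.
    displayName   = 'EXAMPLE - Require MFA for privileged roles (report-only)'
    # Report-only: the policy is evaluated and logged on sign-in but not enforced yet.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeRoles = $privilegedRoles
            excludeUsers = @($breakGlassObjectId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results in the sign-in logs look right and users are onboarded,
# switch the same policy to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

Running the policy in report-only mode first shows which privileged sign-ins would have been prompted or blocked before anyone is actually affected.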

Other Settings

There is a lot you can do with Azure Active Directory MFA. This includes concepts like going passwordless (which is currently in preview). A full detailed view of the configurable settings can be found here.


In this post we talked a bit about Azure Active Directory Multi Factor Authentication, licensing requirements, and how to set up and configure it.


About Shamir Charania

Shamir Charania, a seasoned cloud expert, possesses in-depth expertise in Amazon Web Services (AWS) and Microsoft Azure, complemented by his six-year tenure as a Microsoft MVP in Azure. At Keep Secure, Shamir provides strategic cloud guidance, with senior architecture-level decision-making to having the technical chops to back it all up. With a strong emphasis on cybersecurity, he develops robust global cloud strategies prioritizing data protection and resilience. Leveraging complexity theory, Shamir delivers innovative and elegant solutions to address complex requirements while driving business growth, positioning himself as a driving force in cloud transformation for organizations in the digital age.
