I am currently studying for the AZ 500 exam which focuses on Microsoft Azure Security Technologies. This is the next blog post in that series.
The first major section in the Az500 exam is focused on managing identity and access. The goal of this post is to talk about multi-factor authentication.
In his talk (https://1990.sambego.tech/), Sam Bego argues that the glory days of passwords are behind us. While his talk focuses much more on the future state (read: passwordless authentication), those of us in the real world still have to deal with the here and now. And for the time being, passwords are here to stay.
So this begs the question, what is multi-factor authentication?
Breaking this down a bit, let's first start off with a definition of authentication. Authentication is the act of verifying the identity of an entity on the network. This “act” generally occurs as a precursor to that entity gaining access to some resource or some set of information. In the authentication process we assume that if an entity provides us with the correct (and valid) set of authentication information, then they must be who they say they are.
Authentication information can be broken down into the following factors.
When we make mention of multi-factor authentication, what we are simply doing is using more than one of the factors above to make an authentication decision. The most common use case is the pairing of a password (something you know) with an app installed on your phone (something you have). The general idea here is that it is harder to steal both these factors than any one of them, thus increasing the security of the authentication request.
The right answer to this question is obviously all the time. The real answer to this question is, it depends. The traditional viewpoint is that multi-factor authentication adds an extra step to the process, and thus should be justified. There are also considerations around managing the second factor of authentication (the phone app, a hardware token, etc.) and, further, the enhancements needed in one’s account recovery process.
Circling back, the best security advice I can give is that you should always make use of multi-factor authentication. You must make use of multi-factor authentication when:
As with everything Microsoft, there is a section on licensing that one has to go through to understand how they can enable a feature that they want. Please note, I have not taken the 6-year course on licensing, so this is just an overview.
Typically, there are 3 ways you can “enable” MFA for you or your users. The easiest is to purchase some bundle that contains Azure Active Directory Premium or Microsoft 365 Business. These are typically per user / per month type licenses that give you access to a bunch of handy security features. You can find out more information here (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks).
One important thing to note is that each “way” you can get MFA comes with a different set of features. Reference the chart here (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing) for a feature comparison between the different options. You can also look at the Azure Active Directory pricing page here (https://azure.microsoft.com/en-ca/pricing/details/active-directory/) for more information on feature differences.
There are typically a few different steps that one would go through when enabling/configuring MFA. The steps to go through are defined here (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted) and consist of the following (at a high level):
There is a lot you can do with Azure Active Directory MFA. This includes concepts like going passwordless (which is currently in preview). A full, detailed view of the configurable settings can be found here (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings).
In this post we talked a bit about Azure Active Directory Multi-Factor Authentication, its licensing requirements, and how to set it up and configure it.