Based on our PoC model:
- Hybrid identity scenario – Deploy Azure AD Connect and synchronize user identities between the on-premises Active Directory Domain Services (AD DS) and Azure AD.
- Method selected – Microsoft Authenticator app (passwordless sign-in)

In the Azure portal, you configure Conditional Access policies under Azure Active Directory > Security > Conditional Access.
Follow the steps below:
- Meet the necessary prerequisites
- Configure chosen authentication methods
- Configure your Conditional Access policies
- Configure session lifetime settings
- Configure Azure AD MFA registration policies

Settings to be configured

Account lockout
To prevent repeated MFA attempts as part of an attack, the account lockout settings let you specify how many failed attempts to allow before the account becomes locked out for a period of time. The account lockout settings are only applied when a PIN code is entered for the MFA prompt.
The following settings are available:
- Number of MFA denials to trigger account lockout
- Minutes until account lockout counter is reset
- Minutes until account is automatically unblocked
To configure account lockout settings, complete the following steps:
- Sign in to the Azure portal as an administrator.
- Browse to Azure Active Directory > Security > MFA > Account lockout.
- Enter the required values for your environment, then select Save.
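To see how the three lockout settings interact before choosing values, the following added example (not Microsoft's code; the exact counter semantics of Azure AD MFA are an assumption of this model) treats the lockout as a denial counter with a reset window and an auto-unblock window, and replays a constructed sequence of denial timestamps against a policy:

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LockoutPolicy:
    denials_to_lockout: int      # "Number of MFA denials to trigger account lockout"
    counter_reset_minutes: int   # "Minutes until account lockout counter is reset"
    auto_unblock_minutes: int    # "Minutes until account is automatically unblocked"


@dataclass
class AccountState:
    denials: int = 0
    last_denial_min: Optional[float] = None   # time of the most recent denial
    locked_until_min: Optional[float] = None  # None when not locked


def is_locked(state: AccountState, now_min: float) -> bool:
    return state.locked_until_min is not None and now_min < state.locked_until_min


def record_denial(policy: LockoutPolicy, state: AccountState, now_min: float) -> bool:
    """Apply one MFA denial at time now_min (in minutes).

    Returns True if the account is locked after this denial (assumed model).
    """
    if is_locked(state, now_min):
        return True                      # still inside the auto-unblock window
    state.locked_until_min = None        # a previous lock (if any) has expired
    # Counter resets when the previous denial is older than the reset window.
    if (state.last_denial_min is not None
            and now_min - state.last_denial_min >= policy.counter_reset_minutes):
        state.denials = 0
    state.denials += 1
    state.last_denial_min = now_min
    if state.denials >= policy.denials_to_lockout:
        state.locked_until_min = now_min + policy.auto_unblock_minutes
        state.denials = 0                # counter starts fresh after the lock lifts
        return True
    return False


def simulate(policy: LockoutPolicy, denial_times_min: List[float]) -> List[bool]:
    """Replay constructed denial timestamps; returns the lock status after each one."""
    state = AccountState()
    return [record_denial(policy, state, t) for t in denial_times_min]


if __name__ == "__main__":
    # Constructed sample: 3 denials lock, counter resets after 10 min, unblock after 30 min.
    print(simulate(LockoutPolicy(3, 10, 30), [0, 2, 4, 5, 34]))
```

A long reset window makes slow, spaced-out denials still reach the threshold, whereas a short one lets them fall off the counter; compare the two policies in the test values when tuning the settings.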

Block a user
To block a user, complete the following steps:
- Browse to Azure Active Directory > Security > MFA > Block/unblock users.
- Select Add to block a user.
- Enter the username for the blocked user as username@domain.com, then provide a comment in the Reason field.
- When ready, select OK to block the user.
Unblock a user
To unblock a user, complete the following steps:
- Browse to Azure Active Directory > Security > MFA > Block/unblock users.
- In the Action column next to the desired user, select Unblock.
- Enter a comment in the Reason for unblocking field.
- When ready, select OK to unblock the user.
Fraud alert
The fraud alert feature lets users report fraudulent attempts to access their resources. When an unknown and suspicious MFA prompt is received, users can report the fraud attempt using the Microsoft Authenticator app or through their phone.
The following fraud alert configuration options are available:
- Automatically block users who report fraud: If a user reports fraud, the Azure AD MFA authentication attempts for the user account are blocked for 90 days or until an administrator unblocks their account. An administrator can review sign-ins by using the sign-in report, and take appropriate action to prevent future fraud. An administrator can then unblock the user’s account.
- Code to report fraud during initial greeting: When users receive a phone call to perform multi-factor authentication, they normally press # to confirm their sign-in. To report fraud, the user enters a code before pressing #. This code is 0 by default, but you can customize it.
To enable and configure fraud alerts, complete the following steps:
- Browse to Azure Active Directory > Security > MFA > Fraud alert.
- Set the Allow users to submit fraud alerts setting to On.
- Configure the Automatically block users who report fraud or Code to report fraud during initial greeting setting as desired.
- When ready, select Save.
