Step-By-Step: Enabling Multi-Factor Authentication for Azure Active Directory Users

Multi-factor authentication (MFA) adds a second layer of verification to confirm a user's identity. The additional factor can be a PIN, a phone call, a smart card, a biometric, etc. Many MFA providers are on the market today, delivering the service either on-premises or from the cloud.

Integrating MFA with an on-premises Active Directory, especially one that is synchronized or federated with Azure Active Directory, extends the security boundary of that infrastructure to the cloud identities as well.

This Step-By-Step post demonstrates how easy it is to enable multi-factor authentication for Azure Active Directory users.

For this walkthrough, the lab consists of an on-premises Windows Server 2016 TP4 Active Directory configured to sync with Azure AD. Multi-factor authentication will be enabled on an Azure AD user account that is synced from the on-premises AD.

  1. Log in to the Azure portal.

  2. Navigate to Active Directory.

     mfa1
     

  3. Open the directory in question and go to Users.

     mfa2

     NOTE: This demo uses the account user1, which is synced from the local Active Directory.
     

  4. Select the user account and click Manage Multi-Factor Auth.

     mfa3

     NOTE: A new page loads for managing MFA. As you can see, MFA is currently disabled for user1.

     mfa4
     

  5. To enable it, tick the box next to user1 and click Enable in the right-hand panel.

     mfa5

     

  6. When the pop-up window with help options appears, click Enable multi-factor auth.

     mfa6
     

  7. Sign in to the Azure portal as user1 to confirm that MFA has taken effect. Because MFA is now enabled for the account, the sign-in is interrupted with a notice that additional security verification is required.

     mfa7

  8. If the page states that MFA is required, click Set up now to proceed with registering a verification method.

     mfa8
     mfa9
     

  9. The next page offers three authentication methods to choose from:

     - Authentication phone – sends an SMS, or can be set up to call back the given number. Note that SMS and call charges apply if you use this option.

     - Office phone – places a voice call to the office number specified by the administrator.

     - Mobile app – install the Azure Authenticator application on your phone; it can be set to send a push notification at sign-in or to generate a verification code.

     Of the three, the mobile app is the stronger choice: SMS messages and voice calls can be intercepted or redirected (for example through a SIM-swap attack), whereas the app's notification or code is tied to the enrolled device.

     mfa10

     

  10. Select the desired option, configure its settings, and click Set up.

      mfa11

  11. For this demo the mobile app option was selected. Once setup is complete, revisit the login page to confirm that it worked.

      mfa12

As this example shows, the sign-in now requests verification with a PIN from the authenticator app, so MFA has been enabled successfully.
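The same enable-and-verify procedure can be scripted, which is useful when many synced accounts need MFA and for auditing which accounts still lack it. The PowerShell below is an added example, not code from the original post; it uses the MSOnline module (Connect-MsolService, Set-MsolUser, Get-MsolUser), which was the supported way to manage per-user MFA with the classic portal at the time (Microsoft has since retired MSOnline in favour of Microsoft Graph, so treat this as the legacy path). The UPN user1@contoso.onmicrosoft.com is a placeholder for the synced account used in the walkthrough.

```powershell
# Added example (not from the original post): enable per-user MFA for a synced
# account, verify the resulting state, and audit the tenant for users without it.
# Uses the legacy MSOnline module; the UPN below is a placeholder.
Import-Module MSOnline
Connect-MsolService                  # prompts for a Global Administrator sign-in

$upn = 'user1@contoso.onmicrosoft.com'   # placeholder; use the synced user's real UPN

# A StrongAuthenticationRequirement carries the per-user MFA state.
# 'Enabled'  = user must register a method at next sign-in (steps 7-11 above)
# 'Enforced' = registration done, MFA demanded on every sign-in
# An empty requirements array turns per-user MFA back off.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'              # apply to every relying party (application)
$req.State = 'Enabled'

Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)

# Verify: the portal's "Enabled" status corresponds to a non-empty
# StrongAuthenticationRequirements collection on the user object.
$user  = Get-MsolUser -UserPrincipalName $upn
$state = $user.StrongAuthenticationRequirements.State
if (-not $state) { $state = 'Disabled' }
Write-Output "${upn}: per-user MFA $state"

# After the user completes registration, the enrolled methods and the default
# method (e.g. PhoneAppNotification, PhoneAppOTP, OneWaySMS, TwoWayVoiceMobile)
# appear on the same object. Empty output here means the user has not yet
# finished the Set up now flow.
$user.StrongAuthenticationMethods |
    Select-Object MethodType, IsDefault |
    Format-Table -AutoSize

# Audit check: every user in the tenant with no per-user MFA requirement at all.
Get-MsolUser -All |
    Where-Object { -not $_.StrongAuthenticationRequirements } |
    Select-Object UserPrincipalName, IsLicensed |
    Format-Table -AutoSize
```

Setting the state to Enabled rather than Enforced matches what the portal tick box does in step 5: the account is flagged, and the user is walked through method registration at the next sign-in. Move accounts to Enforced only after the StrongAuthenticationMethods listing shows a registered method, otherwise the user is locked out of the sign-in they need in order to register.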