Multi-factor Authentication For All Privileged Users

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button available in the blade top menu. This will open Azure MFA management portal.

05 From View dropdown list, select the privileged user category that you want to examine. The privileged users can be owners, co-administrators or contributors.

06 Choose the user that you want to examine and check the feature status available in the MULTI-FACTOR AUTH STATUS column. If the status is Disabled, the MFA feature is not enabled, therefore the authentication process for the selected privileged Microsoft Azure user is not MFA-protected.

07 Repeat steps no. 6 for each user that you want to examine available in the current user category.

08 Repeat step no. 5 – 7 for each privileged user category within the Microsoft Entra ID.

01 Run ad user list command (Windows/macOS/Linux) using query filters to list all Microsoft Entra ID users:

az ad user list
  --query '[].{userPrincipalName:userPrincipalName}'
  --output table

02 The command output should return a table that contains all your Microsoft Entra ID user names:

UserPrincipalName
-----------------------------------------------
azuremanager@cloudconformity.onmicrosoft.com
azadministrator@cloudconformity.onmicrosoft.com

03 Run role assignment list command (Windows/macOS/Linux) with custom query filters to return the name of the access control role(s) assigned to the Microsoft Entra ID user that you want to examine:

az role assignment list
  --include-classic-administrators true
  --assignee azuremanager@cloudconformity.onmicrosoft.com
  --query '[].{roleDefinitionName:roleDefinitionName}'

04 The command output should return an array that contains the name of the role assigned to the specified Microsoft Entra ID user. The role name indicates if the examined user is privileged (i.e. has write access to Azure resources) or not. The name of the privileged user role must be Owner, *Contributor or *Administrator:
If the roleDefinitionName attribute value is set to Owner, *Contributor or *Administrator, as shown in the output example above, the selected user has privileged access, thus the Audit process continues with the next step. Otherwise, the user is not privileged and the conformity rule audit ends here.

05 Open an elevated Windows PowerShell command prompt (i.e. run PowerShell as an administrator) and run Install-Module MSOnline command to install MSOnline PowerShell module for Microsoft Entra ID:

06 Run Connect-MsolService PowerShell command to connect to your Microsoft Entra ID environment. Once the command request is made you should be prompted for your Microsoft Entra ID credentials. To connect to a specific environment of Microsoft Entra ID, use -AzureEnvironment parameter, as shown in the example above (replace highlighted placeholder with your own Microsoft Entra ID environment name):

07 Run Get-MsolUser PowerShell command (using MSOnline module) with custom query filters to identify if the selected Azure Microsoft Entra ID user has registered for Multi-Factor Authentication (MFA):

08 The command output returns the verified Microsoft Entra ID user name if MFA is disabled, otherwise the command does not produce an output at all:
If Get-MsolUser command output returns the name of the examined user, the MFA feature is not enabled, therefore the authentication process for the selected privileged Microsoft Azure user is not MFA-protected.

09 Repeat steps no. 3 – 8 for each Microsoft Entra ID user that you want to examine.

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Click on the Multi-Factor Authentication button available in the blade top menu.

05 On the Multi-Factor Authentication management page, click service settings to access the MFA configuration settings.

06 On the service settings page, under verification options, select the method(s) that you want to use for Multi-Factor Authentication from Methods available to users.

07 Click Save to apply the changes, then click Close to return to the settings page.

08 Click users and select the appropriate privileged user category from the View dropdown list. The privileged users can be owners, co-administrators or contributors.

09 Select the user that you want to enroll in MFA (see Audit section part I to identify the right user) and click Enable under quick steps, in the right menu.

10 On the action confirmation box, click enable multi-factor auth to enable Multi-Factor Authentication for the selected Microsoft Azure user. Click Close to return to the console.

11 Install Microsoft Authenticator application, then sign in to your Microsoft Azure account with the user configured for MFA at the previous steps. Once signed in, you will be redirected to the Additional security verification page and asked to complete the MFA registration process.

12 On the verification page, under Step 1: How should we contact you, select Mobile app and Use verification code option to specify how do you want to use the Microsoft Authenticator app. Click Set up to initiate the registration process.

13 Open the mobile app, choose Add account add and select Work or school account.

14 Inside Configure mobile app box, scan the generated QR code using the Microsoft Authenticator app. Once the application displays a six-digit code, click Next.

15 Back on the Additional security verification page, click Next to continue the process. Under Step 2: Enter the verification code from the mobile app, enter the verification code displayed on your Microsoft Authenticator app and click Verify.

16 For Step 3: In case you lose access to the mobile app, provide a phone number that will be used for adding phone verification to your user password, then choose Next. Click Done to finish the MFA registration process. The MFA state for the user should be automatically switched to Enforced once the registration process is completed.

17 Repeat steps no. 9 – 16 for each privileged user that you want to reconfigure for MFA, available in the current user category.

18 Repeat step no. 9 – 17 for each privileged user category within your Microsoft Entra ID.

01 Open an elevated Windows PowerShell command prompt (i.e. run PowerShell as an administrator) and run Install-Module MSOnline command to install MSOnline PowerShell module for Microsoft Entra ID:

Install-Module MSOnline

02 Run Connect-MsolService PowerShell command to connect to your Microsoft Entra ID environment. Once the command request is made you should be prompted for your Microsoft Entra ID credentials. To connect to a specific environment of Microsoft Entra ID, use -AzureEnvironment parameter, as shown in the example above (replace highlighted details with your own Microsoft Entra ID details):

Connect-MsolService -AzureEnvironment "<ad-environment-name>"

03 Define an array of strong authentication (i.e. MFA) requirements, that will be used later as value for the –StrongAuthenticationRequirements parameter in order to activate MFA using the Set-MsolUser command:

$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$mfa.State = "Enabled"
$setmfa = @($mfa)

04 Run Set-MsolUser PowerShell command (using MSOnline module) using the name of the user that you want to reconfigure as –UserPrincipalName parameter value (see Audit section part II to identify the right user) and the strong authentication requirements parameter defined at the previous step to update the selected user configuration in order to enable Multi-Factor Authentication (MFA):

Set-MsolUser
-UserPrincipalName azuremanager@cloudconformity.onmicrosoft.com
-StrongAuthenticationRequirements $setmfa

05 Now that the feature is enabled for the selected Azure user, you have to start the Multi-Factor Authentication (MFA) registration process. Install Microsoft Authenticator application then sign in to your Microsoft Azure account with the user configured for MFA at the previous step. Once signed in, you will be redirected to the Additional security verification page and prompted to complete the registration process.

06 On the verification page, under Step 1: How should we contact you, select Mobile app and Use verification code option to specify how do you want to use the Microsoft Authenticator app. Click Set up to initiate the registration process.

07 Open the mobile app, choose Add account add and select Work or school account.

08 Inside Configure mobile app box, scan the generated QR code using the Microsoft Authenticator app. Once the application displays a six-digit code, click Next.

09 Back on the Additional security verification page, click Next to continue the process. Under Step 2: Enter the verification code from the mobile app, enter the verification code displayed on your Microsoft Authenticator app and click Verify.

10 For Step 3: In case you lose access to the mobile app, provide a phone number that will be used for adding phone verification to your user password, then choose Next. Click Done to finish the MFA registration process. The user MFA status should be automatically switched to the Enforced once the registration process is completed.

11 Repeat steps no. 1 – 10 for each privileged Microsoft Azure user that you want to reconfigure in order to enable Multi-Factor Authentication (MFA).