Step-By-Step: Enabling Multi-Factor Authentication for Azure Active Directory Users


Multi-factor authentication (MFA) provides an additional layer of security to confirm the identity of a user. Methodologies utilized can include PIN, phone call, smart cards, biometrics etc.There are many MFA service providers currently in market that offer both on-premises service or via cloud based service.

Integrating MFA to secure an on-premises active directory implementation, especially with it is synchronized or federated with Azure Active Directory, can extend the security boundaries of said infrastructure.

This Step-By-Step post will demonstrate how easy it is to enable multi-factor authentication for Azure Active Directory users.

For this walkthrough, this lab consists of Windows Server 2016 TP4 on-premises AD configured to sync with azure ad. Multi-factor authentication will be enabled on an azure user account which is sync from on-premises AD.

  1. Log in to your azure portal
     
  2. Next navigate to Active Directory
     
     mfa1
     
  3. Navigate to the corresponding AD directory and go to users
     
    mfa2
     
    NOTE:This demo utilizes user account user1 which is in sync from local active directory
     
  4. Select the user account and click on manage multi-factor authentication
     
    mfa3

    NOTE: A new page loads to manage MFA. As you can see currently for “user1” MFA disabled
     
     mfa4
     

  5. To enable, click on tick box next to user1 and click on option enable in right hand panel
     
     mfa5

     

  6. Click on enable multi-factor auth once the pop up window appears with help options
     
    mfa6
     
  7. Log in azure portal to ensure MFA has been enabled
     
     mfa7
     
  8. Should it state MFA is enabled, next click on setup now to proceed
     
    mfa8
     mfa9
     
  9. In the next page provides 3 options to select as a desired authentication method: 
     
    - Authentication phone – This will send SMS or also can setup to call back to the given number. Please note if you use this option SMS and call charges will be added.
     
    - Office Phone – This option is to request contact using office phone specified by admin
     
    - Mobile App – With this option you can install mobile application (Azure Authenticator) on your phone and it can set to send notification via app when try to login or to use verification code
     
    mfa10

     

  10. Select the desired option and its settings and click on setup
     
    mfa11
     
  11. For this demo the mobile app option was selected. Revisit the login page once setup is completed to ensure its success.
     

    mfa12

As per this example, MFA is now requesting verification via PIN. Thus the enablement of MFA is successful.

Comments (0)

Skip to main content