Enterprise Mobility and Security Blog

RSS

Hey everyone! We have some exciting news to share on vastly improving your users’ Multi-Factor Authentication (MFA) experience by letting them skip MFA on trusted devices!

Given the huge amount of phishing, malware and breach attacks out there, we know that the password alone really isn’t enough to keep your accounts safe! Using MFA is how we shore up the password system. You can do this with Azure Active Directory MFA, requiring some or all of your users to pass an MFA challenge to log in. This is extra cool when tied in with our risk detection systems, something you can try for yourself in public preview at https://aka.ms/identityprotection.

One cool side effect of running the consumer identity system for Xbox, Outlook, Office365, and so many other services is we get a lot of ahem . . . “helpful feedback” about unnecessary MFA challenges. When you have hundreds of millions of active users every day, even a little friction causes a *lot* of support impact. So we have gotten very focused on how to reduce that friction while maintaining the excellent security MFA provides.

One of the main tools in our bag is trusted devices – once a user has passed an MFA challenge on a device, they can opt in to letting the MFA system “remember” that device for a period of time. Subsequent logins will use the device itself as a second factor, so that the user’s login experience is seamless, but the great security around MFA is maintained. And now it is available to you!

I am delighted to announce this is in GA now, so you can set this up today, and greatly improve your users’ experience (and greatly reduce your support overhead) – I’ve asked Shawn Bishop to give you a rundown – enjoy!

And as always, we’d love to receive any feedback or suggestions you have!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Products and Services

——————————-

Hey everyone! I’m Shawn Bishop from the Identity Security and Protection Get to Production Team. I am the resident expert on Azure Multi-Factor Authentication (MFA) and want to show you how easy it is to get MFA security with a great user experience!

  1. First, select your directory

  1. Now choose “configure” from the tabs:

  1. Scroll about half way down the page and select Manage service settings under “multi-factor authentication”:

  1. And you’re there! On the multi-factor authentication, the last setting there is “remember multi-factor authentication” – just click the box, set the number of days a device should be used for second factor before require an interactive challenge, and voila!

Ok, now what will your users see once you turn this on? When users get an MFA challenge, they will see a checkbox that says “Don’t ask again for n days,” where n is based on what you configured.

If the user loses their device, they can revoke the remembered MFA on their devices through the Additional Security Verification settings in their user profile at http://myapps.microsoft.com

Admins can also revoke any user’s remembered MFA in user settings.

This feature is available in all versions of Azure MFA, including MFA for Office 365 and MFA for Azure Admins – learn more here!
Have fun!

-Shawn