Prerequisites
To complete this tutorial, you need the following resources and privileges:
A working Azure AD tenant with Azure AD Premium P1 or trial licenses enabled.
If you need to, create one for free.
An account with Conditional Access Administrator, Security Administrator, or Global Administrator privileges. Some MFA settings can also be managed by an Authentication Policy Administrator. For more information, see Authentication Policy Administrator.
A non-administrator account with a password that you know. For this tutorial, we created such an account, named testuser. In this tutorial, you test the end-user experience of configuring and using Azure AD Multi-Factor Authentication.
If you need information about creating a user account, see Add or delete users using Azure Active Directory.
A group that the non-administrator user is a member of. For this tutorial, we created such a group, named MFA-Test-Group. In this tutorial, you enable Azure AD Multi-Factor Authentication for this group.
If you need more information about creating a group, see Create a basic group and add members using Azure Active Directory.
Create a Conditional Access policy
The recommended way to enable and use Azure AD Multi-Factor Authentication is with Conditional Access policies. Conditional Access lets you create and define policies that react to sign-in events and that request additional actions before a user is granted access to an application or service.
Conditional Access policies can be applied to specific users, groups, and apps. The goal is to protect your organization while also providing the right levels of access to the users who need it.
In this tutorial, we create a basic Conditional Access policy to prompt for MFA when a user signs in to the Azure portal. In a later tutorial in this series, we configure Azure AD Multi-Factor Authentication by using a risk-based Conditional Access policy.
First, create a Conditional Access policy and assign your test group of users as follows:
Sign in to the Azure portal by using an account with global administrator permissions.
Search for and select Azure Active Directory. Then select Security from the menu on the left-hand side.
Select Conditional Access, select + New policy, and then select Create new policy.
Enter a name for the policy, such as MFA Pilot.
Under Assignments, select the current value under Users or workload identities.
Under What does this policy apply to?, verify that Users and groups is selected.
Under Include, choose Select users and groups, and then select Users and groups.
Since no one is assigned yet, the list of users and groups (shown in the next step) opens automatically.
Browse for and select your Azure AD group, such as MFA-Test-Group, then choose Select.
We've selected the group to apply the policy to. In the next section, we configure the conditions under which to apply the policy.
Configure the conditions for multi-factor authentication
Now that the Conditional Access policy is created and a test group of users is assigned, define the cloud apps or actions that trigger the policy. These cloud apps or actions are the scenarios that you decide require additional processing, such as prompting for multi-factor authentication. For example, you could decide that access to a financial application or use of management tools require an additional prompt for authentication.
Configure which apps require multi-factor authentication
For this tutorial, configure the Conditional Access policy to require multi-factor authentication when a user signs in to the Azure portal.
Select the current value under Cloud apps or actions, and then under Select what this policy applies to, verify that Cloud apps is selected.
Under Include, choose Select apps.
Since no apps are yet selected, the list of apps (shown in the next step) opens automatically.
Tip
You can choose to apply the Conditional Access policy to All cloud apps or Select apps. To provide flexibility, you can also exclude certain apps from the policy.
Browse the list of available sign-in events that can be used. For this tutorial, select Microsoft Azure Management so that the policy applies to sign-in events to the Azure portal. Then choose Select.
Configure multi-factor authentication for access
Next, we configure access controls. Access controls let you define the requirements for a user to be granted access. They might be required to use an approved client app or a device that's hybrid-joined to Azure AD.
In this tutorial, configure the access controls to require multi-factor authentication during a sign-in event to the Azure portal.
Under Access controls, select the current value under Grant, and then select Grant access.
Select Require multi-factor authentication, and then choose Select.
Activate the policy
Conditional Access policies can be set to Report-only if you want to see how the configuration would affect users, or Off if you don't want to the use policy right now. Because a test group of users is targeted for this tutorial, let's enable the policy, and then test Azure AD Multi-Factor Authentication.
Under Enable policy, select On.
To apply the Conditional Access policy, select Create.
Test Azure AD Multi-Factor Authentication
Let's see your Conditional Access policy and Azure AD Multi-Factor Authentication in action.
First, sign in to a resource that doesn't require MFA:
Open a new browser window in InPrivate or incognito mode and browse to https://account.activedirectory.windowsazure.com.
Using a private mode for your browser prevents any existing credentials from affecting this sign-in event.
Sign in with your non-administrator test user, such as testuser. Be sure to include
@
and the domain name for the user account.If this is the first instance of signing in with this account, you're prompted to change the password. However, there's no prompt for you to configure or use multi-factor authentication.
Close the browser window.
You configured the Conditional Access policy to require additional authentication for the Azure portal. Because of that configuration, you're prompted to use Azure AD Multi-Factor Authentication or to configure a method if you haven't yet done so. Test this new requirement by signing in to the Azure portal:
Open a new browser window in InPrivate or incognito mode and browse to https://portal.azure.com.
Sign in with your non-administrator test user, such as testuser. Be sure to include
@
and the domain name for the user account.You're required to register for and use Azure AD Multi-Factor Authentication.
Select Next to begin the process.
You can choose to configure an authentication phone, an office phone, or a mobile app for authentication. Authentication phone supports text messages and phone calls, office phone supports calls to numbers that have an extension, and mobile app supports using a mobile app to receive notifications for authentication or to generate authentication codes.
Complete the instructions on the screen to configure the method of multi-factor authentication that you've selected.
Close the browser window, and log in again at https://portal.azure.com to test the authentication method that you configured. For example, if you configured a mobile app for authentication, you should see a prompt like the following.
Close the browser window.
Clean up resources
If you no longer want to use the Conditional Access policy that you configured as part of this tutorial, delete the policy by using the following steps:
Sign in to the Azure portal.
Search for and select Azure Active Directory, and then select Security from the menu on the left-hand side.
Select Conditional access, and then select the policy that you created, such as MFA Pilot.
select Delete, and then confirm that you want to delete the policy.