Understanding Azure: identity management in the cloud with multi-factor authentication
Thursday, May 10, 2018
It’s time we stopped thinking about Azure as a mess of tangled wires (or servers) in the cloud. Using Azure and understanding how it can benefit your customer’s business is the way forward. In our series of ‘Understanding Azure’ blog posts, we’re taking you through each part of Microsoft’s cloud platform in easy-to-digest chunks. Previously, we’ve spoken about how Azure Active Directory (AD) can use Single Sign-On (SSO) to alleviate your customer’s frustrations and boost productivity. Now, we’re turning our heads to Multi-Factor Authentication.
What is Multi-Factor Authentication?
At its most basic, Multi-Factor Authentication (MFA) is a way to authenticate users with more than one method of verification. It adds a second layer of security to prevent unauthorised users from signing in and helps to safeguard user and corporate data. It’s essentially Microsoft’s way of taking two steps to verify the user is who they say they are. By now, your users should be familiar with this setup, as they’ll usually have to secure their accounts outside of work with a personal phone number or a set of security questions.
What verification methods are available in Azure?
Depending on whether you’re using Azure on-premises or in the Cloud, you’ll have access to several different verification options. As well as inputting the password, an administrator can choose for the user to sign in with MFA by:
- Phone call – Placed to the designated user’s phone; a PIN may be necessary
- SMS text message – Requires the user to enter a six-digit code
- Mobile app notification – Verification request sent to the user’s smartphone; a PIN may be necessary or the app may read it automatically
- Mobile app verification code – Sent to the user’s smartphone, changes every 30 seconds until the user enters it onto the sign-in page
- Third-party OATH tokens – An administrator can configure Azure MFA to accept third-party verification methods
Enabling Azure MFA
Azure MFA can be accessed in three distinct ways: through a specific license that features Azure MFA, via an Azure MFA Provider or via the Azure Active Directory in Office 365. Two-step verification is available by default to Office 365 administrators, but it contains limited features. If users want access to the full features of Azure MFA, they will need to subscribe to one of the following three licenses:
- Azure Multi-Factor Authentication
- Azure Active Directory Premium
- Enterprise Mobility + Security
If your users don’t want to purchase these licenses, but still want access to the full features, an administrator can set up an Azure MFA Provider account. There are two options that you can look at as an Azure reseller: per-user or per-authentication. The latter is useful when users aren’t likely to need two-step verification often, but the former is much better as a long-term month-by-month option. For instructions on how to create an MFA provider, click here.
Once you’ve decided on which licensing path to take for your customer, your next step is to turn on two-step verification. Administrators can set this up for either an individual user or a group, with the latter option able to be configured with a conditional access policy. For more information, Microsoft have a handy step-by-step guide, right here.
By using Azure MFA, your customers are one step closer to keeping their company data secure. In our next few ‘Understanding Azure’ blogs, we’ll be exploring what else you can do to secure customer identities in the cloud.