Multi-factor authentication (MFA) and the eventual abandonment of password-based authentication are just around the corner. Of course MFA is available on many services right now, but saying goodbye to passwords is still a work in progress. The state of MFA with Microsoft isn’t scary at all, and it could be time to dip your toes into a more secure setup.
Microsoft, MFA and Biometrics
Microsoft has positioned itself well as an identity provider that can leverage Windows Hello for biometric authentication for both enterprise and consumer customers. There’s plenty of freely available documentation on how to achieve this, but it’s a big mindset and hardware change to make this available across your entire company.
Putting aside biometrics, Microsoft has a few nice, simple methods of MFA: SMS, Phone Call, and Authenticator App approval. SMS most people already know – log in, receive an SMS code, enter the code and away you go.
The Phone Call option is similar, except you receive an automated call and press a button on your phone to continue with the login. Lastly, the Authenticator App is the slowest for a user to set up, but the quickest to use on an ongoing basis. A one-time setup requires the user to download the Microsoft Authenticator app from their mobile phone’s store, point the phone at the screen to read a QR code, and they’re ready to go. From then on, they’ll just get a notification via the app on their phone for MFA, which they can instantly approve without needing to type in any more codes.
Enabling Microsoft MFA
If you’re a Microsoft customer and not using MFA, it’s quite easy to get started. Assuming you’re using Azure AD and have appropriate licensing, you could go off and just enable MFA for all your users through a nice big blue button.
Don’t do this unless you REALLY want your entire userbase to use MFA all the time. Some companies may need this; however, there’s another method that gives you much more control over the criteria for when MFA is needed or not: Conditional Access.
Conditional Access
Conditional Access works a lot like other rule-based solutions – click through the criteria you want to apply in a true/false fashion until you’ve set it up in a way that makes sense to your users and business. For example, you can define trusted locations that may access Microsoft resources without MFA. This means that if someone is coming from an IP inside your company, you already trust them and don’t need to apply stricter conditions. You can also trust Intune-managed or Hybrid AD joined devices this way.
Alternatively, you can target certain apps. If your payroll system was using Azure AD for auth (or you were exposing the internal payroll website externally via Azure AD App Proxy), you could set a rule against that particular app that MFA is always required.
Combining all these rules together means you can both tailor a solution, and adjust it when requirements change. There’s even a ‘What If’ option to test a rule to see what conditions apply to a certain user in a certain scenario.
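To make the rule evaluation concrete, here is an added example (not Microsoft’s code, and not the real Conditional Access engine) that models the three criteria described above as a small ‘What If’ evaluator: a baseline policy requiring MFA everywhere except from trusted locations or trusted devices, plus a per-app policy that always requires MFA for a payroll app. The IP ranges, app names and user names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed named locations: corporate egress ranges (assumed, not real).
TRUSTED_LOCATIONS = {
    "HQ office": ["203.0.113.0/24"],
    "Branch office": ["198.51.100.0/25"],
}

@dataclass
class Policy:
    """One Conditional Access-style rule; if every condition matches, the grant applies."""
    name: str
    apps: Optional[set] = None              # None = all cloud apps
    exclude_trusted_locations: bool = False  # skip the rule for trusted IPs
    exclude_trusted_devices: bool = False    # skip the rule for compliant/hybrid-joined devices
    require_mfa: bool = True

@dataclass
class SignIn:
    user: str
    app: str
    ip: str
    device_compliant: bool = False
    hybrid_joined: bool = False

def is_trusted_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net)
               for nets in TRUSTED_LOCATIONS.values() for net in nets)

def applies(policy: Policy, s: SignIn) -> bool:
    if policy.apps is not None and s.app not in policy.apps:
        return False
    if policy.exclude_trusted_locations and is_trusted_ip(s.ip):
        return False
    if policy.exclude_trusted_devices and (s.device_compliant or s.hybrid_joined):
        return False
    return True

def what_if(policies, s: SignIn) -> dict:
    """Report which policies match a hypothetical sign-in and whether MFA results."""
    matched = [p for p in policies if applies(p, s)]
    return {"matched": [p.name for p in matched],
            "mfa_required": any(p.require_mfa for p in matched)}

POLICIES = [
    Policy("Baseline MFA", exclude_trusted_locations=True, exclude_trusted_devices=True),
    Policy("Payroll always MFA", apps={"Payroll"}),
]
```

Running `what_if(POLICIES, SignIn("alice", "Payroll", "203.0.113.10"))` shows that the per-app rule still demands MFA even from a trusted office IP, while the same user opening another app from that IP is let through without it.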
The tools are there now to roll out an incredibly easy-to-use solution that allows granular selection of when to apply MFA. Check out Conditional Access and see how you can make it work for you.