Hello and welcome back to Cybrary's Microsoft Azure Administrator AZ-103 course. I'm your instructor, Will Carlson, and this is Episode 51 about Azure multi-factor authentication. In today's episode, we're gonna learn about what multi-factor authentication is.
We're gonna mention that Microsoft, thankfully, in Azure has enabled multi-factor authentication for free for administrator accounts.
And we're also going to go through and discuss and configure multi-factor authentication for regular users in portal as well.
But first of all, for any that may not know, what is multi-factor authentication? Well,
we're all familiar with a username and password, but the risk of username and password is that if somebody compromises that username and password, they can do anything they want to as if they were you. Multi-factor authentication is a method to help prevent this, and
it requires a second factor, or multi-factor,
to be used to log in to an account. So, for example, we have our username and password, and that's one type of factor. That's something that we know.
For it to be multi-factor, we have to add one of another type of factor. And that can either be something I have, such as a token or an MFA dongle,
or it could be a biometric, or something that I am, such as a retina scan or a fingerprint being common ones there.
And as long as I have my username and password
and my token, even if somebody compromises my username and password, if they do not have my token, in this case typically a cell phone or a random generator on a key ring,
then they're not gonna be able to log in to my account. So the account requires a username and password and a number off of my token as well.
That's gonna be multi-factor authentication. Again, it's got to be multiple factors from those three factor types: something I know, something I have, or something that I am. Using two usernames and passwords is not multi-factor because they're both from the same family of authorization types.
So let's go ahead and jump into portal, though, and talk about how to get some of these things set up for users there.
I'm gonna go ahead and come in here to Azure Active Directory and I'm gonna click on Users, and we'll see up here in the top there's a button for multi-factor authentication, quite conveniently. Go ahead and click on that,
and that's gonna bring me into this web page. Now this is the cloud multi-factor authentication offering from Microsoft. There is also an on-premise multi-factor authentication setup where you can install the software on your own server and manage that server and multi-factor authentication internally.
You should be aware of that. But for this video, we're gonna talk about the cloud-based offering.
Now to enforce or enable multi-factor authentication, all I have to do is select a user.
This warning is gonna let us know that if the users don't regularly interface with the web to get to their Azure workloads, that it could cause some connectivity problems because they have to connect in using the web first to set up their multi-factor authentication.
You could send them this link and that will allow them to do that if they don't have one. But for now, we're just going to enable multi-factor authentication. And then we're going to hit Close.
And that's really all there is to setting up multi-factor authentication. Now I want to point one other thing out here. If I click on Michael Scott, I can see that I can enable multi-factor authentication, but if I come back up here to Dwight, there's the option to enforce multi-factor authentication,
and this is going to require it across the board no matter what. And if I click Enforce,
it's gonna let me know that
app passwords are going to need to be created for any non-browser-based workloads.
Your Azure environment may or may not have them, so this may or may not cause problems. But if we don't enable this, then users will continue to be able to log in to their non-browser-based applications without leveraging multi-factor. That may or may not be a problem for you. If it is a problem for you, you can enforce MFA
and click Enforce multi-factor authentication here. But keep in mind that for any non-web-based applications, app passwords will need to be created. We're gonna go ahead and enforce multi-factor here and hit Close.
So what is an app password? Well, let's come up here to Service settings, and I know this doesn't look like much of a link, but let's go ahead and click on that,
and that's gonna take us to another setup here
in the cloud-based MFA solution.
And you can see app passwords here. Now app passwords are going to be a way for users to interact with non-web-based workloads here in Azure using multi-factor authentication.
And essentially, what's gonna happen is a user's gonna log into the web using MFA, and they can create unique, relatively long, actually gonna be auto-generated, relatively long, unique passwords that they'll copy into their application and act as
the safeguard for multi-factor authentication in those applications.
We can also set trusted IPs here. So if you have an on-prem IP address and you don't want users to have to use MFA when they're in that particular environment, you can checkmark this box,
put the IP ranges in there, and then you're good to go, so those users won't have to deal with MFA when they're inside of those IP address ranges. One last thing I want to call your attention to here are the verification options.
Now you'll notice Call to phone is grayed out, and that's because we're in a free subscription here. But
you have the option to allow users to verify their identity and/or reset their MFA based on this information. So text message to the phone, on mobile app that Azure app notification, or a verification code from a hardware token such as Google Authenticator, or LastPass has one as well. There are a number of
token applications that you could use here as well.
The last thing we can do here is checkmark the box to allow devices to remember their multi-factor authentication for a period of time. If you use multi-factor authentication in any of your personal logins, you most likely have experienced this. Typically that's gonna be about 30 days. You can choose to enable it or not,
or select the number of days that are relevant to you.
If we made any changes here, we go ahead and we click Save,
and then that's all there is to the setup for cloud multi-factor authentication here in Azure.
Now, what will happen the next time Dwight logs into a web-based Azure workload is, he will be prompted to put in his username and password. And then he'll have to fill in these verification steps. Now that we have the cloud-based MFA all set up, I can hop back here into portal, and I'm actually going to go ahead and connect in an incognito window
so that I can log in as Dwight.
All I have to do is go to portal.azure.com, typing Dwight's email address,
entering his password here, and then select Sign in,
and you can see that he's gonna be prompted to input some more information before he can log in to Azure. So hit Next,
and you can see here the first step in setting up and enabling Azure multi-factor authentication for an end user will be to send a code to a phone.
Gonna go ahead and do this, and then we'll jump right back in.
And now that I've entered in that verification code that was sent to my cell phone, I can see here that it's prompting me to copy and paste this app password. And again, these app passwords are going to allow me to utilize workloads that are not web-based here in Azure, so I can copy this off and save it.
Now that we have multi-factor authentication all set up for Dwight, I can come back in here to Azure Active Directory,
and then I want to come down here to MFA to talk through some more of the settings here available to us, and you can see here, this is where you can see about the options for multi-factor authentication in Azure, both the on-premise device and the cloud-based solution. And if you select this link here under Configure, you'll get back to the web page that we were at just a minute ago.
We have some options about account lockout. So how many times do they incorrectly enter their MFA before their account is locked out?
How long after that do we want to reset it,
and then the amount of time before we unblock the account. And we can manually block and unblock users. So if a user loses their token, we could go ahead and block that account until the token is reset or recovered.
We can also allow users to submit fraud alerts.
When a user receives a phone call with their MFA token, they have the ability with this on, if they didn't initiate that MFA login,
they can go ahead and press zero to say that the login attempt is fraud. And then you can select whether you want to automatically block that user, or whether, if you turn this off, it's simply going to notify and log that that occurred. The user would be aware, a log would be created, and nothing would happen from there. With this on,
if the user presses zero at that phone call prompt, it's going to block their account so nobody else can get in and further actions can be taken by administrators.
But here we can enter in an email address to receive MFA notifications. We have the ability to either upload or download OAuth tokens for applications that leverage OAuth.
Here's where we can set options if we are on a paid account and would like to use the phone call for MFA; we can set options for that here. Providers is going to be something that's deprecated. If you click on this, you can see that there is nothing to be done here anymore. And there's a warning message.
One other thing of interest I want to point out here under multi-factor authentication settings is the one-time bypass, and
what this is for is, if you have a user that had lost their cell phone so they cannot receive their multi-factor token, you can come in here and select Add,
put in the user name and how long in seconds that you want this bypass to exist, type in a reason, and then hit OK. And what that's going to do is allow the user that you just entered in
to bypass their multi-factor authentication for that set amount of time and still be able to log in to their Azure workloads. Obviously, there'll need to be some controls on verifying the user is who they say they are before you enable this. But this is a safeguard in the event a user were to lose their token.
The last thing I want to mention here is that Azure does allow us to enable multi-factor authentication for free for all Azure administrative
access. I highly recommend you enable MFA for your administrator account so that your Azure environment is much more difficult to compromise. Now for all of your regular users like Dwight, in this case, you either have to have an Azure P2 Active Directory subscription, or you can a la carte multi-factor authentication as well.
You'll find more information about that in the pricing of those two options
in the Azure documentation. So in today's episode, we talked about the fact that multi-factor authentication for administrators is free here in Azure, and the setup of MFA for an administrator is very similar to what it was for Dwight. Couldn't step through it here today because I already have it enabled on my administrator account.
But rest assured, it's exactly the same process as we went through for Dwight.
We stepped through the process in portal of configuring MFA for a regular user, then we talked about how you enable it, and then you can enforce it as well. And that enforcement is going to cause you to need to use app passwords for your non-web-based Azure workloads.
And then we also talked briefly about the fact that you can use the cloud-based MFA tool, or you can bring that workload in house and manage MFA in your own environment as well. Coming up next... Well, that's a wrap. You made it through all of the instructional segments of Cybrary's Microsoft Azure Administrator AZ-103 course. So the only thing we have left
is the course summary.
I hope to see you there.