Deploy MFA Using Azure Conditional Access Policies

Captions
What's up guys, Paul from the Sysadmin Channel, bringing you the best tips and tools for your sysadmin journey. In this video we're going to cover the steps needed to implement multi-factor authentication in your environment using Azure Active Directory Conditional Access.

So you can see here that I've already logged into portal.azure.com, and I'm going to click on Users and then Multi-Factor Authentication, and here is basically the setup where we need to determine which methods of authentication we're going to use. To do that I'm going to click on Service Settings, and once that loads we can set up app passwords if we wanted to. Otherwise, if we scroll down to the verification options, we'll go ahead and select "Notification through mobile app" and "Verification code from mobile app or hardware token". Right below that I'm going to set the days before a device must re-authenticate to 30 days; I feel like that's kind of the sweet spot between convenience and security. So once you have that ready, let's go ahead and move on. I'm going to close this window because I don't have any settings to apply right now.

Back in our Azure AD window, let's go back into the root of Azure AD, then scroll down a little bit on the left side and click on Security, and from there we're going to go ahead and click on Conditional Access. This is where we're going to create our new policy. As you would expect, we'll go ahead and click on New Policy, and here we're just going to call this policy "Common Policy - Require MFA for all users". Right below that, under Users and Groups, we'll go ahead and select All Users. It's going to spit out a warning saying "don't lock yourself out", so because of that we're going to exclude the users that we want. In our case we're going to exclude the global admin account, which is our break glass account, so I'll go ahead and add that first. Second, we're going to exclude our MFA Exclusions group; this could be service accounts or any type of accounts that you do not want added. And then finally we're going to exclude our Azure AD Sync account, so we'll go ahead and add that as well. Once all that is done we'll go ahead and click OK to accept this portion of the policy.

Next up is our cloud apps. We're going to select All Cloud Apps because we want to MFA everything in the cloud. I particularly don't have any need to exclude anything, but if you wanted to you can go ahead and enter that there. Once that is done we'll go ahead and click on Conditions and then Client Apps. The default here is to prompt for MFA for both legacy and modern authentication; legacy authentication includes Exchange ActiveSync, IMAP and POP protocols. In the future we'll actually be going over best practices for setting up Conditional Access policies, and one of those best practice policies is to block all legacy auth, so we'll be blocking it, but for this policy we'll go ahead and leave the default and move on.

Next up we'll go ahead and select Grant under the access controls, and we want to make sure that we require multi-factor authentication for anyone that's in scope of this policy. Once that is done we'll go ahead and click on the Select button to move on, and here you get a big bright red warning saying "hey, don't lock yourself out", and it gives you the option of excluding your account or not. Prior to enabling this account I would suggest you send out communications to your users letting them know what to expect. If you already have MFA rolled out and you want to apply this as a catch-all setting, then it would be a good idea to set it as report-only to see which users actually fall under this policy; I'll also show you where we can find this later on in the video. In my case, though, since I'm using this in my lab and it's only me, we'll go ahead and enable this policy and select the bottom radio button to proceed anyway.

With that policy now created, let's go ahead and open up an incognito window and navigate to portal.office.com, and it should prompt us for our username and password, so I'll go ahead and do that now. Here we're prompted with the "More information required" message box, and this is letting us know that we are in scope of our newly created MFA policy, and now it's requiring us to go through the setup process. We'll go ahead and click Next from here. If you remember, earlier in the video we went over the methods of how they should contact you; this is where that applies. I've only set up a mobile app, and I'm going to select "Receive notifications for verification". If we click on Set Up here, this is the QR code that we need to scan with our mobile app, so you would need Microsoft Authenticator to continue. In the background, you can't see this, but I'm actually scanning the code now, and once that is done I'll go ahead and click on Next, and it should prompt me to verify on my phone as well. I'll go ahead and click Next again. Unfortunately I don't have a screen capture of my phone, but here I am getting prompted to approve this request, and you can see here that the verification was successful. All right guys, this is Paul with the Sysadmin Channel signing out.
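The same policy the video builds in the portal, expressed as a Microsoft Graph Conditional Access policy body so it can be reviewed and version-controlled. This is an added example, not the channel's own script; the object IDs are placeholders you would replace with your tenant's break glass account, MFA exclusions group and AD sync account, and the bearer token is assumed to come from an app with the Policy.ReadWrite.ConditionalAccess permission. The lockout check mirrors the portal's "don't lock yourself out" warning: it refuses to enable an all-users MFA policy that excludes nobody.

```python
import json
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_mfa_policy(break_glass_id, exclusion_group_id, sync_account_id, report_only=True):
    """All users and all cloud apps in scope, legacy and modern client apps left at
    the default, grant control requires MFA. Report-only first so the sign-in logs
    show who falls under the policy before it is enforced."""
    return {
        "displayName": "Common Policy - Require MFA for all users",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": [break_glass_id, sync_account_id],
                "excludeGroups": [exclusion_group_id],
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],  # prompt for both legacy and modern authentication
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lockout_risk(policy):
    """True when the policy is enforced against every user with no excluded user
    or group, i.e. there is no break glass path if MFA registration goes wrong."""
    users = policy["conditions"]["users"]
    all_users = "All" in users.get("includeUsers", [])
    no_exclusions = not users.get("excludeUsers") and not users.get("excludeGroups")
    return policy["state"] == "enabled" and all_users and no_exclusions


def create_policy(token, policy):
    """POST the policy to Graph; raises before sending if it would lock everyone out."""
    if lockout_risk(policy):
        raise ValueError("refusing to enable an all-users MFA policy with no exclusions")
    req = urllib.request.Request(
        GRAPH_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder object IDs (constructed); replace with your tenant's values.
    policy = build_mfa_policy("<break-glass-user-id>", "<mfa-exclusions-group-id>",
                              "<azure-ad-sync-user-id>", report_only=True)
    print(json.dumps(policy, indent=2))
```

Switch `report_only=False` only after the sign-in logs confirm the expected users are in scope, exactly as the video suggests for a catch-all rollout.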
Info
Channel: the Sysadmin Channel
Views: 1,327
Rating: 4.8400002 out of 5
Keywords: azure active directory, multi-factor authentication, azure mfa, azure mfa conditional access, azure mfa registration, multi-factor authentication (mfa), conditional access, conditional access with azure mfa, most common azure ad conditional access policies, azure ad conditional access policies, Deploy MFA Using Azure Conditional Access Policies
Id: q8rLQpOxDqI
Length: 4min 57sec (297 seconds)
Published: Sun Nov 15 2020