Category Archives: MFA

Enforce Azure Multi-Factor Authentication for external access

I have seen many who are confused about MFA and Conditional Access and how they work together, so the purpose of this guide is to require Azure Multi-Factor Authentication for Office 365 webmail and SharePoint when they are accessed from external networks (any network other than the corporate network), using Conditional Access:

Create a conditional access policy that requires MFA

  • Sign-in to the Azure portal and browse to Azure Active Directory -> Conditional access
  • On the Conditional Access page, select New policy
  • Type a name for the policy, e.g. “Require MFA for external mail and file access”
  • In the Assignments section:
    • Choose Users and groups -> select Users and groups -> Users and groups, find and select a group of users for testing purpose -> Done
    • Choose Cloud apps -> Select apps -> Find and select Office 365 Exchange Online and Office 365 SharePoint Online in the list -> Done
    • Choose Conditions -> Device platform -> Set configure to Yes -> Select All platforms (including unsupported) in ‘Include’ -> Done
    • Choose Conditions -> Locations -> Set configure to Yes -> Select Any location in ‘Include’ and All trusted locations in ‘Exclude’ -> Done
    • Choose Conditions -> Client apps (preview) -> Set configure to Yes -> Done
    • Click Done
  • In the Access controls section:
    • Choose Grant -> Select Grant access -> Select Require multi-factor authentication -> Select
  • Set Enable policy to On
  • Click Create


Create trusted locations

As we only want to enforce MFA for external access, we need to create some trusted locations. Trusted locations can either be IP ranges or countries and/or regions. In this guide I will choose IP ranges for testing purposes.

  • In the Azure portal, browse to Azure Active Directory -> Conditional access
  • On the Conditional Access page, select Named locations
  • Click on New location
  • Type a Name and IP ranges for your offices
  • Select Mark as trusted location
  • Click Create

All done – next time you’re trying to access SharePoint from an untrusted location, you’ll be prompted for MFA.

Conditional Access – baseline protection

Microsoft is helping us protect the global admins in our organizations with a new set of baseline protection policies.

Baseline protection is a set of predefined conditional access policies. The goal of these policies is to ensure that you have at least the baseline level of security enabled in all editions of Azure AD.

The first baseline protection policy that Microsoft has released is “Baseline policy: Require MFA for admins (Preview)”, which in the near future will enforce MFA for service admins in your tenant.

Users with access to privileged accounts have unrestricted access to your environment. Due to the power these accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification when they are used to sign-in. In Azure Active Directory, you can get a stronger account verification by requiring multi-factor authentication (MFA).

Require MFA for admins is a baseline policy that requires MFA for the following directory roles:

  • Global administrator 
  • SharePoint administrator 
  • Exchange administrator 
  • Conditional access administrator 
  • Security administrator 

This baseline policy provides you with the option to exclude users and groups. You might want to exclude one emergency-access administrative account to ensure you are not locked out of the tenant.

Right now the policy isn’t enforced and it will automatically be enabled in the future, but you can change the setting and start using the policy right now.


Enforce MFA for users

When you create your administrators, including your global administrator account, it is essential that you use very strong authentication methods.

To check who in your organization has administrative privileges, you can use the following Azure AD PowerShell command:

Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Company Administrator" } | Get-AzureADDirectoryRoleMember | Format-Table DisplayName
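The one-liner above only covers Global Administrators. As an added example (not from the original post), the script below extends it to the five directory roles the baseline policy covers and shows each member's per-user MFA state, so you can see which admins are unprotected until the baseline or Conditional Access policy is enforced. It assumes the AzureAD and MSOnline modules are installed, that you have already run Connect-AzureAD and Connect-MsolService, and that the legacy role display names listed match your tenant.

```powershell
# Added example, not code from the original post.
# Assumes: Connect-AzureAD and Connect-MsolService have already been run.
# Legacy display names as returned by Get-AzureADDirectoryRole (assumption: same in your tenant).
$baselineRoles = @(
    'Company Administrator',            # Global administrator
    'SharePoint Service Administrator',
    'Exchange Service Administrator',
    'Conditional Access Administrator',
    'Security Administrator'
)

# Note: Get-AzureADDirectoryRole only returns roles that have been activated in the tenant.
$roles = Get-AzureADDirectoryRole | Where-Object { $baselineRoles -contains $_.DisplayName }

$report = foreach ($role in $roles) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        # Per-user MFA applies to user accounts only; skip groups and service principals
        if ($member.ObjectType -ne 'User') { continue }

        # StrongAuthenticationRequirements.State is Enabled or Enforced,
        # and empty when the user was never enabled for per-user MFA
        $msolUser = Get-MsolUser -ObjectId $member.ObjectId
        $mfaState = $msolUser.StrongAuthenticationRequirements.State
        if (-not $mfaState) { $mfaState = 'Disabled' }

        [pscustomobject]@{
            Role              = $role.DisplayName
            UserPrincipalName = $member.UserPrincipalName
            PerUserMfa        = $mfaState
            MfaMethods        = ($msolUser.StrongAuthenticationMethods.MethodType -join ',')
        }
    }
}

# Full overview, then the admins that have neither per-user MFA nor a registered method
$report | Sort-Object PerUserMfa, Role | Format-Table -AutoSize
Write-Host "Admins without per-user MFA and without any registered MFA method:"
$report | Where-Object { $_.PerUserMfa -eq 'Disabled' -and -not $_.MfaMethods } |
    Format-Table Role, UserPrincipalName -AutoSize
```

Keep the emergency-access account mentioned under the baseline policy in mind when reading the result: it will show up here as unprotected by design, so exclude it deliberately rather than by accident.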

As long as your users have licenses that include Azure Multi-Factor Authentication, there’s nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis.

The licenses that enable Azure MFA are

  • Azure Multi-Factor Authentication
  • Azure Active Directory Premium
  • Enterprise Mobility + Security

How to enable MFA

Sign in to the Azure portal as a Global Admin

Go to Azure Active Directory -> Users and groups -> All users

Select Multi-Factor Authentication

Find the user you want to enable for Azure MFA.

Check the box next to their name.

On the right, under quick steps, choose Enable or Disable