Protecting user identity by using MFA in Microsoft 365
Modern systems require modern solutions. Our environments have grown so much that protecting identity has become crucial; we need to defend it like a castle. Multi-Factor Authentication (MFA) is one of the best ways to protect users' identities. Today, let's take a look at what MFA is and how we can prepare to implement it in our tenant.
What is MFA?
MFA is a technology that allows users to verify their identity in more than one way. Traditional authentication uses only a username and password. Over the years, attackers have learned, using social engineering, how to steal user credentials. If we don't take action and implement additional precautions, our company is at risk. Adding another way to confirm identity greatly improves user security.
The core idea of MFA is to use more than one kind of evidence to confirm your identity. In most cases, the factors are:
- something you know – your password, a PIN code, or a picture you recognize and on which you point to specific elements
- something you have – your mobile phone, a USB token, or a smart card
- somewhere you are – your IP address, browser, location, operating system, or screen resolution
- something you are – your iris, face, fingerprint, tone of voice, or even the speed at which you type on the keyboard
Which factors are used depends on the design of the application and its security requirements. Systems increasingly rely on machine learning to calculate risk and decide which elements of identity must be verified before the user is allowed to access resources.
How often do you use the same password for different services? I am pretty sure you do so more often than you should! How often do you use Multi-Factor Authentication? Probably more than you can imagine, without even noticing it! Most banks require you to confirm via phone call or text message that you are the person who wants to transfer money. MFA for Microsoft 365 can work in the same way, with a small addition – we can use a great application called Microsoft Authenticator, which can also confirm your identity to external services, like Facebook or even your Raspberry Pi!
Multi-Factor Authentication options for Microsoft 365 tenant
Enabling MFA in your tenant requires careful consideration and planning. This is very important, as the process is fairly complex and many checks need to be made. MFA is a key part of verifying user identity not only within Microsoft 365 but also in all connected applications.
Microsoft 365 offers 3 different ways of implementing Multi-Factor Authentication, conveniently divided by organization size and needs:
- Per-user MFA – not recommended, but it can be used as a pilot for a larger deployment.
- Security Defaults – dedicated to small organizations; requires MFA for every user in the organization.
- Conditional Access policies – trigger MFA when sign-in risk criteria, based on multiple factors, are met.
From the user's perspective, each of the options looks the same. When a user tries to log in to protected resources, Azure Active Directory checks whether the sign-in criteria are met. After the assessment, if the login requires approval, MFA is triggered.
Comparing available options
In the case of per-user MFA and Security Defaults, depending on the settings configured for the user, the sign-in will either be allowed or an MFA challenge will be required. The configuration also allows app passwords to be used for legacy applications. The administrator can additionally decide whether, after a successful MFA challenge, the device where the initial login was performed may be remembered as "trusted", and configure how long that trust remains valid.
Conditional Access is a more comprehensive solution based on more signals. During login, the system performs an assessment to decide whether access can be granted at all. Azure collects information about the user, location, application, device and other factors, such as group membership. Once the data is collected, Conditional Access decides whether access should be granted or blocked. If access is to be granted, the MFA check is performed.
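As an added example (not code from the original post), here is how such a Conditional Access policy requiring MFA for all users could be created in report-only mode with the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed, the signed-in account can manage Conditional Access, and the break-glass group ID is a placeholder you replace with your own.

```powershell
# Added example: create a report-only Conditional Access policy that requires MFA
# for every user on every cloud app, using the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed and the account running this
# can administer Conditional Access. The group ID below is a placeholder.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object ID of the emergency-access ("break glass") group that must
# never be locked out by this policy. Replace with the real group's ID.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA001 - Require MFA for all users (report-only)"
    # Report-only: Azure AD evaluates the policy and records the result in the
    # sign-in logs without enforcing it. Switch to "enabled" after reviewing them.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Cover browser, modern desktop/mobile clients and legacy protocols alike.
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm it was stored in report-only mode before
# anyone flips it to enforced.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, @{ n = 'Grant'; e = { $_.GrantControls.BuiltInControls } }
```

Leave the policy in report-only mode for a while and review the "Report-only" column of the Azure AD sign-in logs to see which users and legacy clients would have been challenged or blocked before enforcing it.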
This post is just the beginning of a series in which I will show how to implement MFA using all 3 methods mentioned above and how your organization can benefit from it! I will also write about Azure AD Identity Protection, a great tool that protects the identity of your users even further.
Stay tuned 😉