Tutorial / Cram Notes
Multi-factor authentication (MFA) is a critical component of securing Microsoft 365 environments as it adds an additional layer of protection beyond just username and password. It requires users to provide two or more verification factors to gain access to resources such as apps, online accounts, or VPNs. In the scope of the MS-100 Microsoft 365 Identity and Services exam, IT professionals need to understand how to properly configure and manage MFA settings within the Microsoft 365 ecosystem.
Understanding Multi-factor Authentication (MFA)
Before diving into the configuration, it is essential to understand the components of MFA:
- Something you know: This could be a password or PIN.
- Something you have: This includes a smartphone with an authentication app, a token, or a smart card.
- Something you are: Biometric verification such as fingerprint or facial recognition falls into this category.
Setting Up MFA in Microsoft 365
To set up MFA, administrators follow these steps in the Microsoft 365 admin center:
- Navigate to the Microsoft 365 Admin Center.
- Go to Users > Active users.
- Select Multi-factor authentication.
This will open the multi-factor authentication settings page where an admin can see the users’ state and can enforce or enable MFA.
Configuring MFA
For Individual Users:
- Check the box next to the user’s name.
- Click on Enable under quick steps to enable MFA for the selected users.
For Multiple Users or at an Organizational Level:
- Use conditional access policies to enforce MFA under certain conditions.
- Go to Azure Active Directory > Security > Conditional Access.
- Create a new policy and set the assignments and access controls, including the requirement for MFA.
Managing User Settings and Verification Methods
It’s important to configure which verification methods are available to users:
- From the MFA page, click on service settings.
- Under verification options, check or uncheck the methods you want to allow or disallow.
Common verification methods are:
- Call to phone
- Text message to phone
- Notification through mobile app
- Verification code from mobile app or hardware token
User Experience during MFA
First Sign-In: Upon first login after MFA is enabled, the user will be prompted to set up additional security verification. They will choose their preferred method (phone call, text message, or app) and follow the instructions to set it up.
Subsequent Sign-In: On subsequent sign-ins from untrusted or new devices, the user will be prompted for their second factor of authentication, in line with the method they initially configured.
Additional Considerations
- App Passwords: For older apps that don’t support MFA, users may need to create and use app passwords.
- MFA for Admin Accounts: It’s critical to enforce MFA for accounts with elevated privileges.
- Remember Multi-Factor Authentication: Users can choose to not be prompted for MFA for a certain number of days on trusted devices.
Reports and Monitoring
Microsoft 365 provides reports to monitor MFA utilization:
- Navigate to the Azure AD admin center.
- Select Sign-ins to view the sign-in activity and verify if MFA was prompted and completed.
Best Practices
- Enable MFA for all users, not just administrators.
- Utilize Conditional Access for more granular control.
- Educate users on MFA processes and importance.
By appropriately configuring and managing MFA in the Microsoft 365 environment, organizations can significantly increase their security posture and protect their data and resources from unauthorized access. It’s a key topic for IT professionals aiming to pass the MS-100 Microsoft 365 Identity and Services exam as it demonstrates proficiency in one of the foundational security configurations within modern IT environments.
Practice Test with Explanation
1) True or False: MFA can only be enforced on a per-user basis in Microsoft
- Answer: False
MFA can be enforced on a per-user basis, but policies can also be applied to groups of users or at the tenant level depending on the administrative configuration and security requirements.
2) Which of the following methods can be used for MFA in Microsoft 365? (Select all that apply)
- A) Authentication app
- B) SMS text message
- C) Biometric authentication
- D) Security questions
Answer: A, B, C
Microsoft 365 supports various MFA methods including an authentication app (like Microsoft Authenticator), SMS text messages, and biometric authentication. Security questions are not typically used as a method for MFA in Microsoft
3) True or False: Once MFA is enabled, app passwords can be used to bypass MFA prompts for non-browser applications.
- Answer: True
App passwords are single-use, long, complex passwords that a user can use with older non-browser applications that don’t support MFA, allowing them to authenticate without receiving an MFA prompt.
4) MFA can be configured with which of the following policies in Microsoft 365?
- A) Conditional Access
- B) Password Expiration Policy
- C) Self-Service Password Reset Policy
- D) Retention Policy
Answer: A
Conditional Access policies in Microsoft 365 are used to configure MFA requirements under specific conditions, such as sign-in risk, location, device compliance, and application sensitivity.
5) True or False: Global administrators in Microsoft 365 are automatically required to enroll in MFA.
- Answer: True
By default, Microsoft 365 security defaults require all global administrators to set up MFA to help protect and secure the environment.
6) What is the purpose of Azure AD Identity Protection in the context of MFA?
- A) To provide detailed reporting on user sign-ins and risk detection
- B) To sync user directories
- C) To enforce storage encryption
- D) To perform MFA troubleshooting for users
Answer: A
Azure AD Identity Protection provides a consolidated view of risk events and potential vulnerabilities affecting the organization’s identities, enabling administrative actions such as enforcing MFA on sign-ins with detected risks.
7) True or False: Legacy authentication protocols can be blocked in Conditional Access policies to enforce MFA.
- Answer: True
Blocking legacy authentication protocols using Conditional Access policies can help enforce MFA since these older protocols do not support it.
8) What is the term for the feature that allows users to remember MFA on trusted devices, so they aren’t prompted for MFA every time they authenticate?
- A) MFA Trusted IPs
- B) Remember multi-factor authentication
- C) MFA Session Control
- D) MFA One-time Bypass
Answer: B
“Remember multi-factor authentication” is a feature that allows a user to not be prompted for MFA on trusted devices for a certain number of days after the first successful MFA challenge.
9) True or False: The Microsoft Authenticator app can only be used for MFA in Microsoft
- Answer: False
The Microsoft Authenticator app can be used for MFA in various services, not just Microsoft 365, as it supports standard TOTP-based MFA protocols.
10) When setting up MFA for a user, they must provide at least how many verification methods?
- A) One
- B) Two
- C) Three
- D) Zero, it’s optional
Answer: A
When setting up MFA, a user has to provide at least one verification method. However, it’s recommended to set up additional methods to ensure account access if one method is unavailable.
11) Which of the following can be an outcome of configuring MFA with Conditional Access based on sign-in risk?
- A) Required password change
- B) Automatically sign-out the user
- C) Block access
- D) Require MFA
Answer: D
When MFA is configured with Conditional Access based on sign-in risk, it can require users to perform MFA when the sign-in is deemed risky to verify their identity.
12) True or False: Only Microsoft 365 E5 licensed users can use MFA.
- Answer: False
MFA is available for all Microsoft 365 users, not only those with E5 licenses. Microsoft provides different MFA capabilities across several licensing levels.
Interview Questions
What is multi-factor authentication (MFA)?
Multi-factor authentication (MFA) is a security system that requires more than one method of authentication from a user before granting access to a system or application.
What are some factors that can be used for MFA?
MFA factors can include something the user knows (e.g., a password), something the user has (e.g., a mobile device), or something the user is (e.g., a fingerprint or facial recognition).
What are some design considerations for implementing MFA in a hybrid identity environment?
Some design considerations for implementing MFA in a hybrid identity environment include determining which applications or systems require MFA, identifying the user populations that require MFA, and determining the types of MFA factors that will be used.
What is Azure AD MFA?
Azure AD MFA is a cloud-based MFA service that can be used to protect access to Azure AD and other cloud-based applications.
What are the two authentication modes available in Azure AD MFA?
The two authentication modes available in Azure AD MFA are “per-user MFA” and “conditional access MFA.”
What is per-user MFA?
Per-user MFA is a mode of Azure AD MFA in which MFA is required for all user sign-ins, regardless of other conditions.
What is conditional access MFA?
Conditional access MFA is a mode of Azure AD MFA in which MFA is required based on specific conditions, such as location, device type, or user group.
How can MFA be configured for Azure AD users?
MFA can be configured for Azure AD users through the Azure portal or through PowerShell commands.
What is a trusted IP address?
A trusted IP address is an IP address range that has been designated as safe for access to a system or application without requiring MFA.
What is a fraud alert?
A fraud alert is a notification that is generated when an MFA attempt is detected that appears to be fraudulent, such as a sign-in attempt from an unfamiliar location or device.
Great guide! I’ve successfully configured MFA for our organization.
Can anyone explain the difference between app passwords and traditional passwords?
Struggling with setting up MFA for a hybrid environment, any best practices?
How does Conditional Access work with MFA?
This blog post is really helpful, thanks!
Having an issue with SMS not being delivered. Any ideas?
The authenticator app is much more secure than SMS-based MFA. Highly recommended.
Appreciate the detailed instructions on configuring MFA.