Microsoft 365 / Azure – Where to start with Security implementation for my Tenant – part 1 – Is MFA enabled?

Hi All,
Greetings for the day!!!
We always talk about the SECURITY of our tenant, and of course why not, since it is one of the most critical aspects for any organization. I observed / realised that it is always confusing where to start implementing SECURITY for my organization. What features should I look into to make sure things are in place and my tenant is secured?
Microsoft suggests the following top 10 ways to secure our organization’s business data.
As the first and simplest step, I will go for MFA – one of the easiest options to secure my organization / company / tenant.
Takeaways from this article
- Understand what MFA is
- Why MFA
- How to enable MFA for individual users from Microsoft 365 admin center
- How to enable MFA for bulk users from Microsoft 365 admin center
- Enabling MFA for individual users using PowerShell
- Detailed references related to MFA
MFA

- WHY MFA
  - Identity-related attacks like password spray, replay, and phishing are common in today’s environment
  - More than 99.9% of these identity-related attacks are stopped by using multifactor authentication (MFA) and blocking legacy authentication
  - Ensuring that all organizations have at least a basic level of security enabled at no extra cost
- WHAT is MFA
  - Additional level of SECURITY for users in my tenant
  - Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan
  - MFA uses
    - Strong password authentication
    - Additional verification methods – listed below
  - We have a very good article to start with on MFA, to understand it and to know how to enable it from the Microsoft 365 admin center. Please have a look – Office 365: Cloud Identities – Managing multi-factor Authentication from Admin center site
- HOW to enable MFA
  - To manage MFA we need the “Global Administrator” role in our tenant
  - We can enable MFA in the following ways
    - With security defaults – to know more about security defaults, see Azure – Preparing exam SC – 300 – Identity and Access Administrator – security defaults – Part 5
      - We can use security defaults with any Microsoft 365 plan
    - With Conditional Access policies
      - We can use Conditional Access policies with:
        - Microsoft 365 Business Premium
        - Microsoft 365 E3 and E5
        - Azure AD Premium P1 and Azure AD Premium P2 licenses
    - For each individual account
      - From Microsoft 365 admin center – for individual users
      - For bulk users from Microsoft 365 admin center – Cloud Security – Azure Active Directory authentication – Configuring Multi-Factor Authentication (MFA) – Bulk user update – Part 5
      - From Azure AD
    - MFA – PowerShell
      - We have a detailed article on enabling / disabling MFA from PowerShell for individual users – Azure Active Directory authentication – Configuring Multi-Factor Authentication (MFA) – PowerShell cmdlets – Part 6
NOTE:
We can use either SECURITY DEFAULTS or CONDITIONAL ACCESS POLICIES to set up MFA. We cannot use both methods together.
Available verification methods
- When we (users) sign in to an application or service and receive an MFA prompt, we can choose from one of the registered forms of additional verification.
  - Smart phone – Microsoft Authenticator smart phone app – Microsoft recommends this
  - Fingerprint, face or other biometric attribute
  - Windows Hello for Business
  - FIDO2 security key
  - OATH hardware token
  - SMS
  - Voice calls
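To answer the "Is MFA enabled?" question from the title, the following is an added example, not code from this article or from the linked PowerShell article: it reports whether security defaults or MFA-requiring Conditional Access policies are switched on, and groups each user by the verification methods they have registered. It assumes the Microsoft Graph PowerShell SDK is installed for the tenant query; the function names `Get-MfaPosture` and `Get-TenantMfaReport`, the posture labels and the sample accounts are made up for illustration.

```powershell
# Added example, not from the original article. Get-MfaPosture runs offline;
# Get-TenantMfaReport assumes the Microsoft Graph PowerShell SDK is installed.

# Graph @odata.type values mapped to the verification methods listed above.
$MethodMap = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  = 'Microsoft Authenticator'
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod' = 'Windows Hello for Business'
    '#microsoft.graph.fido2AuthenticationMethod'                   = 'FIDO2 security key'
    '#microsoft.graph.softwareOathAuthenticationMethod'            = 'OATH software token'
    '#microsoft.graph.phoneAuthenticationMethod'                   = 'SMS / voice call'
}

function Get-MfaPosture {
    # Classify one user's registered methods (hypothetical helper and labels).
    param([string]$User, [string[]]$MethodTypes = @())
    $names = @($MethodTypes | Where-Object { $MethodMap.ContainsKey($_) } |
               ForEach-Object { $MethodMap[$_] } | Sort-Object -Unique)
    if ($names.Count -eq 0) { $posture = 'NoMfaMethod' }          # password only
    elseif ($names.Count -eq 1 -and $names[0] -eq 'SMS / voice call') { $posture = 'PhoneOnly' }
    else { $posture = 'AppOrKey' }
    [pscustomobject]@{ User = $User; Posture = $posture; Methods = $names -join ', ' }
}

function Get-TenantMfaReport {
    # Run first: Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All','Policy.Read.All'
    $sd = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
    $ca = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
            $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa' })
    Write-Host "Security defaults enabled: $sd; enabled CA policies requiring MFA: $($ca.Count)"
    Get-MgUser -All -Property Id,UserPrincipalName | ForEach-Object {
        $u = $_
        $types = @(Get-MgUserAuthenticationMethod -UserId $u.Id |
                   ForEach-Object { $_.AdditionalProperties['@odata.type'] })
        Get-MfaPosture -User $u.UserPrincipalName -MethodTypes $types
    }
}

# Constructed sample data (not real accounts) to try the classifier offline.
$sample = @{
    'alice@contoso.example' = @('#microsoft.graph.passwordAuthenticationMethod',
                                '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod')
    'bob@contoso.example'   = @('#microsoft.graph.passwordAuthenticationMethod',
                                '#microsoft.graph.phoneAuthenticationMethod')
    'carol@contoso.example' = @('#microsoft.graph.passwordAuthenticationMethod')
}
$sample.GetEnumerator() | ForEach-Object { Get-MfaPosture -User $_.Key -MethodTypes $_.Value } |
    Sort-Object User | Format-Table -AutoSize
```

A registered method only shows what a user is able to use; whether MFA is actually demanded at sign-in is decided by security defaults or by the Conditional Access policies counted in the first line of the tenant report.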
There is a very good table provided by Microsoft (https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/multi-factor-authentication-microsoft-365?view=o365-worldwide) with details like Plan / Recommendation / Type of customer:
Plan | Recommendation | Type of customer |
All Microsoft 365 plans | Use security defaults, which require MFA for all user accounts. You can also configure per-user MFA on individual user accounts, but this isn’t recommended. | Small business |
Microsoft 365 Business Premium, Microsoft 365 E3, Azure Active Directory (Azure AD) Premium P1 licenses | Use security defaults or Conditional Access policies to require MFA for user accounts based on group membership, apps, or other criteria. | Small business to enterprise |
Microsoft 365 E5, Azure AD Premium P2 licenses | Use Azure AD Identity Protection to require MFA based on sign-in risk criteria. | Enterprise |
REFERENCES
- Office 365: Cloud Identities – Managing multi-factor Authentication from Admin center site
- https://knowledge-junction.in/2020/07/05/cloud-security-azure-active-directory-authentication-configuring-multi-factor-authentication-mfa-part-3/
- Exchange Online : Major Update – Retirement of Exchange Online PowerShell with MFA module
- M365 – SharePoint online – Connecting to SharePoint online site using PowerShell when Multi-Factor Authentication (MFA) is enabled for the user
- Azure – Preparing exam SC – 300 – Identity and Access Administrator – security defaults – Part 5
- Power Platform – Power Automate changes / issues / errors after MFA enabled for the users
- PowerShell Script for Azure MFA authentication method analysis
Feel free to discuss MFA with us, or to contact us if you want to implement MFA in your organization.
Thanks for sharing valuable article
Thanks 🙂