{"id":24371,"date":"2023-04-28T17:53:26","date_gmt":"2023-04-28T21:53:26","guid":{"rendered":"https:\/\/www.sherweb.com\/blog\/?p=24371"},"modified":"2023-05-17T18:01:41","modified_gmt":"2023-05-17T22:01:41","slug":"multifactor-authentication-in-azure-active-directory","status":"publish","type":"post","link":"https:\/\/r-swca2-app15-sherwebbl-change-font-czgcf8cmcjh3asb3.canadacentral-01.azurewebsites.net\/blog\/cloud-server\/multifactor-authentication-in-azure-active-directory\/","title":{"rendered":"What MSPs should know about multifactor authentication in Azure Active Directory"},"content":{"rendered":"

Multifactor authentication (MFA) requires users to submit two or more forms of identification when signing into a service, for example, requiring a user to enter a password and then confirm their identity by entering a unique code sent to them via text or email.<\/p>\n

Password-based access control carries elevated risk if it\u2019s your only security measure protecting critical services, like an organization\u2019s Azure<\/a> tenant and their data. All it takes is time and easily available software for an attacker to compromise a weak password and gain access to anything managed by those Azure Active Directory<\/a> credentials. Adding even just one additional layer of authentication reduces risk significantly.<\/p>\n

That said, it\u2019s a good idea for managed service providers (MSPs) to have a solid understanding of how to deploy multifactor authentication<\/a> in Azure Active Directory. Here\u2019s how it works, why it matters and what best practices you should follow to get deployment right the first time.<\/p>\n

Core concepts of multifactor authentication in Azure AD<\/h2>\n

When enabled, multifactor authentication in Azure AD requires users<\/a> to authenticate themselves using two or more methods in three broad categories:<\/p>\n

Something a user knows<\/h3>\n

Most commonly passwords, but often also biographical information, like a mother\u2019s family name, a pet\u2019s name or a former address.<\/p>\n

Something they are<\/h3>\n

In other words, biometrics. Azure AD can accept many biometric credentials, including fingerprints and facial recognition scans.<\/p>\n

Something they have<\/h3>\n

Lastly, credentials can be external assets, like an authentication app on a smartphone or a hardware key.<\/p>\n

Users can also perform self-service password resets<\/a> without contacting their MSP for support when enrolled in multifactor authentication in Azure AD. Since they registered multiple ways to identify themselves, you can safely allow them to modify one set of credentials if they can authenticate using other methods.<\/p>\n

Multifactor authentication in Azure AD protects users, businesses and MSPs<\/h2>\n

Passwords are notoriously weak, and businesses that rely solely on passwords for security<\/a> are putting themselves at unnecessary risk. A study from Microsoft found that applying a second layer of authentication\u2014any layer\u2014reduced the risk that user credentials would be compromised<\/a> to 0.1 percent.<\/p>\n

Attackers use various mechanisms<\/a> to compromise credentials, from brute force password crackers to social engineering and more sophisticated man-in-the-middle network attacks. Each access control method is vulnerable to different attacks. When you combine two or more, the risk compromise plummets. The costs in time and money of breaking multifactor authentication are so high that most attackers simply choose to look for an easier target.<\/p>\n

Types of authentication available for MFA in Azure AD<\/h2>\n

Azure AD supports a variety of different authentication methods:<\/p>\n