This practice lab focuses on how to enable Multi-Factor Authentication (MFA) for an Azure AD tenant (the directory behind your subscription) and how to customize when it is required with a Conditional Access policy. MFA authenticates a user with more than just a password, for example a code or approval from a phone app.
Before proceeding further, register your phone or another secondary authentication method for your own account by clicking the following link, so that you are not locked out once MFA is enforced on you.
To check whether MFA is enabled in your Azure Active Directory, click Azure Active Directory and then the Security tab in the left sidebar.
If MFA is not available in your directory, activate the Azure AD Premium P2 trial as suggested in the previous lecture, or alternatively the Enterprise Mobility + Security trial, which also includes Azure AD Premium. Note that Conditional Access itself requires at least Azure AD Premium P1; either trial covers it.
Choose one of the options and activate the trial.
Once it is activated, clicking MFA shows the following options. If you do not see the same screen, wait a few minutes: activation of the Azure AD P2 trial takes some time to propagate.
Click the link above; it opens the MFA settings page, where you configure MFA-related settings and can enable MFA for one or more users.
This page has two tabs, users and service settings. Service settings holds the configurable options for app passwords and trusted IPs (the IP ranges from which users are not prompted for a second factor). If you scroll down further you find the verification methods available to users, and below that the number of days for which a device may remember MFA before it asks the user for a second factor again.
Clicking the users tab at the top loads a list of all users that are either part of this directory or connected to it.
If you have multiple users in the directory, you can select a particular user and enable MFA for that user permanently (per-user MFA). Remember that this per-user setting cannot be applied to guest users of this directory; to require MFA of guests, use Conditional Access as described below.
Which users get MFA, and when the additional authentication is requested, depend on company security policy. If you want to customize this further based on conditions such as location or device, you have to use Conditional Access.
Click Conditional Access in the Security section of Azure AD.
Inside you will find some pre-defined policies, but as you can see the status of all of them is Off, so none is enabled right now.
Now it is time to configure Conditional Access. We will create our own policy, but before we do that let's add some Named locations.
In the left column, click Named locations and then New location.
Add the new location with the following details (a name and one or more IP ranges in CIDR notation) and make sure you check Mark as trusted location.
In the same way you can add multiple locations and mark some of them as trusted. Only IP-range locations can be marked trusted; country or region locations cannot.
Now it is time to create a policy.
In the new policy blade, provide a name such as Work from home policy and then select which users the policy applies to.
Do not select All users, because there is a real chance you lock yourself out. If you do have to select All users, do not forget to exclude yourself or an administrator account (ideally a dedicated break-glass account that is never subject to this policy) from the rule.
Under Conditions you can build the condition from any of the given options. Since we have trusted locations, we select Locations, like this.
We want the policy to apply to every location that is not trusted, so we include All locations and exclude All trusted locations.
In the same way you could choose Device state or Device platforms as part of the condition.
Next, under Access controls click Grant and select the option Require multi-factor authentication; it applies to every user affected by this policy.
Finally click Select and make sure Enable policy is set to On before you click Create. (Report-only is a safer first choice: it logs what the policy would have done without enforcing it, so you can confirm the scope before turning it on.)
At the end your new policy is listed with status On.
So, we have created a Conditional Access policy that requires multi-factor authentication: when a user in scope signs in from any location other than the trusted locations, they are asked for an additional way of authenticating. Sign-ins from a trusted location, and sign-ins by users excluded from the policy, are not prompted by this policy.
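The portal steps above map directly onto two Microsoft Graph objects: an ipNamedLocation and a conditionalAccessPolicy. The following added example (written for this lab, not part of the original page or of any Microsoft tooling) builds those two JSON bodies in the shape Graph expects and then simulates how the policy is evaluated for a sign-in, so the lockout and exclusion behaviour can be checked offline before anything is enforced. The user object IDs, location name and IP ranges are constructed placeholders, and the simulation only covers the conditions this lab uses (users and locations); a real tenant evaluates more conditions and you would send the bodies with an authenticated client.

```python
"""Graph-shaped bodies for the lab's MFA policy plus an offline evaluation check.
Added example for this lab; all IDs, names and IP ranges are constructed."""
import ipaddress

# Constructed object IDs (hypothetical, not from a real tenant).
LAB_USER = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_ADMIN = "99999999-9999-9999-9999-999999999999"


def build_named_location(name, cidrs, trusted=True):
    """Body for POST /identity/conditionalAccess/namedLocations (IP-based, trusted)."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": trusted,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
            for c in cidrs
        ],
    }


def build_policy(include_users, exclude_users,
                 state="enabledForReportingButNotEnforced"):
    """Body for POST /identity/conditionalAccess/policies.

    Mirrors the lab: scoped users, all apps, all locations except trusted ones,
    grant control = MFA. Default state is report-only so the scope can be checked
    in sign-in logs before switching to "enabled"."""
    return {
        "displayName": "Work from home policy",
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(include_users),
                      "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def is_trusted_ip(ip, named_locations):
    """True if the source IP falls inside any trusted IP named location."""
    addr = ipaddress.ip_address(ip)
    for loc in named_locations:
        if not loc.get("isTrusted"):
            continue
        for rng in loc["ipRanges"]:
            if addr in ipaddress.ip_network(rng["cidrAddress"], strict=False):
                return True
    return False


def user_in_scope(policy, user_id, is_guest=False):
    """Exclusions always win over inclusions, as in Conditional Access."""
    users = policy["conditions"]["users"]
    if user_id in users["excludeUsers"]:
        return False
    inc = users["includeUsers"]
    if "All" in inc or user_id in inc:
        return True
    return is_guest and "GuestsOrExternalUsers" in inc


def location_in_scope(policy, ip, named_locations):
    """Lab policy: include All locations, exclude AllTrusted."""
    locs = policy["conditions"]["locations"]
    included = "All" in locs["includeLocations"]
    excluded = "AllTrusted" in locs["excludeLocations"] and is_trusted_ip(ip, named_locations)
    return included and not excluded


def evaluate(policy, named_locations, user_id, ip, is_guest=False):
    """'mfa' if the policy applies and enforces, 'report-only' if it applies but
    only logs, 'allow' if the sign-in is outside the policy's scope."""
    if policy["state"] == "disabled":
        return "allow"
    if not (user_in_scope(policy, user_id, is_guest)
            and location_in_scope(policy, ip, named_locations)):
        return "allow"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "report-only"
    return "mfa"


if __name__ == "__main__":
    office = build_named_location("Head office", ["203.0.113.0/24"])
    policy = build_policy([LAB_USER], [BREAK_GLASS_ADMIN], state="enabled")
    for who, ip in [(LAB_USER, "198.51.100.7"), (LAB_USER, "203.0.113.42"),
                    (BREAK_GLASS_ADMIN, "198.51.100.7")]:
        print(who, ip, "->", evaluate(policy, [office], who, ip))
```

Running the module shows the three cases the lab cares about: the scoped user from an untrusted address gets `mfa`, the same user from inside the trusted range gets `allow`, and the excluded break-glass account is never prompted by this policy regardless of where it signs in from.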