Enable free Azure MFA for Global administrators

Using any kind of administrative account without multi-factor authentication (MFA) today presents high level of risk. With today's sophisticated attacks on your credentials (like phishing attacks) using just password it not secure enough, especially if we know that many people use simple passwords, or they are re-using same password for different services, even for administrative accounts.

If you have accounts that belong to Global administrator role in Azure Active Directory you can easily enable Azure MFA for free. Important to note is that Azure MFA is free only if account is Work or School account (i.e. Azure AD account like [email protected]), at the moment it cannot be enabled for Microsoft Accounts (MSA, accounts with @hotmail or @outlook domain).

To get a list of all Global administrators in the Azure AD tenant we can use following PowerShell commandlets:

Connect-AzureAD
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId | Get-AzureADUser

These commandlets are part of Azure AD V2 PowerShell. Azure AD role with display name "Company Administrator" is basically Global administrator. Output of Get-AzureADDirectoryRoleMember will give us a list of all Global administrator users:

AzureADDirectoryRoleMember

To enable Azure MFA for an administrative account open the Azure Portal (https://portal.azure.com), open the Azure AD tile, click Users and Groups, All Users and then Multi-Factor Authentication:

MFAAzure-1

New tab will open in the browser, here we can see all users from our Azure AD tenant. Select a Global administrator account you want MFA enabled and click Enable:

MFAAzure2

Confirm by clicking "enable multi-factor auth" and "close".

We are back on the user's list, we can see that for our Global administrator account Multi-factor auth status is now Enabled:

MFAAzure3

First time our administrative user logs in to Azure Portal she will be asked to complete additional security verification, to proceed click on "Set it up now":

MFAAzure4

User can choose between different additional security verification methods:

  • Call or text on mobile phone
  • Call on the office phone
  • Using mobile application (Microsoft Authenticator) to receive notification for verification or generate a verification code

In this post we'll show how to configure additional security verification methods using mobile app.

Under "How should we contact you?" choose "Mobile app" and click "Set up":

MFAAzure5

Azure MFA will generate QR code that we need to scan with Microsoft Authenticator app installed on the mobile phone. Scanning the QR code will configure the app, click Next after that.

We'll return back to "Additional security verification" page which will say that mobile app has been configured:

MFAAzure6

Select "Receive notification for verification" or "Use verification code" and click Next. Azure MFA can send either a notification message to the mobile phone or Microsoft Authenticator app will generate a one-time code that must be entered on "Additional security verification" page. In our example we have chosen notification message:

MFAAzure7

Once previous step is completed Azure MFA will ask you for mobile phone number in case you lose access to mobile app:

MFAAzure8

In the last step Azure MFA will generate app password. App password is not used in this scenario, Global administrator is accessing Azure Portal or Azure PowerShell so it's not relevant for us:

MFAAzure9

Next time our Global administrator user logs to Azure Portal she will be asked to complete multi-factor authentication using the method configured in the previous steps:

MFAAzure10

If we now open list of our users we'll see Multi-factor auth status for administrative user now says "Enforced":

MFAAzure11

It's that easy to enable MFA, don't wait and enable it for all your Global administrator accounts today!