{"id":93022,"date":"2021-12-27T18:00:46","date_gmt":"2021-12-27T18:00:46","guid":{"rendered":"https:\/\/www.red-gate.com\/simple-talk\/?p=93022"},"modified":"2021-12-27T17:33:00","modified_gmt":"2021-12-27T17:33:00","slug":"azure-and-mfa-secrets","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/blogs\/azure-and-mfa-secrets\/","title":{"rendered":"Azure and MFA Secrets"},"content":{"rendered":"

MFA and conditional access policies are powerful tools for our cloud security, but they are full of tricks.<\/p>\n

I don’t pretend to cover the basics here. You know you can create conditional access policies to request MFA authentication from the users. You also know the fact the default configuration (which you should avoid) will request MFA from everyone.<\/p>\n

However, for the user to fulfill the requirement, the user needs to be registered for the MFA. There are some different ways to control the user registration for MFA.<\/p>\n

It’s recommended to ensure the registration of the users for MFA before the conditional access policies jumps in and start requesting MFA from the users.<\/p>\n

\nDirect Registration Requirement<\/h2>\n

\nOn Active Directory -> Security -> Identity Protection -> MFA Registration Policy<\/strong> you can define the users who will be required to register a 2nd authentication method for MFA.<\/p>\n

\"\"<\/p>\n

MFA give the\u00a0 user 14 days for the registration before making it required. However, this will be a registrations of a single alternate method which by default is the Authenticator App.<\/p>\n

The user has the option to choose a different method instead of the authenticator app, but not many users do so. A request for a new registration will never appear for the user again, or that’s what most people believe.<\/p>\n

Self-Service Password Reset<\/h2>\n

\nIt’s undeniable that SSPR is a very interesting feature, but what’s its relation to MFA registration?<\/p>\n

SSPR requires MFA authentication methods. You can check the authentication methods required by SSPR on Active Directory -> Password Reset -> Authentication Methods<\/strong><\/p>\n

\"\"<\/p>\n

The enabled authenticator methods don’t includ the authenticator app\u00a0 by default. You can include it, but it’s not by default.<\/p>\n

On the item below, Active Directory -> Password Reset -> Registration<\/strong> the default configuration is to require every user registered for SSPR to register an MFA method on their next login and by default will be a different one than the default Authenticator App.<\/p>\n

\"\"<\/p>\n

This becomes the second option the user has to register a secondary MFA method.<\/p>\n

\nThe Problem<\/h2>\n

It’s not very good the idea to depend on SSPR for the registration of a secondary MFA method. What happens if the user is in the middle of a trip and don’t have access to the main MFA methods registered? How could the user authenticate with alternate methods?<\/p>\n

It’s not a good idea to have a single MFA method registered, how could you configure additional ones?<\/p>\n

The Solution<\/h2>\n

There are two addresses the user can access directly to register additional MFA methods:<\/p>\n