Can you set up Azure portal with MFA - azure

In AWS I was able to set up MFA so that when I log into the console I have to enter an MFA code from my phone in addition to a password.
Is there a way to set MFA for https://portal.azure.com?

Per my understanding, you are looking for Azure Multi-Factor Authentication.
Add protection for Azure administrator accounts
Multi-Factor Authentication adds a layer of security to your Azure administrator account at no additional cost. When it's turned on, you need to confirm your identity to spin up a virtual machine, manage storage, or use other Azure services.
Azure Multi-Factor Authentication is Microsoft's two-step verification solution.
It helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers authentication via a range of verification methods, including phone call, text message, or mobile app verification.
Azure Multi-Factor Authentication in the cloud
Enable Azure Multi-Factor Authentication
Turn on two-step verification for users
You could get started with it in the cloud with this article.

Related

Okta federated Azure AD user login question

Azure/Intune newbie here.
We are planning to implement Intune in our org, and I have a question regarding user device log-in to Windows devices if Azure AD is Okta federated.
From the login/lock screen, do users use their Okta credentials to log in to their devices instantly, without being taken to the company Okta portal?
We are an Okta shop and wanted to use a single set of credentials for device logins and Okta SSO.
This is not yet implemented, so I am unsure how the device login works.
If your organization is planning to use Intune for managing Windows devices and you have federated your Azure Active Directory tenant with Okta, it is possible to allow users to sign in to their Windows devices using their Okta credentials.
When users sign in to their Windows device, they will be presented with the Windows sign-in screen, which will prompt them to enter their credentials. If your organization has configured Windows Hello for Business or multi-factor authentication, users will be prompted to provide additional verification.
If you have set up federation between Azure AD and Okta using the Security Assertion Markup Language (SAML) protocol, the Okta sign-in page will not be shown to the user during the Windows sign-in process. Instead, the user's credentials will be validated by Okta behind the scenes, and the user will be signed in to their device directly. This will, of course, take more effort to implement SAML (as I have experienced).
To enable this sign-in experience, you need to configure the Windows 10 device to use Azure AD for authentication. You can do this by joining the Windows device to Azure AD during the device setup process or by using the Azure AD join feature to join the device to Azure AD.
Once the device is joined to Azure AD, you can then deploy Intune policies to the device to manage its settings and applications. Additionally, you can also use Azure AD Conditional Access policies to control access to company resources based on factors such as the user's location, device compliance status, and authentication context.
Keep in mind that to use this sign-in experience, your users will need to have their Okta credentials synchronized to Azure AD using Azure AD Connect or another supported method. Additionally, you may need to configure the Azure AD and Okta federation settings to ensure that the authentication flow works correctly.

Is there a way to enable Microsoft Authenticator in Azure AD B2C?

In my project, this is a fundamental part of the project. Windows Hello for Business and MS Authenticator are secure and easy to use; the goal here is to enable this in Azure B2C SUSI to increase safety and provide a fast way to sign in for the user.
The point is, is there a way to do that in B2C? Replace the normal password with a passwordless way of authentication?
There is a possibility to achieve Multi-Factor Authentication using the Authenticator app. It is documented and a sample is provided here: Azure AD B2C: TOTP multi-factor authentication
With Azure Active Directory (Azure AD) B2C, you can integrate TOTP-based Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. This requires using custom policy and custom REST API endpoint. If you already created sign-up and sign-in policies, you can still enable Multi-Factor Authentication.
Below is the user auth flow using TOTP:
At this time, MS does not support primary auth using Authenticator for B2C. You can request this via the Azure AD B2C forum on feedback.azure.com.
SMS and Phone verification are the options available as of now.
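The TOTP verification that the answer above refers to (the custom REST API endpoint that a B2C custom policy calls to check the code from the Authenticator app) is shown here as an added example; it is not Microsoft's sample and not the answerer's code. It implements RFC 6238 with only the Python standard library. The function names, the Base32 secret format, the otpauth:// enrolment URI and the replay-counter handling are assumptions for illustration; the only real values are the RFC 4226/6238 test-vector secret used in the comments.

```python
"""RFC 6238 TOTP generation and verification (added example, standard library only).

Names such as verify_totp and last_counter are hypothetical; the shared secret
is Base32-encoded the way authenticator apps expect in an otpauth:// URI.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple
from urllib.parse import quote

STEP_SECONDS = 30   # time step used by Microsoft Authenticator and most TOTP apps
DIGITS = 6          # code length shown to the user


def generate_secret(num_bytes: int = 20) -> str:
    """Random shared secret for enrolment, Base32 without padding (20 bytes = 32 chars)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that a TOTP app can enrol from (usually rendered as a QR code)."""
    return (
        f"otpauth://totp/{quote(issuer)}:{quote(account)}"
        f"?secret={secret_b32}&issuer={quote(issuer)}"
        f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}"
    )


def _hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret_b32: str, unix_time: int, digits: int = DIGITS,
            step: int = STEP_SECONDS) -> str:
    """TOTP code valid at the given Unix time (counter = floor(time / step))."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded, casefold=True)
    return _hotp(secret, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1,
                last_counter: Optional[int] = None, digits: int = DIGITS,
                step: int = STEP_SECONDS) -> Tuple[bool, Optional[int]]:
    """Check a user-supplied code; returns (ok, counter_used).

    - window: how many steps of clock skew to tolerate on either side.
    - last_counter: the counter of the last code accepted for this user; any
      counter at or below it is rejected so one code cannot be replayed.
    The caller is expected to persist the returned counter on success.
    """
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False, None
    current = unix_time // step
    # Try the exact step first, then widen outwards.
    deltas = [0] + [d for k in range(1, window + 1) for d in (-k, k)]
    for delta in deltas:
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        expected = totp_at(secret_b32, counter * step, digits, step)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True, counter
    return False, None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret "12345678901234567890" in Base32.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(provisioning_uri(rfc_secret, "user@example.com", "Contoso B2C"))
    print(totp_at(rfc_secret, 59, digits=8))        # RFC 6238 vector: 94287082
    print(verify_totp(rfc_secret, "287082", 59))    # (True, 1)
```

The endpoint behind a B2C custom policy would load the user's secret and last accepted counter from storage, call verify_totp with the current time, and store the returned counter before replying; keeping window small and rejecting counters at or below the last one is what stops a captured code from being reused within its validity period.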

Azure VPN login happens without MFA

I have configured a Virtual network gateway with Azure AD authentication and an OpenVPN SSL tunnel. While connecting via the Azure VPN application using my office mail ID, I'm not asked for MFA even though it is enforced by the administrator to ask for MFA whenever a user logs in; plus I'm not even prompted for my password. Why is this happening? Is it by design?
So if a user (AD member) logs in from an Azure AD registered, Azure AD joined, or Hybrid Azure AD joined device, they'll not be prompted for MFA since the MFA token is already claimed (they'll be asked if the token is not claimed). If MFA is still needed, then Conditional Access needs to be applied, or click on "Use a different account" so that a new token needs to be claimed and MFA is prompted.
The Security Reader role should be enough to access almost all parts of this application.

Azure AD B2C - Verify user when transacting

We are leveraging Azure AD B2C Custom policies with our web application. When we do an important transaction on the app, even if the user is logged in, we would like to be able to verify that this is the correct user before committing the transaction. For instance, we could send a code to the user's phone and ask him to enter the code in the app (on the form he is executing the transaction).
Is this something achievable through Azure AD B2C custom policies? The MFA phone factor extension?
Yes, the Azure Multi-Factor Authentication Software Development Kit (SDK) can let you build two-step verification directly into transaction processes of applications in your Azure AD tenant.
For the details about the code sample, you could refer to here.
Note: This feature will no longer be supported until November 14, 2018.

How can we show Azure AD security questions?

I have used the Azure AD B2C sign-in and sign-up policy for the user login and signup process with Multi-Factor Authentication. I have also set up a password reset policy.
Everything is working fine with Phone factor (MFA).
Now the client wants to add security questions while signing up a user and resetting a password.
I have enabled security questions and selected 5 questions; however, they are not visible while signing up a user or resetting a password.
I am not able to understand what the exact problem is.
Based on the official documentation, Azure AD B2C only supports using a verified email address as a recovery method.
Currently, we only support using a verified email address as a recovery method. We will add additional recovery methods (verified phone number, security questions, etc.) in the future.
In addition, Azure AD B2C only supports phone call and text message verification for Multi-Factor Authentication (MFA).
Azure Active Directory (Azure AD) B2C integrates directly with Azure Multi-Factor Authentication so that you can add a second layer of security to sign-up and sign-in experiences in your consumer-facing applications. And you can do this without writing a single line of code. Currently we support phone call and text message verification.
For more information about MFA and password reset for Azure AD B2C, please refer to the following links.
Azure Active Directory B2C: Set up self-service password reset for your consumers
Azure Active Directory B2C: Enable Multi-Factor Authentication in your consumer-facing applications