Configure Azure AD Multi-Factor Authentication DEMO step by step

Channel: Paddy Maddy, published 2020-12-29 (8,500 views)
To customize the end-user experience for Azure AD Multi-Factor Authentication, you can configure options for settings such as account lockout thresholds or fraud alerts and notifications. Some settings are located directly in the Azure portal for Azure Active Directory (Azure AD), and others are located in a separate Azure AD Multi-Factor Authentication portal.

Account lockout
To prevent repeated MFA attempts as part of an attack, the account lockout settings allow you to specify how many failed attempts are allowed before the account is locked for a certain period of time. The account lockout settings are only applied when a PIN code is entered for the MFA prompt.

The following settings are available:

Number of MFA rejections that trigger an account lock
Minutes until account lockout counter reset
Minutes until the account is automatically unlocked
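As an added illustration (not code from the video or from Microsoft), the three lockout settings above modelled as a small per-user state machine; the policy values and the rule that the counter resets when the previous rejection is older than the reset window are assumptions for the demo, and times are plain Unix seconds so the class can be driven from `time.time()`.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """The three account lockout settings listed above (values are constructed examples)."""
    rejections_to_lock: int = 3      # Number of MFA rejections that trigger an account lock
    counter_reset_minutes: int = 5   # Minutes until account lockout counter reset
    auto_unlock_minutes: int = 10    # Minutes until the account is automatically unlocked


@dataclass
class _UserState:
    rejections: int = 0
    last_rejection: Optional[float] = None   # Unix seconds of the most recent rejected PIN
    locked_until: Optional[float] = None     # Unix seconds at which the lock expires


class LockoutTracker:
    """Per-user lockout state; `now` is Unix seconds (e.g. time.time())."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._users: Dict[str, _UserState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self._users.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_rejection(self, user: str, now: float) -> bool:
        """Record one rejected PIN entry. Returns True if the account is locked afterwards."""
        p = self.policy
        st = self._users.setdefault(user, _UserState())
        if self.is_locked(user, now):
            return True                      # still inside the auto-unlock window
        # Assumption: the counter resets when the previous rejection is older than the reset window.
        if st.last_rejection is not None and now - st.last_rejection > p.counter_reset_minutes * 60:
            st.rejections = 0
        st.rejections += 1
        st.last_rejection = now
        if st.rejections >= p.rejections_to_lock:
            st.locked_until = now + p.auto_unlock_minutes * 60
            st.rejections = 0                # fresh counter once the lock expires
            return True
        return False
```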

Lock and unlock users
If a user's device is lost or stolen, you can block Azure AD Multi-Factor Authentication attempts for the associated account. All Azure AD Multi-Factor Authentication attempts for blocked users are automatically rejected. Users remain blocked for 90 days from the time of blocking.

Fraud alerts
The fraud alerts feature allows users to report fraudulent attempts to access their resources. When an unknown and suspicious MFA request is received, users can report the fraud attempt using the Microsoft Authenticator app or from their phone.

The following fraud alert configuration options are available:

Automatically lock users who report fraud: When a user reports fraud, Azure AD MFA authentication attempts are locked for the user account for 90 days or until an administrator unlocks the account. An administrator can review sign-ins against the sign-in report and take appropriate action to prevent future fraud. After that, an administrator can unlock the user account.

Code to report fraud during the first greeting: When users receive a phone call to perform multi-factor authentication, they usually press # to confirm their login. To report fraud, the user enters a code before pressing #. This code defaults to 0, but you can customize it.

Notifications
You can configure email notifications when users report fraud alerts. These notifications are typically sent to identity administrators because the user's account credentials are likely compromised.

OATH token
Azure AD supports the use of OATH-TOTP SHA-1 tokens that refresh codes every 30 or 60 seconds. Customers can purchase these tokens from the provider of their choice.

OATH TOTP hardware tokens typically have a secret key or seed pre-programmed into the token. These keys must be entered into Azure AD as described in the following steps. Secret keys are limited to 128 characters and therefore may not be compatible with all tokens. The secret key can only contain the characters a-z or A-Z and the digits 1-7 and must be encoded in Base32.

Programmable OATH TOTP hardware tokens that can be reset can also be set up with Azure AD in the software token setup flow.
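As an added example (not code from the video or from Microsoft), the following checks a vendor-supplied seed against the constraints described above (Base32, at most 128 characters, using the RFC 4648 Base32 alphabet of A-Z and 2-7) and generates and verifies RFC 6238 TOTP codes with HMAC-SHA-1 at a 30- or 60-second step; the demo seed is the RFC 6238 test key encoded in Base32, and the plus/minus one step verification window is an assumption.

```python
import base64
import hmac
import hashlib
import re
import struct
import time

MAX_SEED_CHARS = 128                 # limit stated above
ALLOWED_STEPS = (30, 60)             # refresh intervals stated above
_BASE32_RE = re.compile(r"^[A-Za-z2-7]+=*$")   # RFC 4648 Base32 alphabet: A-Z and 2-7

def validate_seed(seed: str) -> bytes:
    """Check a Base32 seed against the constraints above and return the raw HMAC key."""
    seed = seed.replace(" ", "").strip()
    if not seed or len(seed) > MAX_SEED_CHARS:
        raise ValueError("seed must be 1-128 characters")
    if not _BASE32_RE.match(seed):
        raise ValueError("seed is not valid Base32 (A-Z, 2-7)")
    padded = seed.upper() + "=" * (-len(seed) % 8)   # pad to a multiple of 8 chars
    return base64.b32decode(padded)

def totp_sha1(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1, the algorithm these tokens use."""
    if step not in ALLOWED_STEPS:
        raise ValueError("time step must be 30 or 60 seconds")
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_code(seed: str, submitted: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps to absorb token clock drift."""
    key = validate_seed(seed)
    for skew in range(-window, window + 1):
        expected = totp_sha1(key, unix_time + skew * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

if __name__ == "__main__":
    # Constructed seed: Base32 of the RFC 6238 test key "12345678901234567890".
    demo_seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp_sha1(validate_seed(demo_seed), int(time.time())))
```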

Phone call settings
When users receive phone calls for MFA prompts, you can configure their experience, such as the caller ID or voice greeting they hear.

Custom voice messages
The custom voice messages feature allows you to use your own recordings or greetings for Azure AD Multi-Factor Authentication. These messages can be used in addition to or in place of the standard Microsoft recordings.

Trusted IPs
The Trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor authentication prompts for users who sign in from a defined IP address range. You can set trusted IP ranges for your on-premises environments so that you don't see an Azure AD Multi-Factor Authentication prompt when users are located in one of these locations.

End user experience within the corporate network
When the Trusted IPs feature is disabled, browser flows require multi-factor authentication and legacy rich client applications require app passwords.

End user experience outside the corporate network
Regardless of whether trusted IP addresses are defined, browser flows require multi-factor authentication. Legacy rich client applications require app passwords.

Verification methods
You can select the verification methods available to your users in the service settings portal. When your users sign up their accounts for Azure AD Multi-Factor Authentication, they select their preferred verification method from the options you enabled.

The Remember Multi-Factor Authentication feature allows users to bypass subsequent verifications for a specified number of days after they successfully log in to a device using multi-factor authentication. To improve the user experience and minimize the number of times a user must perform MFA on the same device, choose a duration of 90 days or more.

Please take the opportunity to connect with your friends and family and share this video with them if you find it useful.