WEBVTT

0:00:03.240000 --> 0:00:11.140000
In this video, we're going to take a look at Azure MFA in practice.

0:00:11.140000 --> 0:00:15.880000
The topics that we're going to take and look at are really complex.

0:00:15.880000 --> 0:00:21.760000
It's simply a demonstration of working with Azure Multi-Factor Authentication.

0:00:21.760000 --> 0:00:28.060000
So let's go ahead and let's just jump right into that.

0:00:28.060000 --> 0:00:33.180000
I've got a set of users and some of these users are actually synchronized

0:00:33.180000 --> 0:00:36.960000
from an on-premises Active Directory domain.

0:00:36.960000 --> 0:00:41.780000
And simply put, I'm going to go ahead and configure Multi-Factor Authentication.

0:00:41.780000 --> 0:00:46.200000
The easiest way to get to overall Multi-Factor Authentication configuration

0:00:46.200000 --> 0:00:53.620000
is to actually start from the users window of the Azure AD blades.

0:00:53.620000 --> 0:00:56.780000
I've got my Azure Active Directory blade.

0:00:56.780000 --> 0:01:01.940000
I'm in the users window and I've got this link over to Multi-Factor Authentication.

0:01:01.940000 --> 0:01:05.580000
And what that's going to do is open up another window.

0:01:05.580000 --> 0:01:11.080000
It's actually going to open up another dashboard for my Multi-Factor Authentication.

0:01:11.080000 --> 0:01:16.440000
Now what's interesting with this is that there's actually two different

0:01:16.440000 --> 0:01:20.980000
interfaces for direct multi-factor authentication.

0:01:20.980000 --> 0:01:24.620000
One is kind of the general settings, which is where I am right now.

0:01:24.620000 --> 0:01:27.420000
And then I'm going to show you another one, which is the detailed settings.

0:01:27.420000 --> 0:01:32.600000
Now interestingly enough, for the detailed settings, you go back to the

0:01:32.600000 --> 0:01:34.640000
standard Azure portal.

0:01:34.640000 --> 0:01:37.480000
I'm hoping one day all of this is going to be there.

0:01:37.480000 --> 0:01:40.920000
It used to be actually three different locations, so we're getting better.

0:01:40.920000 --> 0:01:44.800000
But just be aware, you are going to jump around a little bit when you

0:01:44.800000 --> 0:01:47.520000
are implementing MFA.

0:01:47.520000 --> 0:01:51.680000
The first thing that I can do here is I can actually activate MFA for

0:01:51.680000 --> 0:01:52.660000
one or more users.

0:01:52.660000 --> 0:01:55.700000
And I can just multi-select users, select them all.

0:01:55.700000 --> 0:02:00.280000
I've got bulk update if I want to set a number of users.

0:02:00.280000 --> 0:02:02.380000
All I'm going to do is set it for one user.

0:02:02.380000 --> 0:02:07.200000
So I'm going to go ahead and enable MFA for Bob.

0:02:07.200000 --> 0:02:12.360000
That was easy. So now Bob has MFA.

0:02:12.360000 --> 0:02:17.280000
I am also going to take a look at some of my other settings for multi-

0:02:17.280000 --> 0:02:18.960000
factor authentication.

0:02:18.960000 --> 0:02:24.080000
So if I go to service settings, this is giving me my general settings

0:02:24.080000 --> 0:02:26.700000
for multi-factor authentication.

0:02:26.700000 --> 0:02:29.660000
The first is whether or not I want to use app passwords.

0:02:29.660000 --> 0:02:34.760000
And remember, these are for applications that can't use the cloud-based

0:02:34.760000 --> 0:02:39.140000
MFA. Then these are for Microsoft 365.

0:02:39.140000 --> 0:02:43.180000
And the one example that's always brought up is Outlook.

0:02:43.180000 --> 0:02:45.280000
I have a couple of other interesting things here.

0:02:45.280000 --> 0:02:49.900000
First of all, I can skip multi-factor authentication if I've got federated

0:02:49.900000 --> 0:02:51.220000
users on my intranet.

0:02:51.220000 --> 0:02:56.060000
So if I'm using a federation server and it recognizes that it's local,

0:02:56.060000 --> 0:02:58.140000
then I don't need MFA.

0:02:58.140000 --> 0:03:03.220000
I can also set up ranges of IP addresses where I won't need MFA.

0:03:03.220000 --> 0:03:07.080000
Let's say, for example, I have a very secure area within my organization.

0:03:07.080000 --> 0:03:10.540000
If anybody's in that secure area, they are fine.

0:03:10.540000 --> 0:03:16.400000
They've already basically presented some kind of authentication beyond

0:03:16.400000 --> 0:03:18.480000
the computer. So we're fine.

0:03:18.480000 --> 0:03:20.140000
Anyway, we have that.

0:03:20.140000 --> 0:03:22.780000
I also have verification options.

0:03:22.780000 --> 0:03:24.740000
And notice call to phone is grayed out.

0:03:24.740000 --> 0:03:31.440000
That's because I'm actually running the trial right now for Azure AD Premium

0:03:31.440000 --> 0:03:34.100000
P2. But I can receive text messages.

0:03:34.100000 --> 0:03:36.220000
I can use a mobile app.

0:03:36.220000 --> 0:03:39.940000
And I can also get a verification code from a mobile app or from a hardware

0:03:39.940000 --> 0:03:42.980000
token. That of course would have to be set up.

0:03:42.980000 --> 0:03:49.300000
I can also allow users to remember MFA on devices they trust for a certain

0:03:49.300000 --> 0:03:53.640000
number of days. In this case 14 if I wanted to allow it, but I don't.

0:03:53.640000 --> 0:03:56.980000
So I actually haven't made any changes, so I don't need to save.

0:03:56.980000 --> 0:04:00.120000
And what I am going to do, though, is pop into the details.

0:04:00.120000 --> 0:04:01.880000
And I'm going to go to portal.

0:04:01.880000 --> 0:04:05.420000
And this is going to bring me right back to the standard Azure portal

0:04:05.420000 --> 0:04:09.120000
with the multi-factor authentication blade.

0:04:09.120000 --> 0:04:12.340000
I'm actually going to move up from where it currently is.

0:04:12.340000 --> 0:04:14.820000
I'm just going to move down through the options and show you what you

0:04:14.820000 --> 0:04:18.460000
have. First of all, account lockout.

0:04:18.460000 --> 0:04:24.240000
I can set up the rules for locking out based on failed MFA attempts.

0:04:24.240000 --> 0:04:27.700000
The first is how many failures would trigger a lockout.

0:04:27.700000 --> 0:04:32.700000
So for example, I could say if you have three failures, it's going to

0:04:32.700000 --> 0:04:34.120000
lock your account.

0:04:34.120000 --> 0:04:38.020000
And I could say that it's going, you have 60 minutes.

0:04:38.020000 --> 0:04:42.200000
So if I try twice and I don't lock my account, I have to wait 60 minutes

0:04:42.200000 --> 0:04:44.100000
before that resets.

0:04:44.100000 --> 0:04:47.620000
And then if it does get locked, I can set how long I want to lock it.

0:04:47.620000 --> 0:04:52.140000
So I could say 180 minutes and then save that.

0:04:52.140000 --> 0:04:58.160000
And hopefully I won't forget to do this correctly.

0:04:58.160000 --> 0:05:03.620000
Next, I have the ability to block or unblock users, which is exactly what

0:05:03.620000 --> 0:05:09.400000
it sounds like. A blocked user will not receive MFA requests, and authentication

0:05:09.400000 --> 0:05:12.360000
attempts are automatically denied.

0:05:12.360000 --> 0:05:16.660000
The user remains blocked for 90 days from the time they are blocked.

0:05:16.660000 --> 0:05:25.260000
I can add. I can block a user and I can define why that user is blocked.

0:05:25.260000 --> 0:05:28.520000
Fraud alerts. I can turn on fraud alerts.

0:05:28.520000 --> 0:05:31.800000
That's going to allow users to submit fraud alerts.

0:05:31.800000 --> 0:05:35.940000
And if a user submits a fraud alert, I can automatically block them.

0:05:35.940000 --> 0:05:38.700000
If they're receiving a phone call, I can give them the number.

0:05:38.700000 --> 0:05:40.900000
So if they get a phone call at 3 a.m.

0:05:40.900000 --> 0:05:44.960000
and they hear the start of the process that somebody's trying to log in

0:05:44.960000 --> 0:05:47.100000
and they know they're not trying to log in at 3 a.m.,

0:05:47.100000 --> 0:05:50.960000
they can just hit the zero and be done with it.

0:05:50.960000 --> 0:05:53.240000
Go ahead and turn that on.

0:05:53.240000 --> 0:05:54.940000
That updated quickly.

0:05:54.940000 --> 0:05:59.120000
Notifications, I can set up who's going to get notifications of things

0:05:59.120000 --> 0:06:00.840000
like fraud alerts.

0:06:00.840000 --> 0:06:09.700000
If I have other systems that I am integrating, I can upload CSV files

0:06:09.700000 --> 0:06:16.200000
with OATH tokens. If I have phone calls, I can set, as you can see, caller

0:06:16.200000 --> 0:06:20.840000
ID. I can allow for extension transfers.

0:06:20.840000 --> 0:06:23.100000
And also, I can add greetings.

0:06:23.100000 --> 0:06:27.040000
Again, this is all grayed out because I'm in the trial version of Azure

0:06:27.040000 --> 0:06:33.140000
AD Premium P2. Providers no longer apply, so it won't go there.

0:06:33.140000 --> 0:06:35.600000
Now, the next settings are MFA server.

0:06:35.600000 --> 0:06:39.620000
This is if you install the on-premises server.

0:06:39.620000 --> 0:06:43.320000
First is two-way text message timeout for the server.

0:06:43.320000 --> 0:06:46.160000
I can also use one-time bypass for the server.

0:06:46.160000 --> 0:06:48.760000
So if I've got somebody who needs to authenticate and, for whatever reason,

0:06:48.760000 --> 0:06:50.440000
they forgot their phone.

0:06:50.440000 --> 0:06:53.220000
They come to me at my office and say, hey, I really need to get in.

0:06:53.220000 --> 0:06:54.600000
Can you let me in?

0:06:54.600000 --> 0:06:59.260000
I could set up a one-time bypass for them, specify the user, how long

0:06:59.260000 --> 0:07:02.600000
I'm going to allow it, five minutes by default, and I have to specify

0:07:02.600000 --> 0:07:06.120000
a reason for it.

0:07:06.120000 --> 0:07:10.500000
If I'm using an MFA server, I can also set up caching rules.

0:07:10.500000 --> 0:07:15.360000
The purpose of caching rules is to minimize the number of times that somebody

0:07:15.360000 --> 0:07:21.140000
is going to be prompted or challenged for their second form of identification.

0:07:21.140000 --> 0:07:24.120000
In some cases, there may be a time delay because you're going through the

0:07:24.120000 --> 0:07:31.120000
on-prem server and into the actual cloud-based MFA, so you might have

0:07:31.120000 --> 0:07:33.180000
an app that's going to request multiple times.

0:07:33.180000 --> 0:07:36.300000
What this would do is just cache and say, okay, we're really just waiting

0:07:36.300000 --> 0:07:37.880000
for the first one to go through.

0:07:37.880000 --> 0:07:40.360000
Once that goes through, it'll ignore the others.

0:07:40.360000 --> 0:07:42.600000
And you can view the server status.

0:07:42.600000 --> 0:07:45.140000
The only other thing we have here is the activity report, which right now

0:07:45.140000 --> 0:07:49.300000
is going to be empty because, well, I haven't used this.

0:07:49.300000 --> 0:07:53.120000
All right, now let's take a look at the user experience and then we can

0:07:53.120000 --> 0:07:56.860000
wrap this up. I'm going to go ahead and open up another window.

0:07:56.860000 --> 0:08:05.040000
And I am going to log in to myappstopmarself.com.

0:08:05.040000 --> 0:08:08.120000
I'm going to log in as Bob.

0:08:08.120000 --> 0:08:21.920000
And put in Bob's password.

0:08:21.920000 --> 0:08:27.900000
And now, because Bob is at this point under multi-factor authentication,

0:08:27.900000 --> 0:08:33.400000
he is being prompted for more information because it's not been set.

0:08:33.400000 --> 0:08:36.080000
So I'm going to go ahead and go next.

0:08:36.080000 --> 0:08:41.080000
And I'm going to get a text message.

0:08:41.080000 --> 0:08:42.240000
I'm going to send it to my phone.

0:08:42.240000 --> 0:08:46.760000
I could also choose a mobile app, which I do have, but we'll just send

0:08:46.760000 --> 0:08:48.500000
this to my phone.

0:08:48.500000 --> 0:08:53.980000
And next. And now I wait for that code to come through and hopefully it'll

0:08:53.980000 --> 0:09:04.860000
come up and pop up on my watch because I love technology.

0:09:04.860000 --> 0:09:13.920000
And there we go.

0:09:13.920000 --> 0:09:16.640000
And verify that.

0:09:16.640000 --> 0:09:24.260000
And we're done. Now, if I've got apps like Outlook, Apple Mail, my child's

0:09:24.260000 --> 0:09:28.560000
office, and I need an app password, I would copy this and configure that

0:09:28.560000 --> 0:09:30.700000
application with that password.

0:09:30.700000 --> 0:09:35.020000
But as it is, I'm just going to go ahead and log in and I'm now logged

0:09:35.020000 --> 0:09:39.940000
in as Bob. And I passed my MFA.

0:09:39.940000 --> 0:09:45.020000
And that's really it in terms of user experience right now because I don't

0:09:45.020000 --> 0:09:45.940000
have any caching.

0:09:45.940000 --> 0:09:51.760000
Every time Bob logs in, Bob is going to be prompted for his second form

0:09:51.760000 --> 0:09:56.460000
of authentication, which in this case is a text to something he has, which