CyberSecurity // Azure // Frontend // Svelte // Cloud Native // Software // CyberSecurity // Azure // Frontend // Svelte // Cloud Native // Software

Enabling 2FA

Enabling 2FA for your Microsoft tenant!

Multi-factor authentication, or 2-factor authentication in this case, requires users to provide more than a single form of verification to access their accounts. In addition to entering a matching email and password combination, users must also present a mobile phone device or a biometric factor to gain entry into their environment. Common second factors are using a SMS text message, a mobile phone authenticator app, a fingerprint scan or a face scan using Windows Hello.

Image: Microsoft Multi Factor Authentication (MFA)

Adding an additional authentication factor is an important first step in creating a safe and secure working place. Below is a quick overview on how to enable MFA for your Microsoft 365 environment.

Enabling MFA

Login to the Azure Portal via portal.azure.com. We will be making changes to the security settings of our Microsoft tenant through the portal.

Search for Microsoft Entra ID

When logged in to the Azure Portal, search for the 'Microsoft Entra ID' service. Entra ID is the new name of Azure Active Directory. When found, click on the service to open up its dedicated page. s

Image: Search for Entra ID

On the left hand side there will be a blade menu, where we will select the 'Properties' menu item. Entra ID Properties

Image: Entra ID Properties

Open security defaults

On the bottom select 'Manage security defaults', and turn on the toggle button. This will enable a list of best practice security defaults for your Microsoft environment.

Enable security defaults

Image: Enable security defaults

What are the security defaults?

As of 2023, these security defaults include 5 topics that are relevant for most situations:

1: Requiring all users to register for multifactor authentication

All users are given a 14-day window to register through the Microsoft Authenticator app or any app supporting OATH TOTP. Once the 14-day period elapses, users will be unable to sign in until the registration process is finalized. The 14-day countdown for a user begins subsequent to their initial successful interactive sign-in after activating security defaults.

2: Requiring administrators to do multifactor authentication

Administrators have increased access to your environment. Because of the power these highly privileged accounts have, you should treat them with special care. One common method to improve the protection of privileged accounts is to require a stronger form of account verification for sign-in, like requiring multifactor authentication.

3: Requiring users to do multifactor authentication when necessary

We tend to think that administrator accounts are the only accounts that need extra layers of authentication. Administrators have broad access to sensitive information and can make changes to subscription-wide settings. But attackers frequently target end users.

4: Blocking legacy authentication protocols

To give your users easy access to your cloud apps, we support various authentication protocols, including legacy authentication. Legacy authentication is a term that refers to an authentication request made by:

Clients that don't use modern authentication (for example, an Office 2010 client)
Any client that uses older mail protocols such as IMAP, SMTP, or POP3

5: Protecting privileged activities like access to the Azure portal

After you enable security defaults in your tenant, any user accessing the following services must complete multifactor authentication:

Azure portal
Microsoft Entra admin center
Azure PowerShell
Azure CLI

Conclusion

Microsoft made it really easy to enable sensible defaults, that offer a great baseline protection to your Microsoft environment for all users. All we had to do was toggle a switch to enable these defaults for the entire organization.