
Multifactor Authentication in Azure: 8 Factors & How to Setup

What Is Microsoft Entra Multi-Factor Authentication (Previously Azure AD MFA)? 

Microsoft Entra (formerly known as Azure AD) is Microsoft’s flagship identity management solution. One of its main functions is to authenticate credentials when a user signs in to a device, application, or service. 

Microsoft Entra provides an integrated multi-factor authentication solution, which grants access only after successfully presenting two or more pieces of evidence (factors) to an authentication mechanism. These factors are usually something you know (like a password), something you have (like a smart card), and something you are (like a fingerprint or facial recognition).

The primary objective of multi-factor authentication is to create a layered defense system. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Multi-factor authentication makes it harder for potential intruders to gain access and steal personal data or information. Entra provides multiple verification methods that can be used to carry out multi-factor authentication.


Available Verification Methods in Entra MFA 

Here are some of the authentication mechanisms offered by Entra MFA.

1. Microsoft Authenticator

Microsoft Authenticator is a mobile app that lets users verify their identity quickly and securely. It authenticates sign-in attempts with push notifications, time-based one-time passwords (TOTP), or passwordless phone sign-in backed by a biometric or PIN. Users approve or deny a sign-in request with a tap on the mobile device. Microsoft enforces number matching for push notifications, so the user must type the number shown on the sign-in screen into the app; this stops an attacker who already has the password from harvesting a blind approval by spamming prompts (MFA fatigue).

The app also supports fingerprint, face, or PIN identification, adding another layer of security. Microsoft Authenticator is easy to use, and it doesn’t require the user to remember multiple passwords or enter verification codes manually. 

2. Authenticator Lite (in Outlook)

Authenticator Lite is a lightweight version of the Microsoft Authenticator app built into the Outlook mobile app. It lets users who have not installed Microsoft Authenticator complete the MFA step from Outlook, either by approving a push notification (with number matching) or by entering a TOTP code that Outlook displays.

Unlike the full Microsoft Authenticator app, Authenticator Lite does not support passwordless sign-in or the other Authenticator features; it covers the second-factor step only. It is a convenient option for users who already have Outlook on their phone, and it is stronger than SMS or voice call, which depend on the phone network rather than on the device.

3. Windows Hello for Business

Windows Hello for Business replaces the password on Windows devices with a key pair provisioned on the device (protected by the TPM where one is present). The user unlocks the private key locally with a face or fingerprint scan, or with a PIN; the biometric or PIN never leaves the device, and the server only ever sees a signature over its challenge.

Users can unlock devices, sign in to apps, and authenticate to online services without a password. Because the credential is bound to a specific device and cannot be typed into a fake sign-in page, Entra counts it as a phishing-resistant method, alongside FIDO2 keys and certificate-based authentication.

4. FIDO2 Security Key

FIDO2 security keys are physical devices that can be used to authenticate identity. They are built on the FIDO (Fast IDentity Online) authentication standard, which is designed to eliminate the need for passwords.

To use a FIDO2 security key, users plug it into their device or connect it via Bluetooth or NFC, then unlock it with a PIN or a biometric. The key signs a challenge that includes the origin of the site requesting authentication, so a credential registered for the real sign-in page will not respond to a look-alike phishing page. That origin binding is what makes FIDO2 resistant to phishing and to man-in-the-middle relay attacks, which defeat every OTP-based method on this list.

5. OATH Hardware Token (Preview)

OATH hardware tokens are small, portable devices that display one-time passwords (OTPs). OATH is the Initiative for Open Authentication, whose time-based OTP standard (TOTP, RFC 6238) these tokens implement. Entra supports TOTP tokens with a 30- or 60-second time step; the admin uploads a CSV listing each token's serial number and secret key (seed) and assigns the token to a user.

When users sign in, they type the code currently shown on the token. The code is not random: it is an HMAC of the token's secret seed and the current time step, so the token and Entra compute the same value independently, and each code is valid only for its time step (plus a small tolerance for clock drift). The strength of the scheme rests entirely on the seed staying secret, which is why the seed CSV must be handled as a credential file and deleted once the upload has been verified.

6. OATH Software Token

Similar to OATH hardware tokens, OATH software tokens also generate OTPs. However, instead of a physical device, the OTP is generated by a software application on the user’s smartphone or computer.

OATH software tokens use the same algorithm and offer comparable security to hardware tokens, with the convenience of not carrying a separate device, at the cost of the seed living on a general-purpose phone or computer that can be infected or backed up to the cloud. Both OATH forms are cheaper and easier to deploy than security keys, but neither is phishing-resistant: a code typed into a convincing fake sign-in page can be relayed to the real one within its validity window. Where the threat model includes credential phishing, prefer Windows Hello for Business or FIDO2 keys.
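The following PowerShell is an added example, not code from the article or from Microsoft. It implements the TOTP computation that both OATH hardware and software tokens perform, so you can see that a code is fully determined by the seed and the clock. The seed is the RFC 4226/6238 test key ("12345678901234567890") in base32; the 30-second step and 6 digits are assumptions matching the common token configuration.

```powershell
# Added example: RFC 6238 TOTP from a base32 seed, as an OATH token computes it.
# Seed below is the RFC 4226/6238 test key "12345678901234567890" (assumed, for illustration).

function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = [System.Text.StringBuilder]::new()
    foreach ($c in $Base32.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $v = $alphabet.IndexOf($c)
        if ($v -lt 0) { throw "Invalid base32 character '$c'" }
        [void]$bits.Append([Convert]::ToString($v, 2).PadLeft(5, '0'))
    }
    $s = $bits.ToString()
    $out = for ($i = 0; $i + 8 -le $s.Length; $i += 8) {
        [Convert]::ToByte($s.Substring($i, 8), 2)
    }
    return [byte[]]$out
}

function Get-Totp {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # Moving factor = floor(time / step), encoded as 8 big-endian bytes (RFC 4226).
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)
    $hmac.Dispose()

    # Dynamic truncation: low nibble of the last byte selects a 4-byte window,
    # the top bit is cleared, and the result is reduced modulo 10^digits.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
              ([int]$hash[$offset + 1] -shl 16) -bor
              ([int]$hash[$offset + 2] -shl 8) -bor
              [int]$hash[$offset + 3]
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

$seed = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'

# Same seed + same clock => same code on the token and on the server. Anyone holding
# the seed CSV can run exactly this and impersonate the token holder.
$t = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
"Current code:  $(Get-Totp -Secret $seed -UnixTime $t)"
"Previous step: $(Get-Totp -Secret $seed -UnixTime ($t - 30))"   # also accepted by a verifier tolerating one step of drift

# Self-check against the published RFC 6238 vector (SHA-1, T=59, 8 digits).
if ((Get-Totp -Secret $seed -UnixTime 59 -Digits 8) -ne '94287082') { throw 'TOTP self-test failed' }
```

Run it twice, 30 seconds apart, and the code changes while the seed does not; run it on two machines with the same seed and they agree. That is the reason the article's advice about seed handling matters more than the form factor of the token: a hardware token whose seed file leaked is no better than a software token on a compromised phone.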

7. SMS

With SMS verification, an OTP is sent to the user’s mobile phone via SMS, which they then enter to verify their identity.

SMS is the weakest method on this list: codes can be intercepted through SIM-swap attacks against the carrier, by malware on the phone, or simply by phishing the code itself. It is simple, requires no additional hardware or app, and remains a fallback for users who do not have a smartphone. Entra lets admins disable it tenant-wide in the Authentication methods policy; do so once users have registered a stronger method.

8. Voice Call

Voice call verification is similar to SMS verification. Instead of receiving an OTP via SMS, users receive a phone call and press the pound (#) key to approve the sign-in. It shares the weaknesses of SMS (call forwarding, SIM swap, social engineering of the carrier) and is best reserved as a fallback for users with no other option.


Limitations of Microsoft Entra MFA

While Microsoft Entra provides powerful MFA capabilities, it has some limitations. The following issues were shared by users via the G2 platform.

Cost Concerns

One of the main limitations of Microsoft Entra’s Multi-Factor Authentication (MFA) is the cost associated with its more advanced features. These features require paid subscriptions which can be expensive, especially for larger organizations. This pricing structure may be prohibitive for smaller businesses or those operating under tighter budget constraints.

Ecosystem Compatibility

Microsoft Entra integrates well with Microsoft’s suite of products but may face challenges when used with non-Microsoft platforms. This limitation can be significant for organizations that rely on a diverse set of software solutions. It can hinder its effectiveness in environments that do not primarily use Microsoft products.

User Experience and Complexity

The setup and management of Microsoft Entra can be complex and may overwhelm users, especially those not familiar with Microsoft’s ecosystem. This complexity is exacerbated when integrating Entra with non-Microsoft applications, often requiring additional configurations or steps that can complicate the user experience.

Internet Dependency

As a cloud-based solution, Microsoft Entra requires a consistent and stable Internet connection to function effectively. This dependency can pose challenges in regions with unreliable Internet access, where users may fail to receive push notifications or to reach the service at all, affecting the availability of the MFA step. Organizations in such areas should make sure users also register a method that works offline, such as a TOTP app or a hardware token.

License Management

Effective use of Microsoft Entra also involves careful license management. Access to specific features is contingent upon having the appropriate licenses, which requires meticulous planning and management to ensure compliance and operational efficiency. Organizations must ensure that they are compliant and optimize their license use without incurring unnecessary costs.

Tutorial: Setting Up Microsoft Entra Multi-Factor Authentication  

Before you can start setting up MFA, you need a Microsoft Entra ID license that includes Conditional Access: Microsoft Entra ID P1 or P2 (formerly Azure AD Premium P1 and P2), or a bundle that contains it, such as Microsoft 365 Business Premium. Tenants without a P1 license can still require MFA for everyone by turning on security defaults, but without the per-app and per-group targeting described below.

You also need the necessary admin privileges. To configure Conditional Access policies, you need the Global Administrator, Security Administrator, or Conditional Access Administrator role. Use the least privileged of these, Conditional Access Administrator, for the account that manages policies day to day.

You should also have a good understanding of your organization’s sign-in activity. You need to know which applications are used most frequently, and which users have access to these applications. 

Create a Conditional Access Policy

The conditional access policy will govern which users or groups are required to provide a second form of authentication when accessing certain apps or data.

To create a Conditional Access policy, open the Microsoft Entra admin center (or the Azure portal), select Microsoft Entra ID (still labeled Azure Active Directory in older portal versions), then Protection, and finally Conditional Access. Here, click New policy.

In the Assignments section, choose the users and groups the policy applies to, and under Target resources (labeled Cloud apps or actions in older portal versions) specify which apps require MFA. Always exclude at least one break-glass (emergency access) account from the users assignment, so that a misconfigured policy cannot lock every administrator out of the tenant.

Configure Which Apps Require MFA

To configure which apps require MFA, return to the Target resources (Cloud apps or actions) section of your Conditional Access policy and select the apps. You can apply the policy to all cloud apps, or specify individual apps.

Choosing the apps that require MFA should be a strategic decision. Consider the sensitivity of the data that each app holds, and the potential impact if this data were to fall into the wrong hands.

Configure MFA for Access

The next step in setting up multi-factor Authentication in Azure is to configure MFA for access. This means setting up the additional authentication methods that users will need to provide when signing in.

To configure MFA for access, navigate to the Access controls section of your policy. Here, choose Grant and then Require multi-factor authentication. With this setting, users must provide a second form of authentication in addition to their password: a fingerprint, a face scan, a mobile app notification, a code, or a phone call, according to the methods enabled in the tenant. Alternatively, choose Require authentication strength and select the built-in Phishing-resistant MFA strength, which accepts only Windows Hello for Business, FIDO2 security keys, and certificate-based authentication; this is the right choice for administrator accounts.

Activate the Policy

The last step before testing your setup is to activate the policy. Entra offers three states: Off, Report-only, and On. Start with Report-only: the policy is evaluated on every sign-in and its outcome is written to the sign-in logs, but nothing is enforced, which lets you find the users, service accounts, and legacy clients you forgot to exclude before they are locked out.

To activate your Conditional Access policy, go back to your policy settings, select Report-only under Enable policy, and click Save. After reviewing the logs for a few days, return to the policy and switch it to On.
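The same policy, created with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the article. It assumes a pilot group named MFA-Pilot and a break-glass account breakglass@contoso.example already exist (both are placeholders for your tenant), creates the policy in report-only state, and shows the call that later flips it to enforced.

```powershell
# Added example (not from the article): Conditional Access policy requiring MFA via Microsoft Graph.
# Assumed placeholders: group "MFA-Pilot" and user breakglass@contoso.example.
Install-Module Microsoft.Graph -Scope CurrentUser   # one-time, installs the SDK modules used below
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Group.Read.All','User.Read.All'

$pilotGroup = Get-MgGroup -Filter "displayName eq 'MFA-Pilot'"
$breakGlass = Get-MgUser -UserId 'breakglass@contoso.example'
if (-not $pilotGroup -or -not $breakGlass) { throw 'Pilot group or break-glass account not found; refusing to create an unscoped policy' }

$policy = @{
    displayName = 'Require MFA for all cloud apps (pilot)'
    # Report-only: evaluated and logged on every sign-in, nothing enforced yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeGroups = @($pilotGroup.Id)
            excludeUsers  = @($breakGlass.Id)   # the emergency account must never be subject to this policy
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After the report-only results in the sign-in logs look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Scripting the policy has a second benefit beyond repeatability: the hashtable above is the policy's full definition, so it can be checked into source control and diffed, which is how you notice that someone quietly removed the users exclusion or widened the includeGroups list.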

Test Your Microsoft Entra MFA Setup

Finally, it's time to test the MFA policy to ensure it works as expected. This is crucial for identifying problems before they affect your users. To test your MFA setup, sign in to an app that requires MFA with a user account the policy applies to. You should be prompted to provide a second form of authentication.

If the MFA prompt appears and you can sign in with the additional method, your MFA setup is working. Confirm it in the sign-in logs as well (Monitoring > Sign-in logs): open the test sign-in, check that the Authentication requirement column reads Multifactor authentication, and on the Conditional Access tab check that your policy shows Success (or Report-only: Success while the policy is still in report-only mode). If not, revisit the policy's assignments and target resources, or check that the user has registered a method that the tenant's Authentication methods policy allows.
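The following PowerShell is an added example, not part of the article, that does the same check from the sign-in logs with the Microsoft Graph SDK. It assumes the test account alice@contoso.example (a placeholder), an Entra ID P1 license (required for sign-in log retention), and an admin consenting to the AuditLog.Read.All scope.

```powershell
# Added example (not from the article): verify a Conditional Access MFA policy from the sign-in logs.
# Assumed placeholder: test user alice@contoso.example.
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'

$upn = 'alice@contoso.example'

# For each recent sign-in, show whether MFA was actually required and how each policy evaluated.
# Expect AuthenticationRequirement = multiFactorAuthentication and your policy = success once enforced;
# while in report-only mode the policy result reads reportOnlySuccess / reportOnlyFailure instead.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 10 |
    Select-Object CreatedDateTime, AppDisplayName, ConditionalAccessStatus, AuthenticationRequirement,
        @{ Name = 'Policies'; Expression = {
            ($_.AppliedConditionalAccessPolicies |
                Where-Object { $_.Result -ne 'notApplied' } |
                ForEach-Object { "$($_.DisplayName)=$($_.Result)" }) -join '; '
        } } |
    Format-Table -AutoSize
```

A sign-in that shows your policy as success but AuthenticationRequirement still singleFactorAuthentication usually means the session already carried an MFA claim from an earlier sign-in; test with a fresh browser session or a different client to see the prompt.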

Advanced MFA with Frontegg

Frontegg is a user management platform that offers comprehensive MFA capabilities: 

Adaptive MFA

Frontegg’s Adaptive MFA assesses the risk level of each login attempt, using advanced security engines to monitor for suspicious activities such as bots, unusual travel patterns, new devices, and breached passwords. When a login attempt is flagged as risky, users enrolled in MFA must complete an additional authentication step, ensuring robust protection. For users not enrolled in MFA, a one-time code is sent to their email.

Step-Up Authentication

Step-Up Authentication targets security at the application resource level. Basic access requires standard credentials, but actions involving sensitive information—like altering payment details or primary account settings—trigger the need for an additional authentication factor. This approach minimizes user friction during regular use and applies stricter security measures only when accessing critical parts of the application. 

By combining these adaptive and resource-specific security methods, Frontegg ensures a flexible, user-friendly, and secure authentication experience.
