Why multi-factor authentication? – Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user’s password, it is useless without also having possession of the trusted device. Should the user lose the device, the person who finds it won’t be able to use it unless he or she also knows the user’s password.
Methods available for two-step verification on Azure
When a user signs in, an additional verification is sent to the user. The following is a list of methods that can be used for this second verification.
Phone call
A call is placed to a user’s registered phone asking them to verify that they are signing in by pressing the # sign or entering a PIN.
Text message
A text message is sent to a user’s mobile phone with a six-digit code. The user enters this code to complete the verification process.
Mobile App Notification
A verification request is sent to a user’s smartphone asking them to complete the verification by selecting Verify in the mobile app. This will occur if you selected app notification as your primary verification method. If the user receives this request when they are not signing in, they can choose to report it as fraud.
Mobile app verification code
The mobile app, which is running on a user’s smartphone, displays a 6-digit verification code that changes every 30 seconds. The user finds the most recent code and enters it on the sign-in page to complete the verification process. This will occur if you selected a verification code as your primary verification method.
3rd party OATH tokens
Azure Multi-Factor Authentication can be configured to accept 3rd party verification methods.
Azure Multi-Factor Authentication provides selectable verification methods for both cloud and server. This means that you can choose which methods are available for your users: phone call, text, app notification, or app codes. For more information, see selectable verification methods.
How to enable multi-factor authentication for an Azure user
Step 1 – Log in to the Azure portal and go to “Azure Active Directory” -> click on “Users and Groups” -> “All users” (refer to screenshot 1)
Step 2 – Click on “Multi-Factor Authentication” at the top of the right-side pane; this opens a new window/tab for the remaining steps (refer to screenshot 1)
Step 3 – In the new window, select the user for whom you want to enable multi-factor authentication -> then click on “Enable”
To change the state using Azure AD PowerShell, you can use the following. You can set State to one of the following states:
[!IMPORTANT] We discourage moving users directly from the Disabled state to the Enforced state. Non-browser-based apps will stop working because the user has not gone through MFA registration and obtained an app password. If you have non-browser-based apps and require app passwords, we recommend that you go from the Disabled state to Enabled. This allows users to register and obtain their app passwords. After that, you can move them to Enforced.
The views have the following values based on the MFA state of the users:
Disabled – This is the default state for a new user not enrolled in multi-factor authentication.
Enabled – The user has been enrolled in multi-factor authentication, but has not completed the registration process. They will be prompted to complete the process the next time they sign in.
Enforced – The user may or may not have completed registration. If they have completed the registration process, then they are using multi-factor authentication. Otherwise, the user will be prompted to complete the process at next sign-in.
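As an added example (not code from the original post), the following Azure AD PowerShell helper reads a user’s current per-user MFA state and applies a new one, refusing the Disabled -> Enforced jump that the note above warns about. It assumes the MSOnline module is installed and you have already run Connect-MsolService with an admin account; the UPN in the usage line is a constructed placeholder.

```powershell
# Added example, not from the original post. Assumes the MSOnline module
# (Get-MsolUser / Set-MsolUser) and an existing Connect-MsolService session.

function Get-UserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $req  = $user.StrongAuthenticationRequirements | Select-Object -First 1
    # No StrongAuthenticationRequirement object means per-user MFA is Disabled.
    if ($null -eq $req) { return 'Disabled' }
    return $req.State          # 'Enabled' or 'Enforced'
}

function Set-UserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Disabled','Enabled','Enforced')]
        [string]$State
    )
    $current = Get-UserMfaState -UserPrincipalName $UserPrincipalName

    # Guard from the note above: moving straight from Disabled to Enforced
    # breaks non-browser apps before the user can register and get an app password.
    if ($current -eq 'Disabled' -and $State -eq 'Enforced') {
        throw "${UserPrincipalName} is Disabled; set it to Enabled first, then Enforced."
    }

    if ($State -eq 'Disabled') {
        # An empty requirements array clears per-user MFA (Disabled).
        $requirements = @()
    } else {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'      # applies to all relying parties
        $req.State        = $State   # 'Enabled' or 'Enforced'
        $requirements = @($req)
    }

    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements $requirements
    Write-Host "${UserPrincipalName}: $current -> $State"
}

# Usage (constructed placeholder UPN): first Enabled, later Enforced once registered.
# Set-UserMfaState -UserPrincipalName 'user@contoso.example' -State 'Enabled'
# Set-UserMfaState -UserPrincipalName 'user@contoso.example' -State 'Enforced'
```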
Step 4 – Click on “Enable Multi-factor Auth”
Done. Now you can ask the user to log in with his/her existing credentials; if the user has not registered a contact number for two-step verification, Azure will prompt them to set up a mobile number at first login.
Alternatively, you can force the user to set up the account at first login using the “Manage User Setting” option as below.