TagMFA

How do I know all my users are enabled for and using MFA?

More and more organizations is taking advantage of using MFA for their users and there is no reason for them not to since it`s free for all Office 365 users and also for all Azure AD users if you are not using the Office 365 services. But after you enable it for your users, are you sure everyone is enabled?

You may have seen at the Secure Score that not all users are registred for MFA, and if you do so you have users with no MFA! So these users may be victims for bruteforce attacks so it`s super important to remediate all users to see how everything is configured! Some of the users with no MFA maybe legit and should not have it.

So let`s dig into the materials for a second or two.

First thing is that there is a “Secure Score” check for MFA registered users that will show you how many of your users which are not registered (if any)

If you have any users in that list it would not show who the users are so we need to go deeper in the material to retreive this status.

So to get the list of users who don`t have setup MFA you need to run this PowerShell command with the AzureAD PowerShell module loaded.

Connect-MsolService

Get-MSOLUser -all | where {$_.StrongAuthenticationMethods.methodtype -eq $null} | Select Displayname,UserPrincipalName,BlockCredential,LastPasswordChangeTimestamp,UserType |Out-GridView

And now that we have found all users we can check them out why they don`t use MFA and make sure that they use it 🙂

Further on we can check what method users are using when authenticating with MFA. For this I use this script located in Technet PowerShell archives HERE

If you have deployed MFA the Conditional Access way (recommended) you will see that the MFA status on all user are set to “Disabled” but the method is set to what the user are using.

Have checking status on your users! 🙂

Get started with MFA – part one

You problably heard about multifactor authentication by now, but have you enabled it in your environment?  

If not! Please do so at once! I will in this short blogpost give you the direction to get started with MFA in Azure AD. 

So let`s just jump right into it.  

First things first – protect your admin accounts!  

With admin accounts i mean a account who has a additional role assigned other then beeing a regular user and to mitigate these users we will enable a Conditional Access who is requires MFA for all administrator accounts 

So navigate to Azure Active Directory in portal.azure.com 

Dive into “Security” -> “Conditional Access”  

Click the “Baseline policy: Require MFA for Admins (Preview) and choose to use it immidiatly 

So now you have successfully enabled MFA for all your admins! Great work 😊 

To make it easier for yourself you can now change the MFA verification from the default SMS to Authenticator app by visiting https://aka.ms/mfasetup and add the Authenticator app as a preffered method. 

Next up is to enable it for all your users and that i will cover in the next blog post – Stay tuned for “Get started with MFA – Part two” 🙂

© 2019 IdefixWiki

Theme by Anders NorénUp ↑