Multifactor authentication is a common way to protect enterprise workloads in the cloud. There are several factors to keep in mind when setting up the Azure Multi-Factor Authentication service so that it delivers the greatest benefit in the long run.
To set up Multi-Factor Authentication for Azure Active Directory (AD), administrators first need to enable the Multi-Factor Authentication service for their accounts. There is no additional cost to secure an administrator account, and it's something admins should always do, as it provides an additional layer of protection. The cost model only kicks in when users need to authenticate. But be sure to choose your model carefully -- in general, the per-user cost model, rather than the per-authentication model, is more cost-effective.
Enable Azure Multi-Factor Authentication for Azure administrators
Admins need to enable Azure Multi-Factor Authentication for their accounts via the classic portal. Microsoft has not yet released this functionality for the current Azure Resource Manager portal.
Log into the classic Azure AD, and select multi-factor auth providers. This will show any current Azure Multi-Factor Authentication configurations, as shown in Figure 1 below.
To create a new configuration, click the New button at the bottom left-hand corner, and fill out the required fields in the screen that pops up, as shown in Figure 2 below.
In general, it's best not to use the master Azure account for day-to-day administration, as it acts as the root account and organizations should attempt to protect it as much as possible. Instead, create and enable subadministrator accounts.
Extend on-premises systems with Azure AD Connect
With Azure AD Connect, admins can link their on-premises user directories to Azure AD. Among other useful features, this provides users with a single sign-on experience across cloud and on-premises systems. Microsoft does, however, have a list of prerequisites for installation.
Aim to simplify the login scenarios for users. For example, it's easier to use your company's email domain to log in, rather than the default assigned domain, which can be more difficult to remember. Always try to implement these items from the start.
Azure Multi-Factor Authentication devices
Microsoft does not support what are considered "classic" hard tokens. Instead, the vendor supports Open Authorization integrated security, and has three key ways to provide authentication: calls, texts and applications.
Since phones get lost and other problems arise, administrators should require users to register two alternate ways to authenticate, such as an application and a separate work phone. That way, users can always log on with at least one device, rather than waiting for an administrator to set up an exception.
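The two recommendations above (always enable MFA on administrator accounts, and require users to register at least two authentication methods) are easy to check against an exported user list. The following Python script is an added example, not Azure's API or the article's own tooling; the user records, the method names and the `audit_mfa` function are constructed here for illustration.

```python
"""Audit MFA posture over an exported user list (constructed sample data).

Two policy checks drawn from the article:
  1. every administrator account must have MFA enabled;
  2. every MFA-enabled user should have at least two registered
     authentication methods (e.g. an app plus a separate phone) so a lost
     device does not require an admin exception.
"""
from dataclasses import dataclass, field
from typing import List

# Methods Azure MFA offers, per the article: call, text or an authenticator app.
VALID_METHODS = {"call", "text", "app"}
MIN_METHODS = 2  # article's recommendation: two alternate ways to authenticate


@dataclass
class UserRecord:
    upn: str
    is_admin: bool
    mfa_enabled: bool
    methods: List[str] = field(default_factory=list)


def audit_mfa(users):
    """Return a list of (upn, finding) tuples; an empty list means compliant."""
    findings = []
    for u in users:
        unknown = set(u.methods) - VALID_METHODS
        if unknown:
            findings.append((u.upn, f"unknown method(s): {sorted(unknown)}"))
        if u.is_admin and not u.mfa_enabled:
            findings.append((u.upn, "administrator without MFA enabled"))
        if u.mfa_enabled and len(set(u.methods)) < MIN_METHODS:
            count = len(set(u.methods))
            findings.append((u.upn, f"only {count} registered method(s); need {MIN_METHODS}"))
    return findings


# Constructed sample export (hypothetical tenant, not real accounts).
SAMPLE_USERS = [
    UserRecord("root-admin@example.com", is_admin=True, mfa_enabled=True, methods=["app", "call"]),
    UserRecord("sub-admin@example.com", is_admin=True, mfa_enabled=False),
    UserRecord("alice@example.com", is_admin=False, mfa_enabled=True, methods=["text"]),
    # Registering the same method twice is not a second factor; it counts once.
    UserRecord("bob@example.com", is_admin=False, mfa_enabled=True, methods=["app", "app"]),
    UserRecord("carol@example.com", is_admin=False, mfa_enabled=False),
]

if __name__ == "__main__":
    for upn, finding in audit_mfa(SAMPLE_USERS):
        print(f"{upn}: {finding}")
```

Run against the sample data, the script flags the sub-administrator with MFA disabled and the two users who have only one distinct method registered; a duplicate registration of the same method is deliberately not counted as a backup.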
Understand role-based access controls
Administrators need to understand how to apply role-based access controls within Azure, as they also play an important part in security.
Also, consider trusted IP addresses, which allow multifactor authentication to be bypassed for sign-ins from specified networks. For example, users are typically not required to use multifactor authentication when they are on the local network, since that network is considered trustworthy. The bypass process is fairly straightforward for admins to implement.
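Because a trusted-IP range turns the MFA prompt off for everyone arriving from it, an admin will want to confirm that every MFA skip in the sign-in records is explained by a listed range and see how much traffic each range exempts. The Python script below is an added example that reproduces that decision over a simplified, constructed sign-in format; it is not Azure's sign-in log schema, and the `TRUSTED_RANGES`, the `review_bypasses` function and the sample addresses are assumptions made for illustration.

```python
"""Review MFA bypass decisions against a trusted-IP allow list.

Azure's trusted IPs feature lets sign-ins from listed ranges skip the MFA
prompt. The function below reproduces that decision for a set of sign-in
records so an admin can confirm (a) that every MFA skip is explained by a
trusted range and (b) how much of the bypass traffic each range accounts for.
Input lines use a constructed, simplified format, not Azure's sign-in log schema.
"""
import ipaddress
from collections import Counter

# Hypothetical trusted ranges, e.g. the corporate LAN and a VPN egress block.
TRUSTED_RANGES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),  # TEST-NET-3 documentation range
]


def trusted_range_for(ip_text, ranges=TRUSTED_RANGES):
    """Return the first trusted network containing ip_text, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net in ranges:
        if ip in net:
            return net
    return None


def parse_signin(line):
    """Parse 'timestamp user ip mfa=<performed|skipped>' into a dict."""
    ts, user, ip, mfa = line.split()
    return {"ts": ts, "user": user, "ip": ip, "mfa_skipped": mfa == "mfa=skipped"}


def review_bypasses(lines, ranges=TRUSTED_RANGES):
    """Return (unexplained_skips, bypass_counts).

    unexplained_skips: records where MFA was skipped but the source IP is in
        no trusted range; these point to a policy or logging problem.
    bypass_counts: Counter mapping trusted range -> number of skips it explained.
    """
    unexplained = []
    counts = Counter()
    for line in lines:
        rec = parse_signin(line)
        if not rec["mfa_skipped"]:
            continue  # MFA was performed; nothing to explain
        net = trusted_range_for(rec["ip"], ranges)
        if net is None:
            unexplained.append(rec)
        else:
            counts[str(net)] += 1
    return unexplained, counts


# Constructed sample sign-ins (hypothetical users and documentation addresses).
SAMPLE_LOG = [
    "2016-05-10T09:12:03Z alice@example.com 10.20.4.7 mfa=skipped",
    "2016-05-10T09:15:41Z bob@example.com 203.0.113.25 mfa=skipped",
    "2016-05-10T09:20:19Z carol@example.com 198.51.100.9 mfa=performed",
    "2016-05-10T09:22:58Z dave@example.com 198.51.100.44 mfa=skipped",
    "2016-05-10T09:30:07Z alice@example.com 10.20.9.1 mfa=skipped",
]

if __name__ == "__main__":
    bad, counts = review_bypasses(SAMPLE_LOG)
    for rec in bad:
        print(f"UNEXPLAINED SKIP: {rec['user']} from {rec['ip']} at {rec['ts']}")
    for net, n in counts.items():
        print(f"{net}: {n} bypass(es)")
```

On the sample data the skip from 198.51.100.44 is reported as unexplained, since that address is in neither trusted range, while the corporate LAN range accounts for two bypasses and the second range for one. Keeping the trusted list short makes this review easier and limits how many sign-ins never see a second factor.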