How do I enable MFA for a User
- One of the top ways Microsoft recommends to secure your Active Directory and Office 365 is by setting up multifactor authentication.
- Passwords remain the most popular form of verifying a user’s identity but are highly vulnerable to cyberattacks, like phishing and password spray.
- Enabling multi-factor authentication (MFA) ensures at least two verification factors are in place in order to block potential attackers from gaining access to systems where they could cause serious financial and operational damage.
In this article we will understand how can we enable MFA through Azure AD & using CoreView Portal.
A. Set up MFA using Azure AD
Multi-factor authentication can be enabled in Azure AD in a few different ways depending on the scenario and the type of Microsoft 365 license you currently have.
Enabling Azure Multi-Factor Authentication per User:
This is the traditional approach for requiring two-step verification. All users that you enable perform two-step verification each time they sign in. Enabling a user overrides any conditional access policies that might affect that user. While this method is preferred when making changes on an individual basis, it is now not recommended by Microsoft, as it can be time-consuming and error-prone to configure and manage for an entire organization.
Refer to this MSDN article for more information - Enable per-user Azure AD Multi-Factor Authentication
Enabling Azure Multi-Factor Authentication with Security Defaults:
Toward the end of 2019, Microsoft released security defaults to help protect organizations from identity-related attacks. These preconfigured security settings include enabling multi-factor authentication for all admin and user accounts. Microsoft is in the process of making these security defaults available to all license subscriptions. Depending on when your tenant was created, security defaults may already be enabled. If not, security defaults must be turned on in the Azure Portal.
- Go to the Microsoft 365 admin center at https://admin.microsoft.com.
- Select Show All, then choose the Azure Active Directory Admin Center.
- Select Azure Active Directory, Properties, Manage Security defaults.
- Under Enable Security defaults, select Yes and then Save.
Enabling Azure Multi-Factor Authentication with a Conditional Access Policy:
This is a more flexible approach for requiring two-step verification and is the method recommended by Microsoft. It only works for Azure MFA in the cloud, though, and Conditional Access is a paid feature of Azure Active Directory, specifically Premium P1 or P2 editions.
You can create Conditional Access policies that apply to groups as well as individual users. High-risk groups can be given more restrictions than low-risk groups, or two-step verification can be required only for high-risk cloud apps and skipped for low-risk ones. Azure AD Premium P2 licenses add risk-based Conditional Access that can adapt to user patterns, tracking normal behavior to minimize multi-factor authentication prompts that aren’t deemed necessary.
To learn more about conditional access policy and how to create one kindly refer Create Conditional Access Policy
B. Enabling MFA through CoreView:
- Login to CoreView
- Under Manage Tab select User and click on Manage MFA
3. On the next page select the user(s) for whom you want to enable MFA
4. Click on Continue and then Proceed
5. Under General Tab --> Choose 'Enabled' from the Type dropdown.
6. Click on the blue button on the top right to execute the management action.
7. Once the management action executes successfully, the MFA will be enabled for the selected users.
Please note enabling MFA for a user doesn't enforce MFA unless user completes the MFA process in his/her next sign in to O365 page/app.
There are three different states of MFA
Enabled: The user has been enrolled in MFA but has not completed the registration process. They will be prompted to complete the registration process the next time they sign in.
Enforced: The user has been enrolled and has completed the MFA registration process. Users are automatically switched from enabled to enforced when they register for Azure AD MFA.
Disabled: This is the default state for a new user that has not been enrolled in MFA.
Keep in mind, regarding the enforced MFA user status, some older non-browser apps, like Office 2010 or earlier, modern authentication protocols won’t work. In order to enable MFA for user accounts in these apps, with Azure AD multi-factor authentication still enabled, app passwords can be used instead of the user’s regular username and password
To verify if MFA is enabled for a user or not using Coreview kindly refer coreview KB article How to Check Multifactor Authentication of a User
Was this article helpful?
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
We appreciate your effort and will try to fix the article