End users setting up MFA for the first time. Experience and security?


We are working on a plan to force MFA for non-trusted IPs. But most of our users have not set up MFA yet. I'm concerned the setup process isn't simple enough and thinking about risk. How do you allow users to set up MFA securely?

I mean, if they don't have MFA set up yet, how do you verify it's them setting up MFA? All they would need to set up MFA is the username/password.

jb

6 Replies
There are a few ways to manage this:

- Some just use user communication and request the users to set up MFA preemptively
- Others use Identity Protection; there is a policy to require MFA setup.
- Some use scripts to check which users haven't set up MFA (https://techcommunity.microsoft.com/t5/azure-active-directory/report-on-users-with-mfa-enabled/m-p/1...)
Sorry I wasn't clear.

Our concern is when a user is going to set up MFA for the first time, if they do it themselves. How do you know it's them setting it up?

That seems like a risk. You're enabling MFA to reduce risk and add security, but you only have username/password when you're first setting up MFA to confirm it's them.

It would be better if I could use CA when the user sets up MFA to require the user to be on a trusted network or on a managed device.
This is also usually how we set it up, only allow MFA Registration from our own IPs or at least the countries we are active in.
Hi Jason,

1. Simplicity: Microsoft has released some cool MFA enhancements to make it easy for the user to adopt it without IT help. Please go ahead and try it.


https://techcommunity.microsoft.com/t5/azure-active-directory-identity/cool-enhancements-to-the-azur...

2. Risk: Enable the risky users reports, which will notify you if anyone logged in from an unfamiliar IP address; it works very well.

Thank you and hope it helps!
Moe

Hi @Jason_Benway,

As has been mentioned a couple of times above, you can secure the MFA registration process using Conditional Access policies - I wrote about this a while ago (when it entered preview) if you wanted some more context / background. See here: Security Information Registration & Conditional Access.

In short, CA allows you to determine the conditions under which Security Information can be registered: trusted location, compliant device, specific restrictions for high profile users etc. It's a highly flexible way of controlling registration.

Good luck! :)

Kelvin
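The Conditional Access approach described in this thread (block the "Register security information" user action unless the request comes from a trusted location), written out as a Microsoft Graph PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed, that a named location is already marked as trusted in the tenant, and the emergency-access account object ID is a placeholder you must replace.

```powershell
# Added example: create a report-only Conditional Access policy that blocks
# security info (MFA/SSPR) registration from any non-trusted location.
# Assumes: Microsoft.Graph PowerShell module, an existing trusted named location,
# and an account with the Conditional Access Administrator role.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your break-glass / emergency access account.
# Excluding it keeps you from locking yourself out of registration.
$breakGlassAccountId = "<object-id-of-emergency-access-account>"

$policy = @{
    displayName   = "Secure security info registration - trusted locations only"
    # Start in report-only mode; switch to "enabled" after reviewing the
    # sign-in logs to confirm only off-network registrations would be blocked.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            # Target the registration user action, not a cloud app.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations    = @{
            includeLocations = @("All")        # any location ...
            excludeLocations = @("AllTrusted") # ... except trusted named locations
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

To require a managed device instead of a trusted network, drop the `locations` condition and replace `builtInControls = @("block")` with `builtInControls = @("compliantDevice")`, which grants registration only from Intune-compliant devices.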