In this article, we're going to talk about enabling MFA for applications that are accessed over the internet. This will force users accessing the application from the internet to authenticate with their primary credentials as well as a secondary using Azure MFA.
Enabling App Service Authentication for a Web App
In this guide step by step, I'm going to show you how to enable MFA for an Azure App Service web app so authentication is taken care of by Azure Active Directory, and users accessing the app are forced to perform multifactor authentication using conditional access policy that Azure AD will enforce. To set up the environment, We will assume there is an Azure web app that is deployed to Azure Portal
Open up the management blade for this app service, and let's scroll down to Authentication/Authorization. This allows us to add authentication for users accessing the app
Enable the App Service Authentication and Action to login with Active directory and then click Activity Directory option to configure
Select the express settings, and this will create an app registration in Azure Active Directory. The registration creates a service principle that represent the application and enables the functionality to grant it access to other Azure resources this will be using the app registration later when we create a conditional access policy to enforce Azure MFA. Click OK to enable this and save the changes.
Testing the app. Open a new browser and browse to the application address. You should be redirected to the Azure AD Login page to sign-in using your Azure AD credentials due enabling App Service Authentication.
Configuring MFA for an App Service Web App
We've got a working App Service web app with authentication set to redirect the user to log in with their Azure Active Directory credentials. Now let's create a conditional access policy that forces the user to use Azure MFA for this particular app.
From the Active Directory blade, Scroll down to the Conditional Access menu
Give the policy a name for the interface and select Users and groups, and I want this policy to apply to anyone accessing the application, but you could scope it to a particular Azure AD group, user, or a directory role.
Select the app that this policy will apply to, and we want to choose the app registration that was created for our App Service web app when we enabled authentication and authorization. So that's called appformfa. Click Done.
Go to Access controls, and it's set to grand access. Select require multifactor authentication, that. And don't forget to enable the policy and click Create. The policy is now enabled for the App Service.
Open up a new browser window, and navigate to the App Service web app URL, Log in with the same user as before.
If this user wasn't set up, they'd be prompted to set up MFA. The conditional access policy for the app is now requiring that the user log in with Azure MFA.
Enter the one-time passcode into the browser, and you will be brought into the app.
That is, we successfully enabled MFA for Azure web app.