Hey y'all, Mark back for another quick MFA (multi-factor authentication) mailbag. Now I know what you might be thinking: another MFA mailbag? Where are the others? Didn't you just start this up? Well, you might not know that we've done 20+ mailbag posts over the last few years that made it through various blog platform moves. You can find all of the previous ones here, and there is some really good stuff in there. Check out the back catalog. The topic we've covered most, however, is MFA--let's keep that train rolling.
Question: I’ve followed best practices and enabled MFA for all my admins but now we can’t login to anything via PowerShell. How do we leave Azure MFA enabled but still use PowerShell?
Answer: You have old PowerShell cmdlets that need some updating.
You’ll need to use the v1 MicrosoftOnline (MSOL) and v2 AzureAD PowerShell modules and, while you’re at it, you'll probably need the rest of O365 services such as using MFA with Exchange Online PowerShell. You'll know you are in business when you see the modern authentication/web flow. Then you’re good to go.
Question: I'm protecting access to my admin accounts by using MFA [good decision there! -editor], is there any guidance on how I should set up an admin account to be able to access my tenant in a break glass/disaster scenario?
Answer: Yes, and the key thing is to do it BEFORE you need it. See the guides on utilizing secure Break Glass accounts and a resilient access control management strategy to plan ahead of a disaster. If you haven't done this yet, do it ASAP!
Question: When I receive a verification code via text message/SMS on my mobile phone, how long is the code valid for?
Answer: The code is valid for 3 minutes.
Question: My company uses Azure MFA on-premises server with AD FS. How can we take advantage of this new "Conditional Access" with SaaS applications that I have configured in Azure AD?
Answer: By default, Azure AD will use Azure MFA in the cloud. However, you can configure Azure AD to use the MFA of the identity provider like AD FS with Azure MFA Server. You'll want to run
Set-MsolDomainFederationSettings -DomainName contoso.com -SupportsMFA $true
This tells Azure AD that the IDP (here, AD FS) is responsible for handling MFA. You can find more about this command here. We actually covered the flow of this in a previous post. See this mailbag, question 5. AD FS supports this natively, but if you’re using a non-Microsoft identity provider check with them to see if they also support it.
Question: I'm using Azure MFA Server. If we have to store username and password within the MFA user portal or mobile website web.config, is there any way to encrypt the credentials?
Answer: If you decide to configure username/password credentials in the web.config of the MFA user portal and MFA mobile web apps and don’t want to use certificate-based authentication, but you also want to encrypt the credentials being stored in the web.config, here’s how to do it:
- Back up the web.config of both your user portal and mobile web sites just in case
- From the web server that hosts your user portal and web mobile site, open up a command prompt with admin credentials
- From the command prompt, navigate to C:\Windows\Microsoft.NET\Framework64\v4.0.30319
- Then run the following command against both of the directories that host your user portal and mobile web sites:
Here you can see my web.config before I ran this with the username/password in clear text:
And then after running this command, voila, the credentials are now encrypted:
For any questions, you can reach us at AskAzureADBlog@microsoft.com, Tech Communities or on Twitter @AzureAD, @MarkMorow and @Alex_A_Simons. You can also ask questions in the comments of this post. Check out our previous mailbag posts!
-Mark Morowczynski, David Gregory and Chad Hasbrook