%3CLINGO-SUB%20id%3D%22lingo-sub-1497414%22%20slang%3D%22en-US%22%3EProtect%20and%20Secure%20Cloud-based%20Applications%20using%20Azure%20MFA%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1497414%22%20slang%3D%22en-US%22%3E%3CH3%20id%3D%22toc-hId-1175961177%22%20id%3D%22toc-hId-1175961177%22%3EIntroduction%3C%2FH3%3E%0A%3CP%3EIn%20this%20article%2C%20we're%20going%20to%20talk%20about%20enabling%20MFA%20for%20applications%20that%20are%20accessed%20over%20the%20internet.%20This%20will%20force%20users%20accessing%20the%20application%20from%20the%20internet%20to%20authenticate%20with%20their%20primary%20credentials%20as%20well%20as%20a%20secondary%20using%20Azure%20MFA.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--631493286%22%20id%3D%22toc-hId--631493286%22%3EEnabling%20App%20Service%20Authentication%20for%20a%20Web%20App%3C%2FH3%3E%0A%3CP%3EIn%20this%20guide%20step%20by%20step%2C%20I'm%20going%20to%20show%20you%20how%20to%20enable%20MFA%20for%20an%20Azure%20App%20Service%20web%20app%20so%20authentication%20is%20taken%20care%20of%20by%20Azure%20Active%20Directory%2C%20and%20users%20accessing%20the%20app%20are%20forced%20to%20perform%20multifactor%20authentication%20using%20conditional%20access%20policy%20that%20Azure%20AD%20will%20enforce.%20To%20set%20up%20the%20environment%2C%20We%20will%20assume%20there%20is%20an%20Azure%20web%20app%20that%20is%20deployed%20to%20Azure%20Portal%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%221.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202048iACCAA441798516A2%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%221.png%22%20alt%3D%221.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EOpen%20up%20the%20management%20blade%20for%20this%20app%20service%2C%20and%20let's%20scroll%20down%20to%20Authentication%2FAuthorization.%20This%20allows%20us%20to%20add%20authentication%20for%20users%20accessing%20the%20app%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%222.png%22%20style%3D%22width%3A%20416px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202049iADBDD6378C2D8894%2Fimage-dimensions%2F416x414%3Fv%3D1.0%22%20width%3D%22416%22%20height%3D%22414%22%20title%3D%222.png%22%20alt%3D%222.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEnable%20the%20App%20Service%20Authentication%20and%20Action%20to%20login%20with%20Active%20directory%20and%20then%20click%20Activity%20Directory%20option%20to%20configure%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%223.png%22%20style%3D%22width%3A%20485px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202050iCF06CE88D777E74C%2Fimage-dimensions%2F485x358%3Fv%3D1.0%22%20width%3D%22485%22%20height%3D%22358%22%20title%3D%223.png%22%20alt%3D%223.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESelect%20the%20express%20settings%2C%20and%20this%20will%20create%20an%20app%20registration%20in%20Azure%20Active%20Directory.%20The%20registration%20creates%20a%20service%20principle%20that%20represent%20the%20application%20and%20enables%20the%20functionality%20to%20grant%20it%20access%20to%20other%20Azure%20resources%20this%20will%20%26nbsp%3Bbe%20using%20the%20app%20registration%20later%20when%20we%20create%20a%20conditional%20access%20policy%20to%20enforce%20Azure%20MFA.%20Click%20OK%20to%20enable%20this%20and%20save%20the%20changes.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%224.png%22%20style%3D%22width%3A%20476px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202051i58DAA7ADB55C24CB%2Fimage-dimensions%2F476x502%3Fv%3D1.0%22%20width%3D%22476%22%20height%3D%22502%22%20title%3D%224.png%22%20alt%3D%224.png%22%20%2F%3E%3C%2FSPAN%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%225.png%22%20style%3D%22width%3A%20475px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202034i545C218DA07558F6%2Fimage-dimensions%2F475x485%3Fv%3D1.0%22%20width%3D%22475%22%20height%3D%22485%22%20title%3D%225.png%22%20alt%3D%225.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETesting%20the%20app.%20Open%20a%20new%20browser%20and%20browse%20to%20the%20application%20address.%20You%20should%20be%20redirected%20to%20the%20Azure%20AD%20Login%20page%20to%20sign-in%20using%20your%20Azure%20AD%20credentials%20due%20enabling%20App%20Service%20Authentication.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%227.png%22%20style%3D%22width%3A%20475px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202036iFE7BCB4D35887227%2Fimage-dimensions%2F475x368%3Fv%3D1.0%22%20width%3D%22475%22%20height%3D%22368%22%20title%3D%227.png%22%20alt%3D%227.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%228.png%22%20style%3D%22width%3A%20475px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202037i94E4D7CE7D4A9302%2Fimage-dimensions%2F475x487%3Fv%3D1.0%22%20width%3D%22475%22%20height%3D%22487%22%20title%3D%228.png%22%20alt%3D%228.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1856019547%22%20id%3D%22toc-hId-1856019547%22%3EConfiguring%20MFA%20for%20an%20App%20Service%20Web%20App%3C%2FH3%3E%0A%3CP%3EWe've%20got%20a%20working%20App%20Service%20web%20app%20with%20authentication%20set%20to%20redirect%20the%20user%20to%20log%20in%20with%20their%20Azure%20Active%20Directory%20credentials.%20Now%20let's%20create%20a%20conditional%20access%20policy%20that%20forces%20the%20user%20to%20use%20Azure%20MFA%20for%20this%20particular%20app.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFrom%20the%20Active%20Directory%20blade%2C%20Scroll%20down%20to%20the%20Conditional%20Access%20menu%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%229.png%22%20style%3D%22width%3A%20444px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202038i92B2E50A7EC139ED%2Fimage-dimensions%2F444x334%3Fv%3D1.0%22%20width%3D%22444%22%20height%3D%22334%22%20title%3D%229.png%22%20alt%3D%229.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGive%20the%20%26nbsp%3Bpolicy%20a%20name%20for%20the%20interface%20and%20select%20Users%20and%20groups%2C%20and%20I%20want%20this%20policy%20to%20apply%20to%20anyone%20accessing%20the%20application%2C%20but%20you%20could%20scope%20it%20to%20a%20particular%20Azure%20AD%20group%2C%20user%2C%20or%20a%20directory%20role.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESelect%20the%20app%20that%20this%20policy%20will%20apply%20to%2C%20and%20we%20want%20to%20choose%20the%20app%20registration%20that%20was%20created%20for%20our%20App%20Service%20web%20app%20when%20we%20enabled%20authentication%20and%20authorization.%20So%20that's%20called%20appformfa.%20Click%20Done.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%2212.png%22%20style%3D%22width%3A%20475px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202040i810E2A85C9955D53%2Fimage-dimensions%2F475x290%3Fv%3D1.0%22%20width%3D%22475%22%20height%3D%22290%22%20title%3D%2212.png%22%20alt%3D%2212.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%2213.png%22%20style%3D%22width%3A%20475px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202041i52CFBCB3975A4A12%2Fimage-dimensions%2F475x432%3Fv%3D1.0%22%20width%3D%22475%22%20height%3D%22432%22%20title%3D%2213.png%22%20alt%3D%2213.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EGo%20to%20Access%20controls%2C%20and%20it's%20set%20to%20grand%20access.%20Select%20require%20multifactor%20authentication%2C%20that.%20And%20don't%20forget%20to%20enable%20the%20policy%20and%20click%20Create.%20The%20policy%20is%20now%26nbsp%3B%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3Eenabled%20for%20the%20App%20Service.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%2214.png%22%20style%3D%22width%3A%20475px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202042i6E8A41B9CF91997F%2Fimage-dimensions%2F475x448%3Fv%3D1.0%22%20width%3D%22475%22%20height%3D%22448%22%20title%3D%2214.png%22%20alt%3D%2214.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%2215.png%22%20style%3D%22width%3A%20360px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202043iB2FEA4EAC40A6826%2Fimage-dimensions%2F360x615%3Fv%3D1.0%22%20width%3D%22360%22%20height%3D%22615%22%20title%3D%2215.png%22%20alt%3D%2215.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOpen%20up%20a%20new%20browser%20window%2C%20and%26nbsp%3B%20navigate%20to%20the%20App%20Service%20web%20app%20URL%2C%20Log%20in%20with%20the%20same%20user%20as%20before.%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%227.png%22%20style%3D%22width%3A%20475px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202036iFE7BCB4D35887227%2Fimage-dimensions%2F475x368%3Fv%3D1.0%22%20width%3D%22475%22%20height%3D%22368%22%20title%3D%227.png%22%20alt%3D%227.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%2216.png%22%20style%3D%22width%3A%20475px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202044iAFE8FB1838C36D1A%2Fimage-dimensions%2F475x364%3Fv%3D1.0%22%20width%3D%22475%22%20height%3D%22364%22%20title%3D%2216.png%22%20alt%3D%2216.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%2218.png%22%20style%3D%22width%3A%20477px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202045i26A199F7CB18790A%2Fimage-dimensions%2F477x406%3Fv%3D1.0%22%20width%3D%22477%22%20height%3D%22406%22%20title%3D%2218.png%22%20alt%3D%2218.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20this%20user%20wasn't%20set%20up%2C%20they'd%20be%20prompted%20to%20set%20up%20MFA.%20The%20conditional%20access%20policy%20for%20the%20app%20is%20now%20requiring%20that%20the%20user%20log%20in%20with%20Azure%20MFA.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEnter%20the%20one-time%20passcode%20into%20the%20browser%2C%20and%20you%20will%20be%20brought%20into%20the%20app.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%2219.png%22%20style%3D%22width%3A%20475px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202046i4DC9A3A118A2507A%2Fimage-dimensions%2F475x457%3Fv%3D1.0%22%20width%3D%22475%22%20height%3D%22457%22%20title%3D%2219.png%22%20alt%3D%2219.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%2220.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F202047iC349D0E9D884AD97%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%2220.png%22%20alt%3D%2220.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThat%20is%2C%20we%20successfully%20enabled%20MFA%20for%20Azure%20web%20app.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%3C%2FP%3E%0A%3CP%3EMagdy%20Salem%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECredit%3A%20The%20blog%20was%20inspired%20by%20Pluralsight%20course%20%3CA%20href%3D%22https%3A%2F%2Fapp.pluralsight.com%2Flibrary%2Fcourses%2Fmicrosoft-azure-multi-factor-authentication-implementing-managing%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20MFA%20Implementation%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1497414%22%20slang%3D%22en-US%22%3E%3CP%3EWe're%20going%20to%20talk%20about%20enabling%20MFA%20for%20applications%20that%20are%20accessed%20over%20the%20internet.%20This%20will%20force%20users%20accessing%20the%20application%20from%20the%20internet%20to%20authenticate%20with%20their%20primary%20credentials%20as%20well%20as%20a%20secondary%20using%20Azure%20MFA.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1497414%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EMagdySalem%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

Introduction

In this article, we're going to talk about enabling MFA for applications that are accessed over the internet. This will force users accessing the application from the internet to authenticate with their primary credentials as well as a secondary using Azure MFA.

 

Enabling App Service Authentication for a Web App

In this guide step by step, I'm going to show you how to enable MFA for an Azure App Service web app so authentication is taken care of by Azure Active Directory, and users accessing the app are forced to perform multifactor authentication using conditional access policy that Azure AD will enforce. To set up the environment, We will assume there is an Azure web app that is deployed to Azure Portal

1.png

Open up the management blade for this app service, and let's scroll down to Authentication/Authorization. This allows us to add authentication for users accessing the app

 

2.png

 

Enable the App Service Authentication and Action to login with Active directory and then click Activity Directory option to configure

 

3.png

 

Select the express settings, and this will create an app registration in Azure Active Directory. The registration creates a service principle that represent the application and enables the functionality to grant it access to other Azure resources this will  be using the app registration later when we create a conditional access policy to enforce Azure MFA. Click OK to enable this and save the changes.

 

4.png 

 

5.png

 

Testing the app. Open a new browser and browse to the application address. You should be redirected to the Azure AD Login page to sign-in using your Azure AD credentials due enabling App Service Authentication.

 

7.png

 

8.png

 

Configuring MFA for an App Service Web App

We've got a working App Service web app with authentication set to redirect the user to log in with their Azure Active Directory credentials. Now let's create a conditional access policy that forces the user to use Azure MFA for this particular app.

 

From the Active Directory blade, Scroll down to the Conditional Access menu

 

9.png

 

Give the  policy a name for the interface and select Users and groups, and I want this policy to apply to anyone accessing the application, but you could scope it to a particular Azure AD group, user, or a directory role.

 

Select the app that this policy will apply to, and we want to choose the app registration that was created for our App Service web app when we enabled authentication and authorization. So that's called appformfa. Click Done.

12.png

 

13.png

Go to Access controls, and it's set to grand access. Select require multifactor authentication, that. And don't forget to enable the policy and click Create. The policy is now enabled for the App Service.

14.png

 

15.png

 

Open up a new browser window, and  navigate to the App Service web app URL, Log in with the same user as before.     

 

7.png

 

16.png

 

18.png

 

If this user wasn't set up, they'd be prompted to set up MFA. The conditional access policy for the app is now requiring that the user log in with Azure MFA.

 

Enter the one-time passcode into the browser, and you will be brought into the app. 

19.png

 

20.png

 

 

That is, we successfully enabled MFA for Azure web app.

 

Thank you

Magdy Salem

 

Credit: The blog was inspired by Pluralsight course Azure MFA Implementation