You may have seen in the recent tech news or unfortunately been affected by Microsoft's recent failures with their Azure Active Directory (AD) multi-factor authentication (MFA) service. Before this happens again (and it might), you need to protect both your administrative and user Azure ID identities.
Today I will teach you how to preserve emergency admin access to your Azure AD tenant and subscription resources. In a subsequent article, I will cover how to protect end-user Azure AD user accounts. Let's get to it!
First, stop using the old portal to assign MFA policy ^
The traditional path in Azure Resource Manager to configure MFA policies for your admins and users involves logging into the Azure portal, browsing to your Azure AD tenant, navigating to the Users blade, and clicking Multi-Factor Authentication. This click path takes you to an ancient MFA configuration portal, shown in the next figure.
You still need this portal to configure the global MFA settings (such as choosing which MFA methods you will allow). However, you should no longer use this interface to assign MFA policy to your administrative or end users. I suggest you instead deploy MFA policy by using a conditional access policy, which I'll discuss momentarily.
As it happens, any MFA assignments you make in the old portal override conflicting assignments via conditional access. Thus, if you plan to use conditional access policy to enforce MFA, you'll need to use this method exclusively.
Somewhat confusingly, the Azure portal also includes MFA policy settings, as shown in the next screenshot. To sum up, use the old MFA portal and Azure portal settings to define how the MFA service works, and use conditional access policies to assign MFA to your users.
Second, create a shared, dedicated emergency administrator account. ^
I suggest you create a new Azure AD user account with the following properties and permissions:
- A name that blends in with your end-user base; the idea is you never want this account to stand out to an attacker as an admin identity
- A strong passphrase (Microsoft has some guidance on this in their docs)—the basics are your passphrase not only should be long but should not be a word in any language's dictionary and should contain alphanumerics and non-alphanumerics in mixed case
- A policy in place that rotates the strong passphrase on a regular basis
- Assignment to the Global Administrators Azure AD role
- Assignment to the Owner role in relevant Azure subscriptions
- Strong auditing of all the account's sign-in and control plane activity
This emergency admin account is obviously a super-duper identity, and you and your team need to be on the same page regarding its ongoing protection. You will use this account only during an honest-to-goodness MFA outage on Microsoft's side.
What's key here is that we will exempt this emergency admin account from our yet-to-be-defined MFA conditional access policy.
Third, use conditional access policy to deploy MFA ^
Here we come to the heart of the matter. You need to know that conditional access policy requires that you have either Azure AD Premium P1 or Premium P2 licenses. In my opinion, this is a no-brainer for any business putting their proprietary data into the Azure cloud.
If you aren't yet aware, conditional access policies allow you to define the entire environment that allows or denies Azure AD authentication attempts to the Azure portal and your cloud-based applications. For instance, you can enforce logins from certain geographical areas, compliance with sign-in risk factors, and hardware platforms.
Microsoft plans to enable the Baseline policy: Require MFA for admins conditional access policy by default in the future, so we'll customize this one today for our purposes.
Modify the Exclude users property to include your previously created emergency access account; I show you this in the next screenshot.
If you've been dragging your feet a bit on enabling MFA, I strongly suggest you enforce for all of your Azure admins at least. As I said, Microsoft will gradually force you into this configuration anyway.
For example, MFA is required to use Azure AD Privileged Identity Management (PIM). Azure AD Identity Protection is based around assigning MFA to users with sign-ins deemed risky by the Microsoft Intelligent Security Graph (ISG).
The idea of configuring your emergency admin account as an eligible admin with Azure AD PIM is a compelling one; this way, the account remains a standard user unless and until you or a colleague requests administrative elevation. Sadly, however, PIM requires MFA for activation of the Global Administrator Azure AD role.
In my next tutorial, I will show you how to use conditional access policy to accomplish two goals:
- requiring MFA for selected user populations
- granting an emergency override to MFA to these users in the event of a Microsoft outage
See you then!