Before Microsoft suffers another failure with their Azure multi-factor authentication (MFA) service, take these steps to ensure continued user access.

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.

Latest posts by Timothy Warner (see all)

Microsoft's recent failures with their Azure Active Directory (AD) multi-factor authentication (MFA) service have led many IT administrators to rethink their MFA deployment. In a previous 4sysops tutorial, I taught you how to protect administrative access to your Azure AD tenant and resources. Today I will do the same thing but will focus on end-user access.

Let me give you the high-level overview of what we'll do, and then I'll explain step by step. Our solution involves:

  • Creating an Azure AD group for emergency MFA override
  • Deploying MFA policy with a conditional access policy
  • Specifying our emergency access group as an exemption to that conditional access policy
  • Populating the emergency group with user accounts in the event of an Azure MFA outage

Create an emergency access group ^

Create an Azure AD security group (I call mine MFA Emergency Access) in your Azure AD tenant that will serve as your initially empty MFA override group. If you have an Azure AD Premium P1 or P2 license, you can create a dynamic group and automatically populate its membership based on user property values.

Creating an MFA emergency access group in Azure AD

Creating an MFA emergency access group in Azure AD

Note: Be careful with dynamic groups here. We need this group to contain only user accounts to exempt temporarily from our MFA policy. One idea is you can programmatically set a user property that triggers dynamic group auto-population. In the event of an MFA outage, you start an Azure Automation runbook that sets the user property change, which in turn populates your emergency access group. Of course, this assumes you have administrative access to your Azure AD tenant and Azure resources. See my previous post on this subject for further details.

Creating the Emergency MFA Access group is insufficient; we also need to add this group to any role-based access control (RBAC) access lists within our subscription. In the next screenshot, you see me adding the group as a Contributor to my production resource group.

Granting the emergency account resource access

Finally, you want to audit all usage of this group over time. Fortunately, you can do this directly from the Azure portal, as shown in the next image. If you have an Azure AD Premium P2 subscription, you can conduct periodic access reviews with your teammates through Azure AD Privileged Identity Management (PIM).

Auditing emergency group activity

Auditing emergency group activity

Define a user MFA conditional access policy ^

Microsoft recommends using conditional access policy to deploy MFA to your users. Note that conditional access requires an Azure AD Premium P1 or Premium P2 license.

Conditional access policy is a tremendous feature that allows you to define the environment under which you allow authentication to your Azure AD-secured applications. Today, however, we concern ourselves only with a single setting—that of enforcing MFA.

Here's the long story short. Our MFA User Policy includes the following properties:

  • Includes all of our relevant Azure AD users (putting them into groups and making assignments at the group level)
  • Excludes our MFA Emergency Access group
  • Enables the Require multi-factor authentication policy

I attempt to show you all of this in the following composite screenshot.

Our MFA User Policy conditional access policy

Our MFA User Policy conditional access policy

Makes sense, I hope?

Populate the group in an emergency ^

Let's say Microsoft experiences another MFA service outage. What do you do? Assuming you've configured emergency admin access to your Azure AD tenant and resources, your task is to populate the MFA Emergency Access group as quickly as possible.

As I mentioned earlier, your emergency group could be dynamic and auto-populate depending on a user account property. You may want to set a flag such that if you set a particular property to a particular value, that triggers group compilation.

Creating custom Azure AD attributes is far beyond the scope of this tutorial, but I wanted to mention it for completeness. One option for easing the group population may be to periodically generate comma-separated value (CSV) files containing your Azure AD user accounts and store the files in a team-shared Azure storage account.

You then can fire up Azure Cloud Shell and script out the emergency group population like so (code adapted from Stack Overflow, naturally…hehe). Cloud Shell is super convenient because (a) your session already has the AzureAD module loaded, and (b) you're already authenticated.

For further learning ^

I will leave you with a couple more options to consider when planning how to protect Azure AD security principals in the event of an Azure MFA outage.

One idea is for you to create an Azure AD service principal (effectively the cloud equivalent to a service account in Windows Server) exempt from MFA policy and with a credential stored outside of Azure.

A second option to ponder is password-less Azure AD sign-in with a Fast Identity Online (FIDO2) hardware security key. As of this writing in early December 2018, FIDO2 authentication is available for Microsoft accounts. In time, I imagine it will be available for native Azure AD accounts as well.

Win the monthly 4sysops member prize for IT pros

1+

Users who have LIKED this post:

  • avatar
Share
1 Comment
  1. Edwin 4 months ago

    Hi Tim,

    Nice article, and a must in these days of outages and DNS errors.

    There's a screenshot missing at: Granting the emergency account resource access

     

    1+

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account