Before Microsoft suffers another failure with their Azure multi-factor authentication (MFA) service, take these steps to ensure continued user access.
By Timothy Warner

Microsoft's recent failures with their Azure Active Directory (AD) multi-factor authentication (MFA) service have led many IT administrators to rethink their MFA deployment. In a previous 4sysops tutorial, I taught you how to protect administrative access to your Azure AD tenant and resources. Today I will do the same thing but will focus on end-user access.

Let me give you the high-level overview of what we'll do, and then I'll explain step by step. Our solution involves:

  • Creating an Azure AD group for emergency MFA override
  • Deploying MFA policy with a conditional access policy
  • Specifying our emergency access group as an exemption to that conditional access policy
  • Populating the emergency group with user accounts in the event of an Azure MFA outage

Create an emergency access group

Create an Azure AD security group (I call mine MFA Emergency Access) in your Azure AD tenant that will serve as your initially empty MFA override group. If you have an Azure AD Premium P1 or P2 license, you can create a dynamic group and automatically populate its membership based on user property values.

Creating an MFA emergency access group in Azure AD

Note: Be careful with dynamic groups here. This group must contain only the user accounts you want to exempt temporarily from the MFA policy. One approach is to programmatically set a user property that triggers the dynamic group's auto-population: in the event of an MFA outage, you start an Azure Automation runbook that changes that user property, which in turn populates your emergency access group. Of course, this assumes you still have administrative access to your Azure AD tenant and Azure resources. See my previous post on this subject for further details.

Creating the MFA Emergency Access group is insufficient; we also need to add this group to any role-based access control (RBAC) access lists within our subscription. In the next screenshot, you see me adding the group as a Contributor to my production resource group.

Granting the emergency account resource access

Finally, you want to audit all usage of this group over time. Fortunately, you can do this directly from the Azure portal, as shown in the next image. If you have an Azure AD Premium P2 subscription, you can conduct periodic access reviews with your teammates through Azure AD Privileged Identity Management (PIM).

Auditing emergency group activity

Define a user MFA conditional access policy

Microsoft recommends using conditional access policy to deploy MFA to your users. Note that conditional access requires an Azure AD Premium P1 or Premium P2 license.

Conditional access policy is a tremendous feature that allows you to define the environment under which you allow authentication to your Azure AD-secured applications. Today, however, we concern ourselves only with a single setting—that of enforcing MFA.

Here's the long story short. Our MFA User Policy includes the following properties:

  • Includes all of our relevant Azure AD users (putting them into groups and making assignments at the group level)
  • Excludes our MFA Emergency Access group
  • Enables the Require multi-factor authentication policy

I attempt to show you all of this in the following composite screenshot.

Our MFA User Policy conditional access policy

Makes sense, I hope?

Populate the group in an emergency

Let's say Microsoft experiences another MFA service outage. What do you do? Assuming you've configured emergency admin access to your Azure AD tenant and resources, your task is to populate the MFA Emergency Access group as quickly as possible.

As I mentioned earlier, your emergency group could be dynamic and auto-populate based on a user account property: you set a particular property on an account to a particular value, and that value triggers the account's inclusion in the group.

Creating custom Azure AD attributes is far beyond the scope of this tutorial, but I wanted to mention it for completeness. One option for easing the group population may be to periodically generate comma-separated value (CSV) files containing your Azure AD user accounts and store the files in a team-shared Azure storage account.

You then can fire up Azure Cloud Shell and script out the emergency group population like so (code adapted from Stack Overflow, naturally…hehe). Cloud Shell is super convenient because (a) your session already has the AzureAD module loaded, and (b) you're already authenticated.

# Resolve the emergency group by exact display name rather than hard-coding its ObjectId
$group = Get-AzureADGroup -Filter "displayName eq 'MFA Emergency Access'"
# adusers.csv is expected to contain a UserPrincipalName column
$adUsers = Import-Csv -Path .\adusers.csv |
    ForEach-Object { Get-AzureADUser -ObjectId $_.UserPrincipalName } |
    Select-Object -Property ObjectId
$adUsers | ForEach-Object { Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $_.ObjectId }
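A more robust version of that population step, as an added example that is not from the original article: it resolves the group by exact name, skips accounts that are already members so it can be re-run safely, and takes a -Clear switch to empty the group once the MFA service is back so the exemption window stays short. It assumes the AzureAD module and an authenticated Cloud Shell session, a group named 'MFA Emergency Access', and a CSV with a UserPrincipalName column (all of these are adjustable assumptions).

```powershell
<#
  Added example (not from the original article): idempotent population of the
  MFA Emergency Access group from Azure Cloud Shell, plus a -Clear switch to
  empty the group again once the MFA service is back.
  Assumptions: the AzureAD module is loaded and the session is signed in (true in
  Cloud Shell); the group is named 'MFA Emergency Access'; the CSV has a
  UserPrincipalName column. Names and paths are placeholders to adjust.
#>
param(
    [string]$GroupName = 'MFA Emergency Access',
    [string]$CsvPath   = '.\adusers.csv',
    [switch]$Clear
)

# Resolve the group by exact display name so a typo cannot silently target another group
$group = @(Get-AzureADGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName'; found $($group.Count)."
}
$groupId = $group[0].ObjectId

# Snapshot current members keyed by ObjectId so re-running the script is safe
$members = @{}
Get-AzureADGroupMember -ObjectId $groupId -All $true |
    ForEach-Object { $members[$_.ObjectId] = $_ }

if ($Clear) {
    # Outage over: remove every exemption and log who was removed
    foreach ($m in $members.Values) {
        Remove-AzureADGroupMember -ObjectId $groupId -MemberId $m.ObjectId
        Write-Output "Removed $($m.UserPrincipalName) from $GroupName"
    }
    return
}

foreach ($row in Import-Csv -Path $CsvPath) {
    try {
        $user = Get-AzureADUser -ObjectId $row.UserPrincipalName -ErrorAction Stop
    } catch {
        Write-Warning "Skipping $($row.UserPrincipalName): $($_.Exception.Message)"
        continue
    }
    if ($members.ContainsKey($user.ObjectId)) {
        Write-Output "Already a member: $($user.UserPrincipalName)"
        continue
    }
    Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $user.ObjectId
    Write-Output "Added $($user.UserPrincipalName) to $GroupName"
}
```

Run it without parameters during the outage and with -Clear afterwards; the Write-Output lines give you a record to compare against the group's audit log.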

For further learning

I will leave you with a couple more options to consider when planning how to protect Azure AD security principals in the event of an Azure MFA outage.

One idea is for you to create an Azure AD service principal (effectively the cloud equivalent to a service account in Windows Server) exempt from MFA policy and with a credential stored outside of Azure.

A second option to ponder is password-less Azure AD sign-in with a Fast Identity Online (FIDO2) hardware security key. As of this writing in early December 2018, FIDO2 authentication is available for Microsoft accounts. In time, I imagine it will be available for native Azure AD accounts as well.

1 Comment

Edwin, 4 years ago

    Hi Tim,

    Nice article, and a must in these days of outages and DNS errors.

    There's a screenshot missing at: Granting the emergency account resource access

© 4sysops 2006 - 2023