Azure AD MFA

Microsoft will soon enable multi-factor authentication (MFA) for all high-privileged Azure AD accounts, the company said on Friday.

The MFA feature will be part of Microsoft Azure AD's "baseline policy," a set of security features that are enabled for accounts to ensure a minimum level of security.

The "MFA-by-default for admin accounts" baseline policy is currently in a public preview phase, and any Azure AD customer can enable it by following the steps described here.

Microsoft says that once the feature goes out of "public preview" and into "general availability," the following Azure AD account types will be prompted to configure multi-factor authentication settings to access their accounts.

Global administrator
SharePoint administrator
Exchange administrator
Conditional access administrator
Security administrator

Azure AD multi-factor authentication options include:

Call to phone
SMS security code
Notification through mobile app
OATH verification code from mobile app

Azure AD tenants can opt out if it's an inconvenience

Azure AD tenants can opt out of this baseline policy for their organization if they wish, although security researchers advise against it.

"Attackers who get control of privileged accounts can do tremendous damage, so it’s critical to protect these accounts first," said Alex Simons, Director of Program Management, Microsoft Identity Division.

Third Azure AD feature launched last week

Last week, Microsoft also announced the public preview of two other Azure AD tools. The first is named Azure AD Password Protection and was designed to help customers eliminate easily guessable passwords from their setups.

The second is named Azure AD Smart Lockout and is a tool that detects brute-force attacks and temporarily locks access to the targeted accounts.

In 2016, Microsoft decided to ban users from using passwords that had been included in leaked lists of passwords that originated from data breaches at other companies.

At the time, Microsoft said its infrastructure handled over 13 billion authentications per day, of which 1.3 billion were for Azure AD accounts. Of these 13 billion, Microsoft said over 10 million authentication requests were malicious in nature.
