How to setup multiple authentication methods in Azure MFA

Table of Contents

Case #

A common situation which cloud administrators find themselves in, is the need for setting up MFA access to an Azure or Microsoft 365 admin or user account for more than one users, each one using their own second factor authentication method. This is generally not a good security practice, but the need to use more than one second factor authentication methods to a single Azure or Microsoft 365 arises as a fail-safe mechanism which allows access to an account in case the primary authentication method cannot be used for any reason.

This article provides guidance on how to setup multiple authentication methods in Azure MFA.

Solution #

First off, the Azure AD admin needs to configure which authentication methods will be available to Azure MFA. The available Azure AD authentication methods are documented at: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods. Configuring the available authentication methods is accomplished by navigating to the Azure AD management portal at https://aad.portal.azure.com and navigate to Security – Authentication methods.

The authentication methods policies page shows the available authentication methods.

The following authentication methods are generally available in Azure AD.

Be aware that Microsoft now applies the combined MFA and SSPR registration policy, as described at: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined. This means that Azure AD users can now do a single registration of their authentication methods and utilize this registration for both MFA and SSPR, as opposed to two registrations required previously, one for each method. There are two modes of combined registration: interrupt and manage.

  • Interrupt mode is a wizard-like experience, presented to users when they register or refresh their security info at sign-in.
  • Manage mode is part of the user profile and allows users to manage their security info.

After the proper authentication methods have been configured, Azure AD admin needs to configure MFA for administrators and end users. Microsoft Security Defaults is highly recommended and Microsoft is making Security Defaults the mandatory option for secure authentication. Details on how to initially enable MFA for a user or admin in Azure AD can be found in the following article: https://stefanos.cloud/kb/how-to-configure-multi-factor-authentication-in-microsoft-365/.

After MFA has been enabled for a user or admin by the Azure administrator, the user or admin should navigate to https://mysignins.microsoft.com, to setup additional authentication options.

On this page you can change an existing authentication method or add a new one.

References #

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

Powered by BetterDocs