BLOG
3.8.2018

Securing Azure Active Directory Administrators with Multi-Factor Authentication

Last updated:
8.9.2021

According to Centrify, in 2016 more than one billion credential records were stolen. Enabling Multi-Factor Authentication (MFA) is one of the best ways to prevent unauthorized users from accessing data.

MFA in Azure is free for your global administrators and is included with the following licensing options:

Review licensing options here.

Anyone looking to implement MFA should take into consideration the recommendations and guidance from organizations such as the National Institute of Standards and Technology (NIST) and the PCI Standards Council.

Something to note is NIST's stance discouraging the use of two-factor authentication systems that rely on SMS. NIST directs verifiers to consider "risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN (Public Switched Telephone Network) to deliver an out-of-band authentication secret."

While we regularly utilize Azure MFA, in a recent engagement we worked with a client to enable MFA for every user with administrative access to production resources. Those resources included, among others, Azure subscriptions, SQL databases, and Azure AD admin roles such as global (company), service, user account, device, and helpdesk administrators.

Using PowerShell and the Azure AD module, we were able to quickly identify these administrators.

To list the Azure AD admin roles that are active in the tenant, run Get-AzureADDirectoryRole. The following is what is returned.

With the exception of "Directory Readers", passing each role's ObjectId into the Get-AzureADDirectoryRoleMember cmdlet let us identify the users holding the respective admin role:

Get-AzureADDirectoryRoleMember -ObjectId <OBJECT ID>

Once we've identified the administrators across the various corners of the production Azure subscription, enabling MFA is a straightforward process. Microsoft outlines that process nicely here.
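As an added illustration (not code from the original post), the two identification steps above can be combined into a single pass with the Azure AD module: enumerate every active directory role, skip Directory Readers, and build one inventory of the user accounts that need MFA. It assumes the AzureAD module is installed and that Connect-AzureAD succeeds; the output file name is a placeholder.

```powershell
# Added example, not the post's own code. Requires the AzureAD module
# (Install-Module AzureAD) and an existing Connect-AzureAD session.

function Get-AzureAdAdminInventory {
    [CmdletBinding()]
    param(
        # Roles to skip; the post excludes Directory Readers because it is not an admin role.
        [string[]] $ExcludeRoles = @('Directory Readers')
    )

    # Get-AzureADDirectoryRole only returns roles that have been activated in the tenant.
    $roles = Get-AzureADDirectoryRole | Where-Object { $ExcludeRoles -notcontains $_.DisplayName }

    foreach ($role in $roles) {
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        foreach ($m in $members) {
            # Service principals can hold roles too; flag them separately, since
            # per-user MFA only applies to user accounts.
            if ($m.ObjectType -ne 'User') {
                Write-Warning "Role '$($role.DisplayName)' is held by non-user object $($m.ObjectId) ($($m.ObjectType))"
                continue
            }
            [pscustomobject]@{
                Role              = $role.DisplayName
                UserPrincipalName = $m.UserPrincipalName
                ObjectId          = $m.ObjectId
                AccountEnabled    = $m.AccountEnabled
            }
        }
    }
}

# Usage: one row per (role, user) pair; a user holding several roles appears once per role.
Connect-AzureAD | Out-Null
$admins = Get-AzureAdAdminInventory
$admins | Sort-Object UserPrincipalName, Role | Format-Table -AutoSize

# Distinct admin accounts to enforce MFA on (placeholder file name, useful for change tracking).
$admins | Select-Object -ExpandProperty UserPrincipalName -Unique |
    Sort-Object | Set-Content -Path .\admins-requiring-mfa.txt
```

Disabled accounts still show up in the inventory (AccountEnabled = False); review those rather than silently dropping them, since a re-enabled stale admin account is exactly the kind of access MFA is meant to cover.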

Administrator accounts in the wrong hands will have access to everything. Enabling Multi-Factor Authentication in Azure requires little effort. It is important to identify and secure these accounts with MFA.

Resources / additional reading:

MFA licensing options:
https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-cloud

MFA SMS Security:
https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf
https://pages.nist.gov/800-63-3/sp800-63b.html#pstnOOB

PowerShell Azure AD Module:
https://docs.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

Enabling MFA:
https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states
