Description:

Requiring Multi-Factor Authentication (MFA) for all users means every interactive sign-in must present two or more verification factors, so a stolen, guessed or sprayed password alone no longer grants access. MFA adds a layer of protection on top of passwords against password theft, password spray and brute-force attacks. Note that not every MFA method resists phishing: SMS and voice-call codes can be relayed by a real-time phishing proxy, whereas FIDO2 security keys, passkeys and Windows Hello for Business are phishing-resistant. Prefer the Microsoft Authenticator app or a phishing-resistant method over phone-based methods wherever possible.

Rationale:

MFA is a critical security control that reduces the risk of unauthorized access to organizational resources by requiring a second factor in addition to the password, such as a push notification or one-time code from the Microsoft Authenticator app, a FIDO2 security key, or an SMS or voice call to a registered phone number. (Email is not an MFA sign-in method in Microsoft Entra ID; it is used only for self-service password reset.) Enforcing MFA for all users ensures that sensitive data and resources remain protected even if a user's password is compromised. This is especially important for organizations handling sensitive data or needing to comply with regulatory standards like HIPAA, GDPR, or SOC 2.

Impact:

Enforcing MFA significantly enhances the security of user accounts and organizational resources. Users must complete the MFA registration process, and every interactive sign-in gains an additional verification step. Clients that use legacy authentication protocols (for example, POP, IMAP or SMTP basic authentication) cannot complete an MFA challenge and will stop working once MFA is enforced, so legacy authentication should be inventoried and blocked as part of the rollout. Organizations should also keep dedicated, excluded emergency access (break-glass) accounts so that a misconfigured policy cannot lock administrators out, and ensure proper support is in place for users during the registration process.

Default Value:

By default, MFA is not enforced for all users in Microsoft Entra ID: neither per-user MFA nor a Conditional Access policy requiring MFA exists until an administrator configures one. The exception is security defaults, which are turned on for tenants created after October 22, 2019 and require all users to register for MFA within 14 days; tenants created before that date have security defaults off unless an administrator enabled them, and security defaults cannot be used alongside Conditional Access policies.

Pre-requisites:

  • A Microsoft Entra ID tenant (formerly Azure Active Directory, Azure AD). Per-user MFA and security defaults are available on the free tier; Conditional Access policies require Microsoft Entra ID P1 or P2 licensing.

  • Global Administrator or Privileged Authentication Administrator role permissions for the per-user MFA settings. Conditional Access policies can be managed by the Conditional Access Administrator or Security Administrator role; use the least-privileged role that can perform the task rather than a standing Global Administrator assignment.

  • Users must exist in the tenant (cloud-only or synchronized) with valid accounts, and at least two cloud-only emergency access (break-glass) accounts should already exist so they can be excluded from the MFA policy.

Audit:

  1. Sign in to the Azure portal (or the Microsoft Entra admin center) as a Global Administrator or Privileged Authentication Administrator.

  2. Navigate to Microsoft Entra ID > Security > Multifactor authentication, then open Additional cloud-based multifactor authentication settings (the per-user MFA page).

  3. Verify that the multi-factor auth status for every user is Enforced, not merely Enabled (Enabled only prompts the user to register at next sign-in). Alternatively, navigate to Microsoft Entra ID > Security > Conditional Access and verify that a policy in the On state (not Report-only) includes All users and All cloud apps, grants access only with Require multifactor authentication, and excludes nothing but the emergency access accounts.

  4. Navigate to Microsoft Entra ID > Security > Authentication methods > User registration details and confirm that all users show as MFA registered; users who are in scope of the policy but not yet registered will be forced to register at their next sign-in and will be unable to sign in until they do.
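The portal check above can be scripted so it runs on a schedule. The following Microsoft Graph PowerShell script is an added example, not part of the original control text or any Microsoft tooling; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules are installed and that the signed-in account can consent to the listed read-only scopes. It checks for an enabled Conditional Access policy that requires MFA for all users on all cloud apps, lists users who have not registered any MFA method, and flags users whose only registered methods are phone-based (phishable). It does not read the legacy per-user MFA state, which has no stable Graph v1.0 cmdlet in this example.

```powershell
# Added audit example: verify MFA enforcement and registration with Microsoft Graph PowerShell.
# Read-only scopes; adapt the phone-method list (an assumption) if your tenant uses other method names.
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All"

# 1. Is there an enabled (not report-only) Conditional Access policy requiring MFA for all users on all apps?
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}

if ($mfaPolicies) {
    foreach ($p in $mfaPolicies) {
        # Excluded users should be only the break-glass accounts; anything else is an audit finding.
        "[PASS] Policy '$($p.DisplayName)' requires MFA for all users. Excluded user IDs: $($p.Conditions.Users.ExcludeUsers -join ', ')"
    }
} else {
    "[FAIL] No enabled Conditional Access policy requires MFA for all users on all cloud apps"
}

# 2. Users with no MFA method registered will be blocked, or forced into registration, once the policy applies.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$notRegistered = @($registration | Where-Object { -not $_.IsMfaRegistered })
"$($notRegistered.Count) of $($registration.Count) users have no MFA method registered"
$notRegistered | Select-Object UserPrincipalName, UserType, MethodsRegistered | Format-Table -AutoSize

# 3. Users who only registered phone-based methods satisfy the policy but are exposed to real-time phishing proxies.
#    The method names below are the values returned by the registration report (assumed list; extend if needed).
$phoneMethods = 'mobilePhone', 'alternateMobilePhone', 'officePhone'
$phoneOnly = @($registration | Where-Object {
    $_.IsMfaRegistered -and
    @($_.MethodsRegistered | Where-Object { $_ -notin $phoneMethods }).Count -eq 0
})
"$($phoneOnly.Count) users rely solely on SMS/voice; prioritize them for Authenticator or FIDO2 enrollment"
$phoneOnly | Select-Object UserPrincipalName, DefaultMfaMethod, MethodsRegistered | Format-Table -AutoSize

Disconnect-MgGraph
```

Run the script from a workstation with the Microsoft Graph PowerShell SDK installed; the `[FAIL]` line and any non-empty phone-only list are the findings to record against this control.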

Implementation Steps (Manual):

  1. Sign in to Microsoft Entra ID:

    • Use an account with Global Administrator or Privileged Authentication Administrator privileges.

  2. Navigate to Multi-Factor Authentication Settings:

    • In the Azure portal, go to Microsoft Entra ID > Security > Multifactor authentication, then open Additional cloud-based multifactor authentication settings (the per-user MFA page).

  3. Configure MFA for All Users:

    • Under Users, select all users (or the specific users or group members that you wish to enable MFA for). Exclude the emergency access (break-glass) accounts.

    • Click Enable to turn on MFA for the selected users. The status changes to Enabled, which prompts each user to register at their next interactive sign-in; it changes to Enforced automatically once the user has registered, and only then is MFA actually required. You can also select Enforce directly for users who have already registered.

    • Per-user MFA is the legacy mechanism; Microsoft recommends Conditional Access (step 8) for tenants licensed for it, and a per-user state of Enforced should be reserved for tenants without Entra ID P1/P2.

  4. Review MFA Settings:

    • Review the MFA settings (trusted IPs, app passwords, remember MFA on trusted devices) to ensure they align with your organization's security requirements; in particular, avoid broad trusted IP ranges and disable app passwords, since both bypass the MFA requirement.

    • With Microsoft Entra ID P1 or P2, use Conditional Access policies to enforce MFA under specific conditions, such as sign-ins from untrusted locations or unmanaged devices, or to require a phishing-resistant authentication strength for administrators.

  5. Test MFA Setup:

    • Test by logging in with a pilot user account in a private browser session to verify that MFA is triggered, and confirm that a break-glass account can still sign in without it.

    • Users will be prompted to register for MFA the first time they log in. The methods they can choose from are controlled by the tenant's Authentication methods policy and typically include the Microsoft Authenticator app (push or one-time code), FIDO2 security keys or passkeys, and phone numbers (SMS or voice call). Email is not offered as an MFA sign-in method. Configure the policy so that Authenticator or a phishing-resistant method is the default and SMS/voice are fallbacks only.

  6. Communicate MFA Registration Process to Users:

    • Notify users about the MFA registration process and the verification methods available to them.

    • Provide instructions and support for any users who may encounter issues during the registration process.

  7. Monitor MFA Enrollment:

    • Monitor the progress of MFA registration by going to Microsoft Entra ID > Security > Authentication methods > User registration details (the same data is also surfaced under Multifactor authentication > Usage & insights).

    • Review users who are still not MFA registered, or who registered only SMS/voice, and help them complete registration with the Authenticator app or a security key. Registration campaigns (Authentication methods > Registration campaign) can nudge phone-only users toward the Authenticator app.

  8. Enforce MFA for All Users:

    • Once the majority of users are registered for MFA, enforce MFA with a Conditional Access policy so that it is required for every sign-in regardless of the per-user state:

      • Navigate to Microsoft Entra ID > Security > Conditional Access and create a new policy.

      • Under Users, include All users and exclude only the emergency access (break-glass) accounts. Under Target resources, include All cloud apps. Under Grant, select Grant access with Require multifactor authentication.

      • Enable the policy in Report-only mode first, review the sign-in log results for a few days, then switch it to On. Report-only reveals which users, apps and legacy clients would have been blocked before anyone is.

      • After the Conditional Access policy is On, set the per-user MFA state back to Disabled for the migrated users. Running both mechanisms at once causes duplicate prompts and makes the effective policy hard to reason about; Microsoft recommends migrating from per-user MFA to Conditional Access.
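The Conditional Access policy in step 8 can be created from PowerShell so that the rollout is reviewable and repeatable. The script below is an added example, not part of the original control text or any Microsoft tooling. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules are installed, that the signed-in account can consent to the listed scopes, and that the two break-glass user principal names (placeholders for your own accounts) already exist. It creates the policy in report-only mode with the break-glass accounts excluded and shows how to switch it on after the review period.

```powershell
# Added implementation example: create a "Require MFA for all users" Conditional Access policy in report-only mode.
# Policy.ReadWrite.ConditionalAccess and Application.Read.All are required to create Conditional Access policies via Graph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All","User.Read.All"

# Placeholder break-glass accounts (assumption): replace with your own emergency access UPNs.
$breakGlassUpns = @(
    'breakglass1@contoso.onmicrosoft.com',
    'breakglass2@contoso.onmicrosoft.com'
)

# Resolve the UPNs to object IDs; Conditional Access exclusions are expressed as object IDs, not names.
$breakGlassIds = foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id, UserPrincipalName
    if (-not $user) { throw "Break-glass account '$upn' not found; refusing to create a policy that could lock out admins" }
    $user.Id
}

$policy = @{
    displayName = 'Require MFA for all users'
    # Report-only: evaluated and logged in sign-in logs, but not enforced, until reviewed.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = $breakGlassIds
        }
        applications = @{
            includeApplications = @('All')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' with ID $($created.Id) in report-only mode"

# After reviewing the report-only results in the sign-in logs, turn the policy on with the same cmdlet family.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'

Disconnect-MgGraph
```

Leave the `Update-MgIdentityConditionalAccessPolicy` line commented until the report-only review is complete; for administrator accounts, a second policy that sets `grantControls.authenticationStrength` to the built-in Phishing-resistant MFA strength (instead of `builtInControls = @('mfa')`) is the stronger follow-up.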

Backout Plan (Manual):

  1. Sign in to the Azure portal as a Global Administrator or Privileged Authentication Administrator. Before disabling MFA for everyone, consider a narrower rollback: exclude only the affected users or group from the policy, or switch the Conditional Access policy from On to Report-only, so the rest of the tenant stays protected.

  2. Navigate to Multi-Factor Authentication Settings:

    • Go to Microsoft Entra ID > Security > Multifactor authentication, then open Additional cloud-based multifactor authentication settings (the per-user MFA page).

  3. Disable MFA for All Users:

    • Under the Users section, select all users (or the specific users or group members that MFA was enabled for).

    • Click Disable to turn off per-user MFA for the selected users. Disabling the state does not delete the methods users registered; they remain available when MFA is re-enabled.

    • If MFA was enforced through a Conditional Access policy, go to Microsoft Entra ID > Security > Conditional Access, open the policy and set Enable policy to Off (or Report-only), then save.

  4. Test Reverted Access:

    • Test a login for users to ensure MFA is no longer required and verify that the previous security posture is restored. Note that security defaults, if enabled, will still prompt for MFA.

  5. Review and Update Security Policies:

    • After disabling MFA, review your organization's security policies and determine what compensating controls are needed to secure user access (for example, blocking legacy authentication, restricting sign-in by location, or shortening session lifetimes). Record the exception, its owner and a date for re-enabling MFA, since accounts protected only by passwords remain exposed to password spray and phishing.

References:

Microsoft Entra ID - Multi-Factor Authentication
Enable or Disable Multi-Factor Authentication in Azure AD