Multi-factor authentication (MFA) is a security control that requires more than one independent method of authentication. Adding it to sign-in gives user accounts an additional layer of protection beyond the password: the user first proves something they know (such as a password) and then something they have (such as a smartphone) or something they are (a biometric, such as a fingerprint).
Azure MFA keeps sign-in simple for users while keeping data and applications safer by requiring that second form of authentication. An administrator chooses from several configuration options that determine whether, and under what conditions, users are challenged for MFA.
Azure MFA is part of the following offerings:
- Azure Active Directory (AD) Premium license: With this license, you can use both the Azure MFA Service (cloud) and Azure MFA Server (on-premises). The latter suits organizations that run AD FS and need to manage the MFA infrastructure components themselves.
- Azure AD Global Administrators: A subset of the MFA features is available for Global Administrator accounts in Azure AD.
- MFA for Office 365: A subset of the MFA features is available for Office 365 users.
With Azure MFA, you can use the following verification methods:

| Verification method | Description |
| --- | --- |
| Voice call | A call is placed to the user's registered phone. The user enters a PIN to complete verification. |
| Text message | A text message containing a six-digit code is sent to the user's mobile phone. The user enters this code on the login page. |
| Mobile app notification | A verification request is pushed to the authenticator app on the user's smartphone. If a PIN is configured, the user enters it and then selects Verify. |
| Mobile app verification code | The authenticator app on the user's smartphone displays a verification code that refreshes every 30 seconds. The user enters the code currently displayed on the login page. |
| Third-party tokens | Azure MFA Server can be configured to accept security tokens from third-party providers. |
| App passwords | Only in certain cases. Some non-browser apps do not support MFA; once a user is enabled for MFA, those apps can no longer authenticate with the user's normal password. An app password lets such an app keep authenticating. App passwords can only be created when MFA is enforced per user; if MFA is enforced through Conditional Access policies, they cannot be created, and applications governed by Conditional Access policies do not need them. |
In the upcoming sections, we will enable MFA for the Azure AD tenant, configure user accounts, configure fraud alerts, and configure bypass options.