Hey everyone, I just wanted to remind you that Microsoft is implementing a phased approach to enforce mandatory multi-factor authentication for all Azure users. In this blog post, I will discuss various methods to identify accounts that are not secured with MFA.
Starting October 15th, 2024, Microsoft requires Multi-Factor Authentication (MFA) for users signing in to the Azure portal, the Microsoft Entra admin center, and the Intune admin center. If you cannot enable MFA for everyone before the deadline, you can request a postponement (see the section on postponing the enforcement date further down).
The next phase, covering Azure Command Line Interface (CLI), Azure PowerShell, the Azure mobile app, and Infrastructure as Code (IaC) tools, is scheduled to begin "in early 2025."
All users must use MFA for the admin portals and Azure clients listed in the table below. Note that the three admin portals share a single application ID, so a sign-in log filter on that one ID covers all of them.
Application name | App ID | Enforcement phase
Azure portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | Second half of 2024
Microsoft Entra admin center | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | Second half of 2024
Microsoft Intune admin center | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | Second half of 2024
Azure CLI | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 | Early 2025
Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 | Early 2025
Azure mobile app | 0c1307d4-29d6-4389-a11c-5cbe7f65d7fa | Early 2025
Infrastructure as Code (IaC) tools | Use the Azure CLI or Azure PowerShell IDs | Early 2025
Microsoft communicated this change by email, Service Health notification, Azure portal notification, and the Microsoft 365 message center. Sign in to the message center using the link and search for message ID MC862873.
The notifications are also visible in your own tenant.
What is Multi-factor Authentication?
Multi-factor authentication (MFA) is a security method that requires users to provide two or more pieces of evidence to verify their identity before accessing a service or a resource. The evidence can be something the user knows (such as a password or a PIN), something the user has (such as a phone or a token), or something the user is (such as a fingerprint or a face scan).
How MFA works
When MFA is set up, the user registers one or more additional authentication methods (for example an authenticator app, a phone number, or a hardware token). The service stores these registrations and, on later sign-ins, challenges the user for one of them in addition to the username and password. Only when both the password and the extra factor are verified does the sign-in succeed.
For example, when a user signs in to an account from a new device or application, MFA may require the username and password plus a one-time code generated by an authenticator app, or another registered factor, to verify their identity.
If you want to learn how to turn on Multi-factor Authentication, see the guide Enable Multi-factor Authentication.
Accounts affected by this change
All users logging in to the Azure portal, Azure CLI, Azure PowerShell, and Infrastructure as Code (IaC) tools like Azure Developer CLI, Bicep, Terraform, and Ansible to carry out any CRUD (Create, Read, Update, Delete) actions will need to use Multi-Factor Authentication (MFA) once the enforcement is in place.
Once enforcement begins, Multi-Factor Authentication (MFA) will be required for all user identities utilized as service accounts for executing automation, such as scripts or other automated tasks. Microsoft advises against using user identities for automation and recommends transitioning from user identities to workload identities.
Accounts that are out of scope
End users accessing apps, websites, or services hosted on Azure without signing into the Azure portal, CLI, or PowerShell are exempt from this Microsoft requirement. The authentication criteria for end users will continue to be managed by the owners of the respective app, website, or service.
Workload identities such as managed identities and service principals are not affected by this enforcement.
How to identify the impacted users in your tenant and get ready for the change
Below are the resources that can assist you in determining the users who are logging into Azure with and without MFA
Sign-in logs from Microsoft Entra ID
Use this PowerShell command to export a list of users and their auth methods
Use this Multifactor Authentication Gaps workbook
Use these App IDs in your queries
Azure portal: c44b4083-3bb0-49c1-b47d-974e53cbdf3c
Azure CLI: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Azure PowerShell: 1950a258-227b-4e31-a9cf-717495945fc2
Using Microsoft Entra ID sign-in logs
Sign in to https://entra.microsoft.com/ and open Sign-in logs under Monitor & health. Set the date range to suit you (last 1 month, 7 days, 24 hours, or a custom interval). Add a filter on Application, choose Contains, and enter one of the App IDs from the list above. Finally, add the Authentication requirement filter and select Single-factor authentication. Two caveats: the portal only holds sign-in logs for 30 days on Microsoft Entra ID P1/P2 (7 days on the free tier), so for a longer look-back you need the logs in Log Analytics, and Azure CLI and Azure PowerShell sessions often renew tokens silently, so check the non-interactive user sign-ins tab as well as the interactive one.
Multi-factor Authentication is enabled for all users in my case, which is why you can see it listed under Authentication Requirements.
Using PowerShell to get users' MFA status
To check the MFA status of users, either run the PowerShell commands below or download the Generate-MFA Report script. Update the export path; by default the script covers the last 30 days, which you can change to 7 or 15 days as needed. Authenticate with an account that has the required privileges.
Install-Module MsIdentityTools -Scope CurrentUser
Connect-MgGraph -Scopes Directory.Read.All, AuditLog.Read.All, UserAuthenticationMethod.Read.All
Export-MsIdAzureMfaReport .\report.xlsx
Prerequisites
PowerShell 7
Required Microsoft Entra role: Global Reader
Required permission scopes: Directory.Read.All, AuditLog.Read.All, UserAuthenticationMethod.Read.All
When the script finishes, open the exported file to see each user's MFA status, the Azure client they signed in to (portal, CLI, or PowerShell), and the authentication method used.
Details of the MFA status in the report
MFA Capable + Signed in with MFA: The user has registered MFA authentication methods and has signed in to Azure with MFA at least once.
MFA Capable: The user has registered MFA authentication methods but has only ever signed in to Azure with single-factor authentication.
Non-MFA Ready: The user has not registered an MFA method and has not signed in to Azure with MFA. This status may be inaccurate if your tenant uses identity federation or a third-party MFA provider, because Microsoft Entra may not see the second factor performed by the external IdP. Refer to MFA status when using identity federation for more details.
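The following script is an added example, not part of the original post and not code from the MSIdentityTools module; it reproduces the sign-in log filter described above (successful sign-ins to the listed app IDs, split by authentication requirement) and puts each user into the same three buckets as the report. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Beta.Reports modules are installed, that the signed-in account holds Global Reader with the scopes listed in the prerequisites, and that the tenant has Microsoft Entra ID P1/P2 so that 30 days of sign-in logs are available. The beta signIns resource is used because it exposes the authenticationRequirement property that the portal's Single-factor authentication filter reads; the filter expression and the output column names are my own.

```powershell
# Added example (not from the original post or the MSIdentityTools module).
# Assumptions: Microsoft.Graph.Authentication + Microsoft.Graph.Beta.Reports modules,
# Global Reader, Microsoft Entra ID P1/P2 (30-day sign-in log retention).
param(
    [int]$Days = 30,
    [string]$OutPath = ".\azure-mfa-gaps.csv"
)

Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "Directory.Read.All" -NoWelcome

# App IDs from the post. The three admin portals share the first ID; IaC tools
# (Bicep, Terraform, Ansible, azd) authenticate as Azure CLI or Azure PowerShell.
$azureApps = @{
    'c44b4083-3bb0-49c1-b47d-974e53cbdf3c' = 'Azure portal / Entra admin center / Intune admin center'
    '04b07795-8ddb-461a-bbee-02f9e1bf7b46' = 'Azure CLI'
    '1950a258-227b-4e31-a9cf-717495945fc2' = 'Azure PowerShell'
}

$since     = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
$appFilter = ($azureApps.Keys | ForEach-Object { "appId eq '$_'" }) -join ' or '
# Server-side filter on properties Graph lets you filter signIns by. Only successful
# sign-ins (errorCode 0) count; a failed single-factor attempt tells you nothing.
$filter  = "createdDateTime ge $since and status/errorCode eq 0 and ($appFilter)"
$signIns = Get-MgBetaAuditLogSignIn -Filter $filter -All

# Aggregate per user: how many sign-ins to these clients satisfied MFA, how many did not.
$byUser = @{}
foreach ($s in $signIns) {
    if (-not $s.UserId) { continue }   # skip anything that is not a user sign-in
    if (-not $byUser.ContainsKey($s.UserId)) {
        $byUser[$s.UserId] = [ordered]@{
            UPN                 = $s.UserPrincipalName
            MfaSignIns          = 0
            SingleFactorSignIns = 0
            Apps                = [System.Collections.Generic.HashSet[string]]::new()
        }
    }
    $u = $byUser[$s.UserId]
    # authenticationRequirement is 'multiFactorAuthentication' or 'singleFactorAuthentication'
    if ($s.AuthenticationRequirement -eq 'multiFactorAuthentication') { $u.MfaSignIns++ }
    else { $u.SingleFactorSignIns++ }
    [void]$u.Apps.Add($azureApps[$s.AppId])
}

# Combine with the authentication methods registration report to get the same
# three buckets the Export-MsIdAzureMfaReport output uses.
$report = foreach ($id in $byUser.Keys) {
    $u   = $byUser[$id]
    $reg = Get-MgBetaReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $id -ErrorAction SilentlyContinue
    $capable = [bool]$reg.IsMfaCapable
    $status  = if ($capable -and $u.MfaSignIns -gt 0) { 'MFA Capable + Signed in with MFA' }
               elseif ($capable)                       { 'MFA Capable' }
               else                                    { 'Non-MFA Ready' }
    [pscustomobject]@{
        UserPrincipalName   = $u.UPN
        MfaStatus           = $status
        MfaSignIns          = $u.MfaSignIns
        SingleFactorSignIns = $u.SingleFactorSignIns
        RegisteredMethods   = ($reg.MethodsRegistered -join ';')
        AzureClients        = ($u.Apps -join ';')
    }
}

$report | Sort-Object MfaStatus, UserPrincipalName | Export-Csv -Path $OutPath -NoTypeInformation
# Everyone outside the first bucket will be prompted or blocked once enforcement starts.
$report | Where-Object MfaStatus -ne 'MFA Capable + Signed in with MFA' | Format-Table -AutoSize
```

Run it as `.\Find-AzureMfaGaps.ps1 -Days 30` from PowerShell 7. Users who only ever appear with single-factor sign-ins, and users who are not MFA capable at all, are the ones to remediate; if the tenant federates authentication or uses a third-party MFA provider, treat the Non-MFA Ready bucket with the same caution the report documentation gives, since the second factor may be happening outside Microsoft Entra.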
Using Multifactor Authentication Gaps Workbook
The Multifactor Authentication Gaps workbook helps you pinpoint user sign-ins and applications that are not protected by multifactor authentication (MFA) requirements. This workbook:
Identifies user sign-ins without MFA protection.
Offers additional detailed views from different perspectives, such as application, operating system, and location.
Includes filters such as trusted locations and device state to narrow the search for users and applications.
Contains filters to scope the workbook to a specific group of users and applications.
Prerequisites
A Microsoft Entra tenant with a Microsoft Entra ID P1 (or P2) license
A Log Analytics workspace and access to it
The appropriate roles for Azure Monitor and Microsoft Entra ID
Create a Log Analytics workspace using the steps below
Step 1: Sign in to the Azure portal at https://portal.azure.com/, search for "Log Analytics" in the search box, and select Log Analytics workspaces.
Step 2: Click Create.
Step 3: Choose a subscription from the drop-down list, select an existing resource group or create a new one, give the workspace a name that is unique within the resource group, pick a region, and click Review + Create.
Step 4: The workbook queries the SigninLogs table, so the workspace must actually receive sign-in logs. In the Microsoft Entra admin center, go to Monitoring & health -> Diagnostic settings, add a setting that sends SignInLogs (and NonInteractiveUserSignInLogs, to catch CLI and PowerShell token renewals) to the workspace you just created. Data flows only from that point onward, so do this well before you need the report.
Now let's import the workbook
The MFA Gaps workbook is not available as a built-in template, but you can import it from the Microsoft Entra workbooks GitHub repository using the direct link to the Multifactor Authentication Gaps JSON file.
Or
Open the Application-Insights-Workbooks repository on GitHub, navigate to the Workbooks folder, then the Azure Active Directory folder, and finally the MultiFactorAuthenticationGaps folder, and open the .workbook file. Copy its JSON content.
Step 1: Sign in to the Microsoft Entra admin center at https://entra.microsoft.com/ with an account that has the required roles. Navigate to Identity -> Monitor & health -> Workbooks and click New.
Step 2: Open the Advanced Editor, paste the JSON copied from the GitHub repository, and click Apply. Then click Save As, give the workbook a name, choose the subscription, resource group, and location, and click Apply to finish creating the workbook.
Once the workbook is saved, it runs and fetches the account information. In my case, one particular account stands out for lacking MFA protection and will be impacted by the forthcoming change. The summary widget offers an in-depth view of sign-ins with and without multifactor authentication.
Postponement of the enforcement date
If you are unable to configure MFA before the specified date, you can request a postponement of the enforcement date using the steps below.
Click the link, select Postpone Enforcement, and then click Postpone.
If you get an error at this step:
Check that you have elevated access to all Azure subscriptions and management groups in your directory (the Global Administrator needs to elevate access to the root scope first).
If you have already configured any of the Multi-factor Authentication settings listed below, users will not notice any change
If your organization has kept Microsoft's security defaults and they are enabled, your users will not notice any change in behavior, because MFA is already required for Azure management.
If your tenant uses Conditional Access policies in Microsoft Entra and you have a policy that requires users to sign into Azure with MFA, then your users will not experience any differences.
Similarly, if you have stricter Conditional Access policies in place specifically for Azure that require stronger authentication, like phishing-resistant MFA, these policies will continue to be enforced, and your users will not see any adjustments.
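The following script is an added example, not part of the original post; it checks the two conditions listed above from Microsoft Graph PowerShell: whether security defaults are enabled, and whether any enabled Conditional Access policy requires MFA (or an authentication strength such as phishing-resistant MFA) for Azure management. It assumes the Microsoft.Graph.Identity.SignIns module and an account allowed to read policies. The application ID it targets, 797f4846-ba00-4fd7-ba43-dac1f8f63013, is the well-known "Windows Azure Service Management API" (Microsoft Azure Management) application that Conditional Access uses to cover the Azure portal, Azure CLI, and Azure PowerShell; it is not one of the IDs listed in the post and is included here as my own assumption about how such policies are typically scoped.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph.Identity.SignIns
# and an account with Policy.Read.All. The app ID below is the well-known
# "Windows Azure Service Management API" application targeted by CA policies
# for Azure management; it is an assumption of this script, not from the post.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$azureMgmtApp = '797f4846-ba00-4fd7-ba43-dac1f8f63013'

# Condition 1: security defaults already require MFA for Azure management.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Write-Output "Security defaults are enabled: MFA is already required for Azure management."
}

# Condition 2: an enabled Conditional Access policy covers Azure management.
# Only the 'enabled' state enforces anything; 'enabledForReportingButNotEnforced'
# (report-only) and 'disabled' policies do not protect anyone.
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled'

$covering = foreach ($p in $policies) {
    $apps         = $p.Conditions.Applications.IncludeApplications
    $targetsAzure = ($apps -contains 'All') -or ($apps -contains $azureMgmtApp)
    # 'mfa' is the classic grant control; an authentication strength (for example
    # phishing-resistant MFA) is the stricter form the post mentions.
    $requiresMfa = ($p.GrantControls.BuiltInControls -contains 'mfa') -or
                   ($null -ne $p.GrantControls.AuthenticationStrength.Id)
    if ($targetsAzure -and $requiresMfa) {
        [pscustomobject]@{
            Policy        = $p.DisplayName
            AllUsers      = ($p.Conditions.Users.IncludeUsers -contains 'All')
            ExcludedUsers = ($p.Conditions.Users.ExcludeUsers -join ';')
            Strength      = $p.GrantControls.AuthenticationStrength.DisplayName
        }
    }
}

if ($covering) {
    Write-Output "Enabled Conditional Access policies that require MFA for Azure management:"
    $covering | Format-Table -AutoSize
} elseif (-not $sd.IsEnabled) {
    Write-Output "Neither security defaults nor an enabled CA policy requires MFA for Azure management; expect prompts once enforcement starts."
}
```

Pay attention to the AllUsers and ExcludedUsers columns: a policy that only targets a group, or that excludes accounts (commonly emergency access accounts), leaves those users outside its MFA requirement, while the post states that Microsoft's enforcement applies to all users signing in to the listed clients.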
Conclusion
The methods explained in this post help you identify users who are not signing in to Azure with multi-factor authentication, so you can enable MFA for them or make the necessary account changes before Microsoft's deadline.