Monday, June 23, 2014

Azure and Multi Factor Authentication

In light of recent management console attacks (e.g. the Code Spaces incident), I wanted to detail the steps to enable two-factor authentication on the Azure management portal.

First of all, there are two types of accounts at Microsoft: organizational ones and personal ones. For example, my MSDN account is registered under an email address that actually belongs to the "personal" side, even though it is a corporate account.

To enable two-factor authentication on a personal account, visit this link and sign in. Under the Security & Password tab, you will see the following section:


As you can tell from the screenshot above, I have already enabled two-factor authentication. If you have not, you will see a message in that space asking you to enable it. Follow the steps. On Android devices (or "other" in Microsoft vernacular) it ties in with the Google Authenticator app, the same app used for Google services.

Organizational accounts are different beasts, tied to Windows Azure Active Directory (WAAD). Inside my MSDN account, I have set up a default WAAD. I have also tied that to my personal domain (shamirc.com). I can now create users inside that WAAD instance and assign them different roles in the directory. I can also add them as administrators on my subscription. Pretty neat!

The first thing you need to do for organizational accounts such as the one described above is set up a multi-factor authentication provider. Details can be found here. After this is complete, you need to enable multi-factor authentication for each user inside the directory.


As you can see at the very bottom of this screenshot, after I've entered my directory there is a "manage multi-factor authentication" button. Click on that and you will be taken to a screen where you can enable MFA for selected users. Find the user(s) you want and click Enable.

The next time the user logs into any Microsoft site that signs in against the directory, they will see the following after they type in their password:

Follow the instructions and you are all set up!
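The per-user enable step above is also scriptable, which matters once you have more than a handful of users and want to check that nobody slipped through. The following PowerShell is an added example, not code from the original post: it uses the MSOnline module (the Windows Azure AD module of the time) and assumes you sign in as a directory administrator; the user principal name is a placeholder on the shamirc.com domain from the post.

```powershell
# Added example (not from the original post): enable per-user MFA on a WAAD
# organizational account from PowerShell instead of the portal, then list
# the users who still have no MFA requirement at all.
# Assumes the MSOnline module is installed (Install-Module MSOnline) and that
# Connect-MsolService is answered with directory-administrator credentials.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a directory admin

function Enable-UserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # A StrongAuthenticationRequirement with State = "Enabled" is what the
    # portal's Enable button sets. The user is prompted to register a second
    # factor at next sign-in; once registration completes the state moves
    # to "Enforced" on its own.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    $req.State = "Enabled"

    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-MfaStatusReport {
    # One row per user: Disabled when the requirements list is empty,
    # otherwise the State of the requirement (Enabled or Enforced).
    Get-MsolUser -All | ForEach-Object {
        $state = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
            $_.StrongAuthenticationRequirements[0].State
        } else {
            "Disabled"
        }
        [PSCustomObject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = $state
        }
    }
}

# Placeholder user (assumption, not an account from the post).
Enable-UserMfa -UserPrincipalName "alice@shamirc.com"

# The check a practitioner wants after clicking through the portal:
# anyone still listed as Disabled has no MFA requirement on the account.
Get-MfaStatusReport | Where-Object MfaState -eq "Disabled" | Format-Table -AutoSize
```

The report distinguishes Enabled from Enforced on purpose: a user left at Enabled has been asked to register but has not completed it, so their password alone still signs them in until they do.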

For reference, the official MS docs can be found here.