Getting Started with Azure Multi-Factor Authentication for Cloud Solution Providers

Introduction

The Microsoft Cloud Solution Provider (CSP) program was released in July 2014 to provide a scalable, flexible partner program. Designed to deepen customer relationships and expand business opportunities, the CSP program allows partners to:

Own and control billing
Sell combined offers and services
Deliver direct provisioning, management, and support

To achieve those capabilities, CSP partners need to integrate their backend systems and business processes with various Microsoft cloud services and processes. Once integration has taken place, CSP partners then have the ability to directly provision, manage and support clients within the Microsoft Office 365, Microsoft Azure, Dynamics CRM, and Enterprise Mobility Suite (EMS) product offerings.

The goal of this document is to help CSP organizations to quickly implement Azure Multi-Factor Authentication, part of the Enterprise Mobility Suite (EMS), as a solution for their clients.

This document provides guidance to support the setup and implementation Azure Multi-Factor Authentication (MFA) with Microsoft Online Services.

Scope

The scope of this document is the implementation guidelines for implementing Azure Active Directory Premium features and services, such as:

Configuring Azure Multi-Factor Authentication service settings
Enable Azure Multi-Factor Authentication for Azure Active Directory and Office 365 o Individual users via the console o Individual users via PowerShell o Bulk user management via the console o Bulk user management via PowerShell

Terminology

Term	Description
CSP	Cloud Solution Provider
EMS	Enterprise Mobility Suite
AAD	Azure Active Directory
MFA	Azure Multi-Factor Authentication
Partner Center	Portal for CSP Partners to administer their CSP offerings http://partnercenter.microsoft.com
End Customer	Organization that is managed by the CSP Partner
Azure Co-Administrator	Represents an administrator who can log in to the Azure Portal and deploy or create new resources against a subscription
SaaS	Software-as-a-Service

Before you start

This document assumes that the following conditions have been met:

The steps in the document, "Getting Started with the Office 365 and EMS for Microsoft Cloud Solution Providers", have been completed
The steps in the document, "Getting Started with Azure Active Directory Premium for Microsoft Cloud Solution Providers", have been completed
The end customer has EMS or Azure Multi-Factor Authentication licenses assigned to their subscription via the CSP Portal
The administrator completing these steps has co-administrator access to the Azure subscription
Windows Azure Active Directory Module for Windows PowerShell is installed and available for use

Configuring Azure Multi-Factor Authentication service settings

To provide the best user experience for their organization, there are number of elements to MFA that need to be agreed upon with the end customer.

The following table outlines those features and functions that will need the end customer's agreement. This will allow the CSP Partner to proceed with the configuration of MFA.

CSP Partners can leverage this table to provide the end customer with best practices for their managed service.

For more information, refer to the document Configuring Azure Multi-Factor Authenticationto fit the organization's needs.

MFA Service Setting	Description	End Customer Setting
App Passwords	In some apps, like Office 2010 or older and Apple Mail, you can't use Multi-Factor Authentication. To use these apps, you'll need to use "app passwords" in place of your traditional password. The app password allows the application to bypass MultiFactor Authentication and continue working.	Enable/Disabled
Trusted IPs	Trusted IPs is a feature of MultiFactor Authentication that allows administrators of a managed or federated tenant the ability to bypass MFA for users who are signing in from the company's local intranet. The features are available for Azure AD tenants who have Azure AD Premium, Enterprise Mobility Suite, or Azure Multi-Factor Authentication licenses.	Yes/No
Skip Multi-Factor Authentication for requests from federated users on my intranet	All federated users: All federated users who are signing in from inside the organization will bypass multi-factor authentication using a claim issued by AD FS.	Unselect/Select
Specific IP address ranges	Administrators can specify a range of IP addresses that can bypass MFA for users who are signing in from the company's intranet.	IP ranges:
Verification options	It is now possible to choose the authentication methods that are available to your users when using Azure Multi-Factor Authentication.	Methods available to users: Call to phone Text message to phone Notification through mobile app Verification code from mobile app
Remember Multi-Factor Authentication	Remember Multi-Factor Authentication is a feature that allows you to give users the option to suspend MFA for a set number of days after performing a successful sign-in using MFA.
Allow users to remember Multi-Factor Authentication on devices they trust		Unselect/Select
Days before a device must re authenticate (160):		Default: 14 days

When the above information has been gathered, sign in to the Azure Management Portal as a co-administrator for the end customer tenant.
Select the Azure Active Directory (AAD) tenant for the end customer:

Select the USERS tab.
At the bottom of the page, select MANAGE MULTI-FACTOR AUTH:

The Multi-Factor Authentication portal will be presented.
Select the service settings tab:

Configure the MFA Service Settings according to the end customer requirements.
Once complete, select save.

Enable Azure Multi-Factor Authentication for Azure Active Directory and Office 365

The following sections provide example scenarios for the enablement of MFA for end customer users.

The following table outlines the various statuses seen when using MFA.

Multi-Factor Authentication Status	Description	Non-browser apps affected (App Passwords will be required)
Disabled	This is the default state for a new user not enrolled or using multi-factor authentication.	No
Enabled	The user has been enrolled in multifactor authentication but has not completed the registration process. They will be prompted to complete the process at next sign-in.	No
Enforced	The user has been enrolled in multifactor authentication and completed the registration process.	Yes

Enable individual user via the console

In this example, an individual user account in the end customer AAD tenant requires MFA enabled via the Azure management portal.

Sign in to the Azure Management Portal as a co-administrator for the end customer tenant.
Select the AAD tenant for the end customer:

Select the USERS tab.
Select the MANAGE MULTI-FACTOR AUTH link at the bottom:

Select the check box next to the user account requiring MFA, and select Enable:

Select enable multi-factor auth when prompted:

Select close once MFA has been enabled for this user account:

The end customer's user will be prompted to complete the MFA registration process the next time they sign in to a Microsoft cloud service. Refer to section Appendix A – End
User MFA Registration Process for an example of the user experience.

Enable individual user via PowerShell

In this example, an individual user account
in the end customer AAD tenant requires MFA enabled via PowerShell.

Open Windows Azure Active Directory Module for Windows PowerShell.
Enter the following command:

$UserCredential = Get-Credential
When prompted, enter the credentials with Office 365 Global Administrator permissions to the end customer's subscription:

Select OK.
Enter the following command:

Connect-MsolService -Credential $UserCredential
PowerShell will now initiate a connection to the Office 365 subscription:

Run the following commands:

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"

$st.State = "Enabled"
$sta = @($st)
Run the following command to enable MFA for the user:

Set-MsolUser -UserPrincipalName <UPN> -StrongAuthenticationRequirements $sta

Example:

Set-MsolUser -UserPrincipalName john.doe@contoso.com -StrongAuthenticationRequirements $sta

Using the example above, the Windows Azure Active Directory Module for Windows PowerShell window will display:

Multi-Factor Authentication bulk update requirements

When there is a requirement to enable MFA for multiple users within the end customer organization, a CSV file is utilized to perform the bulk update process.

This CSV file is only used for enabling and disabling Multi-Factor Authentication based on the end customer usernames present in the file.

The column headings within the CSV file must match the column headings as shown in the sample file below:

Username
MFA Status

A sample CSV file can be downloaded and used for MFA bulk updates following these steps:

Sign in to the Azure Management Portal as a co-administrator for the end customer tenant.
Select the AAD tenant for the end customer:

Select the USERS tab.
Select the MANAGE MULTI-FACTOR AUTH link at the bottom:

Select bulk update:

Select Download a sample file:

Save the sample CSV file and edit with Microsoft Excel.

The Username column will need to be modified in order to add all of the end customer usernames that require MFA. Verify that the MFA Status column is set to Enabled.

Enable bulk users via the console

In this example, bulk users in the end customer AAD tenant requiring MFA enablement will be completed via the Azure management portal.

Sign in to the Azure Management Portal as a co-administrator for the end customer tenant.
Select the AAD tenant for the end customer:

Select the USERS tab.
Select the MANAGE MULTI-FACTOR AUTH link at the bottom:

Select bulk update:

Select BROWSE FOR FILE…:

Select the formatted CSV file containing the end customer usernames.
Select Open.
Select the right arrow once the CSV file has uploaded:

The CSV file will then be verified.
Once verified, select the right arrow:

When the bulk update has been completed, select the tick mark:

The MFA user portal will now update to display the users enabled via bulk upload:

Enable bulk users via PowerShell

In this example, bulk users in the end customer AAD tenant who require MFA enablement will be completed via PowerShell.

Edit the Bulk Update CSV file and verify that the end customer usernames requiring MFA enablement are present and correct in the Username column.
Open Windows Azure Active Directory Module for Windows PowerShell.
Enter the following command:

$UserCredential = Get-Credential
When prompted, enter the credentials with Office 365 Global Administrator permissions to the end customer's subscription:

Select OK.
Enter the following command:

Connect-MsolService -Credential $UserCredential
PowerShell will now initiate a connection to the Office 365 subscription:

Run the following commands to automatically enable MFA for all end customer usernames listed in Username column in the Bulk Update CSV file.
Modify the $csvpath path to match the location of the Bulk Upload CSV file.

$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$st.RelyingParty = "*"
$st.State = "Enabled"
$sta = @($st)
$csvpath = "C:\cspdemoems MFA Users.csv"
$MFAUsers = Import-csv $csvpath
ForEach ($user in $MFAUsers.username) {
Set-MsolUser -UserPrincipalName $User -StrongAuthenticationRequirements $sta
}
Using this example CSV bulk update file, the Windows Azure Active Directory Module for Windows PowerShell window will look like this:

Configure Azure Conditional Access for SaaS Apps

Azure conditional access for SaaS apps allows the end customer to configure per-application MFA access rules, as well as the ability to block access for users not on a trusted network.

There are a number of elements to Azure conditional access that need to be agreed upon with the end customer to provide the best user experience for their organization.

The following table outlines the features and functions that need to be agreed upon with the end customer to allow the CSP Partner to proceed with the configuration of Azure conditional access to SaaS apps.

CSP Partners can leverage this table to provide the end customer with best practices for their managed service.

Azure Conditional Access for SaaS Apps Service Setting	Description	End Customer Setting
Enable access rules	Preview Feature Enables access rules for this SaaS application.	Off/On
Apply to	Select which users the rules apply to. Rules can be applied to all the users assigned to the application, or only to the users in specified security groups. 'Except' allows you to exempt users from the rules.	All Users/Groups
All Users	Defines the access rules are applied to all users assigned to the application.
All Users - Except	Defines the access rules are applied to all users assigned to the application, except for the group defined.	Enter AD Group Name:
Groups	Defines the group of users who have the access rules applied.	Enter AD Group Name:
Rules	Select one of the following rules to require Multi-Factor Authentication or restrict access when a user is not at work.
Require Multi-Factor Authentication	With this option, the users to whom the access rules apply will be required to complete MultiFactor Authentication before accessing the application the policy applies to.	Unselect/Select
Require Multi-Factor Authentication when not at work	With this option, a user who is coming from a trusted IP will not be required to perform MultiFactor Authentication. The trusted IP ranges are configured on the Multi-Factor Authentication settings page.	Unselect/Select
Block access when not at work	With this option, a user who is not coming from a trusted IP will be blocked. The trusted IP ranges are configured on the Multi-Factor Authentication settings page.	Unselect/Select

Adding Azure access control to Azure SaaS application

In this example, the following instructions will add Azure access control to the SaaS application,

Twitter for Marketing, created in the "Getting Started with Azure Active Directory Premium for Microsoft Cloud Solution Providers" document.

Sign in to the Azure Management Portal as a co-administrator for the end customer tenant.
Select the AAD tenant for the end customer:

Select the APPLICATIONS tab.
Select the SaaS application Twitter for Marketing:

Select CONFIGURE:

Select ON to ENABLE ACCESS RULES:

Leave APPLY TO set to ALL USERS.
Leave RULES configured as Require multi-factor authentication:

Select SAVE.

This process can be repeated for any other SaaS applications that are to be integrated with AAD for the end customer. This Azure access control will add the requirement that all end users assigned to the SaaS application are required to be registered for MFA before access is granted to the application.

Appendix A – End customer MFA registration process

The following steps are provided to CSP Partners for informational purposes only. These steps are the required actions that an end customer completes in order to register the authentication methods they configured for themselves. In this example, only the mobile phone used for authentication will be required.

Once MFA has been enabled, the end user will be presented with the MFA Set it up now prompt the next time they log in to a Microsoft cloud service. In this example, the AAD MyApps site https://myapps.microsoft.com is used to access the organization's SaaS applications:

Select Set it up now.
Select your country or region from the drop-down menu, and enter the mobile number:

Select Contact me. This will generate a phone call to the defined mobile number, and the end user will be required to press the pound (#) key on their mobile to verify their identity:

Once the mobile number has been verified, an app password is provided for use with non-browser applications. Refer to What are App Passwords in Azure Multi-Factor Authentication? for more information.
1. Select Done.
2. The end customer's user is now logged in to the Microsoft My Apps site:
  
  All future logins to Microsoft cloud services will now require Multi-Factor Authentication with either a phone call or text message sent to the registered mobile number.
Reference links