Multi-Factor Authentication (MFA) is one of the most effective ways to protect corporate identities against phishing attacks, password theft, and unauthorized access. Microsoft Entra ID (formerly Azure AD) provides robust MFA capabilities to enhance security. Below is a detailed guide on setting up MFA in Microsoft Entra ID, along with essential commands and best practices.
You Should Know:
1. Enabling MFA in Microsoft Entra ID
To enforce MFA for users, follow these steps:
1. Sign in to the Microsoft Entra Admin Center:
   - Navigate to https://entra.microsoft.com.
2. Go to Security > MFA:
   - Select “Per-user MFA” or “Conditional Access policies” for granular control.
3. Enable MFA for Users:
   - Select users and click “Enable” under Multi-Factor Authentication.
2. PowerShell Commands for MFA Management
Use Microsoft Graph PowerShell to automate MFA configurations:
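```powershell
# Install the Microsoft Graph module (if not already installed)
Install-Module Microsoft.Graph -Force

# Connect to Microsoft Graph with the required permissions
Connect-MgGraph -Scopes "User.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.AuthenticationMethod"

# Enable per-user MFA for a specific user.
# Set-MgUser has no -StrongAuthenticationRequirements parameter (that belonged to the
# legacy MSOnline Set-MsolUser cmdlet), so the per-user state is set through the
# Microsoft Graph beta authentication/requirements endpoint instead.
$userId = "user@example.com"   # placeholder UPN
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/beta/users/$userId/authentication/requirements" `
    -Body @{ perUserMfaState = "enabled" }

# Enforce MFA via Conditional Access (requires Azure AD Premium P1/P2)
New-MgIdentityConditionalAccessPolicy -DisplayName "Enforce MFA for All Users" `
    -State "enabled" `
    -Conditions @{
        Applications   = @{ IncludeApplications = @("All") }
        Users          = @{ IncludeUsers = @("All") }
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    } `
    -GrantControls @{
        BuiltInControls = @("mfa")
        Operator        = "OR"
    }
```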
3. Linux & Windows Security Best Practices
- Linux: Use `google-authenticator` for CLI-based MFA:

  ```bash
  sudo apt install libpam-google-authenticator
  google-authenticator
  ```

  Follow prompts to set up TOTP (Time-based One-Time Password).
- Windows: Enforce MFA via Group Policy (GPO):
  - Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  - Enable “Interactive logon: Require smart card” or “Network security: Configure encryption types allowed for Kerberos” for enhanced security.
4. Testing MFA Setup
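- Use Microsoft’s MFA Test Tool, or confirm which authentication methods a user has registered with:

  ```powershell
  # Requires the UserAuthenticationMethod.Read.All scope
  Get-MgUserAuthenticationMethod -UserId "user@example.com"   # placeholder UPN
  ```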
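A Conditional Access policy only enforces MFA when it is enabled and scoped as intended. The following added example (not part of the original post) checks policy objects for report-only state, narrow scope and exclusions; `Find-MfaPolicyGap` is a hypothetical helper name and the sample policies are constructed.

```powershell
# Added example, not from the original post. Find-MfaPolicyGap is a hypothetical helper name.
function Find-MfaPolicyGap {
    param([Parameter(Mandatory)][object[]]$Policy)
    foreach ($p in $Policy) {
        # Only policies whose grant controls include MFA are relevant.
        if ($p.GrantControls.BuiltInControls -notcontains 'mfa') { continue }
        $findings = @()
        if ($p.State -ne 'enabled') { $findings += "state is '$($p.State)', so MFA is not enforced" }
        if ($p.Conditions.Users.IncludeUsers -notcontains 'All') { $findings += 'does not target all users' }
        if ($p.Conditions.Applications.IncludeApplications -notcontains 'All') {
            $findings += 'does not target all cloud apps'
        }
        # Exclusions are normal for emergency-access accounts but each one needs review.
        $excluded = @($p.Conditions.Users.ExcludeUsers) + @($p.Conditions.Users.ExcludeGroups) |
            Where-Object { $_ }
        if ($excluded) { $findings += "excludes $(@($excluded).Count) user/group object(s)" }
        [pscustomobject]@{
            Policy   = $p.DisplayName
            Covered  = ($findings.Count -eq 0)
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample objects shaped like Get-MgIdentityConditionalAccessPolicy output.
$sample = @(
    [pscustomobject]@{
        DisplayName   = 'Enforce MFA for All Users'
        State         = 'enabled'
        GrantControls = @{ BuiltInControls = @('mfa') }
        Conditions    = @{
            Users        = @{ IncludeUsers = @('All'); ExcludeUsers = @(); ExcludeGroups = @() }
            Applications = @{ IncludeApplications = @('All') }
        }
    },
    [pscustomobject]@{
        DisplayName   = 'MFA pilot (constructed)'
        State         = 'enabledForReportingButNotEnforced'
        GrantControls = @{ BuiltInControls = @('mfa') }
        Conditions    = @{
            Users        = @{ IncludeUsers = @('All'); ExcludeGroups = @('00000000-0000-0000-0000-000000000001') }
            Applications = @{ IncludeApplications = @('Office365') }
        }
    }
)
Find-MfaPolicyGap -Policy $sample | Format-List

# Against a live tenant (needs the Policy.Read.All scope):
# Find-MfaPolicyGap -Policy (Get-MgIdentityConditionalAccessPolicy -All)
```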
What Undercode Say:
MFA is a critical security layer that significantly reduces the risk of unauthorized access. Combining MFA with strong password policies, conditional access, and regular audits ensures a robust security posture. For Linux admins, integrating PAM modules like `google-authenticator` adds an extra layer. Windows administrators should leverage GPOs and Azure AD Conditional Access for enterprise-grade protection.
Expected Output:
- MFA enforced for all users via Microsoft Entra ID.
- Conditional Access policies applied to restrict unauthorized logins.
- Linux & Windows systems secured with additional MFA methods.
Reported By: Nielsenalmeida UgcPost – Hackers Feeds