What is Multi Factor Authentication (MFA)?
Multi Factor Authentication (MFA) is a process where a user is prompted during the sign-in process for an additional form of identification, such as entering a code which is sent to a mobile phone.
If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or if it has been exposed, how do you know whether the person signing in with the username and password is really the user, or an attacker? When a second form of authentication is required, security is increased, as this additional factor isn’t something that’s easy for an attacker to obtain or duplicate. A password alone is of no use to them.
Security Defaults
Microsoft provides Security Defaults to keep your accounts secure. When a user logs in, they will see the screen below, allowing them to skip the setup of MFA for 14 days.
This blog post goes through the process of enforcing MFA so that it is mandatory for the user to set up MFA, and the option to skip MFA setup for 14 days is no longer available.
1) Access the Azure Portal (portal.azure.com)
2) Click Azure Active Directory
3) Click Users
4) Click Multi-Factor Authentication
5) For the purpose of this demo, I am selecting an existing user Cloud Build User 1
6) Click enable
7) Click enable multi-factor auth
And we’re done
Now, when the same user logs in, the option to skip MFA setup for 14 days is no longer visible.
The user will be prompted to go through the wizard and set up MFA.
Azure AD free only offers MFA via the authenticator app for normal domain accounts. See the comparison chart below.
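The portal steps above can also be scripted, which makes it possible to check which accounts still have per-user MFA disabled before and after the change. This is an added example, not part of the original post; it assumes the legacy MSOnline PowerShell module is installed and usable against the tenant, and `user1@contoso.example` is a placeholder UPN.

```powershell
# Added example: assumes the legacy MSOnline module and an admin sign-in.
Import-Module MSOnline
Connect-MsolService

function Get-PerUserMfaState {
    param([Parameter(Mandatory)] $User)
    # An empty StrongAuthenticationRequirements list means per-user MFA is Disabled.
    if ($User.StrongAuthenticationRequirements.Count -eq 0) { 'Disabled' }
    else { [string]$User.StrongAuthenticationRequirements[0].State }
}

function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string] $UserPrincipalName)
    $user   = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $before = Get-PerUserMfaState -User $user
    # Only touch accounts that are Disabled, so an Enforced user is not downgraded.
    if ($before -eq 'Disabled') {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'
        $req.State        = 'Enabled'
        Set-MsolUser -UserPrincipalName $UserPrincipalName `
                     -StrongAuthenticationRequirements @($req)
    }
    # Re-read the account so the report reflects what the directory now holds.
    $after = Get-PerUserMfaState -User (Get-MsolUser -UserPrincipalName $UserPrincipalName)
    [pscustomobject]@{ User = $UserPrincipalName; Before = $before; After = $after }
}

# Audit: every account that can still skip MFA setup (per-user state Disabled).
Get-MsolUser -All |
    Select-Object UserPrincipalName, @{ n = 'MfaState'; e = { Get-PerUserMfaState -User $_ } } |
    Where-Object MfaState -eq 'Disabled'

# Enable per-user MFA for one account (placeholder UPN, constructed for this example).
Enable-PerUserMfa -UserPrincipalName 'user1@contoso.example'
```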
Source: Features and licenses for Azure Multi-Factor Authentication