
Adding Multi-Factor Authentication to Azure Active Directory

Published: May 20, 2013

Updated: May 1, 2015


For a video on this topic, see the Adding Multi-Factor Authentication to Azure AD Video on Channel 9.

Azure Multi-Factor Authentication adds a second factor to the cloud applications and services you host in Azure. With several verification options to choose from, you can secure both Microsoft and third-party applications hosted in Azure.

Connecting to AAD

With multiple out-of-band methods and a one-time passcode option, Azure Multi-Factor Authentication provides flexibility for users and backup options in the event the user is not able to authenticate using their preferred method.

  • Multi-Factor Authentication apps are available for Windows Phone, Android, and iOS devices.

    The Multi-Factor Authentication app functionality has now been added to the Azure Authenticator app for Android devices. The old MFA app still works on Android, but going forward Azure Authenticator replaces it. The Windows Phone and iOS versions are still in development and will be released shortly.

    Users download the free app from the device store and activate it using a code provided during setup. When the user signs in, a notification is pushed to the app on their mobile device, and the user taps to approve or deny the authentication request. Cellular or Wi-Fi access is required to install and set up the app. Once installed, the app operates in one of two modes:

    1. Notification - In this mode, the Azure Multi-Factor Authentication app receives a push notification on your phone or registered device for each sign-in attempt, which is how it blocks unauthorized access and fraudulent transactions. If the request is one you just initiated, select Authenticate. An unexpected notification means a sign-in with your password is in progress that you did not start, so choose Deny, or deny and report the notification as fraudulent. For information on reporting fraudulent notifications see How to use the Deny and Report Fraud Feature for Multi-Factor Authentication.

    2. One-Time Passcode - In this mode, the Azure Multi-Factor Authentication app acts as a software token that generates an OATH time-based passcode from the secret provisioned during activation. The user enters this passcode along with the username and password as the second factor. Because the passcode is computed on the device rather than delivered to it, this mode works where phone coverage is spotty or absent.

  • Automated phone calls can be placed by the Multi-Factor Authentication service to any phone, landline or mobile. The user answers the call and presses # on the phone keypad to complete the sign-in.

  • Text messages can be sent by the Multi-Factor Authentication service to any mobile phone. The text message contains a one-time passcode. The user is prompted either to reply to the text message with the passcode or to enter the passcode into the sign-in screen. Only the phone call and text message options are currently available for the Multi-Factor Authentication SDK.
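The One-Time Passcode mode above works offline because an OATH time-based passcode is a function of only a shared secret and the clock. The following PowerShell, added here as an example and not taken from the page or from Microsoft's app, computes a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) the way a software token does. It assumes the app follows the standard TOTP algorithm; the base32 secret and timestamps are the RFC 6238 Appendix B test inputs, not values from any tenant.

```powershell
# Added example (not from the original page): derive an OATH time-based passcode
# (RFC 6238 TOTP) from a shared secret and the current Unix time.
# Inputs below are the RFC 6238 Appendix B test values, not real secrets.

function ConvertFrom-Base32 {
    # Authenticator secrets are usually provisioned as base32; decode to bytes.
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = New-Object System.Text.StringBuilder
    foreach ($c in $Base32.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid base32 character: $c" }
        [void]$bits.Append([Convert]::ToString($idx, 2).PadLeft(5, '0'))
    }
    $s = $bits.ToString()
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $s.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($s.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][long]$UnixTime,
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # Time-step counter as an 8-byte big-endian value (RFC 6238 section 4.2).
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    # HMAC-SHA1 over the counter with the shared secret as key (RFC 4226).
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Secret)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation: low nibble of the last byte selects a 4-byte window,
    # the top bit of which is masked off so the result is a positive 31-bit int.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset]     -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8)  -bor
               ($hash[$offset + 3] -band 0xFF)
    $code = $binary % [long][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

# RFC 6238 Appendix B secret "12345678901234567890", base32-encoded.
$secret = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'

# Appendix B time values (Unix seconds); compare against the RFC's SHA1 column.
Get-TotpCode -Secret $secret -UnixTime 59
Get-TotpCode -Secret $secret -UnixTime 1111111109

# The code a token would display right now; the service accepts it only within
# a small window around the current step, which is why device clock drift
# breaks passcode mode while push notification mode is unaffected.
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
Get-TotpCode -Secret $secret -UnixTime $now
```

For the Appendix B inputs, the RFC lists an 8-digit SHA1 result of 94287082 at time 59, so the 6-digit call above should print its last six digits. Nothing in the computation touches the network, which is the practical point of passcode mode.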

Multi-factor authentication is available for Office 365 SKUs and for administrators of an Azure subscription. The following lists the versions of multi-factor authentication available and the resources each can secure.

  • Multi-Factor Authentication for Office 365 – allows you to secure Office 365 resources for users licensed for Office 365.

  • Multi-Factor Authentication for Azure Administrators – allows you to secure Azure resources for administrators.

  • Azure Multi-Factor Authentication – allows you to secure all Microsoft Online Services, multiple SaaS app resources, resources that span on-premises and cloud including VPN and LOB apps.

Steps 1 and 2 are only required if you are using Azure Multi-Factor Authentication. If you are using Multi-Factor Authentication for Office 365 or Multi-Factor Authentication for Azure Administrators, skip to step 3.





1. Sign up for an Azure subscription.

The first step is to sign up for an Azure subscription. If you already have one, skip to the next step.

To sign up for an Azure subscription, see Azure Free Trial.

2. Create a Multi-Factor Auth Provider or assign an Azure AD Premium or Enterprise Mobility Suite license to users.

Do one of the following depending upon which one is applicable:

  • In the Azure Management Portal create a Multi-Factor Auth Provider.

  • Azure Multi-Factor Authentication is included in Azure Active Directory Premium, and therefore also in the Enterprise Mobility Suite. If you have Azure AD Premium or EMS you do not need to create a Multi-Factor Auth Provider. Instead, assign an Azure AD Premium or EMS license to the user; an administrator can then enable MFA for that user through the management portal.

To create a Multi-Factor Auth Provider see Creating a Multi-Factor Auth Provider.

The remaining steps apply to all versions of multi-factor authentication.





3. Enable Multi-Factor Authentication on your users

Next, enable multi-factor authentication on your users, for example your Office 365 users.

To enable Multi-Factor Authentication on your Office 365 users, see Enable multi-factor authentication for a user account.

4. Send email to end users to notify them about MFA.

Next, send your users an email that notifies them about multi-factor authentication and how to continue using their non-browser apps.

For an example email template see Email Template for Enabled Users.

5. Have a user sign in and complete the registration process.

Once you have enabled the account for multi-factor authentication, your users can sign in and complete the registration process, choosing their preferred verification method and any backup methods.

To sign in for the first time and complete the registration process, see Signing in for the first time using Azure Multi-Factor Authentication.

6. Configure app passwords for non-browser apps (such as …Outlook etc.).

After registration is complete, users can set up app passwords for non-browser apps (such as …Outlook etc.). This is required because those apps do not support multi-factor authentication and will fail to sign in once MFA is enforced unless an app password is configured. An app password lets the app authenticate with that single credential in place of the second factor, so treat it as a secret: users should create one per app and delete it when the app is no longer used.

To configure app passwords, see App Passwords with Azure Multi-Factor Authentication.
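Steps 3 through 6 can be driven and verified from PowerShell rather than clicked through in the portal. The script below is an added example, not code from the page or from Microsoft's documentation, and uses the MSOnline (Azure AD v1) module that was current when this page was written; MSOnline has since been deprecated in favor of Microsoft Graph PowerShell. It assumes the module is installed, that the account used with Connect-MsolService is a Global Administrator, and that the user principal names are constructed placeholders.

```powershell
# Added example (not from the original page): enable per-user MFA and audit
# the rollout with the MSOnline (Azure AD v1) PowerShell module.
# Assumptions: MSOnline is installed (Install-Module MSOnline); the signed-in
# account is a Global Administrator; the UPNs below are constructed placeholders.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in

$users = @('alice@contoso.com', 'bob@contoso.com')   # constructed sample UPNs

# Step 3: build the requirement object. State 'Enabled' makes the user register
# at next sign-in (step 5) and flips to 'Enforced' automatically once they do.
# 'Enforced' demands the second factor immediately, so non-browser apps (step 6)
# stop working until the user creates an app password.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'        # '*' applies the requirement to all relying parties
$req.State = 'Enabled'

foreach ($upn in $users) {
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
}

# Audit: who is Enabled, Enforced or Disabled, who has completed registration
# (step 5), and which method they chose as default. An empty
# StrongAuthenticationMethods list means the user has not registered yet.
function Get-MfaRolloutReport {
    Get-MsolUser -All | ForEach-Object {
        $reqs    = @($_.StrongAuthenticationRequirements)
        $methods = @($_.StrongAuthenticationMethods)
        $state = 'Disabled'
        if ($reqs.Count -gt 0) { $state = $reqs[0].State }
        $default = $methods | Where-Object { $_.IsDefault } | ForEach-Object { $_.MethodType }
        [pscustomobject]@{
            User       = $_.UserPrincipalName
            MfaState   = $state
            Registered = ($methods.Count -gt 0)
            Methods    = (($methods | ForEach-Object { $_.MethodType }) -join ',')
            Default    = $default
        }
    }
}

Get-MfaRolloutReport | Format-Table -AutoSize

# Users still showing Registered = False after the notification email (step 4)
# are the ones to chase before switching the state to 'Enforced'.
# To remove the requirement again (turns MFA off for that user):
# Set-MsolUser -UserPrincipalName 'alice@contoso.com' -StrongAuthenticationRequirements @()
```

Run the report again after users have signed in; a user whose MfaState has moved from Enabled to Enforced and whose Methods column is populated has completed step 5 and is the one who will now need app passwords for any non-browser client.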

For advanced settings such as fraud alert, one-time bypass, and configuring your own customized voice messages see Configuring Advanced Multi-Factor Authentication Settings.

See the following sections for additional information on securing cloud services using Azure Multi-Factor Authentication.

© 2015 Microsoft