In this lesson we're going to walk through the configuration of a conditional access policy that enables Azure Multi-Factor Authentication when a user logs in to the Azure Portal. We'll deploy the policy to a specific group of users. Deploying MFA using conditional access policies like we're doing here provides improved flexibility for organizations when compared to the traditional enforce method. What we're going to do is enable Azure Multi-Factor Authentication and then test it. For this exercise I've created a non-admin user account named MikeMcDermott and placed the account in a group called MFAPilot. We'll use this test account and this pilot group to test our MFA rollout. To get started, I've logged in to my Azure Portal as a global administrator. What I'm going to do here is browse to Azure Active Directory and then click on Conditional Access. From here I'll create a new policy by selecting New policy. I'll call the new policy MFA Deployment. To deploy this new policy to just my pilot group what I need to do is click on the Select users and groups radio button which is located under Users and groups. What this does is allow me to select my pilot group. After selecting my pilot group I can click Done to move on to the next step. Under Cloud apps I need to click the Select apps radio button and then select Microsoft Azure Management which is the cloud app for the Azure Portal. After clicking Select I can click Done. What we're doing here is enforcing MFA whenever someone in our pilot group logs in to the Azure Portal itself. I don't need to set any special conditions for this exercise so I'm going to skip the conditions section. But under Grant in this next section I need to make sure that the Grant access radio button is selected. To require MFA I need to check the box next to Require multi-factor authentication. After checking the box I can click Select. We'll skip the Session section and then set the Enable policy option to On. Quicken Create creates the new policy that will enforce MFA for our pilot group. With our MFA policy provisioned we can test it by logging in to a resource that wouldn't normally require MFA and then in to the Azure Portal which does require MFA based on our new policy. To perform our test we'll open an incognito tab and browse to account.activedirectory.windowsazure.com. Notice that when we log in with the MikeMcDermott account we're not asked to complete MFA. This makes sense because we enforced MFA on the Azure Portal itself, not the AD account page. Now let's close the browser window and open a new incognito tab and browse to the Azure Portal itself. When we log in to the Azure Portal with Mike McDermott's account we're required to register for and use Azure Multi-Factor Authentication. This is our MFA policy doing it's thing. That said, we've confirmed that our policy works. To wrap up we can just close out of the browser. As you've seen, deploying and enforcing MFA is a rather painless undertaking.

LECTURES: Course Introduction - What is Authentication - Designing an Authentication Method - Configuring Multi-Factor Authentication - Accessing MFA Service Settings - Enable SSPR - Sign-in Activity Reports in the Azure Active Directory Portal - Using Sign-in Activity Reports in the Azure Active Directory Portal - Azure Active Directory Monitoring - Implement MFA - Manage User Settings with Azure Multi-Factor Authentication in the Cloud - Manage MFA for Users - Reports in Azure Multi-Factor Authentication - Configure Application Registration in Azure AD - How to Configure Application Registration in Azure AD - What is Azure AD Application Proxy - Configure Azure AD Application Proxy - Azure Active Directory B2B - Add Guest Users to Your Directory in the Azure Portal - Conclusion