Implement MFA
1h 1m

This course has been designed to teach you how to manage access and authentication in Azure Active Directory. 

The topics covered within this course include:

  • Managing Authentication
  • Implementing Multi-Factor Authentication
  • Configuring Application Access
  • Implementing Access for External Users of Microsoft 365 Workloads

Learning Objectives

  • To learn how to configure and monitor authentication
  • To learn how to administer MFA and report on its utilization
  • To learn how to configure application registration and use Azure AD Application Proxy
  • To learn how to use Azure Active Directory B2B to add and manage external users

Intended Audience

  • Those looking to learn more about access and authentication


To get the most from this course, you should at least be familiar with Azure AD and have a general understanding of its features.


In this lesson we're going to walk through the configuration of a conditional access policy that enables Azure Multi-Factor Authentication when a user logs in to the Azure Portal. We'll deploy the policy to a specific group of users. Deploying MFA using conditional access policies like we're doing here provides improved flexibility for organizations when compared to the traditional enforce method. What we're going to do is enable Azure Multi-Factor Authentication and then test it.

For this exercise I've created a non-admin user account named MikeMcDermott and placed the account in a group called MFAPilot. We'll use this test account and this pilot group to test our MFA rollout.

To get started, I've logged in to my Azure Portal as a global administrator. What I'm going to do here is browse to Azure Active Directory and then click on Conditional Access. From here I'll create a new policy by selecting New policy. I'll call the new policy MFA Deployment.

To deploy this new policy to just my pilot group, what I need to do is click on the Select users and groups radio button, which is located under Users and groups. What this does is allow me to select my pilot group. After selecting my pilot group I can click Done to move on to the next step.

Under Cloud apps I need to click the Select apps radio button and then select Microsoft Azure Management, which is the cloud app for the Azure Portal. After clicking Select I can click Done. What we're doing here is enforcing MFA whenever someone in our pilot group logs in to the Azure Portal itself.

I don't need to set any special conditions for this exercise, so I'm going to skip the Conditions section. But under Grant in this next section I need to make sure that the Grant access radio button is selected. To require MFA I need to check the box next to Require multi-factor authentication. After checking the box I can click Select. We'll skip the Session section and then set the Enable policy option to On.

Clicking Create creates the new policy that will enforce MFA for our pilot group.

With our MFA policy provisioned, we can test it by logging in to a resource that wouldn't normally require MFA and then in to the Azure Portal, which does require MFA based on our new policy. To perform our test we'll open an incognito tab and browse to Notice that when we log in with the MikeMcDermott account we're not asked to complete MFA. This makes sense because we enforced MFA on the Azure Portal itself, not the AD account page.

Now let's close the browser window and open a new incognito tab and browse to the Azure Portal itself. When we log in to the Azure Portal with Mike McDermott's account we're required to register for and use Azure Multi-Factor Authentication. This is our MFA policy doing its thing. That said, we've confirmed that our policy works. To wrap up we can just close out of the browser. As you've seen, deploying and enforcing MFA is a rather painless undertaking.
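The policy built in the walkthrough above can also be written as data, which makes its scope easy to review. The following is an added example, not part of the original lesson: it builds the request body that Microsoft Graph accepts at `POST /identity/conditionalAccess/policies` for the same settings, then uses a deliberately simplified scope check (not Azure AD's real evaluation engine) to show why the two test sign-ins behave differently. The group ID and the second app ID are constructed placeholders; the Microsoft Azure Management app ID is the well-known value for that cloud app.

```python
import json

# Well-known application ID of the "Microsoft Azure Management" cloud app.
AZURE_MANAGEMENT_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
# Constructed placeholders: look up the real MFAPilot object ID in your tenant.
MFA_PILOT_GROUP_ID = "00000000-0000-0000-0000-0000000000aa"
OTHER_APP_ID = "00000000-0000-0000-0000-0000000000bb"  # any app outside the policy


def build_policy(name, group_id, app_id, state="enabled"):
    """Graph conditionalAccessPolicy body mirroring the portal steps."""
    return {
        "displayName": name,
        "state": state,  # "enabled" corresponds to Enable policy: On
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeGroups": [group_id]},               # Users and groups
            "applications": {"includeApplications": [app_id]},    # Cloud apps
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},  # Grant
    }


def mfa_required(policy, user_groups, app_id):
    """Simplified model: does this policy demand MFA for this sign-in?"""
    if policy["state"] != "enabled":  # report-only and disabled never enforce
        return False
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    groups = set(user_groups)
    if groups & set(users.get("excludeGroups", [])):
        return False
    if app_id in apps.get("excludeApplications", []):
        return False
    user_in_scope = ("All" in users.get("includeUsers", [])
                     or bool(groups & set(users.get("includeGroups", []))))
    included = apps.get("includeApplications", [])
    app_in_scope = "All" in included or app_id in included
    return (user_in_scope and app_in_scope
            and "mfa" in policy["grantControls"]["builtInControls"])


if __name__ == "__main__":
    policy = build_policy("MFA Deployment", MFA_PILOT_GROUP_ID, AZURE_MANAGEMENT_APP_ID)
    print(json.dumps(policy, indent=2))
    pilot = [MFA_PILOT_GROUP_ID]
    print("Other app:   ", mfa_required(policy, pilot, OTHER_APP_ID))
    print("Azure Portal:", mfa_required(policy, pilot, AZURE_MANAGEMENT_APP_ID))
```

Creating the policy with `state` set to `enabledForReportingButNotEnforced` instead of `enabled` logs what the policy would have done without prompting users, which is a common first step before a pilot.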


LECTURES: Course Introduction - What is Authentication - Designing an Authentication Method - Configuring Multi-Factor Authentication - Accessing MFA Service Settings - Enable SSPR - Sign-in Activity Reports in the Azure Active Directory Portal - Using Sign-in Activity Reports in the Azure Active Directory Portal - Azure Active Directory Monitoring - Implement MFA - Manage User Settings with Azure Multi-Factor Authentication in the Cloud - Manage MFA for Users - Reports in Azure Multi-Factor Authentication - Configure Application Registration in Azure AD - How to Configure Application Registration in Azure AD - What is Azure AD Application Proxy - Configure Azure AD Application Proxy - Azure Active Directory B2B - Add Guest Users to Your Directory in the Azure Portal - Conclusion

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.