This post is part of a series, for the series contents see: Azure MFA
The first step for setting up Azure MFA is to create a multi-factor auth provider; essentially the cloud app that will deal with your authentication requests.
There are two slightly annoying things about setting this up (and I really do mean “slightly”):
- I can’t find a PowerShell way to script it.
  - This seems to be the case with a lot of Azure AD things. My assumption is that since AAD is a giant SaaS app, Microsoft have locked down some programmatic access because an errant script could DoS the system and impact multiple customers. Well, that’s my theory, anyway.
- You have to create it in the old portal.
  - I really don’t think there is an excuse for this. The new portal has been around for ages, so it does annoy me that everything hasn’t been migrated across to it yet, especially since it makes applying a consistent RBAC policy a right pain. Although, to be fair, I’m sure there’s probably a good reason why it hasn’t gone yet.
Anyway, moaning aside, here are the very simple steps to create an MFA auth provider:
- Log in to the classic portal: https://manage.windowsazure.com
- From the left-hand menu select “Active Directory” and then “Multi-factor Auth Providers”.
- Click to create a new provider.
- When filling in the options, the key one is the usage model, because you can’t change it later without deleting and recreating the whole thing. The options available are:
  - Per Authentication (billed per verification request)
  - Per Enabled User (billed per user enabled for MFA, however often they authenticate)

I went for the per authentication option as I don’t have any licenses (an EMS or Office 365 E5 license would do the job) and I’m just setting this up for a lab. I could always do a trial with some licenses, but then I’d have to recreate the whole thing when that ended. There are some details about the two options here, but in reality most businesses are going to be using the per enabled user option or bypassing the auth provider altogether and just applying individual licenses to users.
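Since the usage model choice comes down to whether you already hold licences that include Azure MFA, here is an added PowerShell check (not part of the original post) that lists the tenant's SKUs and flags the MFA-capable ones. It assumes the MSOnline module (Connect-MsolService, Get-MsolAccountSku) and the SKU part numbers hard-coded in $mfaSkus, which are an assumption you should verify against your own tenant's Get-MsolAccountSku output; the sample data at the bottom is constructed so the function can be tried offline.

```powershell
# Added example, not from the original post. Flags licence SKUs that carry an
# Azure MFA entitlement so you can decide between Per Authentication and
# Per Enabled User before creating the provider (the usage model cannot be
# changed afterwards without recreating it).

# ASSUMPTION: SKU part numbers that include Azure MFA. Check against your own
# tenant; names here are Azure AD Premium P1/P2, EMS E3/E5 and Office 365 E5.
$mfaSkus = @('AAD_PREMIUM', 'AAD_PREMIUM_P2', 'EMS', 'EMSPREMIUM', 'ENTERPRISEPREMIUM')

function Get-MfaLicenceSummary {
    param(
        # Objects shaped like Get-MsolAccountSku output:
        # SkuPartNumber, ActiveUnits, ConsumedUnits
        [Parameter(Mandatory)] [object[]] $Skus
    )
    $Skus |
        Where-Object { $mfaSkus -contains $_.SkuPartNumber } |
        ForEach-Object {
            [pscustomobject]@{
                SkuPartNumber = $_.SkuPartNumber
                Active        = $_.ActiveUnits
                Consumed      = $_.ConsumedUnits
                Free          = $_.ActiveUnits - $_.ConsumedUnits
            }
        }
}

# Constructed sample data so the check runs without a tenant.
$sample = @(
    [pscustomobject]@{ SkuPartNumber = 'ENTERPRISEPACK';    ActiveUnits = 50; ConsumedUnits = 48 }  # not in the assumed MFA list
    [pscustomobject]@{ SkuPartNumber = 'EMS';               ActiveUnits = 20; ConsumedUnits = 5 }
    [pscustomobject]@{ SkuPartNumber = 'ENTERPRISEPREMIUM'; ActiveUnits = 10; ConsumedUnits = 10 }
)

$summary = Get-MfaLicenceSummary -Skus $sample
$summary | Format-Table -AutoSize

if (-not $summary) {
    'No MFA-capable licences found: Per Authentication, or buy licences first.'
} elseif (($summary | Measure-Object -Property Free -Sum).Sum -gt 0) {
    'Spare MFA-capable licences exist: Per Enabled User (or assigning licences directly to users) is the usual choice.'
} else {
    'MFA-capable licences exist but are all assigned: Per Enabled User only if you can free some up.'
}

# Against a real tenant (MSOnline module, interactive sign-in):
# Connect-MsolService
# Get-MfaLicenceSummary -Skus (Get-MsolAccountSku)
```

The function only reads licence counts; it does not create or change the provider, which (as noted above) still has to be done by hand in the classic portal.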
And that’s the first part complete!