Increase security with multi-factor authentication in Azure Active Directory
Today, security is no longer as simple as locking your assets in a bank lockbox. With nearly every account online and nearly every online account requiring a password, it’s hard to remember all of those usernames and passwords, and it’s tempting to reuse them. But with over 300 million fraudulent sign-in attempts against Microsoft’s cloud services alone each day (not counting attempts elsewhere), no one can afford to play fast and loose with their online security. Multi-factor authentication (MFA) is the standard of online security, and accounts that use MFA are 99.9% more protected from account compromise attacks than those using a password alone.
What is Azure Active Directory?
Azure Active Directory (Azure AD) is a service providing single sign-on and multi-factor authentication. Azure AD supports thousands of pre-integrated software as a service (SaaS) applications, so it simplifies access to applications from anywhere. Essentially, a user enters a single username and password once and is signed in to many applications with that one sign-in event. For instance, a user can sign in to Microsoft Outlook, Dynamics 365 Marketing, and Dynamics 365 Business Central all at the same time.
Not only does this save time and simplify what would otherwise be a more complex sign-in experience, but only one password is needed for many apps.
What is MFA and why should an organization use it?
Multi-factor authentication (MFA) combines something the user knows, like a password, with something they have or something they are. The additional factors that complement the password may include:
Biometrics, such as Windows Hello (fingerprint matching and facial recognition).
Phone Authentication Apps, such as the Microsoft Authenticator app.
Hardware keys, such as FIDO2 security keys.
These authentication methods need to be approved by the business’s administrators and set up by the individual user.
MFA is a further barrier beyond the password: even if an attacker does obtain a password, they still cannot get into the account. The additional factors fill the security gaps a password leaves behind. The reality is that most people use poor passwords (from a security standpoint), and/or they reuse passwords; in fact, at least 65% of people reuse passwords across multiple sites.
This is human nature—it’s difficult to remember a lot of passwords, not to mention those passwords that require 8-12 characters, one special character, one number, one capital letter…and whatever else. So the average person will reuse passwords, changing them slightly whenever they need to create a new password, or have simpler ones that are easier for algorithms to guess.
The focus of online security for so long has been building better passwords and having fresh ones for all accounts. But this works against human nature and ignores the fact that passwords, despite all these precautions, are still responsible for 81% of hacking-related breaches. Plus, if someone falls for a phishing attack, it doesn’t matter how great their password is—they give it right to the attacker.
Enabling and using MFA in Azure
Enabling and using multi-factor authentication in Azure AD is easy and there are no actual changes to any services or applications. The recommended way to enable and use Azure AD Multi-Factor Authentication is with Conditional Access, which allows administrators to define policies that react to sign-in events and request additional actions before a user is granted access to an application or service.
Signals that are considered in policies include the user signing in, the location the user is signing in from, the device being used, the application being accessed, and the real-time risk of the sign-in. For example, a Conditional Access policy might apply when a user who has signed in to the Azure AD portal then attempts to open a finance application. In that case, the policy may require the user to re-enter their password and complete another form of authentication they have registered, such as the Microsoft Authenticator app.
Multi-factor authentication is easy for the administrator to set up through an Azure AD tenant and to customize for the business’s needs. For users, after they set up their authentication methods, the only thing that changes is how they sign in. Rather than using a username and password alone, they enter their username and password and then (depending on what the business has approved or required) another form of authentication. They then have access to all the apps and services connected via Azure AD.
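The finance-application policy described above, as an added example that is not from the original post or Microsoft’s own code: the policy is written in the shape the Microsoft Graph conditionalAccess API accepts, and a small local evaluator models how the user, application and location signals decide whether the "mfa" grant control is demanded. The evaluator is a simplified illustration, not Azure AD’s engine, and the application, group and user IDs are placeholders.

```python
# Added example, not Microsoft's code: a Conditional Access policy in the
# Microsoft Graph "conditionalAccessPolicy" shape plus a simplified local
# evaluator of its user/application/location conditions. IDs are placeholders.
FINANCE_APP_ID = "11111111-2222-3333-4444-555555555555"   # placeholder
FINANCE_GROUP_ID = "finance-staff-group-id"               # placeholder
BREAK_GLASS_USER_ID = "break-glass-admin-id"              # placeholder

# Body one would POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
FINANCE_MFA_POLICY = {
    "displayName": "Require MFA for the finance application",
    "state": "enabled",  # "enabledForReportingButNotEnforced" = report-only first
    "conditions": {
        "users": {
            "includeGroups": [FINANCE_GROUP_ID],
            "excludeUsers": [BREAK_GLASS_USER_ID],  # emergency account stays out
        },
        "applications": {"includeApplications": [FINANCE_APP_ID]},
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        # everywhere except named locations marked as trusted
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def policy_applies(policy: dict, signin: dict) -> bool:
    """Does this sign-in fall inside the policy's conditions?"""
    cond = policy["conditions"]
    users = cond["users"]
    if signin["user_id"] in users.get("excludeUsers", []):
        return False  # exclusions win over inclusions
    in_scope = (signin["user_id"] in users.get("includeUsers", [])
                or bool(set(signin["groups"]) & set(users.get("includeGroups", []))))
    if not in_scope:
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app_id"] not in apps:
        return False
    locations = cond.get("locations", {})
    if signin["trusted_location"] and "AllTrusted" in locations.get("excludeLocations", []):
        return False
    return True


def required_controls(policy: dict, signin: dict) -> list[str]:
    """Grant controls (e.g. ["mfa"]) the sign-in must satisfy before access."""
    if policy["state"] != "enabled" or not policy_applies(policy, signin):
        return []
    return list(policy["grantControls"]["builtInControls"])
```

Starting the policy in report-only mode shows which sign-ins would have been prompted before anyone is actually blocked.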
Azure Active Directory Password Protection
Another security measure for passwords is Azure AD Password Protection. Essentially, Password Protection’s default global banned password list is automatically applied to all users in an Azure AD tenant, so terribly simple passwords like Password123 cannot be set. Further, a company can create a custom list of banned passwords, usually based on brand names, product names, locations (such as the headquarters city), company-specific internal terms, and abbreviations with company-specific meanings.
For instance, Syvantis would likely ban their name within any password, as well as any password including the word “Microsoft,” since we are a Microsoft Partner. Together, the global banned password list and a custom list protect against password spray attacks.
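How a banned list actually turns a candidate like Password123 or a brand-name password into a rejection, as an added example that is not from the original post or from Microsoft’s implementation: the code below is a simplified model of Password Protection’s evaluation, following Microsoft’s published description (lower-casing, undoing common character substitutions, one point per banned word found, one point per leftover character, five points required). The word lists are small constructed samples, and the real service’s fuzzy one-edit matching on the global list is omitted.

```python
# Added example, not Microsoft's code: a simplified model of how Azure AD
# Password Protection scores a candidate password against the global and
# custom banned lists. Lists below are constructed samples; the real global
# list has thousands of entries and is also matched fuzzily (one edit away).
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome"}   # constructed sample
CUSTOM_BANNED = {"syvantis", "microsoft", "dynamics"}          # constructed sample

# Substitutions undone before matching (documented: 0->o, 1->l, $->s, @->a)
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_POINTS = 5


def normalize(password: str) -> str:
    """Lower-case the password and undo leetspeak-style substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned: set[str]) -> tuple[int, list[str]]:
    """Return (points, banned words found).

    Each banned word found in the normalised password scores one point,
    however long it is; every leftover character scores one point each.
    Longest words are matched first so "microsoft" is not split by "soft".
    """
    remaining = normalize(password)
    matches = []
    for word in sorted(banned, key=len, reverse=True):
        while word in remaining:
            remaining = remaining.replace(word, "\0", 1)  # blank out the match
            matches.append(word)
    leftover = remaining.replace("\0", "")
    return len(matches) + len(leftover), matches


def is_acceptable(password: str, user_terms: tuple[str, ...] = ()) -> bool:
    """Apply both lists plus terms taken from the user's own account name."""
    banned = GLOBAL_BANNED | CUSTOM_BANNED | {t.lower() for t in user_terms}
    points, _ = score(password, banned)
    return points >= MIN_POINTS


if __name__ == "__main__":
    for candidate in ["Password123", "Syvantis!", "SyvantisMicrosoft1", "Micr0$0ftRocks"]:
        points, matched = score(candidate, GLOBAL_BANNED | CUSTOM_BANNED)
        verdict = "accepted" if is_acceptable(candidate) else "rejected"
        print(f"{candidate:20} {points} point(s) {matched} -> {verdict}")
```

Note that stacking several banned words does not help (SyvantisMicrosoft1 scores only three points), while a banned word padded with enough unrelated characters does pass, which is why the banned list complements MFA rather than replacing it.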
Azure AD Password Protection used in tandem with Azure AD Multi-Factor Authentication can greatly increase a company’s online security. Phishing and other security attacks are not going away, and humans being humans (aka not remembering passwords, reusing them, or falling for the occasional phishing scam) shouldn’t be the difference between a safe online work environment and a compromised one. Instead, utilizing other methods of authenticating an identity and embracing the humanity in every employee is the way forward.