Multi-Factor Authentication (MFA) is one of the best ways to secure your and your client’s tenants. But are you using the feature to its best potential?
Before you start making any changes to the tenant security, you need to ensure that you have an emergency access account setup. This is documented on the Microsoft website here if needed. If you have any rules already configured, exclude this account from all of them.
The first thing you should do is brand the login experience.
This not only provides reassurance to the end user that they are logging in to a trusted environment, but it can also prompt the end user to question why the prompt has come up. It’s worth entering contact details for your helpdesk on the prompt, which shows the user how to get assistance immediately. We recommend including a phone number, not an email address.
Full details are on the Microsoft docs site here.
One of the most common MFA deployments is the prompt method – where the end user gets a prompt and accepts or denies it. The problem with this method is that an attacker will simply spam the end user until they get fed up and accept the prompt, assuming it is an application authentication error. Therefore, consider enabling number matching. This creates a prompt with a number that the user needs to enter into the authentication screen. This will cause the end user to think about the prompt and, if unexpected, call to report it.
For more information on MFA Number Matching, click here
The next thing you should enable is the Additional Information prompt. This provides a GUI with location information of where the MFA prompt was generated. Alas, in the UK, the location is usually inaccurate, but it will tell you the country. That can quickly show you if someone is from outside the UK. Please find more information here.
Finally, if you have a user who will not be enrolled in MFA because they don’t access any company resources from a mobile device or outside of the office network, then use Conditional Access to restrict the sign-up to trusted locations. Ensuring that an end user cannot be phished for their password, and the bad actor promptly enrol them in MFA using their own device, giving them free rein through the tenant. This makes an excellent user case for conditional access, so we’ll cover it in more detail next time.
If you want to check out our Podcast, which covers this topic and many like it in the future, click the button below.