Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication

Multifactor authentication is a process in which a user is prompted for additional forms of identification during a sign-in event. For example, the prompt could be to enter a code on their cellphone or to provide a fingerprint scan. When you require a second form of identification, security is increased because this additional factor isn't easy for an attacker to obtain or duplicate.

Microsoft Entra multifactor authentication and Conditional Access policies give you the flexibility to require MFA from users for specific sign-in events. For an overview of MFA, we recommend watching this video: How to configure and enforce multifactor authentication in your tenant.

Important

This tutorial shows an administrator how to enable Microsoft Entra multifactor authentication. To step through multifactor authentication as a user, see Sign in to your work or school account using your two-step verification method.

If your IT team hasn't enabled the ability to use Microsoft Entra multifactor authentication, or if you have problems during sign-in, reach out to your Help desk for additional assistance.

In this tutorial you learn how to:

  • Create a Conditional Access policy to enable Microsoft Entra multifactor authentication for a group of users.
  • Configure the policy conditions that prompt for MFA.
  • Test configuring and using multifactor authentication as a user.

Prerequisites

To complete this tutorial, you need the following resources and privileges:

  • A working Microsoft Entra tenant with Microsoft Entra ID P1 or trial licenses enabled.

  • An account with Conditional Access Administrator, Security Administrator, or Global Administrator privileges. Some MFA settings can also be managed by an Authentication Policy Administrator. For more information, see Authentication Policy Administrator.

  • A non-administrator account with a password that you know. For this tutorial, we created such an account, named testuser. In this tutorial, you test the end-user experience of configuring and using Microsoft Entra multifactor authentication.

  • A group that the non-administrator user is a member of. For this tutorial, we created such a group, named MFA-Test-Group. In this tutorial, you enable Microsoft Entra multifactor authentication for this group.

Create a Conditional Access policy

Tip

Steps in this article might vary slightly based on the portal you start from.

The recommended way to enable and use Microsoft Entra multifactor authentication is with Conditional Access policies. Conditional Access lets you create and define policies that react to sign-in events and that request additional actions before a user is granted access to an application or service.

Overview diagram of how Conditional Access works to secure the sign-in process

Conditional Access policies can be applied to specific users, groups, and apps. The goal is to protect your organization while also providing the right levels of access to the users who need it.

In this tutorial, we create a basic Conditional Access policy to prompt for MFA when a user signs in. In a later tutorial in this series, we configure Microsoft Entra multifactor authentication by using a risk-based Conditional Access policy.

First, create a Conditional Access policy and assign your test group of users as follows:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.

  2. Browse to Protection > Conditional Access, select + New policy, and then select Create new policy.

    A screenshot of the Conditional Access page, where you select 'New policy' and then select 'Create new policy'.

  3. Enter a name for the policy, such as MFA Pilot.

  4. Under Assignments, select the current value under Users or workload identities.

    A screenshot of the Conditional Access page, where you select the current value under 'Users or workload identities'.

  5. Under What does this policy apply to?, verify that Users and groups is selected.

  6. Under Include, choose Select users and groups, and then select Users and groups.

    A screenshot of the page for creating a new policy, where you select options to specify users and groups.

    Since no one is assigned yet, the list of users and groups (shown in the next step) opens automatically.

  7. Browse for and select your Microsoft Entra group, such as MFA-Test-Group, then choose Select.

    A screenshot of the list of users and groups, with results filtered by the letters M F A, and 'MFA-Test-Group' selected.

We've selected the group to apply the policy to. In the next section, we configure the conditions under which to apply the policy.

Configure the conditions for multifactor authentication

Now that the Conditional Access policy is created and a test group of users is assigned, define the cloud apps or actions that trigger the policy. These cloud apps or actions are the scenarios that you decide require additional processing, such as prompting for multifactor authentication. For example, you could decide that access to a financial application or use of management tools require an additional prompt for authentication.

Configure which apps require multifactor authentication

For this tutorial, configure the Conditional Access policy to require multifactor authentication when a user signs in.

  1. Select the current value under Cloud apps or actions, and then under Select what this policy applies to, verify that Cloud apps is selected.

  2. Under Include, choose Select apps.

    Since no apps are yet selected, the list of apps (shown in the next step) opens automatically.

    Tip

    You can choose to apply the Conditional Access policy to All cloud apps or Select apps. To provide flexibility, you can also exclude certain apps from the policy.

  3. Browse the list of available apps and actions. For this tutorial, select Windows Azure Service Management API so that the policy applies to sign-ins to Azure management tools, including the Microsoft Entra admin center that you use later to test the policy. Then choose Select.

    A screenshot of the Conditional Access page, where you select the app, Windows Azure Service Management API, to which the new policy will apply.

Configure multifactor authentication for access

Next, we configure access controls. Access controls let you define the requirements for a user to be granted access. They might be required to use an approved client app or a device that's hybrid-joined to Microsoft Entra ID.

In this tutorial, configure the access controls to require multifactor authentication during a sign-in event.

  1. Under Access controls, select the current value under Grant, and then select Grant access.

    A screenshot of the Conditional Access page, where you select 'Grant' and then select 'Grant access'.

  2. Select Require multifactor authentication, and then choose Select.

    A screenshot of the options for granting access, where you select 'Require multi-factor authentication'.

Activate the policy

Conditional Access policies can be set to Report-only if you want to see how the configuration would affect users without enforcing it, or Off if you don't want to use the policy right now. For a production policy, run it in Report-only first and exclude your emergency access (break-glass) accounts, so that a misconfigured MFA requirement can't lock every administrator out. Because only a test group of users is targeted for this tutorial, let's enable the policy, and then test Microsoft Entra multifactor authentication.

  1. Under Enable policy, select On.

    A screenshot of the control that's near the bottom of the web page where you specify whether the policy is enabled.

  2. To apply the Conditional Access policy, select Create.
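The same policy can be created from the command line with the Microsoft Graph PowerShell SDK, which is useful when you want the configuration reviewable and repeatable. The following script is an added example and not part of the Microsoft tutorial. It assumes the Microsoft Graph PowerShell modules are installed, that MFA-Test-Group exists, and that the two emergency access UPNs under contoso.com are placeholders you replace with your own. It creates the policy in report-only mode unless you pass -Enforce, and it excludes the emergency access accounts as recommended above.

```powershell
# Added example, not from the Microsoft tutorial. Creates the "MFA Pilot"
# Conditional Access policy described in the steps above via Microsoft Graph.
# Assumptions: Microsoft Graph PowerShell SDK installed; the group exists;
# the $BreakGlassUpns values are placeholders for your emergency access accounts.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups, Microsoft.Graph.Applications, Microsoft.Graph.Users

param(
    [string]   $PolicyName     = 'MFA Pilot',
    [string]   $GroupName      = 'MFA-Test-Group',
    [string[]] $BreakGlassUpns = @('emergency1@contoso.com', 'emergency2@contoso.com'),  # placeholders
    [switch]   $Enforce        # omit to create the policy in report-only mode
)

# Least-privilege scopes: read the directory objects we reference, write CA policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All',
                        'Application.Read.All', 'User.Read.All' -NoWelcome

# Resolve the pilot group by display name (first match if the name is not unique).
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) { throw "Group '$GroupName' not found." }

# Resolve the cloud app targeted in the tutorial by its service principal display
# name instead of hardcoding its appId.
$app = Get-MgServicePrincipal -Filter "displayName eq 'Windows Azure Service Management API'" |
       Select-Object -First 1
if (-not $app) { throw 'Service principal for Windows Azure Service Management API not found.' }

# Emergency access accounts are excluded so a bad policy can never lock every admin out.
$breakGlassIds = @(foreach ($upn in $BreakGlassUpns) {
    (Get-MgUser -UserId $upn -Property Id).Id
})

# Report-only lets you read the outcome in the sign-in logs before anyone is blocked.
$state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

# Same shape as the portal policy: users -> MFA-Test-Group, cloud app -> the
# management API, grant -> require multifactor authentication.
$policy = @{
    displayName   = $PolicyName
    state         = $state
    conditions    = @{
        users        = @{
            includeGroups = @($group.Id)
            excludeUsers  = $breakGlassIds
        }
        applications = @{
            includeApplications = @($app.AppId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state '$($created.State)'"
```

Run it once without -Enforce, sign in as the test user a few times, check the report-only results in the sign-in logs, and only then re-run with -Enforce (or switch the state in the portal). To remove the policy later, use Remove-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId with the Id printed above.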

Test Microsoft Entra multifactor authentication

Let's see your Conditional Access policy and Microsoft Entra multifactor authentication in action.

First, sign in to a resource that doesn't require MFA:

  1. Open a new browser window in InPrivate or incognito mode and browse to https://account.activedirectory.windowsazure.com.

    Using a private mode for your browser prevents any existing credentials from affecting this sign-in event.

  2. Sign in with your non-administrator test user, such as testuser. Be sure to include @ and the domain name for the user account.

    If this is the first instance of signing in with this account, you're prompted to change the password. However, there's no prompt for you to configure or use multifactor authentication.

  3. Close the browser window.

You configured the Conditional Access policy to require additional authentication for sign-in to the Windows Azure Service Management API. Because of that configuration, you're prompted to use Microsoft Entra multifactor authentication, or to register a method if you haven't yet done so. Test this new requirement by signing in to the Microsoft Entra admin center:

  1. Open a new browser window in InPrivate or incognito mode and sign in to the Microsoft Entra admin center.

  2. Sign in with your non-administrator test user, such as testuser. Be sure to include @ and the domain name for the user account.

    You're required to register for and use Microsoft Entra multifactor authentication.

    A prompt that says 'More information required.' This is a prompt to configure a method of multi-factor authentication for this user.

  3. Select Next to begin the process.

    You can choose to configure an authentication phone, an office phone, or a mobile app for authentication. Authentication phone supports text messages and phone calls, office phone supports calls to numbers that have an extension, and mobile app supports using a mobile app to receive notifications for authentication or to generate authentication codes.

    A prompt that says, 'Additional security verification.' This is a prompt to configure a method of multi-factor authentication for this user. You can choose as the method an authentication phone, an office phone, or a mobile app.

  4. Complete the instructions on the screen to configure the method of multifactor authentication that you've selected.

  5. Close the browser window, and sign in to the Microsoft Entra admin center again to test the authentication method that you configured. For example, if you configured a mobile app for authentication, you're prompted to approve the sign-in in that app.

    To sign in, follow the prompts in your browser and then the prompt on the device that you registered for multifactor authentication.

  6. Close the browser window.
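Watching the prompt as the user tells you MFA was requested; the sign-in logs tell you which policy caused it and whether the grant control was actually satisfied. The following script is an added example and not part of the Microsoft tutorial. It assumes the Microsoft Graph PowerShell SDK with the Reports module, an account allowed to read sign-in logs, and that testuser@contoso.com is a placeholder for your test account.

```powershell
# Added example, not from the Microsoft tutorial. Reads the test user's recent
# sign-ins and shows, per sign-in, whether the "MFA Pilot" policy was evaluated,
# its result, and whether MFA was required.
# Assumptions: Microsoft Graph PowerShell SDK installed; $TestUserUpn is a placeholder.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports

param(
    [string] $TestUserUpn   = 'testuser@contoso.com',   # placeholder
    [string] $PolicyName    = 'MFA Pilot',
    [int]    $LookbackHours = 2
)

# Reading sign-in logs needs AuditLog.Read.All plus Directory.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Graph $filter wants an ISO 8601 UTC timestamp for createdDateTime.
$since  = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$TestUserUpn' and createdDateTime ge $since"

$signIns = Get-MgAuditLogSignIn -Filter $filter -All

foreach ($s in $signIns) {
    # Each sign-in lists every CA policy that was evaluated, with a result such as
    # success, failure, notApplied, or reportOnlySuccess / reportOnlyFailure.
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $PolicyName
    $policyResult = if ($applied) { $applied.Result } else { 'not evaluated' }

    [pscustomobject]@{
        Time         = $s.CreatedDateTime
        App          = $s.AppDisplayName
        # singleFactorAuthentication or multiFactorAuthentication
        AuthRequired = $s.AuthenticationRequirement
        # Overall CA outcome for the sign-in: success, failure, or notApplied
        CAStatus     = $s.ConditionalAccessStatus
        PolicyResult = $policyResult
        Controls     = ($applied.EnforcedGrantControls -join ',')
    }
}
```

For the tutorial's two sign-ins you should see the first one (the resource that isn't covered by the policy) with AuthRequired singleFactorAuthentication and PolicyResult notApplied, and the admin center sign-in with AuthRequired multiFactorAuthentication, PolicyResult success, and Controls containing mfa. Sign-in log entries can take several minutes to appear, so re-run the script if the latest sign-in is missing.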

Clean up resources

If you no longer want to use the Conditional Access policy that you configured as part of this tutorial, delete the policy by using the following steps:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.

  2. Browse to Protection > Conditional Access, and then select the policy that you created, such as MFA Pilot.

  3. Select Delete, and then confirm that you want to delete the policy.

    To delete the Conditional Access policy that you've opened, select Delete, which is located under the name of the policy.

Next steps

In this tutorial, you enabled Microsoft Entra multifactor authentication by using Conditional Access policies for a selected group of users. You learned how to:

  • Create a Conditional Access policy to enable Microsoft Entra multifactor authentication for a group of Microsoft Entra users.
  • Configure the policy conditions that prompt for multifactor authentication.
  • Test configuring and using multifactor authentication as a user.