Use Microsoft Entra ID Multifactor Authentication (MFA)
These instructions walk you through how to configure the Microsoft Entra ID integration allowing you to authenticate user accounts based on the information stored and managed there.
| Before using MFA you should consider the relevant MFA troubleshooting section first. |
| Due to limitations of Azure, changes may take up to 24 hours to settle in and take effect. |
Preflight (Checklist)
- An installation of RADNAC with a working Microsoft Entra ID integration
  - Follow the Start using Microsoft Entra ID guide if you do not have one
- A Microsoft Entra ID P1 (or higher) license
  - Also included with some Microsoft 365 subscriptions
- Command line tools, either Azure CLI or Azure PowerShell
  - For those unfamiliar with the command line, you can use Azure Cloud Shell, which provides all the tooling required from within your browser and without the need to install anything on your workstation.
- Your user account has access to manage an existing Enterprise Application (client ID ‘981f26a1-7f43-403b-a875-f8b09b8cd720’) as well as to assign Microsoft Graph API roles to it.
  - Usually this means the role of ‘Global Administrator’, though your IT team may be able to determine a more restrictive combination of roles.
  - This level of access is only required to configure the integration, after which it can be revoked.
Command Line Tools
Login with your tool by running the following:
- Azure CLI

```shell
az login
```

- Azure PowerShell

```powershell
if ((Get-ExecutionPolicy) -ne 'Unrestricted') {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
}
if (!(Get-Module -ListAvailable -Name Az)) {
    Install-Module Az `
        -Repository PSGallery `
        -Scope CurrentUser `
        -Force
}
Connect-AzAccount -UseDeviceAuthentication
```
| You should be able to use your clipboard to copy and paste this command into it. |
Azure Cloud Shell
To get started with Azure Cloud Shell:
- Click on the command prompt icon (a square box surrounding a ‘>_’) in the top right
- Select either ‘Bash’ (recommended) or ‘PowerShell’
- Select ‘No storage account required’ and choose the subscription you are working in
- Leave the option to ‘Use an existing private virtual network’ unchecked
- Click on the Apply button
| You must run the login commands above even though it may seem unnecessary. This is because your Cloud Shell session does not initially start with access to Microsoft Graph which is needed to create an integration between RADNAC and Microsoft Entra ID. |
Steps
Start by going to the managed application page, browse through the menu on the left, check ‘Multifactor Authentication (MFA)’ and click on the Edit button at the top.
Setup
Use the parameter values provided by RADNAC listed here, then run the command below for your tool, substituting the all-capitals placeholders with those values:
- SUBSCRIPTION_ID
- LOCATION
- MANAGED_APPLICATION_RID

- Azure CLI

```shell
az deployment sub create \
  --subscription SUBSCRIPTION_ID \
  --location LOCATION \
  --template-uri https://www.radnac.com/azuredeploy/msentraid-enrolment.json \
  --parameters managedApplicationResourceId=MANAGED_APPLICATION_RID mfa=true \
  --query properties.outputs
```

- Azure PowerShell

```powershell
Set-AzContext `
    -Subscription SUBSCRIPTION_ID
New-AzSubscriptionDeployment `
    -Location LOCATION `
    -TemplateUri https://www.radnac.com/azuredeploy/msentraid-enrolment.json `
    -managedApplicationResourceId MANAGED_APPLICATION_RID -mfa true
```
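A small wrapper for the Azure CLI variant, added here as an example and not part of RADNAC's documentation: it rejects placeholders that were never substituted and values of the wrong shape before anything is sent to Azure, so a mistake fails locally rather than as a deployment error. It assumes MANAGED_APPLICATION_RID is a managed application resource ID of the form `/subscriptions/.../resourceGroups/.../providers/Microsoft.Solutions/applications/...` and that `az login` has already been run.

```shell
#!/bin/sh
# Added helper, not RADNAC's own code: validate the three placeholder
# values, then hand them to `az deployment sub create` exactly as the
# documented command does.
TEMPLATE_URI="https://www.radnac.com/azuredeploy/msentraid-enrolment.json"

matches() { printf '%s' "$1" | grep -Eq "$2"; }

# validate_enrolment_params SUBSCRIPTION_ID LOCATION MANAGED_APPLICATION_RID
# Returns 0 when all three look usable, 1 (with a reason on stderr) otherwise.
validate_enrolment_params() {
  sub=$1; loc=$2; rid=$3
  guid='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
  # Assumed form of a managed application's resource ID (Microsoft.Solutions).
  rid_re='^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Solutions/applications/[^/]+$'
  for v in "$sub" "$loc" "$rid"; do
    case "$v" in
      SUBSCRIPTION_ID|LOCATION|MANAGED_APPLICATION_RID)
        echo "placeholder '$v' was not substituted" >&2; return 1 ;;
    esac
  done
  matches "$sub" "$guid" || { echo "subscription ID is not a GUID" >&2; return 1; }
  matches "$loc" '^[a-z0-9]+$' || { echo "location should be a region name such as uksouth" >&2; return 1; }
  matches "$rid" "$rid_re" || { echo "resource ID is not a managed application ID" >&2; return 1; }
  # The managed application must live in the subscription being deployed to.
  case "$rid" in
    "/subscriptions/$sub/"*) ;;
    *) echo "resource ID belongs to a different subscription than $sub" >&2; return 1 ;;
  esac
  return 0
}

# run_enrolment SUBSCRIPTION_ID LOCATION MANAGED_APPLICATION_RID
# Validates, then runs the documented deployment (needs a logged-in az session).
run_enrolment() {
  validate_enrolment_params "$1" "$2" "$3" || return 1
  az deployment sub create \
    --subscription "$1" \
    --location "$2" \
    --template-uri "$TEMPLATE_URI" \
    --parameters "managedApplicationResourceId=$3" mfa=true \
    --query properties.outputs
}
```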
This process has now updated the Enterprise Application used for MFA authentication so that RADNAC may use it.
You may now click the Next button at the bottom of this page to continue.
Application
Skip this step and click on the Next button; it only exists to work around limitations of the Azure UI.
Policy
This works in exactly the same way as the regular Microsoft Entra ID authentication policy, but is used to determine which accounts are in scope for MFA.
Click the Next button at the bottom of this page to continue.