Prepopulate MFA phone authentication solution

iphase.dk Michael Mardahl, MVP

C:\IPHASE\POSTS\AZURE

Name Size Date

.. <UP--DIR> MANAGE~1.TXT 6,884 21-07-02 HYBRID~1.TXT 5,254 21-03-07 EXCHAN~1.TXT 6,589 20-10-29 PREPOP~1.TXT 8,058 20-10-23 ENABLI~1.TXT 5,562 18-07-17

5 files, 0 dirs

Prepopulate MFA phone authentication solution

>> Overview

Prepopulating MFA phone authentication (Multi-Factor Authentication) details on a user in Azure Active Directory means getting a known second factor added to a user's account details automatically. These details are also known as the user's "Strong Authentication Methods."

Normally MFA enrollment is a manual process done with the Microsoft Authenticator App during first sign-in. However, a more basic second factor, the user's cellular/mobile number, is usually known to IT in a corporate environment.

With a recent addition to the Microsoft Graph API, it is now possible to add or replace a user's strong authentication phone method programmatically. This enables you to register users automatically for MFA and SSPR at the same time.

>> The MFA Automation Solution

The solution uses the following Microsoft technologies:

* Azure Automation

* Microsoft Graph API (beta)

* PowerShell

* Azure AD (P1)

* Combined registration

* (Optionally) Azure Log Analytics

* An Azure Subscription

>> Required permissions

The solution requires delegated permissions with one of these roles:

* Global admin

* Privileged authentication admin

* Authentication admin

>> Use cases

* Have users registered for MFA and SSPR as part of account provisioning

* Lock down MFA registration completely

* Get to compliant Multi-Factor Authentication state in record time

* Have SSPR work from the user's first day

* Register users that never seem to get caught by registration prompts

>> Installation

>> Creating the Automation Account

Create a new Automation Account with a RunAs account. Configure the subscription, resource group, location, and leave "Create Azure Run As account" on "Yes".

>> Adding API permissions to the Service Principal

>> Delegated permissions

* USERAUTHENTICATIONMETHOD.READWRITE.ALL

>> Application permissions

* USER.READ.ALL

* REPORTS.READ.ALL

* GROUPMEMBER.READ.ALL

>> Default client type

Set the App registration to treat the application as a public client under AUTHENTICATION > DEFAULT CLIENT TYPE > YES.

>> Creating the service account

Assign the AUTHENTICATION ADMINISTRATOR role:

If using PIM, assign as ACTIVE and PERMANENTLY ASSIGNED:

>> Password policy

>> [powershell]

$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile

$PasswordProfile.Password = "Verylongandhardpasswordtoguess1sttimearound"

$PasswordProfile.ForceChangePasswordNextLogin = $false

Set-AzureADUser -ObjectId "[email protected]" -PasswordPolicies DisablePasswordExpiration -PasswordProfile $PasswordProfile

>> Configuring the Automation Account

>> Credentials

Create a credential called DELEGATESERVICEACCOUNT with the service account username and password.

>> Variables

* ENABLESTAGINGGROUP - Boolean, set to True for piloting

* STAGINGGROUPNAME - String, the Azure AD security group name

>> Installing the MSAL.PS module

>> Importing the script

Download the script from GitHub: AzAutomationScript4MFAPrePopulate.ps1 (https://github.com/MSEndpointMgr/AzureAD/blob/master/AzureMFAProvisioning/AzAutomationScript4MFAPrePopulate.ps1)

Or use the automated deployment ARM template:

>> Log Analytics for enhanced monitoring

Example Kusto queries for monitoring:

>> [kusto]

AzureDiagnostics

| where RunbookName_s == "AzAutomationScript4MFAPrePopulate" and StreamType_s == "Output" and ResultDescription startswith "\"Status:"

| parse ResultDescription with * "Status: " Status "; User: " User "; Message:" Message

| project User, Status, Message, TimeGenerated

| summarize count() by Status

>> Authentication Methods Usage and Insights

Microsoft's preview dashboard for monitoring MFA/SSPR deployment:

>> Caveats

* EXECUTION LIMITS: Approximately 2000 users/hour processing speed

* FAIR SHARE: Azure Automation unloads runbooks after 3 hours (6000 user limit per run)

* GRAPH TOKEN EXPIRATION: Refresh token method included in the solution

* REPORT DELAYS: Audit/reporting data may not update immediately

* PHONE FORMAT: Numbers should be in format +AAA BBBBBBBBBBB

* BETA GRAPH API: The endpoints used are beta and subject to change

>> Final words

This was a collaboration between @michael_mardahl, @jankeskanke, and @sandy_tsang. The solution is provided freely to the community as inspiration.

185 lines

C:\IPHASE\POSTS\AZURE\PREPOP~1.TXT

1 Help 3 Home 5 About 7 Posts 8 Contact 10 LinkdIn