At Microsoft Ignite 2019, Microsoft announced free Azure Multi-factor Authentication for all through the new Security Defaults feature for Azure Active Directory: Enable multi-factor authentication for free.
Now, the official documentation shares more information on this feature and it implies that Azure Multi-factor Authentication (Azure MFA) is only free when it is enabled through the Security Defaults and when users in the Azure AD tenant use an Authenticator App as their multi-factor authentication method:
Security defaults allow registration and use of Azure Multi-Factor Authentication using only the Microsoft Authenticator app using notifications.
About Azure Multi-factor Authentication
Azure Multi-factor Authentication (Azure MFA) is a Microsoft service that offers additional verification mechanisms for sign-ins. This service is offered from within Microsoft’s datacenters around the globe through localized points of presence (PoPs).
Azure MFA can be leveraged as an additional verification mechanism through:
- Conditional Access policies
- Azure AD Identity Protection to mitigate risky sign-ins
- Step-up authentication mechanisms, like the OneDrive Personal Vault feature
- The Azure MFA NPS Extension
Azure MFA registration can be combined with the registration for Azure AD Self-service Password Reset, so that registering for one also completes the registration for the other.
About Azure AD Security Defaults
Security Defaults is a new Azure AD feature. As noted in the Release Notes for Azure Active Directory for December 2019, Security Defaults replace the Baseline Policies in Azure AD’s Conditional Access.
As of February 2020, the free Baseline Policies are going away. After that, Conditional Access policies are available only to organizations with Azure AD Premium licenses. The granularity of the Conditional Access Baseline Policies is sacrificed in favor of the Security Defaults, which enable all functionality of the Baseline Policies:
Today, if you enable Security Defaults, the Conditional Access Baseline Policies are removed and you cannot:
- Create any Conditional Access policies, in Azure AD tenants without Azure AD Premium licenses
- Enable any Conditional Access policies, in Azure AD tenants with Azure AD Premium licenses
When you disable Security Defaults, the Conditional Access Baseline Policies do not reappear.
The Default Azure MFA Experience
In an Azure AD tenant without Azure AD Premium licenses, after successfully signing in with the initial password and changing the sign-in password, a person with a new user account is confronted with a More information required page, reading: "Your organization needs more information to keep your account secure."
When clicking Next, the person is met with the following page to register multi-factor authentication, because it is enabled through the Security Defaults:
Here, the person can only register Azure MFA through a mobile app as it is the only option available in the drop-down list.
Changing the Authentication Method
Alternatively, the person can click the Skip for now (14 days until this is required) link on the More information required page and go to the MyProfile experience instead.
Then, in the MyProfile experience, the person can click the ADDITIONAL SECURITY VERIFICATION link on the Security Info tile. Here, the person is greeted with the default option for Authentication phone:
Additionally, in the MySignins experience, the person can add and change verification methods.
An Authenticator App is not required to get free Microsoft Azure MFA.
Azure AD Preview features may change at any time.
Conditional Access Baseline Policies are in public preview. Microsoft warns not to use Azure AD Preview features in production, as they might change any moment. The Conditional Access Baseline Policies will never leave public preview and are going away to make room for the Azure AD Security Defaults. We had been warned…
Microsoft Documentation may differ from actual technical possibilities.
This may be due to development timelines and overarching strategies. Today, you can technically change the authentication method when using free Azure MFA. Furthermore, as admins for Azure AD tenants without Azure AD Premium licenses do not have access to the Azure MFA admin pages, they cannot enable and/or disable specific Azure MFA authentication methods.
Premium licenses are needed to block non-Authenticator App methods
Chief Information Security Officers (CISOs) who have been dreaming of free secure Azure MFA may be rudely awoken by the information in this blogpost. Yes, Azure MFA is now free. No, without Azure AD Premium licenses you cannot control the authentication methods available to people in the Azure AD tenant. Thus, they can use an authentication method that doesn’t meet NIST’s SP800-63B guideline.
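Without Premium licenses an admin cannot block the phone-based methods, but the registration report can at least show who relies on them. The script below is an added example, not code from the original post or from Microsoft: it classifies users from a constructed sample shaped like the Microsoft Graph userRegistrationDetails report (the report endpoint and method names are assumed from the Graph schema; the users and their methods are made up), separating Authenticator App users from those registered with phone-only methods, which NIST SP 800-63B classes as RESTRICTED.

```python
import json

# Constructed sample modelled on the Microsoft Graph report
# GET /reports/authenticationMethods/userRegistrationDetails.
# The users and their registered methods are made up for this example.
SAMPLE_REPORT = json.dumps({"value": [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": True,
     "methodsRegistered": ["softwareOneTimePasscode"]},
    {"userPrincipalName": "dave@contoso.example", "isMfaRegistered": False,
     "methodsRegistered": []},
]})

# The Authenticator App methods, i.e. what the documentation says Security Defaults allow.
AUTHENTICATOR_APP = {"microsoftAuthenticatorPush", "microsoftAuthenticatorPasswordless"}
# Phone (PSTN) methods, which NIST SP 800-63B classes as RESTRICTED authenticators.
PHONE_METHODS = {"mobilePhone", "officePhone", "alternateMobilePhone"}


def classify_user(entry):
    """Return 'unregistered', 'authenticator', 'phone_only' or 'other' for one report row."""
    methods = set(entry.get("methodsRegistered", []))
    if not entry.get("isMfaRegistered") or not methods:
        return "unregistered"
    if methods & AUTHENTICATOR_APP:
        return "authenticator"
    if methods <= PHONE_METHODS:
        return "phone_only"
    return "other"


def audit_registrations(report_json):
    """Group user principal names by registration class so phone-only users can be followed up."""
    buckets = {"unregistered": [], "authenticator": [], "phone_only": [], "other": []}
    for entry in json.loads(report_json).get("value", []):
        buckets[classify_user(entry)].append(entry["userPrincipalName"])
    return buckets


if __name__ == "__main__":
    for bucket, users in audit_registrations(SAMPLE_REPORT).items():
        print(f"{bucket:14s} {len(users):3d}  {', '.join(users)}")
```

Feed it the JSON body of the real report instead of SAMPLE_REPORT to run the same audit against your own tenant.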
Even this may change…
Security Defaults do not have the Preview label in the Azure Portal, but the above method to change the authentication method might change in the future… Also, the line in the Microsoft Documentation can be interpreted as a licensing statement instead of a technical possibility. In that case, people in organizations without Azure AD Premium licenses may break the organization’s compliance by simply following the above route.