Multi-factor Authentication will be organizations’ means of authentication verification for a while. After clearing the first hurdles in your organization when implementing multi-factor authentication, consisting of communication, registration and adoption, the next hurdle is optimization.
Why optimize Multi-factor Authentication?
Multi-factor Authentication offers verification of people authenticating to access organizational data, applications, services and/or systems. Beyond the username and password, multi-factor authentication allows for additional verification by prompting the person to prove he or she has access to something (a phone number, a pre-registered app on their phone) or to prove he or she is the person (through facial recognition or a fingerprint).
The recommendation is to have people register for at least two independent multi-factor authentication methods.
- When a person forgets or loses their phone, they can still perform multi-factor authentication and achieve productivity
- When a person gets a new phone, they don’t require the Authenticator app to be pre-registered to be able to perform multi-factor authentication and achieve productivity
- When nothing else works, they can still sign in using their OATH-based token
Now, in some cultures and organizations, people don’t want to install any corporate application on their private phones or have any organizational setting pushed to them. Multi-factor authentication was rolled out, keys were handed out, etc. and now no one in the organization has a firm grip on who uses what authentication method and why.
Azure MFA authentication method analysis
Microsoft offers a Windows PowerShell script to analyse Azure AD user objects to make recommendations on how to improve each user's Azure Multi-factor Authentication configuration.
You can't use a guest (B2B) account to run this script against the target tenant. The script will execute in the guest's home tenant, not the target tenant.
To run the script, you’ll need to meet the following requirements:
- You need an Azure AD tenant, obviously
- You need a Windows system that has networking connectivity to Azure AD. If the system is located behind a proxy or firewall, allow the required traffic by specifying the proxy as the system-wide proxy and/or specify firewall rules to allow the traffic
- You need a Windows system with at least PowerShell version 3 installed
- You need local administrator privileges on the Windows system, unless you’ve previously installed the MSOnline PowerShell module (version 220.127.116.11 of the MSOnline PowerShell Module is required, or up).
- You need networking connectivity to the Nuget infrastructure, unless you’ve previously installed the MSOnline PowerShell module (version 18.104.22.168 of the MSOnline PowerShell Module is required, or up).
- You need permissions in the Azure AD tenant to enumerate user object properties. The user administrator role in Azure AD is the least privilege delegated role that provides these permissions.
Getting the script
Place it in an easily reachable folder on the Windows system.
Getting the Azure AD Tenant ID
The script requires input. It requires the Azure AD TenantID.
There are several ways to get this globally unique identifier (GUID) for your Azure AD Tenant, but below, I’ll show the graphical way to get it:
- Open a browser
- Navigate to the Azure AD Portal
- Sign in with an account in the Azure AD tenant
- Perform multi-factor authentication when prompted
- In the left navigation pane, click on Azure Active Directory.
- In Azure AD’s navigation pane, click on Properties.
- In the main pane, the Tenant ID is shown in the Directory ID field.
- Copy the value.
- Sign out of the Azure AD Portal by clicking on the name of the signed-in account in the top-right corner of the portal experience. Click the Sign out link.
- Close the browser
Sign in with an account that has administrative privileges on the Windows system.
Install or Update the MSOnline Windows PowerShell Module
Open an elevated Windows PowerShell window.
Run the following line of Windows PowerShell to either install or update the MSOnline Windows PowerShell module:
Install-Module MSOnline -force
Run the script
In the existing (still elevated) Windows PowerShell window, navigate to the local folder where you’ve placed the MfaAuthMethodsAnalysis.ps1 script. For instance, you can run the following line:
Then, run the script with the following options:
.\MfaAuthMethodsAnalysis.ps1 -TenantID <YourTenantID> | Out-GridView
Sign in with an Azure AD user account that has at least the User Administrator role assigned and perform multi-factor authentication, when prompted.
The script results in a GridView window with columns for the number of Authentication methods (MfaAuthMethodCount), the default method (DefaultMethod), a column per authentication method (AppNotification, OathTotp, Sms, Phone and AltPhone) and a column with Recommendations. The GridView allows you to sort by column.
The output does not include the actual phone numbers, etc. for privacy reasons.
Putting the information to good use
You can use the authentication method columns to create an inventory of the methods configured. This might result in statistics on the people that won’t use personal gear for business purposes.
You can use the recommendations to allow people in the organization to fulfill all of the multi-factor authentication methods. This way, any of the scenarios that might result in a lock-out (forgotten phone, etc.) do not hinder productivity.
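The inventory and the list of people at risk of a lock-out can also be produced in PowerShell rather than by sorting the GridView by hand. The following is an added example, not part of Microsoft's script: it works on constructed sample rows that use the column names listed above, and the UserPrincipalName column, the True/False cell values and the Recommendations text are assumptions.

```powershell
# Constructed sample rows. Column names follow the GridView columns described above;
# UserPrincipalName, the True/False cell values and the Recommendations text are
# assumptions made for this example.
$rows = @'
UserPrincipalName,MfaAuthMethodCount,DefaultMethod,AppNotification,OathTotp,Sms,Phone,AltPhone,Recommendations
alice@example.test,3,AppNotification,True,True,True,False,False,
bob@example.test,1,Sms,False,False,True,False,False,Register a second method
carol@example.test,0,,False,False,False,False,False,Register for MFA
dave@example.test,2,OathTotp,False,True,False,True,False,
'@ | ConvertFrom-Csv

$methods = 'AppNotification', 'OathTotp', 'Sms', 'Phone', 'AltPhone'

# Per-method inventory: how many users have each method registered.
function Get-MfaMethodInventory {
    param([object[]]$Rows, [string[]]$Methods)
    foreach ($m in $Methods) {
        $n = @($Rows | Where-Object { $_.$m -eq 'True' }).Count
        [pscustomobject]@{
            Method  = $m
            Users   = $n
            Percent = if ($Rows.Count) { [math]::Round(100 * $n / $Rows.Count, 1) } else { 0 }
        }
    }
}

# Users with fewer than two registered methods: the lock-out candidates.
function Get-MfaSingleMethodUser {
    param([object[]]$Rows)
    $Rows |
        Where-Object { [int]$_.MfaAuthMethodCount -lt 2 } |
        Sort-Object { [int]$_.MfaAuthMethodCount } |
        Select-Object UserPrincipalName, MfaAuthMethodCount, DefaultMethod, Recommendations
}

Get-MfaMethodInventory -Rows $rows -Methods $methods | Format-Table -AutoSize
Get-MfaSingleMethodUser -Rows $rows | Format-Table -AutoSize

# Distribution of default methods (an empty name means no default is set).
$rows | Group-Object DefaultMethod -NoElement | Sort-Object Count -Descending
```

To use this on real data, assign the script's output to $rows instead of piping it to Out-GridView, and adjust the 'True' comparison to whatever values the method columns actually contain.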
Use the Azure MFA authentication method analysis script to analyse and optimize Azure multi-factor authentication usage within your organization.
Also, consider other methods to satisfy multi-factor authentication like Windows Hello for Business and FIDO2-based security keys.