2FA for Azure AD Apps: How to Enable using Conditional Access Policies

Configuring Two Factor Authentication for Cloud Apps in Azure AD

In an earlier post, we discussed in depth how single sign-on (SSO) for cloud apps in a hybrid Active Directory works and the various methods of implementing it. However, SSO alone cannot serve as a standalone layer of security guarding users from cybercriminals. SSO merely gives users a hassle-free way to use applications seamlessly without resorting to weak passwords and other bad password practices.
 
This also makes SSO a single point of failure if and when an attacker gets hold of a user's Windows credentials: one compromised account gives the attacker access to multiple applications. To prevent this, an added layer of security for applications must be mandated. Two-factor authentication (2FA) requires users to verify themselves with an extra factor, usually something that they have, such as a biometric identification, an OTP sent via email, or a physical device such as a YubiKey. This is used in conjunction with something that the users know: the traditional user name and password.
 
The best-practice way to enable 2FA in Azure AD is through Conditional Access policies. Conditional Access lets administrators create and define policies that dynamically react to end users' sign-in requests and trigger a set of predetermined actions before access is granted to the application. A Conditional Access policy can also be applied to just a subset of users, say, the most privileged ones, such as the local administrators and helpdesk technicians.
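As an added example (not code from the original article), the policy described above expressed with the Microsoft Graph PowerShell SDK: it requires MFA for every cloud app, scoped to members of the Global Administrator and Helpdesk Administrator roles, and is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced. The break-glass group name and the exact role names chosen are assumptions; adjust them to your tenant.

```powershell
# Added example: create a Conditional Access policy that requires MFA for
# privileged role members, using the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph modules are installed and the signed-in account
# can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

# Resolve built-in role template IDs by display name instead of hardcoding GUIDs.
$roleNames = @("Global Administrator", "Helpdesk Administrator")
$roleIds = @(Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id)
if ($roleIds.Count -ne $roleNames.Count) { throw "Could not resolve all role templates" }

# Emergency-access (break-glass) accounts must never be locked out by this policy.
# Group name is an assumption; create the group before running this.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Break-glass exclusion group not found" }

$policy = @{
    displayName   = "Require MFA for privileged roles"
    # Report-only: evaluates and logs what the policy would do without blocking sign-ins.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeRoles  = $roleIds
            excludeGroups = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Once the report-only results look right, switch the policy on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"`.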