Posts

Showing posts from April, 2023

How to enable MFA in Azure AD

From an administrator's perspective, MFA activation in Azure AD is straightforward:

1. In the Azure portal, navigate to Azure Active Directory and select the Users navigation pane. In the upper navigation pane, select Per-user MFA, as shown in Figure 1.1.

Figure 1.1 – MFA activation in the Azure portal

2. You will be redirected to a retro-style portal at the windowsazure.com domain, in which you can enable or disable MFA for single users or bulk-update them by selecting several accounts or by uploading a CSV file in the users tab.

3. Before you enable MFA for all user accounts, first switch from the users tab to the service settings tab to configure some custom settings for your environment, as shown in Figure 1.2.

Figure 1.2 – Service settings for MFA

The first option is to allow or disallow users to create app passwords for legacy non-browser apps that do not support MFA. Outlook used to be such an application back in the day; however, nowadays, most applications should be able to aut...

Understanding MFA

There are few technical features that protect your accounts more than using MFA. With MFA, it is not enough to know a username and a password; you are also challenged to prove who you are using another authentication factor. With MFA, you generally need to be able to log in with the following:

• Something you are, such as your user account name or a biometric attribute
• Something you know, such as a password
• Something you have, such as an additional authentication factor (smartcard, smartphone app, or security key)

Given that an MFA challenge is only triggered following a successful login attempt, MFA still relies on passphrases that are not easy to guess. In other words, if an MFA challenge is triggered, the respective username/password combination has already been successfully validated (refer to the following screenshot for reference):

Today, there are several options for using MFA in Azure AD:

• A push message from the Microsoft Authenticator smartphone app
• A one-t...

Dictionary attacks and password protection in Microsoft Azure AD

Dictionary attacks, such as brute-force and password spray attacks, still find success every day. In a dictionary attack, attackers try combinations of usernames and well-known, often-used passwords against an authentication service. A brute-force attack is noisier and easier to recognize: the attacker tries lots of passwords against a single user account, hoping that one of the attempts will be successful. In the backend, you will see lots of failed login attempts, so you can easily react to them. A password spray attack, however, is far more subtle, since the attacker uses only a small set of passwords against lots of user accounts. If the attempts are very slow and widely distributed, the attack is very hard to notice. To avoid successful password spray and brute-force attacks in the cloud and, to be more precise, in Azure AD, there are some easy best practices:

• Encourage your users to u...