Azure AD – Protect cloud administrator access with MFA and Yubikey NEO

Today it is very important that we protect our cloud administrator accounts with a second verification method. Multi-factor authentication makes it much harder for an attacker to break in: even when the attacker has managed to learn the password of the global administrator account, that password is still useless without possession of the second authentication factor.

In this example of protecting your global administrator with Multi-Factor Authentication, the following components are used:

  • Global Administrator account with MFA enabled (users assigned the Azure AD Global Administrator role in Azure AD tenants can enable two-step verification at no additional cost).
  • YubiKey NEO
  • Yubico Authenticator

This means we end up with a solution that needs two extra components: a device with the Yubico Authenticator installed, and a YubiKey that has been configured to provide an OATH token through the Authenticator. You can use your YubiKey on every device where the Yubico Authenticator has been installed.

How-to?

Configuration of the Azure AD Global Administrator account.

Azure Active Directory – Go-to Multi-Factor Authentication

When you go to the Azure portal >> Azure Active Directory >> Users, you will find an item in the top-level menu labelled “Multi-Factor Authentication”. This opens a second window where you can enable MFA for your global administrator accounts.

Multi-factor authentication

Configuration of MFA authentication at next logon.

At the next logon of the global administrator account, the user will need to configure MFA, so the Yubico Authenticator must be installed on the device and the YubiKey must be connected to it.

Go to the Azure Portal, type the email address of the Azure administrator and click [Next]

Add email address of the global administrator for your Azure Tenant.

Enter password of the global administrator and click [Sign in]

Enter password of the global administrator account.
More information required because MFA has been enabled

Click [Next]
Select [Mobile app], then select [Use verification code] and click [Set up]

First QR code

Click [Configure app without notifications]; this will generate a new QR code.

Second QR code, open Yubico Authenticator

In the Yubico Authenticator, click [File] >> [Scan QR Code …]. This reads the QR code shown in your Microsoft configuration window. The information is loaded into the Authenticator and, by clicking the [Save credential] button, the settings are saved on your YubiKey. The Authenticator then starts generating OATH tokens that expire every 30 seconds.

Click [Next]

Enter the verification code and click [Verify]

Enter telephone/mobile number

Click [Next]

Click [Done]

Login to the Azure portal has been completed. When you remove the YubiKey from the device, the generation of verification codes stops.

No YubiKey connected to the device.

Likes and comments are welcome!

