Today it is very important that we protect our cloud administrator accounts with a second verification method. Multi-factor authentication makes it more difficult for an attacker to break in: even when the attacker has managed to learn the password of the global administrator account, it is still useless without possession of that second authentication method.
In this example of protecting your global administrator with Multi-Factor Authentication, the following components are used:
- Global Administrator account with MFA enabled. Users assigned the Azure AD Global Administrator role in Azure AD tenants can enable two-step verification at no additional cost.
- YubiKey Neo
- Yubico Authenticator
This means that we will have a solution that needs two extra components: a device with the Yubico Authenticator installed, and a YubiKey that has been configured to provide an OATH token via the Authenticator. You can use your YubiKey on every device where the Yubico Authenticator has been installed.
Configuration of Azure AD Global Administrator account.
When you go to the Azure portal >> Azure Active Directory >> Users, you will find a menu item in the top-level menu named “Multi-Factor Authentication”. This opens a second window where you can enable MFA for your global administrator accounts.
Configuration of MFA authentication at next logon.
At the next logon of the global administrator account, the user will need to configure MFA authentication, and needs to have the Yubico Authenticator installed on, and the YubiKey connected to, the device.
Go to the Azure Portal and type the email address of the Azure Administrator and click [Next]
Enter password of the global administrator and click [Sign in]
Select [Mobile app], then select [Use verification code]. Click [Set up]
Click [Configure app without notifications]; this will generate a new QR code.
In the Yubico Authenticator, select [File] >> [Scan QR Code …]. This reads the QR code generated in your Microsoft configuration window. The information is loaded into the Authenticator, and by clicking the [Save credential] button the settings are saved on your YubiKey. The Authenticator then starts to generate OATH tokens that expire every 30 seconds.
Enter the verification code and click [Verify]
Login to the Azure portal has been completed. When you remove the YubiKey from the device the generation of verification codes will stop.
Likes and comments are welcome!