Implementing Multi-Factor Authentication (MFA) in Azure


Almost 90% of security incidents reported in the last 5 years were due to identity misconfigurations. This can also be seen in how the OWASP Top 10 Security Vulnerabilities changed from 2017 to 2021: it now lists "Broken Access Control" as the top security issue for organizations globally to tackle.
MFA is a security enhancement that adds an additional layer of verification on top of the standard credentials used for authentication. Azure supports many forms of Multi-Factor Authentication, including text messages, mobile app notifications, hardware tokens, etc., allowing organizations to tailor their security approach to user needs and risk levels.
This blog focuses on exploring MFA and the configuration needed for its implementation.
Entra ID
Entra ID, formerly Azure Active Directory, is a service offering from Microsoft that provides identity and access management to help secure users, applications, and resources across cloud and on-premises environments.
Before we start, we need an active Azure subscription. We can make use of the 12-month free tier, which includes a set of popular services with monthly usage limits.
Now we need to locate and navigate to the Entra ID service. This can be done either by searching in the search box in the navbar or by selecting it from the services listed in the Azure portal.
User Provisioning
To start creating a user in Entra ID, select Users from the left panel under Manage, which lists all the available inner configurations related to Users, Groups, RBAC controls, administrative and other delegations.
This shows us all the users created in Microsoft Entra. If this is your first time exploring Azure, you will naturally see only one user, your admin account. So, let's add a user using + New user. This allows us to create users and also to invite users for collaboration, but in this instance we are adding a user to our newly created Azure tenant.
While creating this account, let us make use of the auto-generated password for logging in and testing out MFA, as these accounts will be prompted to change their password at a future login.
After adding the basic information, let's head over to the Properties tab to fill out the other Identity information, the Manager for this account/user, and the Usage location under Settings before we review and create this test account. I have chosen myself as manager for this test account, so we naturally select the admin account to manage this test user.
Lastly, we have to add the location information too. As I am currently based in India, I will be choosing the same. This will play a role in testing out many other features available in Microsoft Entra ID, like Privileged Identity Management, Conditional Access, etc. So let us add the usage location for this user, then review and create to finalize the user provisioning part.
With all these steps done, we can see the list of user(s) currently available. This window lets us view quick information like display name, user principal name, user type and so on.
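The same provisioning steps, expressed as the Microsoft Graph request bodies the portal sends on our behalf, as an added example that is not code from the original post or from Microsoft. It builds the body for POST /users (temporary password that must be changed at next sign-in, usage location) and the body for PUT /users/{id}/manager/$ref, and checks the inputs before they are sent. The tenant domain contoso.onmicrosoft.com, the user ids and the TestUser01 values are constructed placeholders; nothing is sent over the network, so it runs offline.

```python
"""Build and validate Graph request bodies for the user-provisioning steps
(POST /users, PUT /users/{id}/manager/$ref). Added example; no network calls."""
import re
import secrets
import string
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# Character classes Entra ID counts toward password complexity (3 of 4 required).
_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_+=?"]


def generate_temp_password(length: int = 16) -> str:
    """Random temporary password, in the spirit of the portal's auto-generated one.
    Guarantees at least one character from every class, then shuffles."""
    if length < 8:
        raise ValueError("Entra ID requires at least 8 characters")
    rng = secrets.SystemRandom()
    chars = [rng.choice(cls) for cls in _CLASSES]
    alphabet = "".join(_CLASSES)
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def password_meets_complexity(pw: str) -> bool:
    """8-256 characters and at least 3 of the 4 character classes."""
    classes_hit = sum(any(c in cls for c in pw) for cls in _CLASSES)
    return 8 <= len(pw) <= 256 and classes_hit >= 3


def build_user_request(display_name: str, upn: str, usage_location: str,
                       temp_password: Optional[str] = None) -> dict:
    """Body for POST /users. forceChangePasswordNextSignIn mirrors the portal
    behaviour that makes the user replace the temporary password at next login."""
    if not re.fullmatch(r"[A-Z]{2}", usage_location):
        raise ValueError("usageLocation must be an ISO 3166-1 alpha-2 code, e.g. IN")
    if "@" not in upn:
        raise ValueError("userPrincipalName must be in user@domain form")
    pw = temp_password or generate_temp_password()
    if not password_meets_complexity(pw):
        raise ValueError("temporary password does not meet complexity rules")
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": upn.split("@", 1)[0],
        "userPrincipalName": upn,
        "usageLocation": usage_location,
        "passwordProfile": {
            "forceChangePasswordNextSignIn": True,
            "password": pw,
        },
    }


def build_manager_ref(user_id: str, manager_user_id: str) -> tuple:
    """(URL, body) for PUT /users/{id}/manager/$ref; the body points at the manager."""
    url = f"{GRAPH}/users/{user_id}/manager/$ref"
    body = {"@odata.id": f"{GRAPH}/users/{manager_user_id}"}
    return url, body


if __name__ == "__main__":
    # Constructed sample values; ids would come from the POST /users response.
    body = build_user_request("TestUser01", "testuser01@contoso.onmicrosoft.com", "IN")
    print(body)
    print(build_manager_ref("<testuser01-object-id>", "<admin-object-id>"))
```

The two bodies are all the portal needs for the Basics and Properties steps; the password is printed here only so the test login can be performed, and the force-change flag ensures it is short-lived.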
MFA Configuration options
We are done setting up a user for MFA. As of now there are two options for MFA:
Per-User MFA (Legacy)
MS Entra ID Authentication Methods
MS Entra ID Authentication Methods is an offering under the Premium P1 and P2 licenses of Entra. For this blog let us take a look at Per-User MFA first, as this is foundational to the other MFA option in MS Entra.
This is where we select the account/user we just created and Enable per-user MFA. This prompts the user to register for MFA at their next sign-in. If the "remember MFA on trusted devices" setting is enabled, they can defer it for the chosen number of days (typically up to 90).
So let us enable and enforce MFA to test the regular flow.
As you can see, I have enabled and enforced Per-User MFA for TestUser01 and now we can verify if this is working correctly as we configured so far.
Validating MFA Configs
Now to validate this, let us use another browser or a private session in the same browser and try logging into the Azure portal using the email and password associated with the test account we created and enabled and enforced Per-User MFA for.
Here we see the Action Required message after we have provided the credentials for the MFA-enabled account. Clicking Next will require that user to authenticate using an authenticator app.
I have already downloaded the Microsoft Authenticator app and completed my setup in the app. We need to add the test account as a Work or school account when asked to scan the QR code through the authenticator app.
After we are done scanning with the authenticator app and clicking "Next", we will be prompted to enter a two-digit code in the authenticator app for us to successfully log in to the Azure portal.
With the correct code entered in the authenticator app, we will see the following success message:
I am positive you will be directed to the Azure portal as this freshly created test account in Entra ID, which has submitted its credentials during login and passed the MFA challenge. We can verify this further with the user principal name for this account at the top right of the portal, as shown in the final image below:
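Checking one test login by hand is fine for a lab; for a tenant you will want to verify the enable/enforce step and the sign-in validation above from data. The following is an added example, not code from the original post or from Microsoft, that does both over constructed records: it lists users whose per-user MFA is not actually enforced, and it scans sign-in log entries to confirm that enforced users were challenged and completed a second factor. The record shapes follow my understanding of Microsoft Graph (the beta users/{id}/authentication/requirements response with perUserMfaState, and v1.0 auditLogs/signIns entries with status.errorCode, authenticationRequirement, clientAppUsed and mfaDetail.authMethod) and should be treated as assumptions; the domain contoso.onmicrosoft.com, user names and timestamps are constructed.

```python
"""Audit per-user MFA coverage and confirm from sign-in logs that enforced users
completed a second factor. Added example over constructed, inline data."""
from collections import defaultdict

# Constructed sample of per-user MFA state, keyed by UPN (assumed Graph field
# perUserMfaState: disabled | enabled | enforced).
MFA_STATE = {
    "admin@contoso.onmicrosoft.com": "enforced",
    "testuser01@contoso.onmicrosoft.com": "enforced",
    "testuser02@contoso.onmicrosoft.com": "enabled",    # registration still deferrable
    "svc-backup@contoso.onmicrosoft.com": "disabled",
}

# Constructed sample sign-in records (assumed auditLogs/signIns shape).
SIGN_INS = [
    {"userPrincipalName": "testuser01@contoso.onmicrosoft.com", "createdDateTime": "2025-01-10T09:00:00Z",
     "status": {"errorCode": 50074}, "authenticationRequirement": "multiFactorAuthentication",
     "clientAppUsed": "Browser", "mfaDetail": {}},                       # interrupted for MFA
    {"userPrincipalName": "testuser01@contoso.onmicrosoft.com", "createdDateTime": "2025-01-10T09:01:00Z",
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication",
     "clientAppUsed": "Browser", "mfaDetail": {"authMethod": "Mobile app notification"}},
    {"userPrincipalName": "admin@contoso.onmicrosoft.com", "createdDateTime": "2025-01-10T10:00:00Z",
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication",
     "clientAppUsed": "Exchange ActiveSync", "mfaDetail": {}},           # enforced user, one factor only
    {"userPrincipalName": "testuser02@contoso.onmicrosoft.com", "createdDateTime": "2025-01-10T11:00:00Z",
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication",
     "clientAppUsed": "Browser", "mfaDetail": {}},
]

# AADSTS codes that mean "MFA challenge issued", not a failed login.
MFA_INTERRUPT_CODES = {50074, 50076}


def coverage_gaps(mfa_state):
    """Users whose per-user MFA is not 'enforced'. 'enabled' is only a pending
    registration the user may defer, so it is counted as a gap."""
    return sorted(upn for upn, st in mfa_state.items() if st != "enforced")


def single_factor_successes(sign_ins, mfa_state):
    """Completed sign-ins by enforced users that satisfied only one factor.
    Each one deserves a look: the policy says MFA, the log says otherwise."""
    hits = []
    for s in sign_ins:
        upn = s["userPrincipalName"]
        if mfa_state.get(upn) != "enforced":
            continue
        if s["status"].get("errorCode", 0) != 0:
            continue  # failed or interrupted attempt, not a completed login
        if s.get("authenticationRequirement") == "singleFactorAuthentication":
            hits.append((upn, s["createdDateTime"], s.get("clientAppUsed")))
    return hits


def mfa_challenge_summary(sign_ins):
    """Per user: MFA interrupts seen vs. sign-ins completed with a second factor.
    A quick check that the challenge is really presented and passed."""
    stats = defaultdict(lambda: {"challenged": 0, "passed_mfa": 0})
    for s in sign_ins:
        upn = s["userPrincipalName"]
        code = s["status"].get("errorCode", 0)
        if code in MFA_INTERRUPT_CODES:
            stats[upn]["challenged"] += 1
        elif (code == 0 and s.get("authenticationRequirement") == "multiFactorAuthentication"
              and s.get("mfaDetail", {}).get("authMethod")):
            stats[upn]["passed_mfa"] += 1
    return dict(stats)


if __name__ == "__main__":
    print("coverage gaps:", coverage_gaps(MFA_STATE))
    print("single-factor logins by enforced users:", single_factor_successes(SIGN_INS, MFA_STATE))
    print("challenge summary:", mfa_challenge_summary(SIGN_INS))
```

On the sample data the test user shows one interrupt followed by one sign-in completed with the app notification, which is exactly the flow walked through above, while the admin account surfaces as an enforced user with a completed single-factor login that should be investigated.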
What next?!
In this blog, we explored the core features of Multi-Factor Authentication (MFA) in Microsoft Entra ID. While this demonstration used the free tier, it’s worth noting that Entra ID offers powerful identity governance and protection capabilities under paid licenses — ideal for more advanced IAM scenarios.
As threats continue to evolve, so must our security strategies. MFA is a critical first step in building a strong, resilient identity management framework.
Stay tuned for future posts, where we’ll dive into more advanced Entra ID features and key security controls designed to support enterprise-grade protection.
Written by Prashant Mishra
