How to assess the impact of MFA enforcement in Azure

Post category: Azure
Post last modified: June 27, 2024

Following a couple of announcements from the Azure team at Microsoft regarding the enforcement of MFA across Azure management resources, it is imperative that, even if you think you are covered, you assess your environment to understand the potential impact of this change.

On May 14th, Microsoft released an ambiguous article that caused a stir in the community. It simply stated that MFA would be enforced for all users administering Azure in any capacity. Since then, more clarification has been released to help prevent users from being caught out by these large-scale changes.

Read on for key information about what is changing and to learn how you can assess the impact of MFA enforcement on your tenant.

Key dates for MFA enforcement in Azure

The Azure team has highlighted some key dates:

  • Starting July 2024, MFA enforcement for all customers will begin for the Azure Portal.
  • In mid-August 2024, an announcement regarding the exemption process for emergency access accounts will be made.
  • Starting early 2025, MFA enforcement for all customers will begin for all other scenarios, such as the Azure CLI, Azure PowerShell and IaC tools.

Key info for MFA enforcement in Azure

  • This will only impact users signing into the Azure Portal, Azure CLI and IaC tools. It will not impact users signing into services built on Azure.
  • This will include all user types.
  • Enforcement of MFA will be handled by Azure and not by Conditional Access policies.
  • If you already have Security Defaults enabled, then there will be no impact on your user experience.
  • All supported MFA methods are available for you to use, including external authentication methods.
  • An exemption process for emergency access (break-glass account) will be made available and communicated to tenant administrators in mid-August 2024. Exemptions will be time-bound!
  • MFA will be enforced via the following App IDs in Microsoft Entra:

    Azure Portal: c44b4083-3bb0-49c1-b47d-974e53cbdf3c
    Azure CLI: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
    Azure: 1950a258-227b-4e31-a9cf-717495945fc2

Understanding the MFA assessment

To assess your environment, you are going to use the latest version of MSIdentityTools, which was recently updated by Merill Fernando. The new function in this PowerShell module scrapes the Azure sign-in logs and extracts a list of users who have generated events against the Azure application IDs highlighted above. It then loops through each user found and reports on the authentication methods registered on the account. If no MFA-capable authentication method is registered, this is highlighted in the report and the user is deemed to be impacted by the change.

To add some perspective on what the tool is doing, it first uses the following Graph query filter to obtain all successful sign-in logs for the app IDs above.

(appid eq 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c' or appid eq '04b07795-8ddb-461a-bbee-02f9e1bf7b46' or appid eq '1950a258-227b-4e31-a9cf-717495945fc2') and status/errorcode eq 0 and createdDateTime ge 2024-05-15T00:00:00Z

This query can be run manually, and the results exported to a grid view, using the following code example:

Connect-MgGraph -Scopes AuditLog.Read.All

# Look back 30 days; the Graph filter expects a full ISO 8601 timestamp, as in the filter shown above
$date = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$select = "userId,userPrincipalName,userDisplayName,appId,createdDateTime,authenticationRequirement"
# Backtick-escape the OData $select and $filter parameter names so PowerShell does not expand them as variables
$uri = "/beta/auditLogs/signIns?`$select=$select&`$filter=(appid eq 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c' or appid eq '04b07795-8ddb-461a-bbee-02f9e1bf7b46' or appid eq '1950a258-227b-4e31-a9cf-717495945fc2') and status/errorcode eq 0 and createdDateTime ge $date"

$report = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject | Select-Object -ExpandProperty Value
$report | Out-GridView

There are some caveats to the above example, such as paging and page size (a single request returns only the first page of results; the remaining pages must be fetched by following @odata.nextLink), but fundamentally it serves to show how the assessment is done.
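The paging caveat matters for the assessment, because a user whose sign-ins all fall on a later page would be silently missed. The following is an added example, not code from the original post or from the MSIdentityTools module: a small helper (the name Get-AllSignInPages is my own) that follows @odata.nextLink until Graph stops returning one, with an explicit page size and a safety cap on the number of pages. It assumes an existing Connect-MgGraph session with AuditLog.Read.All and builds the same filter as above.

```powershell
# Added example (not from the original post): follow @odata.nextLink so the
# assessment sees every matching sign-in, not just the first page Graph returns.
# Assumes an existing Connect-MgGraph session with the AuditLog.Read.All scope.
function Get-AllSignInPages {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [int]$MaxPages = 100   # safety cap so a runaway query cannot loop forever
    )
    $results = [System.Collections.Generic.List[object]]::new()
    $next = $Uri
    $page = 0
    while ($next -and $page -lt $MaxPages) {
        $page++
        $response = Invoke-MgGraphRequest -Method GET -Uri $next -OutputType PSObject
        if ($response.value) { $results.AddRange([object[]]$response.value) }
        # Graph returns a fully qualified URL for the next page, or nothing when done
        $next = $response.'@odata.nextLink'
    }
    if ($next) { Write-Warning "Stopped after $MaxPages pages; the result set is incomplete." }
    return $results
}

# Same filter as the post, built from a list so the app IDs are easy to audit
$date   = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$select = "userId,userPrincipalName,userDisplayName,appId,createdDateTime,authenticationRequirement"
$appIds = @(
    'c44b4083-3bb0-49c1-b47d-974e53cbdf3c',  # Azure Portal
    '04b07795-8ddb-461a-bbee-02f9e1bf7b46',  # Azure CLI
    '1950a258-227b-4e31-a9cf-717495945fc2'   # Azure
)
$appFilter = ($appIds | ForEach-Object { "appid eq '$_'" }) -join ' or '
$filter    = "($appFilter) and status/errorcode eq 0 and createdDateTime ge $date"
# $top sets the page size; Graph still pages beyond it, which the helper handles
$uri = "/beta/auditLogs/signIns?`$select=$select&`$filter=$filter&`$top=500"

$report = Get-AllSignInPages -Uri $uri
"Retrieved $($report.Count) successful sign-ins to the Azure management apps in the last 30 days"
$report | Out-GridView
```

The $report variable produced here has the same shape as the one in the post, so the normalising and per-user steps that follow work unchanged on it.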

The next stage is to obtain a unique list of users from this output. A simple way of doing this is to use the -Unique parameter of Sort-Object on the userPrincipalName property. I call this normalising the report, although the terminology is not entirely accurate.

$Normalised = $report | Sort-Object -Property userPrincipalName -Unique
$Normalised | Out-GridView

The last step is to loop through each user to obtain the registered MFA methods. I demonstrate a similar concept in my blog post Export All Microsoft 365 Users MFA Status with PowerShell. For this, I will create a simple loop, like so:

#Auth methods summary from the MSIdentityTools module
$authMethods = @(
    @{
        ReportType  = 'passKeyDeviceBoundAuthenticator'
        Type        = $null
        DisplayName = 'Passkey (Microsoft Authenticator)'
        IsMfa       = $true
    },
    @{
        ReportType  = 'passKeyDeviceBound'
        Type        = '#microsoft.graph.fido2AuthenticationMethod'
        DisplayName = "Passkey (other device-bound)"
        IsMfa       = $true
    },
    @{
        ReportType  = 'email'
        Type        = '#microsoft.graph.emailAuthenticationMethod'
        DisplayName = 'Email'
        IsMfa       = $false
    },
    @{
        ReportType  = 'microsoftAuthenticatorPush'
        Type        = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
        DisplayName = 'Microsoft Authenticator'
        IsMfa       = $true
    },
    @{
        ReportType  = 'mobilePhone'
        Type        = '#microsoft.graph.phoneAuthenticationMethod'
        DisplayName = 'Phone'
        IsMfa       = $true
    },
    @{
        ReportType  = 'softwareOneTimePasscode'
        Type        = '#microsoft.graph.softwareOathAuthenticationMethod'
        DisplayName = 'Authenticator app (TOTP)'
        IsMfa       = $true
    },
    @{
        ReportType  = $null
        Type        = '#microsoft.graph.temporaryAccessPassAuthenticationMethod'
        DisplayName = 'Temporary Access Pass'
        IsMfa       = $false
    },
    @{
        ReportType  = 'windowsHelloForBusiness'
        Type        = '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
        DisplayName = 'Windows Hello for Business'
        IsMfa       = $true
    },
    @{
        ReportType  = $null
        Type        = '#microsoft.graph.passwordAuthenticationMethod'
        DisplayName = 'Password'
        IsMfa       = $false
    },
    @{
        ReportType  = $null
        Type        = '#microsoft.graph.platformCredentialAuthenticationMethod'
        DisplayName = 'Platform Credential for MacOS'
        IsMfa       = $true
    },
    @{
        ReportType  = 'microsoftAuthenticatorPasswordless'
        Type        = '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod'
        DisplayName = 'Microsoft Authenticator'
        IsMfa       = $true
    }
)

# Collect one result row per user; a generic List supports .Add(), which a plain array does not
$Assessment = [System.Collections.Generic.List[object]]::new()

# Reading /authentication/methods requires the UserAuthenticationMethod.Read.All scope
Foreach ($user in $Normalised){
    $UserUri = "/v1.0/users/$($user.UserId)/authentication/methods"
    $UserAuthMethods = (Invoke-MgGraphRequest -Method GET -Uri $UserUri -OutputType PSObject | Select-Object -ExpandProperty Value) | Select-Object '@odata.type'
    $UserMFAauthMethods = @()
    Foreach ($method in $UserAuthMethods){
        # Exact match on the OData type; -match would treat the dots as regex wildcards
        $value = $AuthMethods | Where-Object {$_.Type -eq $method.'@odata.type'}
        If ($value.IsMfa -eq $true){
            $UserMFAauthMethods += $value.DisplayName
        }
    }
    $obj = [PSCustomObject][Ordered]@{
         "Member"                 = $user.userPrincipalName
         "MFA Ready"              = if(!$UserMFAauthMethods){"Not Ready"}else{"Ready"}
         "MFA Methods registered" = ($UserMFAauthMethods | Sort-Object -Unique) -join ", "
    }
    $Assessment.Add($obj)
}

$Assessment | Out-GridView

Once this last code piece has run, you will be left with a report that looks similar to the following:

(Screenshot: MFA Assessment Report)

Running the MFA assessment

Practically speaking, you want to make the process as simple as possible. For this, you should install the MSIdentityTools PowerShell module, which uses some of the code shown above. To install the module, run the following command in PowerShell 7.

Install-Module MsIdentityTools -Scope CurrentUser -Force

You can check you are on the latest version by visiting the PowerShell gallery page for MSIdentityTools.

Once the module is installed, start by connecting to Microsoft Graph using the following command. You will be prompted to provide admin consent for the requested permissions.

Connect-MgGraph -Scopes AuditLog.Read.All, Directory.Read.All, UserAuthenticationMethod.Read.All

To produce the report, run the below command and a detailed Excel report will be saved to the location you specify.

Export-MsIdAzureMfaReport -ExcelWorkbookPath .\report.xlsx -Days 30

(Screenshot: Azure MFA report)

You can use this information to target improvements for user accounts which are likely to be impacted. Notice from the report above that the user Bill Gates has signed in with MFA but the Authentication Methods column is empty. This is because the user is configured with External Authentication Methods using Duo. EAM is currently in preview and the reporting information is not yet available in the Graph API. For more information on EAM, check out:
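The EAM case above is worth handling explicitly, because the sign-in log already tells you whether a sign-in satisfied MFA (the authenticationRequirement field selected earlier) even when the registered-methods call returns nothing. The following is an added example, not code from the original post or the MSIdentityTools module: it cross-references the sign-in rows with the assessment rows and separates three outcomes, so an account that satisfied MFA through an external method is flagged for review rather than being counted as "Not Ready". The $signIns and $assessment values are constructed sample data standing in for $report and $Assessment from the earlier steps, and the function name Get-MfaReadinessSummary is my own.

```powershell
# Added example (not from the original post): classify each user from the
# sign-in evidence plus the registered-methods assessment.
# $signIns and $assessment are constructed sample data shaped like $report and
# $Assessment from the earlier steps; swap the real variables in to run it for a tenant.
$signIns = @(
    [PSCustomObject]@{ userPrincipalName = 'alice@contoso.example'; appId = 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'; authenticationRequirement = 'multiFactorAuthentication' }
    [PSCustomObject]@{ userPrincipalName = 'bob@contoso.example';   appId = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'; authenticationRequirement = 'singleFactorAuthentication' }
    [PSCustomObject]@{ userPrincipalName = 'bob@contoso.example';   appId = 'c44b4083-3bb0-49c1-b47d-974e53cbdf3c'; authenticationRequirement = 'singleFactorAuthentication' }
    [PSCustomObject]@{ userPrincipalName = 'carol@contoso.example'; appId = '1950a258-227b-4e31-a9cf-717495945fc2'; authenticationRequirement = 'multiFactorAuthentication' }
)
$assessment = @(
    [PSCustomObject]@{ Member = 'alice@contoso.example'; 'MFA Ready' = 'Ready';     'MFA Methods registered' = 'Microsoft Authenticator' }
    [PSCustomObject]@{ Member = 'bob@contoso.example';   'MFA Ready' = 'Not Ready'; 'MFA Methods registered' = '' }
    [PSCustomObject]@{ Member = 'carol@contoso.example'; 'MFA Ready' = 'Not Ready'; 'MFA Methods registered' = '' }
)

function Get-MfaReadinessSummary {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [Parameter(Mandatory)][object[]]$Assessment
    )
    # Group sign-ins per user so each account is classified once
    $byUser = $SignIns | Group-Object -Property userPrincipalName
    foreach ($group in $byUser) {
        $upn = $group.Name
        # Did any successful sign-in to the Azure management apps actually satisfy MFA?
        $satisfiedMfa = [bool]($group.Group | Where-Object { $_.authenticationRequirement -eq 'multiFactorAuthentication' })
        $row = $Assessment | Where-Object { $_.Member -eq $upn } | Select-Object -First 1
        $registered = [bool]($row -and $row.'MFA Ready' -eq 'Ready')
        $status = if ($registered) { 'Ready' }
                  elseif ($satisfiedMfa) { 'Review: MFA satisfied but no registered methods (external method?)' }
                  else { 'Not Ready: single-factor sign-ins only' }
        [PSCustomObject][Ordered]@{
            Member            = $upn
            SignIns           = $group.Count
            AppsUsed          = ($group.Group.appId | Sort-Object -Unique) -join ', '
            SatisfiedMfa      = $satisfiedMfa
            RegisteredMethods = if ($row) { $row.'MFA Methods registered' } else { '' }
            Status            = $status
        }
    }
}

$summary = Get-MfaReadinessSummary -SignIns $signIns -Assessment $assessment
$summary | Format-Table -AutoSize
# Priority list for remediation: accounts with no MFA evidence at all
$summary | Where-Object Status -like 'Not Ready*' | Select-Object Member, AppsUsed
```

With the sample data, alice is Ready, bob is Not Ready (two single-factor sign-ins and no registered methods), and carol lands in the Review bucket, which is the pattern the EAM user in the screenshot shows: MFA satisfied at sign-in, but nothing the methods API can report yet.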

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
