Require Multi-Factor Authentication for Azure VM Login
Ensuring the security of your Azure Virtual Machines (VMs) is essential to protect sensitive data and infrastructure from unauthorized access. One effective way to enhance security is by enforcing Multi-Factor Authentication (MFA) for all users logging into Azure VMs. This can be done through Microsoft Entra, a solution that helps businesses manage and secure their identities. In this post, I will walk through the steps to configure a Conditional Access policy in Microsoft Entra to require MFA for logging into Azure VMs.
By implementing MFA, you add an extra layer of security beyond just passwords, making it significantly harder for attackers to gain unauthorized access to your Azure environment.
What is Microsoft Entra?
Microsoft Entra is a comprehensive identity and access management (IAM) solution that provides tools to manage and secure identities, protect resources, and control access to applications and data. It includes capabilities such as Conditional Access, which allows administrators to configure policies that control access to resources based on specific conditions, such as the user’s location, device state, and more.
Why Require Multi-Factor Authentication (MFA) for Azure VM Login?
- Enhanced Security: Passwords alone are vulnerable to attacks like phishing, brute force, and credential stuffing. MFA adds an extra layer of verification, such as a text message, authentication app, or biometric scan, ensuring only authorized users can log in.
- Compliance Requirements: Many organizations must adhere to industry standards or regulatory requirements (e.g., GDPR, HIPAA, PCI DSS) that mandate MFA for certain users accessing critical infrastructure like Azure VMs.
- Risk Reduction: By requiring MFA, you reduce the risk of unauthorized access to sensitive systems, preventing potential data breaches and malicious activity.
Steps to Configure Conditional Access Policy in Microsoft Entra for MFA Requirement
Let’s dive into the detailed steps to configure Conditional Access in Microsoft Entra and enforce MFA for logging into Azure VMs.
Log in to the Microsoft Entra Admin Center with your administrator credentials. In the left navigation pane, click on Protection, then click on Conditional Access. In the Conditional Access section, click on + Create new policy to create a new policy manually.

Give the policy a descriptive name, such as Require MFA for Azure VM Login. In the Assignments section, click on Users. Select All users if you want to enforce the policy for everyone or choose Select users and groups to apply the policy to a specific set of users (e.g., only admins or a specific group of employees).

Click on Exclude to exclude some users or groups based on your organization’s needs. It’s important that you don’t lock yourself out. I will exclude my account as shown below.

Click on Target resources and choose Select resources. Search for Azure and select Azure Linux VM Sign-in and Azure Windows VM Sign-in. Click on Select.

After clicking on Select, your screen should look similar to the screenshot below.

Click on Network and select Yes under Configure. Then select Any network or location.

Under the Access controls section, click on Grant. Choose the Grant access option, then select the Require multi-factor authentication checkbox. This ensures that MFA is mandatory for users to access the Azure VMs.

It is important to test the policy before enabling it for all users. Leave it as Report-only, review the policy settings, and make sure everything looks good. Then click on the Create button.

Once the policy has been tested and is working as expected, it’s time to turn it on.
Click on Protection, then click on Conditional Access. In the Conditional Access section, click on Policies. Here you will see the list of your Conditional Access policies. Click on the policy you want to turn on to edit it.

In the Enable policy section, toggle the setting to On to enable the policy. Click on the Save button to save the policy.
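
The same policy can be created from a script, which makes it reviewable and repeatable. The following is an added example using the Microsoft Graph PowerShell module, not part of the original walkthrough. It assumes a placeholder account (`breakglass@example.com`) as the excluded user and that the resource display names shown in the portal search resolve in your tenant.

```powershell
# Added example: requires the Microsoft.Graph PowerShell module.
# Assumptions (not from the original post): the excluded UPN is a placeholder,
# and the resource names match the display names in your tenant.
$ExcludedUpn   = 'breakglass@example.com'
$ResourceNames = 'Azure Windows VM Sign-in', 'Azure Linux VM Sign-in'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'User.Read.All'

# Resolve the excluded account first and stop if it is missing, so the policy
# is never created without the lockout exclusion.
$excluded = Get-MgUser -UserId $ExcludedUpn -ErrorAction Stop

# Resolve both VM sign-in resources to their application (client) IDs.
$appIds = foreach ($name in $ResourceNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" |
          Select-Object -First 1
    if (-not $sp) { throw "Resource '$name' not found in this tenant." }
    $sp.AppId
}

$policy = @{
    displayName   = 'Require MFA for Azure VM Login'
    state         = 'enabledForReportingButNotEnforced'    # Report-only
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($excluded.Id)
        }
        applications   = @{ includeApplications = @($appIds) }
        locations      = @{ includeLocations = @('All') }  # Any network or location
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                         # Require multi-factor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After testing in report-only mode, turn the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

The final `Update-MgIdentityConditionalAccessPolicy` call is left commented out so the policy stays in report-only mode until you have confirmed it behaves as expected.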

Conclusion
Enforcing Multi-Factor Authentication (MFA) through Conditional Access policies in Microsoft Entra is an essential step in securing access to Azure Virtual Machines. By configuring a policy that requires MFA, you significantly reduce the risk of unauthorized access and bolster your security measures. With the right configurations, you can ensure that only legitimate users with verified identities can access your critical infrastructure.