How can we improve Azure Active Directory?

Azure AD MFA enhancements

I'd like to suggest a couple of enhancements to Azure MFA (not MFA Server).

Ability to pre-provision users at scale (send QR code to selected users via email, import mobile numbers to the protected 'authentication contact info' area in the user's profile via PowerShell, etc.)

Provide a method for users to change MFA device or bypass MFA if the device isn't available (security/secret questions in lieu of MFA, alternate personal email, etc.)

Provide administrators a method to bypass MFA for a user (one time bypass, bypass MFA for 'x' amount of time, provide temp code that will work for 'x' amount of time, etc.)

Set up an RBAC role besides GA that can force a user to re-register for MFA and can update the protected 'authentication contact info' area in the user's profile

45 votes

JP shared this idea

7 comments

  • lfo38hgf commented

    Hey Doug,

    Can you tell us how you set up your NPS to bypass MFA authentication by AD group?

    Thank you in advance

  • Doug commented

    A few ideas in this one... I support the bypass management as we currently have to do this with AAD groups (for Azure/O365 auth) and AD groups (for NPS Extension for Azure MFA). Both require frequent auditing as they are and scripts to maintain.

  • Anonymous commented

    The ability to use an alternate email address for MFA. Example: user is in an area where cell phones are prohibited and there is no land line. Only access to web-based email for MFA.

  • Ryan commented

    God yes, pre-provisioning is a must.

    The current method allows for a user account that hasn't proofed up yet to be compromised with just a password. The attacker can then set the MFA method to one of their choice and continue to log in as that user.

    We always populate the mobile number field in AD for new staff. We need to be able to set a default auth method of phone call to the mobile number listed in Azure AD. Users who want to use a different method can still use https://aka.ms/mfasetup to change it, but lazy users still have that level of protection.
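The exposure Ryan describes (accounts that have never completed proof-up) and the auditing Doug mentions can be checked from the tenant side. The following PowerShell is an added example, not code posted by any commenter; it assumes the legacy MSOnline module and an already-connected session (Connect-MsolService) with directory-read rights.

```powershell
# Added example (not from the thread): report Azure AD users with no registered
# MFA method, and flag whether a mobile number already exists in Azure AD.
# Assumes the legacy MSOnline module and a session opened with Connect-MsolService.
Import-Module MSOnline

function Get-UnregisteredMfaUsers {
    [CmdletBinding()]
    param(
        # By default only enabled accounts are reported; disabled ones cannot sign in.
        [switch]$IncludeDisabled
    )

    $filter = if ($IncludeDisabled) { 'All' } else { 'EnabledOnly' }

    Get-MsolUser -All -EnabledFilter $filter |
        Where-Object {
            # StrongAuthenticationMethods stays empty until the user completes proof-up,
            # which is exactly the population a password-only compromise would target.
            -not $_.StrongAuthenticationMethods -or $_.StrongAuthenticationMethods.Count -eq 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                DisplayName       = $_.DisplayName
                # Per-user MFA state: Disabled (no requirement), Enabled, or Enforced.
                MfaState          = if ($_.StrongAuthenticationRequirements) {
                                        $_.StrongAuthenticationRequirements[0].State
                                    } else { 'Disabled' }
                # A populated mobile number is the value a phone-call default would use
                # if pre-provisioning existed; today it only tells you who could be covered.
                HasMobileNumber   = -not [string]::IsNullOrWhiteSpace($_.MobilePhone)
                LastDirSync       = $_.LastDirSyncTime
            }
        }
}

# Typical use: review the unregistered population, then export it for follow-up.
$report = Get-UnregisteredMfaUsers
$report | Sort-Object MfaState, UserPrincipalName | Format-Table -AutoSize
$report | Export-Csv -Path .\mfa-unregistered-users.csv -NoTypeInformation
```

Running this on a schedule and diffing the CSV against the previous run gives the recurring audit Doug refers to without hand-maintaining group membership lists.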

  • Gareth Lloyd commented

    Add Azure AD Connect Health module for MFA. We typically install MFA server on the ADFS server. The health module for MFA is a big omission from the Azure AD Connect Health page.

  • Alex St. commented

    One-Time Bypass as a function on Azure MFA is really needed - this should have been implemented already. Also the function to configure One-Time Bypass for a whole day - as this represents the only real-life scenario: when an employee has left his mobile phone at home, most employees do not go home again just to get it.
