Azure AD MFA enhancements
I'd like to suggest a couple of enhancements to Azure MFA (not MFA Server).
Ability to pre-provision users at scale (send QR code to selected users via email, import mobile numbers into the protected 'authentication contact info' area in the user's profile via PowerShell, etc.)
Provide a method for users to change their MFA device or bypass MFA if the device isn't available (security / secret questions in lieu of MFA, alternate personal email, etc.)
Provide administrators a method to bypass MFA for a user (one-time bypass, bypass MFA for 'x' amount of time, provide a temp code that will work for 'x' amount of time, etc.)
Set up an RBAC role besides GA that can force a user to re-register for MFA and can update the protected 'authentication contact info' area in the user's profile
Can you tell us how you set up your NPS to bypass MFA authentication by AD group?
Thank you in advance
A few ideas in this one... I support the bypass management, as we currently have to do this with AAD groups (for Azure/O365 auth) and AD groups (for the NPS Extension for Azure MFA). Both require frequent auditing as it is, and scripts to maintain.
The ability to use an alternate email address for MFA. Example: a user is in an area where cell phones are prohibited and there is no land line. Only access to web-based email for MFA.
God yes, pre-provisioning is a must.
The current method allows for a user account that hasn't proofed up yet to be compromised with just a password. The attacker can then set the MFA method to one of their choice and continue to log in as that user.
We always populate the mobile number field in AD for new staff. We need to be able to set a default auth method of phone call to the mobile number listed in Azure AD. Users who want to use a different method can still use https://aka.ms/mfasetup to change it, but lazy users still have that level of protection.
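The comment above describes the exposure of accounts that have not yet registered an MFA method: a password alone is enough to take them over, and the attacker then chooses the MFA method. An added example (not from the original thread or from Microsoft) that lets an admin find those accounts before someone else does, and shows whether a mobile number already exists in Azure AD to pre-provision from. It assumes the MSOnline PowerShell module (Connect-MsolService / Get-MsolUser), whose user objects expose StrongAuthenticationMethods and MobilePhone; the sample objects at the end are constructed so the function can be exercised without a tenant.

```powershell
# Added example, not part of the original thread. Reports users with no
# registered Azure MFA method ("not yet proofed up") and whether a mobile
# number is already present in Azure AD that could be pre-provisioned.
# Assumes the MSOnline module (Get-MsolUser) and read access to the tenant.

function Get-MfaUnregisteredUser {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$User
    )
    process {
        foreach ($u in $User) {
            # StrongAuthenticationMethods stays empty until the user completes
            # registration at https://aka.ms/mfasetup (or an admin provisions it)
            if (-not $u.StrongAuthenticationMethods -or $u.StrongAuthenticationMethods.Count -eq 0) {
                [pscustomobject]@{
                    UserPrincipalName = $u.UserPrincipalName
                    Licensed          = $u.IsLicensed
                    HasMobileInAAD    = -not [string]::IsNullOrWhiteSpace($u.MobilePhone)
                }
            }
        }
    }
}

# Constructed sample objects (not real accounts) mirroring the properties
# Get-MsolUser returns, so the function can be tested offline.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName           = 'alice@contoso.example'
        IsLicensed                  = $true
        MobilePhone                 = '+1 555 0100'
        StrongAuthenticationMethods = @()
    }
    [pscustomobject]@{
        UserPrincipalName           = 'bob@contoso.example'
        IsLicensed                  = $true
        MobilePhone                 = ''
        StrongAuthenticationMethods = @(
            [pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }
        )
    }
)

# Only alice is reported: no method registered, but a mobile number exists.
$sample | Get-MfaUnregisteredUser | Format-Table -AutoSize

# Against a real tenant (uncomment):
# Connect-MsolService
# Get-MsolUser -All | Get-MfaUnregisteredUser |
#     Export-Csv -Path .\mfa-unregistered.csv -NoTypeInformation
```

Run the exported list against onboarding records so every licensed account with an empty method list is either registered or blocked by a Conditional Access policy that requires registration before first use; the HasMobileInAAD column shows which accounts can be pre-provisioned from the number already stored in the directory.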
Gareth Lloyd commented
Add Azure AD Connect Health module for MFA. We typically install MFA server on the ADFS server. The health module for MFA is a big omission from the Azure AD Connect Health page.
Alex St. commented
One-Time Bypass as a function on Azure MFA is really needed; this should have been implemented already. Also the function to configure One-Time Bypass for a whole day, as this represents the only real-life scenario: when an employee leaves his mobile phone at home, most employees do not go home again just to get their mobile phone.