How can the Azure portal be improved?

Restrict access to Portal by IP or RSA SecurID

Azure is not more secure than your Live ID email and password.

Using Azure for serious confidential data requires a lot of discipline, and it's hard to prove that you enforce this. E.g. you can configure Live ID to require change of password.

I would love to restrict access to the Portal by IP address, or require a challenge like an RSA SecurID.

99 votes

Thomas (Mentum) shared this idea

This is actually possible today :-)

Check out this article on how to enable IP filtering with multi-factor auth:

Enhancing Azure MFA with Contextual IP Address Whitelisting

http://blogs.technet.com/b/ad/archive/2014/04/25/enhancing-azure-mfa-with-contextual-ip-address-whitelisting.aspx

“Whitelisting a range of IP addresses: Both managed and federated customers have the ability to whitelist a range of IP addresses for MFA in the admin portal.”

9 comments

  • Anonymous commented

    The original question was how to use IP restriction as WELL as TFA, but the answer provided above explains how to use IP Whitelist to SUPPRESS TFA. And IP Whitelist is no longer supported anyway.

  • Anonymous commented

    The Technet article about "IP Whitelist" is out of date and needs to be removed. That feature is no longer on that page, and in its place is this:
    suspend multi-factor authentication for remembered devices PREVIEW

  • Anonymous commented

    I would not like to give up the ability to access the portal from other locations. 2-factor auth sounds more appealing.

  • ΕΨΗΕΛΩΝ commented

    I do agree with SecurID. Anyway, a cheaper idea could be using 2-factor authentication at Microsoft Account level with SMS confirmation, exactly like Google currently does.

    This will enable security on every site that supports OpenID via Microsoft Account (as Azure does).

  • Stephen Askew commented

    An alternate solution would be to have the ability to disable Live ID authentication via the Management API, effectively switching off access to the Management Portal. The Management API requires mutual certificate authentication.

    There are plenty of client tools available that enable you to perform most day to day tasks via the Management API.
