Restrict access to Portal by IP or RSA SecurID
Azure is not more secure than your Live ID email and password.
Using Azure for serious confidential data requires a lot of discipline, and it's hard to prove that you enforce this. E.g. you can configure Live ID to require a change of password.
I would love to restrict access to the Portal by IP address, or require a challenge like an RSA SecurID.
This is actually possible today :-)
Check out this article on how to enable IP filtering with multi-factor auth:
Enhancing Azure MFA with Contextual IP Address Whitelisting
“Whitelisting a range of IP addresses: Both managed and federated customers have the ability to whitelist a range of IP addresses for MFA in the admin portal.”
That link no longer works - is there an updated one?
The original question was how to use IP restriction as WELL as TFA, but the answer provided above explains how to use IP Whitelist to SUPPRESS TFA. And IP Whitelist is no longer supported anyway.
The Technet article about "IP Whitelist" is out of date and needs to be removed. That feature is no longer on that page, and in its place is this:
suspend multi-factor authentication for remembered devices PREVIEW
Trond Hindenes commented
By using org accounts and ADFS, this can be enabled with the current offering.
Panagiotis Kefalidis commented
You can also enable two-factor authentication on your Microsoft Account which doesn't require an Azure AD to work.
I would not like to give up the ability to access the portal from other locations. 2-factor auth sounds more appealing.
Marcel van den Berg commented
Access to the Azure Management Portal can be set to two-way authentication.
The Google Authenticator app can be used to generate a token. Works fine.
I do agree with SecurID. Anyway, a cheaper idea could be using 2-factor authentication at Microsoft Account level with SMS confirmation, exactly like Google currently does.
This will enable security on every site that supports OpenID via Microsoft Account (as Azure does).
Stephen Askew commented
An alternate solution would be to have the ability to disable Live ID authentication via the Management API, effectively switching off access to the Management Portal. The Management API requires mutual certificate authentication.
There are plenty of client tools available that enable you to perform most day-to-day tasks via the Management API.