From the last two posts I made related to the Azure Key Vault (one on encrypting with your own key and the other on how to generate a key), I’ll admit I’m getting started with security in Azure.
The moment critical services or data is in Azure, access to the Azure Portal for an administrator should be as secured as possible. So much so, Microsoft even explicitly advises “…it is essential that you use very strong authentication methods.” Truth be told, 10 years ago I blogged about MFA in it’s early days and thought it was an option for extra authentication factor and a strong audit trail. In the cloud era, MFA is the only way to go.
Azure Multi-factor Authentication is in place to service this need. There are options for effectively every offering of Azure. I use a personal account for my Azure usage that I’m sure like many IT pros do before they take configurations into production. On the profile page, you can set up MFA from the change your security tab of your profile page:
Note that I can also see which devices on the right (yellow box) have accessed my Portal account recently, nice touch. Just click on the security tab and you can configure more security options.
You’ll need to re-authenticate with your password and then select the Two-step verification option. There are three options for my account type: an app (the Microsoft Authenticator app, I will review that separately), a phone number or an alternate email address. These options are shown below:
I am going to select a phone number, and specifically to make it a call or text versus an application. For the phone number option, you will need to select a phone number that is not part of your account profile. You will get a call with a code to effectively tokenize the phone number to the Azure account.
The process additionally will provide a recovery code. This recovery code would serve as an alternative to the MFA selection (the device phone number). The instructions also indicate that it is recommended not to store this recovery code on a device, effectively a digital air gap. This is an important recommendation as if the storage of the recovery code is breached – then the MFA implementation is pwned.
The final step of the process is to set up app passwords for adjacent Azure services (Xbox 360, Outlook desktop app for your PC or Mac, Office 2010, Office for Mac 2011, or earlier; Windows Essentials [Photo Gallery, Movie Maker, Mail, Writer], or Zune desktop app) which I do not use; so I can skip this.
Once this is completed, you will have this very comforting message that: “Your account is protected by two-step verification.” This is shown below on my account:
To test this, I have opened a connection to the Azure portal on a completely different system. When I log into the portal, a new part of the login process is provided:
In each of these options, I will be either called or have a message sent with a code that will allow me to proceed into the Azure portal. What is really nice also is that you’ll see the last 2 digits of the phone number are shown; but in order to request the message sent to enable Portal access; I will need to provide the last 4 digits. A nice extra parameter required for the phone number access.
Do you use MFA for Azure? If not, it’s time. You have to secure your portal. This is especially important when you get into managing data and services in the cloud. You don’t want to be the next one of these.