DEV Community

Cover image for Securing User Identities with Multi-Factor Authentication (MFA) in Microsoft Entra ID
Rahimah Sulayman
Rahimah Sulayman

Posted on

Securing User Identities with Multi-Factor Authentication (MFA) in Microsoft Entra ID

Introduction

Passwords alone are no longer enough to protect user accounts from today's evolving cyber threats. Multi-Factor Authentication (MFA) adds an essential layer of security by requiring users to verify their identity using multiple authentication factors, significantly reducing the risk of unauthorized access caused by compromised credentials.

In this hands-on guide, I'll walk through configuring Multi-Factor Authentication in Microsoft Entra ID, including enabling and disabling per-user MFA, reviewing MFA service settings, and configuring account lockout policies. These practical exercises demonstrate how to strengthen identity security while balancing usability and administrative control in a modern cloud environment.

Exercise - Perform basic Multifactor Authentication tasks

In this exercise you will explore the MFA setup process and configure a basic MFA deployment.

This exercise should take approximately 10 minutes to complete.

Task 1 - Enable / Disable Per-user MFA settings

1.Open the Microsoft Entra admin center at https://entra.microsoft.com.
2.Log in using the credentials for your tenant.
3.From the menu on the left, open the Identity submenu
4.Select Users and then select All users.
5.Look at the menu on the top of the new screen and find Per-user MFA.
6.Select Per-user MFA.

per-user mfa

7.Put a mark in the box next to Bhogeswar Kalita.

8.Select Enable MFA from the top of the list.
2mfa

9.Read the message box that pops up.

Note - This is a manual URL that you can email to the user, if you want to let them know to set up MFA.

10.Select Enable button.

enable

11.Then select the Enforce button.

enforce

enforce button

12.Note that after a few seconds enforced shows up next to Bhogeswar’s name.

verify

Task 2 - Review the Service settings for MFA

1.Open the Microsoft Entra admin center at https://entra.microsoft.com.
2.Log in using the credentials for your tenant.
3.From the menu on the left, open the Identity submenu.
4.Select Users and then select All users.
5.Select Per-user MFA item.

2mfa

6.Select Service settings.

service setting

7.Review the settings you can configure:

Setting What is it for
App passwords There are some legacy apps that won’t work with MFA, use this setting to allow a user to keep using them.
Trusted IPs If your company has a specifc set of IP-address ranges that are always known safe, you can allow users to by-pass MFA the logging in.
Verification options Select the methods you are willing to allow users to use for their second factor of authentication.
Remember multifactor authentication on trusted device If your users are using a device that you trust, like a company managed laptop; you can allow them to retain thier MFA approved status for a specified number of days.

8.Select the Discard button if you made any changes.
This is one method of configuring MFA for your users.

mfa

Task 3 - View MFA account lockout settings

1.Open the Microsoft Entra admin center at https://entra.microsoft.com.
2.Log in using the credentials for your tenant.
3.From the menu on the left, open the Protection submenu.
4.Scroll to the bottom of the list and select Show more.
5.Select Multifactor authentication from the menu.
6.Select Account lockout from the menu.
7.Set the following lockout values:

Field Value
Number of MFA denials to trigger account lockout 3
Minutes until account lockout counter is reset 180
Minutes until account is automatically unblocked 15

8.Select the Save option at the top of your screen.

mfa setting

Review some of the other configuration options you have on MFA like:

-Fraud alert
-Block / unblock users
-Notifications

Summary

In this article, I explored the core aspects of configuring Multi-Factor Authentication (MFA) in Microsoft Entra ID. I demonstrated how to enable and manage per-user MFA, review and customize MFA service settings, and configure account lockout policies to protect against repeated unauthorized sign-in attempts. By implementing these security measures, organizations can significantly improve identity protection, reduce the risk of account compromise, and build a more resilient authentication framework for their cloud environments.

Top comments (0)