You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/governance/policy/tutorials/mfa-enforcement.md
+45-43Lines changed: 45 additions & 43 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,84 +6,86 @@ ms.topic: how-to
6
6
author: nehakulkarni
7
7
ms.author: nehakulkarni
8
8
---
9
-
# Tutorial: Apply MFA Self-Enforcement through Azure Policy
9
+
# Tutorial: Apply MFA self-enforcement through Azure Policy
10
10
[Azure Policy](../overview.md) is a powerful governance tool that allows you to enforce organizational standards and assess compliance at-scale. You can also use Azure Policy to prepare your organization for [upcoming enforcement of multifactor authentication (MFA) across Azure clients](https://aka.ms/mfaforazure).
11
11
This guide walks you through the process of applying Azure Policy assignments to self-enforce multifactor authentication across your organization.
12
12
13
-
## Apply Azure Policy enforcement through Azure Portal
13
+
## Apply Azure Policy enforcement through Azure portal
14
14
15
15
### 1. Sign into Azure portal
16
16
Navigate to the [Azure portal](https://www.portal.azure.com)
17
17
18
18
### 2. Access Azure Policy Service
19
19
Select Policy under Azure services. If you don't see it, type 'Policy' in the search bar at the top and select it from the results.
20
20
21
-
:::image type="content" source="../media/multifactor-enforcement/policy-overview.png" alt-text="Screenshot of Azure Policy Assignment View." border="false":::
21
+
:::image type="content" source="../media/multifactor-enforcement/policy-overview.png" alt-text="Screenshot of Azure Policy Assignment View." border="false"lightbox="../media/multifactor-enforcement/portal-enforcement.png":::
22
22
23
23
### 3. Choose the Scope for Assignment
24
-
- Click 'Assignments' in the left pane of the Policy dashboard.
25
-
- Click 'Assign policy' at the top of the assignments page.
26
-
- Click 'Select scope' in the Scope section.
27
-
- Select the appropriate resource group, subscription, or management group where you want to apply the policy.
28
-
- Click 'Select' to confirm your choice.
24
+
1. Click 'Assignments' in the left pane of the Policy dashboard.
25
+
2. Click 'Assign policy' at the top of the assignments page.
26
+
3. Click 'Select scope' in the Scope section.
27
+
4. Select the appropriate resource group, subscription, or management group where you want to apply the policy.
28
+
5. Click 'Select' to confirm your choice.
29
29
30
30
### 4. Configure Selectors for gradual rollout of policy enforcement
31
31
> [!NOTE]
32
32
> To enable safe rollout of policy enforcement, we recommend using [Azure Policy’s resource selectors](/azure/governance/policy/concepts/assignment-structure#resource-selectors) to gradually rollout policy enforcement across your resources.
33
-
- Click 'Expand' on the 'Resource Selectors' section of the Basics tab.
34
-
- Click 'Add a resource selector'
33
+
1. Click 'Expand' on the 'Resource Selectors' section of the Basics tab.
- Pick a few low-risk regions that you’d like to enforce on. The policy assignment will evaluate Azure resources in those regions.
40
-
- You can update this assignment later to add more regions by adding more resourceLocation selectors or updating the existing resourceLocation selector to add more regions.
37
+
1. Add a name for your selector
38
+
2. Toggle resourceLocation to enable it.
39
+
3. Pick a few low-risk regions that you’d like to enforce on. The policy assignment will evaluate Azure resources in those regions.
40
+
4. You can update this assignment later to add more regions by adding more resourceLocation selectors or updating the existing resourceLocation selector to add more regions.
- Browse or search for the multifactor policy definition – there are 2 of them. Pick one for now:
45
+
1. Click on Policy definition under 'Basics'.
46
+
2. Browse or search for the multifactor policy definition – there are 2 of them. Pick one for now:
47
47
-[[Preview]: Users must authenticate with multifactor authentication to delete resources - Microsoft Azure](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetail.ReactView/id/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdb4a9d17-db75-4f46-9fcb-9f9526604417/version/1.0.0-preview/scopes/%5B%22%2Fsubscriptions%2F12015272-f077-4945-81de-a5f607d067e1%22%2C%22%2Fsubscriptions%2F0ba674a6-9fde-43b4-8370-a7e16fdf0641%22%5D/contextRender/).
48
48
-[[Preview]: Users must authenticate with multifactor authentication to create or update resources - Microsoft Azure](https://portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetail.ReactView/id/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4e6c27d5-a6ee-49cf-b2b4-d8fe90fa2b8b/version/1.0.0-preview/scopes/%5B%22%2Fsubscriptions%2F12015272-f077-4945-81de-a5f607d067e1%22%2C%22%2Fsubscriptions%2F0ba674a6-9fde-43b4-8370-a7e16fdf0641%22%5D/contextRender/).
- Under 'Basics', enter a name for your policy assignment. Optionally, you may add a description to help others understand the purpose of this assignment.
55
-
- Under 'Basics', enforcement mode should be set to enabled (this mode is set by default, no action needed).
56
-
- Go to the 'Parameters' tab. Uncheck 'only show parameters that require input or review'. The parameter value should be at the preselected value 'AuditAction' or 'Audit' (depending on the definition chosen in step 4).
57
-
- Under the 'Non-compliance messages' tab, configure a custom message that any user sees if they're blocked from deleting a resource because of this enforcement:
54
+
1. Under 'Basics', enter a name for your policy assignment. Optionally, you may add a description to help others understand the purpose of this assignment.
55
+
2. Under 'Basics', enforcement mode should be set to enabled (this mode is set by default, no action needed).
56
+
3. Go to the 'Parameters' tab. Uncheck 'only show parameters that require input or review'. The parameter value should be at the preselected value 'AuditAction' or 'Audit' (depending on the definition chosen in step 4).
57
+
4. Under the 'Non-compliance messages' tab, configure a custom message that any user sees if they're blocked from deleting a resource because of this enforcement:
58
58
59
59
_Sample Text: To resolve this error, set up MFA at aka.ms/setupMFA. If you set up MFA and are still receiving this error, reach out to your Entra administrator to restore your Azure security default._
60
60
61
-
:::image type="content" source="../media/multifactor-enforcement/noncompliance-message.png" alt-text="Screenshot of Azure Policy Message Tab." border="false":::
- Review your selections and settings on the 'Review + create' tab.
66
-
- If everything looks correct, click 'Create' to apply the policy assignment.
65
+
1. Review your selections and settings on the 'Review + create' tab.
66
+
2. If everything looks correct, click 'Create' to apply the policy assignment.
67
67
68
68
### 8. Roll out the policy assignment to all regions
69
-
- Update the policy assignment selector to evaluate resources in other regions. Repeat this step until the policy assignment is evaluating resources in all regions.
69
+
1. Update the policy assignment selector to evaluate resources in other regions.
70
+
2. Repeat this step until the policy assignment is evaluating resources in all regions.
70
71
71
72
### 9. Verify existence of the policy assignment
72
-
- Under the 'Assignments' tab, confirm that the policy assignment was successfully created. You can use the search bar and scope bar to easily filter.
73
+
1. Under the 'Assignments' tab, confirm that the policy assignment was successfully created.
74
+
2. You can use the search bar and scope bar to easily filter.
73
75
74
-
:::image type="content" source="../media/multifactor-enforcement/assignment-list.png" alt-text="Screenshot of Azure Policy Assignment List View." border="false":::
76
+
:::image type="content" source="../media/multifactor-enforcement/assignment-list.png" alt-text="Screenshot of Azure Policy Assignment List View." border="false" lightbox="../media/multifactor-enforcement/portal-enforcement.png":::
75
77
76
78
77
79
## Update the policy assignment to enforcement
78
80
You can enable enforcement by updating the 'Effect' of the policy assignment.
79
-
- Go to the policy assignment under [Policy Assignments](https://portal.azure.com/?subscriptionId=617eb244-7791-4c21-98c5-77f840a7e4ef#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Overview/scope/%2Fsubscriptions%2F617eb244-7791-4c21-98c5-77f840a7e4ef). Click 'Edit assignment'.
80
-
- In the 'Basics' tab, you’ll see 'Overrides'. Click expand.
81
-
- Click 'Add a policy effect override'
82
-
- In the drop-down menu, update the `Override Value` to 'DenyAction' or 'Deny' (depending on the policy definition chosen at Step 4).
83
-
- For `Selected Resources`, pick a few low-risk regions that you’d like to enforce on. The policy assignment will only evaluate Azure resources in those regions.
84
-
:::image type="content" source="../media/multifactor-enforcement/overrides-example.png" alt-text="Screenshot of Azure Policy Overrides Creation." border="false":::
85
-
- Click 'Review + save', then 'Create'.
86
-
- Once you have confirmed no unexpected impact, you may update the existing override to add other regions.
81
+
1. Go to the policy assignment under [Policy Assignments](https://portal.azure.com/?subscriptionId=617eb244-7791-4c21-98c5-77f840a7e4ef#view/Microsoft_Azure_Policy/PolicyMenuBlade/~/Overview/scope/%2Fsubscriptions%2F617eb244-7791-4c21-98c5-77f840a7e4ef). Click 'Edit assignment'.
82
+
2. In the 'Basics' tab, you’ll see 'Overrides'. Click expand.
83
+
3. Click 'Add a policy effect override'
84
+
4. In the drop-down menu, update the `Override Value` to 'DenyAction' or 'Deny' (depending on the policy definition chosen at Step 4).
85
+
5. For `Selected Resources`, pick a few low-risk regions that you’d like to enforce on. The policy assignment will only evaluate Azure resources in those regions.
7. Once you have confirmed no unexpected impact, you may update the existing override to add other regions.
87
89
88
90
## User Experience during Preview
89
91
@@ -104,21 +106,21 @@ Discover deny events in your activity log when this policy assignment is applied
104
106
The next section shows the experience from some select clients when the policy assignment is applied in enforcement mode and a user account attempts to create, update, or delete a resource without being authenticated with MFA.
105
107
> [!NOTE]
106
108
> In preview timeframe, the error messages displayed to the user may differ depending on the client and command being run.
107
-
### Azure Portal
109
+
### Azure portal
108
110
When you attempt to perform a create, update, or delete operation without an MFA-authenticated token, Azure portal may return:
109
111
110
-
:::image type="content" source="../media/multifactor-enforcement/portal-enforcement.png" alt-text="Screenshot of Azure portal view." border="false":::
112
+
:::image type="content" source="../media/multifactor-enforcement/portal-enforcement.png" alt-text="Screenshot of Azure portal view." border="false" lightbox="../media/multifactor-enforcement/portal-enforcement.png":::
111
113
112
114
### Azure CLI
113
115
When you attempt to perform a create, update, or delete operation without an MFA-authenticated token, Azure CLI may return:
114
116
115
-
:::image type="content" source="../media/multifactor-enforcement/cli-sample.png" alt-text="Screenshot of Azure CLI View When User Gets Blocked By Policy." border="false":::
117
+
:::image type="content" source="../media/multifactor-enforcement/cli-sample.png" alt-text="Screenshot of Azure CLI View When User Gets Blocked By Policy." border="false" lightbox="../media/multifactor-enforcement/portal-enforcement.png":::
116
118
117
119
### Azure PowerShell
118
120
When you attempt to perform a create, update, or delete operation without an MFA-authenticated token, Azure PowerShell may return:
119
121
120
-
:::image type="content" source="../media/multifactor-enforcement/powershell-sample.png" alt-text="Screenshot of Azure PowerShell View When User Gets Blocked By Policy." border="false":::
122
+
:::image type="content" source="../media/multifactor-enforcement/powershell-sample.png" alt-text="Screenshot of Azure PowerShell View When User Gets Blocked By Policy." border="false" lightbox="../media/multifactor-enforcement/portal-enforcement.png":::
121
123
122
124
## Limitations in the Preview Timeframe
123
-
- In some cases, you may not be prompted to complete MFA after receiving an error. In such cases, reauthenticate with MFA before retrying the operation (for example, through Azure portal).
124
-
- In some cases, the error message may not indicate that the operation is blocked due to the policy assignment in-place. Take note of the error message samples to familiarize your organization on what error messages they may receive.
125
+
1. In some cases, you may not be prompted to complete MFA after receiving an error. In such cases, reauthenticate with MFA before retrying the operation (for example, through Azure portal).
126
+
2. In some cases, the error message may not indicate that the operation is blocked due to the policy assignment in-place. Take note of the error message samples to familiarize your organization on what error messages they may receive.
0 commit comments