
This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.


Multi-Factor Authentication (MFA) authentication method registration and login

Petr Bouška - Samuraj

After a general description of Microsoft Entra Multi-Factor Authentication (MFA), let's take a more practical look at registering and managing authentication methods. We'll focus on the capabilities of Microsoft Authenticator, in particular the optimal Phone Sign-in option. Then we'll walk through the MFA sign-in process and the use of selected authentication methods.

Note: The article only includes selected verification methods and certain situations. Microsoft frequently changes things, so it is valid as of the publication date of the article.

Registration of Verification Methods

Registration of verification methods can be triggered in two ways:

  • during login - if for some reason it is required to register or update user methods, the login process is interrupted, and a security information setup wizard is displayed
  • in account settings - part of the user profile is the management of verification methods (security information), where we can manually register new methods

Setting Verification Methods During Login

[Image: MFA registration of verification methods during sign-in 1]
[Image: MFA registration of verification methods during sign-in 2]
[Image: MFA registration of verification methods during sign-in 3]

Managing Verification Methods Within the Account

Within My Account we have the Security Info option. Here we see all the verification methods registered for account sign-in or password reset. We can edit or (in most cases) delete existing methods.

Note: The settings can also be reached via the MFA Setup link, which requires a fresh sign-in.

By clicking on + Add sign-in method we start the wizard for adding a new method.

[Image: MFA registration of verification methods in account settings 1]

In the first step, we choose the method we want to register.

[Image: MFA registration of verification methods in account settings 2]

Microsoft Authenticator

To register the Microsoft Authenticator app, choose Authenticator app and follow the wizard (in the first step, you can choose to install a non-Microsoft app).

[Image: MFA registration of Microsoft Authenticator 1]

On the phone, we need the app installed. In the top bar, click on + Add account. Choose Work or school account and Scan a QR code. Scan the code from the computer screen. The account will be added to the app.

[Image: MFA registration of Microsoft Authenticator 2]

Then it is necessary to approve the notification in the app by entering the number displayed on the computer.

[Image: MFA registration of Microsoft Authenticator 3]

This completes the registration of the verification method. For Microsoft Authenticator, a Push Notification is registered, which requires an internet connection. At the same time, the app is set up as a software token for generating an OATH verification code (which works offline).

[Image: MFA registration of Microsoft Authenticator 4]

Microsoft Authenticator (Phone Sign-in)

When we have the Microsoft Authenticator app registered to our account, we can set up a more secure and convenient option for passwordless sign-in. This method is referred to as Phone Sign-in.

Note: Microsoft Authenticator running on Android currently supports registration of only one account for Phone sign-in. On iOS devices, it is supported to register multiple accounts.

The condition is that the mobile device must be registered to our account and a screen lock must be set (typically PIN or fingerprint).

Enabling phone sign-in is done in the Microsoft Authenticator app. Open the account and click on Set up phone sign-in (visible in the image above this chapter). Then we must sign in using MFA.

[Image: MFA registration of Microsoft Authenticator Phone Sign-in]

If a prerequisite is not met, for example device registration, the app offers to complete it. Finally, the Phone Sign-in setup is completed.

Whether we have the Phone Sign-in method registered can be seen directly in the Microsoft Authenticator app, and also in the account settings under Security Info, where it is listed as one of the two options.

[Image: MFA registration of Microsoft Authenticator 5]

FIDO2 Security Key

Registration of the FIDO2 security key is described in the article Sign-in with FIDO2 security key.

Windows Hello for Business

Windows Hello for Business is a special method and does not appear among the methods on the Security Info page (the administrator sees this method for the user in Entra ID). Registration is done in the operating system and is described in the article Windows Hello for Business - user settings and usage.

MFA Login Process

Account Identification (Email Entry)

When we log in for the first time, we must enter our email address. Only for signing in with a FIDO2 security key is account identification not needed, just click on Sign-in options and then Sign in with a security key.

Microsoft Modern Authentication

If we have both a work and a personal account on the same email address, a prompt asks which of the two accounts we mean.

[Image: Microsoft sign-in, account type selection]

During repeated login, the previously used account is usually offered, and we just need to select it.

[Image: Microsoft sign-in, account selection]

User Authentication

If we have set up a passwordless sign-in method, it is used in the next step. We may see an approval prompt for sign-in using Microsoft Authenticator Phone Sign-in (entering two digits) or a Windows security dialog for signing in with a FIDO2 key.

In other cases, a dialog for entering a password as the first sign-in factor will appear. This is followed by a dialog for the configured second factor, such as approving the sign-in using Microsoft Authenticator Push Notification (entering two digits) or entering a verification code.

[Image: Microsoft sign-in, password entry]

Changing the Verification Method

If we have multiple methods registered, we can always interrupt the currently used method and choose another one. In many dialog variants, there is an option Other ways to sign in or I can't use my Microsoft Authenticator app right now. In the Windows dialog for signing in with a FIDO2 key, we must first select Cancel.

[Image: Microsoft sign-in, MFA change of verification method]

Depending on whether we are in the passwordless sign-in step or have already entered the password, and of course, which methods we have registered, a different selection of available methods is offered.

[Image: Microsoft sign-in, MFA selection of verification method]

Microsoft Authenticator (Phone Sign-in)

If we have set up passwordless sign-in using the Microsoft Authenticator app, a dialog for approving the sign-in in the app by entering the displayed digits should appear immediately after account identification.

[Image: MFA authentication, approval in the Microsoft Authenticator app]

If a password entry dialog appears, there should be a link Other ways to sign in, where we select Approve a request on my Microsoft Authenticator app.

[Image: Microsoft sign-in, MFA change of verification method 2]

Microsoft Authenticator (Push Notification)

The Microsoft Authenticator app can also be used for classic MFA sign-in. This means that we identify the account and in the first step enter the password. Then we can use Push Notification, where a notification is sent to the app that we must approve. The process is exactly the same as with Phone Sign-in: a dialog Approve sign in with a number will appear, showing a number that we must enter in the mobile app.

The difference is that with Push Notification we must first enter the password, which is sent over the internet. Phone Sign-in is more secure and convenient: we do not enter any password and instead sign in using an asymmetric key pair tied to the app and the mobile device.

Reporting Suspicious Activity - Blocking MFA Sign-in

In the notification in the Microsoft Authenticator app, there is also an option No, it's not me. If we use it, a dialog Report suspicious activity will appear. After selecting Report, the user's MFA sign-in may be blocked, and only the organization administrator can unblock it.

[Image: Microsoft Authenticator - Report suspicious activity]

Verification Code - OATH One Time Password (OTP)

The second option for classic MFA sign-in is to enter a verification code. We can use the registered Microsoft Authenticator or a third-party app that supports OATH TOTP. A dialog for entering the code will appear.

[Image: Microsoft sign-in, MFA entry of OATH verification code]

Open the Microsoft Authenticator app on the mobile device and select our account. The current OTP code and its remaining validity out of 30 seconds are displayed here. Enter the code into the sign-in dialog.

[Image: Microsoft sign-in, MFA verification code in Microsoft Authenticator]

Comments
  1. [1] Ondrej Podrouzek

    ;-) thank you for the nice description

    Monday, 27.11.2023 10:23
  2. [2] je to na pikaču

    :-) great ;-)

    Tuesday, 28.11.2023 11:35