
Article from https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

How it works: Azure AD Multi-Factor Authentication
08/05/2021

Multi-factor authentication is a process in which a user is prompted during sign-in for an additional
form of identification, such as entering a code from their cellphone or providing a fingerprint scan.

If you only use a password to authenticate a user, you leave an insecure vector for attack. If the password is weak
or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an
attacker? Requiring a second form of authentication increases security because this additional factor isn't
something an attacker can easily obtain or duplicate.

Azure AD Multi-Factor Authentication works by requiring two or more of the following authentication
methods:

- Something you know, typically a password.
- Something you have, such as a trusted device that is not easily duplicated, like a phone or
  hardware key.
- Something you are - biometrics like a fingerprint or face scan.

Azure AD Multi-Factor Authentication can also further secure password reset. When users register themselves
for Azure AD Multi-Factor Authentication, they can also register for self-service password reset in one step.
Administrators choose which forms of secondary authentication are available and configure when an MFA
challenge is required.

Apps and services don't need changes to use Azure AD Multi-Factor Authentication. The verification prompts
are part of the Azure AD sign-in event, which automatically requests and processes the MFA challenge when
required.
Available verification methods
When a user signs in to an application or service and receives an MFA prompt, they can choose from one of
their registered forms of additional verification. Users can access My Profile to edit or add verification
methods.

The following additional forms of verification can be used with Azure AD Multi-Factor Authentication:

- Microsoft Authenticator app
- OATH Hardware token (preview)
- OATH Software token
- SMS
How to enable and use Azure AD Multi-Factor Authentication
All Azure AD tenants can use security defaults to quickly require MFA with Microsoft Authenticator for all users.
Individual users and groups can also be enabled for Azure AD Multi-Factor Authentication so that they are
prompted for additional verification during the sign-in event.

For more granular control, Conditional Access policies can be used to define the events or applications that
require MFA. These policies can allow a regular sign-in when the user is on the corporate network or a
registered device, but prompt for additional verification factors when the user is remote or on a personal device.
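
To make that Conditional Access behaviour concrete, here is an added Python simulation; it is not Microsoft code and not the real Azure AD policy engine. The policy dict follows the shape of the Microsoft Graph conditionalAccessPolicy resource (conditions plus grantControls), and `evaluate` applies it to constructed sign-in records to decide whether a sign-in is outside the policy's scope, already satisfied by a compliant device or an existing MFA claim, needs an MFA prompt, or is blocked. The named location `corp-hq` and its IP range, the user and app names, the sign-in records and the `evaluate`/`_in_scope` helpers are all constructed for this example, and only the handful of conditions the page mentions are modelled.

```python
"""Simulation of how a Conditional Access policy decides whether to prompt for MFA.

Added example, not Microsoft code: the policy mirrors the shape of the Microsoft
Graph conditionalAccessPolicy resource, but the evaluation logic, the named
location and the sign-in records are constructed for this illustration.
"""
import ipaddress

# Constructed named location; in Graph this would be keyed by a GUID, not a name.
NAMED_LOCATIONS = {
    "corp-hq": ["203.0.113.0/24"],   # TEST-NET-3, documentation-only range
}

# Require MFA for everyone on every app when signing in from outside the corporate
# network, unless the device is compliant (operator OR: either control suffices).
POLICY = {
    "displayName": "Require MFA off-network unless device is compliant",
    "state": "enabled",   # "enabledForReportingButNotEnforced" would log only
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@example.test"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["corp-hq"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}


def _in_location(ip: str, location_ids) -> bool:
    addr = ipaddress.ip_address(ip)
    for loc in location_ids:
        if loc == "All":
            return True
        if any(addr in ipaddress.ip_network(cidr) for cidr in NAMED_LOCATIONS.get(loc, [])):
            return True
    return False


def _in_scope(policy: dict, signin: dict) -> bool:
    """True when the sign-in matches the policy's user, app and location conditions."""
    c = policy["conditions"]
    users, apps, locs = c["users"], c["applications"], c["locations"]
    if signin["user"] in users.get("excludeUsers", []):
        return False  # exclusions (e.g. break-glass accounts) always win
    if "All" not in users["includeUsers"] and signin["user"] not in users["includeUsers"]:
        return False
    if "All" not in apps["includeApplications"] and signin["app"] not in apps["includeApplications"]:
        return False
    if not _in_location(signin["ip"], locs.get("includeLocations", [])):
        return False
    if _in_location(signin["ip"], locs.get("excludeLocations", [])):
        return False  # on the corporate network: policy does not apply
    return True


def _satisfied(control: str, signin: dict) -> bool:
    """Which grant controls the sign-in already meets before any prompt."""
    return {
        "mfa": signin.get("mfa_already_done", False),       # MFA claim from this session
        "compliantDevice": signin.get("device_compliant", False),
        "domainJoinedDevice": signin.get("device_hybrid_joined", False),
    }.get(control, False)


def evaluate(policy: dict, signin: dict) -> str:
    """Return 'not-applied', 'allow', 'require-mfa' or 'block' for one sign-in."""
    if policy["state"] != "enabled" or not _in_scope(policy, signin):
        return "not-applied"
    grant = policy["grantControls"]
    controls = grant["builtInControls"]
    unmet = [ctl for ctl in controls if not _satisfied(ctl, signin)]
    op = grant["operator"]
    if not unmet or (op == "OR" and len(unmet) < len(controls)):
        return "allow"
    if unmet == ["mfa"] or (op == "OR" and "mfa" in unmet):
        return "require-mfa"  # an interactive MFA prompt can still satisfy the grant
    return "block"            # remaining controls cannot be satisfied interactively


# Constructed sign-in records (not real log data).
SIGNINS = {
    "corp-network":     {"user": "alice@example.test", "app": "Office 365", "ip": "203.0.113.10"},
    "remote-unmanaged": {"user": "alice@example.test", "app": "Office 365", "ip": "198.51.100.7"},
    "remote-compliant": {"user": "alice@example.test", "app": "Office 365", "ip": "198.51.100.7",
                         "device_compliant": True},
    "remote-mfa-claim": {"user": "alice@example.test", "app": "Office 365", "ip": "198.51.100.7",
                         "mfa_already_done": True},
    "break-glass":      {"user": "breakglass@example.test", "app": "Azure portal", "ip": "198.51.100.7"},
}

if __name__ == "__main__":
    for name, signin in SIGNINS.items():
        print(f"{name:17s} -> {evaluate(POLICY, signin)}")
```

Two points the simulation makes visible: a location exclusion takes the sign-in out of scope entirely, so nothing about the grant is evaluated on the corporate network, and switching the grant operator from OR to AND turns "compliant device" from an alternative to MFA into an additional requirement, which is how "require MFA and a managed device" policies are built.
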

Next steps
To learn about licensing, see Features and licenses for Azure AD Multi-Factor Authentication.

To learn more about different authentication and validation methods, see Authentication methods in Azure
Active Directory.

To see MFA in action, enable Azure AD Multi-Factor Authentication for a set of test users in the following
tutorial:

Enable Azure AD Multi-Factor Authentication

Recommended content

Deployment considerations for Azure AD Multi-Factor Authentication

Learn about deployment considerations and strategy for successful implementation of Azure AD Multi-
Factor Authentication

Enable Azure AD Multi-Factor Authentication

In this tutorial, you learn how to enable Azure AD Multi-Factor Authentication for a group of users and
test the secondary factor prompt during a sign-in event.


Configure Azure AD Multi-Factor Authentication - Azure Active Directory

Learn how to configure settings for Azure AD Multi-Factor Authentication in the Azure portal


Phone authentication methods - Azure Active Directory

Learn about using phone authentication methods in Azure Active Directory to help improve and secure
sign-in events
