
Enable MFA for Privileged Identities with Access to Virtual Machines

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: VirtualMachines-041

Ensure that privileged identities with access to Microsoft Entra ID-enabled VM instances are configured to use Multi-Factor Authentication (MFA). MFA is a simple, yet efficient method of verifying your user identity by requiring an authentication code generated by a virtual or hardware device, also known as passcode, used in addition to your usual access credentials such as user name and password.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Microsoft Entra ID credentials can be used to log in to Azure virtual machine (VM) instances. This is useful because it simplifies access management and strengthens security. Instead of managing separate passwords, users can leverage their existing Entra ID credentials, which can be centrally enforced with Multi-Factor Authentication and conditional access policies. This reduces the risk of compromised credentials and streamlines the login process. Multi-Factor Authentication (MFA) for privileged identities that use Microsoft Entra ID credentials adds an extra layer of protection, ensuring only authorized users with the correct credentials and verification code can access VM instances, even if a password is compromised.


Audit

To determine if privileged identities with access to your Microsoft Entra ID-enabled VM instances are using Multi-Factor Authentication, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade available at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Azure cloud resources.

03 Choose the Azure subscription that you want to examine from the Subscription filter box.

04 From the Type filter box, select Virtual machine, and choose Apply to list only the virtual machines (VMs) deployed for the selected subscription.

05 Click on the name (link) of the virtual machine (VM) instance that you want to examine.

06 Choose Overview from the resource navigation panel and select the Properties tab to view the configuration information available for the selected VM.

07 Under Extensions + applications, check the Extensions attribute value to determine if the AADSSHLoginForLinux extension is installed on the VM. The extension is installed when you enable Microsoft Entra ID login for your VM instance. If the AADSSHLoginForLinux extension is available in the extensions list, you can continue the Audit process with the next step.

08 Under Essentials, click on the name (link) of the resource group used to deploy the selected virtual machine (VM).

09 Choose Access control (IAM) from the resource group navigation panel and select the Role assignments tab.

10 Role assignment of Virtual Machine Administrator Login or Virtual Machine User Login is required when using Microsoft Entra ID login. To check for these role assignments, select the All tab, and use the Role filter box to search for any role assignment of Virtual Machine Administrator Login or Virtual Machine User Login. If one or more identities (users) are returned as results, you can continue the Audit process with the next step.

11 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview, and select Users under Manage.

12 Click on the Per-user MFA button available in the console top menu. This will open Azure MFA management portal.

13 Choose Sign-in allowed users from the View dropdown list.

14 Choose the identity (user) returned at step no. 10 and check the MFA feature status available in the MULTI-FACTOR AUTH STATUS column. If the status is Disabled, Multi-Factor Authentication (MFA) is not enabled for the selected identity, therefore, the access to your Microsoft Entra ID-enabled VM instance is not MFA-protected.

15 Repeat steps no. 11 - 14 for each identity (user) with the role assignment of Virtual Machine Administrator Login or Virtual Machine User Login.

16 Repeat steps no. 5 - 15 for each Azure virtual machine (VM) provisioned in the selected subscription.

17 Repeat steps no. 3 - 16 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group of each virtual machine (VM) provisioned in the current Azure subscription:

az vm list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested virtual machine (VM) identifiers:

Name                      ResourceGroup
-----------------------   ------------------------------
cc-prod-app-server        cloud-shell-storage-westeurope
cc-internal-app-server    cloud-shell-storage-westeurope

03 The AADSSHLoginForLinux extension is installed automatically when you enable Microsoft Entra ID login for VM instances. Run vm extension list command (Windows/macOS/Linux) to describe the extensions installed on the virtual machine (VM) instance identified by the --vm-name parameter:

az vm extension list \
  --vm-name cc-prod-app-server \
  --resource-group cloud-shell-storage-westeurope \
  --query '[*].name'

04 The command output should return the names of the extensions installed on the specified VM server. If the AADSSHLoginForLinux extension is available in the extensions list, as shown in the example below, you can continue the Audit process with the next step:

[
	"AADSSHLoginForLinux",
	"IaaSAntimalware"
]

05 Run ad user list command (Windows/macOS/Linux) with query filters to list all Microsoft Entra ID identities (users):

az ad user list \
  --query '[].{userPrincipalName:userPrincipalName}' \
  --output table

06 The command output should return a table that contains all your Microsoft Entra ID principal user names:

UserPrincipalName
-----------------------------------------------
vmazuremanager@trendmicro.onmicrosoft.com
azadministrator@trendmicro.onmicrosoft.com

07 Run role assignment list command (Windows/macOS/Linux) with custom query filters to return the name of each role assigned to the Microsoft Entra ID identity (user) that you want to examine. For the --resource-group parameter specify the name of the resource group used to deploy your VM instance:

az role assignment list \
  --resource-group cloud-shell-storage-westeurope \
  --assignee vmazuremanager@trendmicro.onmicrosoft.com \
  --query '[].{"roleDefinitionName":roleDefinitionName}'

08 The command output should return an array that contains the name of the role assigned to the specified Microsoft Entra ID user. Role assignment of Virtual Machine Administrator Login or Virtual Machine User Login is required when using Microsoft Entra ID login. If the "roleDefinitionName" is set to Virtual Machine Administrator Login or Virtual Machine User Login, as shown in the example below, you can continue the Audit process with the next step.

[
	{
		"roleDefinitionName": "Virtual Machine Administrator Login"
	}
]

09 Open an elevated Windows PowerShell command prompt (i.e. run PowerShell as an administrator) and run Install-Module MSOnline command to install MSOnline PowerShell module for Microsoft Entra ID:

Install-Module MSOnline

10 Run Connect-MsolService PowerShell command to connect to your Microsoft Entra ID environment. Once the command request is made you should be prompted for your Microsoft Entra ID credentials. To connect to a specific environment of Microsoft Entra ID, use the -AzureEnvironment parameter, as shown in the example below (replace <ad-environment-name> with your own Microsoft Entra ID environment name):

Connect-MsolService -AzureEnvironment "<ad-environment-name>"

11 Run Get-MsolUser PowerShell command (using MSOnline module) with custom query filters to identify if the selected Microsoft Entra ID user has registered for Multi-Factor Authentication (MFA):

Get-MsolUser -UserPrincipalName vmazuremanager@trendmicro.onmicrosoft.com | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } | Select-Object -Property UserPrincipalName

12 The command output returns the verified Microsoft Entra ID user name if MFA is disabled (the user has no registered strong authentication method). Otherwise, the Get-MsolUser command does not produce an output:

UserPrincipalName
-----------------------------------------
vmazuremanager@trendmicro.onmicrosoft.com

If the Get-MsolUser command output returns the name of the examined user, Multi-Factor Authentication (MFA) is not enabled for the selected identity, therefore, the access to your Microsoft Entra ID-enabled VM instance is not MFA-protected.

13 Repeat steps no. 7 - 12 for each identity (user) with the role assignment of Virtual Machine Administrator Login or Virtual Machine User Login.

14 Repeat steps no. 3 - 13 for each Azure virtual machine (VM) provisioned in the selected subscription.

15 Repeat steps no. 1 - 14 for each subscription created within your Microsoft Azure cloud account.
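The Azure CLI audit steps above can be chained into one script. The following is an added example, not code from the Conformity page; it assumes that az login and Connect-MsolService have already been run in the same PowerShell session, that the az CLI is on the PATH, and, like the manual procedure, that VM login roles are assigned at the resource-group scope.

```powershell
# Added audit helper (not from the Conformity page). Walks every VM in the current
# subscription and reports Entra ID login identities that have no MFA method registered.
# Assumes: `az login` and `Connect-MsolService` already done, az CLI on PATH.
$LoginRoles = @('Virtual Machine Administrator Login', 'Virtual Machine User Login')

# Step 1: name and resource group of every VM in the current subscription
$vms = az vm list --query '[].{name:name, rg:resourceGroup}' -o json | ConvertFrom-Json

$findings = @()
foreach ($vm in $vms) {
    # Steps 3-4: Entra ID login installs the AADSSHLoginForLinux extension; skip VMs without it
    $exts = az vm extension list --vm-name $vm.name --resource-group $vm.rg `
        --query '[].name' -o json | ConvertFrom-Json
    if ($exts -notcontains 'AADSSHLoginForLinux') { continue }

    # Steps 7-8: user principals holding a VM login role at the VM's resource-group scope
    # (groups and service principals are excluded because per-user MFA does not apply to them)
    $assignments = az role assignment list --resource-group $vm.rg `
        --query "[?principalType=='User'].{upn:principalName, role:roleDefinitionName}" `
        -o json | ConvertFrom-Json

    foreach ($a in ($assignments | Where-Object { $LoginRoles -contains $_.role })) {
        # Step 11: zero registered strong-auth methods means MFA is not set up for this user
        $user = Get-MsolUser -UserPrincipalName $a.upn
        if ($user.StrongAuthenticationMethods.Count -eq 0) {
            $findings += [pscustomobject]@{
                VM            = $vm.name
                ResourceGroup = $vm.rg
                User          = $a.upn
                Role          = $a.role
            }
        }
    }
}

# Every row is an identity whose access to an Entra ID-enabled VM is not MFA-protected
$findings | Format-Table -AutoSize
```

Run it once per subscription (switch with az account set --subscription) to cover step 15; an empty table means every VM login identity found at resource-group scope has an MFA method registered.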

Remediation / Resolution

To ensure that privileged identities with access to Microsoft Entra ID-enabled VM instances are configured to use Multi-Factor Authentication (MFA), perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, under Manage, select Users.

04 Click on the Per-user MFA button available in the console top menu. This will open Azure MFA management portal.

05 On the MFA management page choose the service settings tab to access the Multi-Factor Authentication settings.

06 On the MFA settings page, under verification options, select the method(s) that you want to use for Multi-Factor Authentication from the Methods available to users list.

07 Choose Save to apply the changes, then select Close to return to the settings page.

08 Choose the users tab and select Sign-in allowed users from the View dropdown list.

09 Select the user (identity) that you want to enroll in MFA and choose Enable under quick steps, in the right menu.

10 On the confirmation box, choose enable multi-factor auth to enable Multi-Factor Authentication (MFA) for the selected user. Select close to return to the console.

11 Install the Microsoft Authenticator mobile app, then sign in to your Microsoft Azure account with the user configured for MFA at the previous steps. Once signed in, you can complete the MFA registration process.

12 On the Keep your account secure setup page, perform the following actions:

  1. For Start by getting the app choose Next.
  2. For Set up your account choose Next.
  3. For Scan the QR code, scan the generated QR code using the Microsoft Authenticator app. Once the application displays a six-digit code, choose Next.
  4. For Let's try it out, approve the notification sent to your Authenticator app by entering the number displayed in the box.
  5. For Notification approved choose Next.
  6. On the confirmation page choose Done to complete the MFA registration process. The MFA status for the user should be automatically switched to Enforced once the registration process is completed.

13 Repeat steps no. 9 - 12 for each Microsoft Azure identity (user) that you want to enroll in MFA.

Using PowerShell

01 Open an elevated Windows PowerShell command prompt (i.e. run PowerShell as an administrator) and run Install-Module MSOnline command to install MSOnline PowerShell module for Microsoft Entra ID:

Install-Module MSOnline

02 Run Connect-MsolService PowerShell command to connect to your Microsoft Entra ID environment. Once the command request is made you should be prompted for your Microsoft Entra ID credentials. To connect to a specific environment of Microsoft Entra ID, use the -AzureEnvironment parameter, as shown in the example below (replace <ad-environment-name> with your own Microsoft Entra ID environment name):

Connect-MsolService -AzureEnvironment "<ad-environment-name>"

03 Define an array of strong authentication (i.e. Multi-Factor Authentication) requirements, that will be used later as the value for the -StrongAuthenticationRequirements parameter in order to activate MFA using the Set-MsolUser command:

$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$mfa.State = "Enabled"
$setmfa = @($mfa)

04 Run Set-MsolUser PowerShell command (using MSOnline module) using the name of the user that you want to configure as the -UserPrincipalName parameter value and the strong authentication requirements parameter defined at the previous step to update the selected user configuration in order to enable Multi-Factor Authentication (MFA):

Set-MsolUser `
  -UserPrincipalName vmazuremanager@trendmicro.onmicrosoft.com `
  -StrongAuthenticationRequirements $setmfa

05 Now that the feature is enabled for the selected identity (user), you can begin the Multi-Factor Authentication (MFA) registration process. Install Microsoft Authenticator mobile app, then sign in to your Microsoft Azure account with the user configured for MFA at the previous steps. Once signed in, you can complete the MFA registration process.

06 On the Keep your account secure setup page, perform the following actions:

  1. For Start by getting the app choose Next.
  2. For Set up your account choose Next.
  3. For Scan the QR code, scan the generated QR code using the Microsoft Authenticator app. Once the application displays a six-digit code, choose Next.
  4. For Let's try it out, approve the notification sent to your Authenticator app by entering the number displayed in the box.
  5. For Notification approved choose Next.
  6. On the confirmation page choose Done to complete the MFA registration process. The MFA status for the user should be automatically switched to Enforced once the registration process is completed.

07 Repeat steps no. 4 - 6 for each Microsoft Azure identity (user) that you want to enroll in MFA.

Publication date May 27, 2024