Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Visitor 1

Trying to enable MFA - need some basic help


I run a single person company and know I need to set up MFA for admins.  I need this primarily because I sell CSP licenses.  But I am getting swamped by how much material is out there and need to narrow down the steps I need to take.


So far I have found the Conditional Access Policy in Azure Active Directory.  I turned on the policy "Baseline Policy: Require MFA for admins".  I was then logged out and needed to log back in.   I had to skip and use the 14-day grace period as I did not realize that I had to download an app for the MFA part (I thought it might just use SMS for the 2nd factor).


So I downloaded the app from the Apple app store.  It wants to scan a QR code as the next step - I could not figure out how to generate the QR.


Now before I go any further, I am the one and only admin account in my Azure AD.  I read a couple notes here about people getting locked out (phone problem it seemed) and not having a 2nd method in.


So here are my questions:

1) how do I do the next steps so that I can get the QR code


2) what are my options to create an alternate method to get in?


I have turned off this policy for now - just don't want to get locked out.




You should set up a 2nd admin account by all means, this avoids lockout: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access


General guidance for CSP Partners is here: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements

Quick note: You need to enable MFA for all users, not only admins.


> I turned on the policy "Baseline Policy: Require MFA for admins".

As a CSP Partner one option to make you compliant is using baseline policy for admins AND the end user protection policy. You need both if you go this route. Baseline policy will be replaced by AAD security defaults in February though, this can also be used to become compliant: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults


> 1) how do I do the next steps so that I can get the QR code

You need to register. So next time do not skip, but register, then the QR code is shown. Alternatively you can go to aka.ms/mfasetup to register.


> 2) what are my options to create an alternate method to get in?

App needs to be used for initial registration when using the baseline policies or AAD security defaults. If you also enable the user account for MFA (No license required for global admins), you can also set up phone/text message later. Alternatively you can configure multiple apps at all times, also token apps running on your Mac or PC, like Authy.com  

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
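
A pre-flight check for the lockout concern raised in this thread, as an added example that is not part of the original posts: it lists every Global Administrator and the second-factor methods each has registered, so you can confirm a second admin and an alternate method exist before switching an MFA policy back on. It assumes the Microsoft Graph PowerShell SDK is installed; the "fewer than two methods" threshold is an assumption chosen for this example.

```powershell
# Added example: run before enabling an MFA policy for admins.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','UserAuthenticationMethod.Read.All'

# Look up the Global Administrator role and everyone assigned to it.
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    # Role members can also be groups or service principals; only users register MFA.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    # Each registered method reports its kind in @odata.type,
    # e.g. #microsoft.graph.microsoftAuthenticatorAuthenticationMethod.
    $types = @(
        Get-MgUserAuthenticationMethod -UserId $m.Id |
            ForEach-Object {
                $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.|AuthenticationMethod$', ''
            } |
            Where-Object { $_ -ne 'password' }   # the password is not a second factor
    )

    [pscustomobject]@{
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        SecondFactors     = $types -join ', '
        SecondFactorCount = $types.Count
    }
}
$report = @($report)
$report | Format-Table -AutoSize

# A single admin account is the lockout scenario described in the question.
if ($report.Count -lt 2) {
    Write-Warning 'Only one Global Administrator found: create a second (emergency access) admin first.'
}

# Threshold of two methods is this example's assumption: one to use, one as fallback.
$report | Where-Object { $_.SecondFactorCount -lt 2 } | ForEach-Object {
    Write-Warning "$($_.UserPrincipalName) has fewer than two second-factor methods registered."
}
```

An account that shows no second factors will be prompted to register at its next sign-in once the policy is active.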