Test your deployment with MFA enabled

Warning

You should have received an email or Teams chat from your SA/SME before continuing.

  1. Close any opened browser and re-open Microsoft Edge

  2. Connect to Bluesky. Don’t try with Vanilla, because your MFA test account does not exist in the on-premises AD (AD DS), so SSO will not work. You can add this user in AD DS if you are comfortable with AD.

  3. If you are not prompted at the Azure AD login page, open an incognito window: it means you still have Azure AD cookies from the previous session with the ``user1`` account.

  4. At the prompt, log in with your MFA account (in my case, matt@f5access.onmicrosoft.com) and the password provided by your SA/SME.

  5. You will be asked to enroll in MFA and select a method.

    ../../_images/moreinfo.png

  6. Click Next.

  7. You have the choice to use the Microsoft Authenticator mobile app or SMS. Make your choice and follow the steps to enroll your device (or phone number).

    ../../_images/choice.png

  8. I select the mobile app, scan the QR code, and approve the push notification on my mobile phone.

  9. I click Next and Done.

    ../../_images/done.png

  10. Azure AD asks you to change the password set by your SA/SME.

  11. Once done and redirected to Bluesky, you will notice that it does not work: the user still has to be assigned to the Bluesky app.

    ../../_images/error.png

  12. In the BIG-IP, edit the ISS-Bluesky-<my name> template and, in the Azure Active Directory step, add your account.

    ../../_images/account.png

  13. Click Save and Next, then Deploy.

    ../../_images/deploy2.png

  14. Test again: approve the push notification or enter the OTP received by SMS.

Note

This lab does not use Azure AD Conditional Access; it is per-user MFA only. Conditional Access is similar, but it is tied to a policy (group, location, app …). In this lab, matt is prompted for MFA regardless of the app he connects to.