How to manage Active Directory Multi-Factor Authentication (MFA) in Azure
Multi-Factor Authentication (MFA) is a crucial security measure for protecting accounts and data in Azure environments. However, once MFA is enabled on the account a script signs in with, non-interactive scripts such as automated database backups can no longer authenticate with a stored username and password. In this article, we look at why this happens and provide a practical solution for performing database backups in production environments where MFA is enabled.
The MFA challenge in Azure
When you run a database backup script in Azure with MFA enabled, you will likely encounter the following error:
"Unable to obtain authentication token using the credentials provided. If your Active Directory tenant administrator has configured Multi-Factor Authentication or if your account is a Microsoft Account, please remove the username and password from the connection string, and then retry."
As a security measure, MFA should be enabled on all accounts, especially those used to configure and automate the backup of production environments. However, this requires modifying the original script so that it authenticates with an access token instead of a username and password.
Solution for database backup in MFA-enabled environments
Below, we present a practical solution to adapt the database backup script in Azure environments with MFA enabled:
- Store sensitive data in environment variables within the Automation Account: Never place confidential information, such as passwords or tokens, directly in the script code. Store this data as environment variables within Azure Automation and read it at run time, so it is neither visible in the runbook source nor written to the job output.
- Import the 'SqlServer' module: This module provides the cmdlets and client libraries for working with SQL Server and Azure Analysis Services from PowerShell. Import it at the beginning of your script.
- Adjust the authentication: Instead of authenticating with a username and password, use the "Get-AzAccessToken" cmdlet to obtain a valid access token for the Analysis Services resource. Because the token is issued to the identity the runbook runs as, it works even when MFA is enforced on your user account.
- Build the connection string: Combine the information obtained in the previous steps, such as the name of the Analysis Services server, the values stored in Azure Automation, and the tenant ID, into the connection string needed to reach the Azure service.
- Perform the database backup: Use a "foreach" loop to iterate through the databases and back up each one according to your needs. This section of the script is where you configure the backup options, such as frequency and backup file naming or format.
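The five steps above combined into a single runbook, as an added example rather than the article's own script. It assumes the Automation Account has a system-assigned managed identity with administrator rights on the Analysis Services server, that the Automation variable names shown are ones you create yourself, and that the backup itself is performed through the AMO `Microsoft.AnalysisServices.Server` class that ships with the SqlServer module.

```powershell
# Added example runbook (not the article's script). Assumptions: the Automation Account's
# system-assigned managed identity is an Analysis Services administrator, and the
# Automation variables named below (constructed names) have been created in the account.
Import-Module SqlServer

# Step 3: sign in as the runbook's managed identity; no username or password is involved,
# so MFA enforced on user accounts does not block this job.
Connect-AzAccount -Identity | Out-Null

# Step 1: read configuration and secrets from Automation variables, not from the script body.
$asServer  = Get-AutomationVariable -Name 'AsServer'     # e.g. asazure://<region>.asazure.windows.net/<server>
$tenantId  = Get-AutomationVariable -Name 'TenantId'
$databases = (Get-AutomationVariable -Name 'AsDatabases') -split ','   # comma-separated list of database names

# Step 3: request an access token scoped to Analysis Services in this tenant.
$token = (Get-AzAccessToken -ResourceUrl 'https://*.asazure.windows.net' -TenantId $tenantId).Token
if ($token -is [System.Security.SecureString]) {
    # Recent Az.Accounts versions return a SecureString; the client library needs the plain value.
    $token = [System.Net.NetworkCredential]::new('', $token).Password
}

# Step 4: an empty User ID plus the token in Password makes the Analysis Services client
# library authenticate with the bearer token instead of a stored password.
$connectionString = "Data Source=$asServer;User ID=;Password=$token;Persist Security Info=True"

# Step 5: connect once and back up each database in turn.
$server = New-Object Microsoft.AnalysisServices.Server
try {
    $server.Connect($connectionString)
    foreach ($dbName in $databases) {
        $db = $server.Databases.FindByName($dbName.Trim())
        if ($null -eq $db) {
            Write-Warning "Database '$dbName' not found on $asServer; skipping."
            continue
        }
        # Only a file name is given: Azure AS writes it to the storage account configured on the server.
        $backupFile = '{0}_{1}.abf' -f $db.Name, (Get-Date -Format 'yyyyMMdd_HHmmss')
        $db.Backup($backupFile, $true)   # $true = allow overwrite of an existing file
        Write-Output "Backed up '$($db.Name)' to $backupFile"
    }
}
finally {
    # Disconnect cleanly; the token is never written to the job output.
    if ($server.Connected) { $server.Disconnect() }
}
```

Schedule the runbook from the Automation Account to set the backup frequency, and review the job output for the per-database warnings when a backup is skipped.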
Conclusions
Automating the backup of databases in Azure environments with MFA enabled can be a challenge, but by following the practices and modifications described in this article you can overcome it. Using an "Automation Account" and a PowerShell "Runbook", you can produce reliable and up-to-date backup copies. Adopting security practices such as environment variables for secrets and token-based authentication strengthens the protection of sensitive data.