Last year I had the pleasure of being possibly one of the first in Australia to tinker with Azure multi-factor authentication tied into Office 365 and Office while ADAL was still in private preview. That was a great proof of concept project at the time.

I’m currently working on a solution for a client that is selecting from one of the Azure MFA options: Azure MFA Cloud, Azure MFA Server, or certificate- or token-based MFA strictly on AD FS 3.0 (the latter is what I used last year in that private preview proof of concept project at Staples Australia).

Today I want to share two tables that bring together information from the various Azure and Office 365 documentation pages I reviewed for the client I’m currently building an Azure MFA solution for. When working out the imperatives, inputs and requirements for the solution, I found it easier to put everything into a table so I could see at a glance which options I could consider.

| Option | Azure MFA Cloud | Azure MFA Server | AD FS MFA |
|---|---|---|---|
| First party Microsoft apps compatibility: Azure AD | YES | YES | YES |
| First party Microsoft apps compatibility: Office 365 | YES | YES | YES |
| Cloud SaaS apps, via the Azure app gallery / Access Panel | YES | Limited | NO |
| IIS applications published through Azure AD App Proxy / Access Panel | YES | YES | YES |
| IIS applications not published through Azure AD App Proxy / Access Panel | NO | YES | YES |
| RADIUS integration | NO | YES | NO |
| Remote access integration: RDS through AD FS | NO | YES | YES |
| Remote access integration: Citrix Web Interface through NetScaler | NO | YES | YES |
| Remote access integration: VPN through RADIUS connectivity | NO | YES | NO |
| Admin control over authentication methods | YES | YES | YES |
| Conditional access: internal, external | YES | YES | YES |
| Conditional access: per application | YES | Limited | Limited |
| Hardware tokens and software tokens | NO | YES | YES |
| Azure Authenticator app | YES | YES | NO |
| Mobile app notification | YES | YES | NO |
| Mobile app verification code | YES | YES | NO |
| Phone call as second factor (phone call made, pick up only) | YES | YES | NO |
| One-way SMS as second factor (code sent, enter it in the site) | YES | YES | NO |
| Two-way SMS as second factor (reply to the SMS with the code) | NO | YES | NO |
| PIN mode (set up a custom PIN and enter it for authentication) | NO | YES | NO |
| Fraud alerting | YES | YES | NO |
| MFA service reporting | YES | YES | NO |
| One-time bypass | YES | YES | NO |
| Custom greetings for phone calls | YES | YES | NO |
| Customizable caller ID for phone calls | YES | YES | NO |
| Contextual IP address whitelisting / trusted IPs | YES | YES | NO |
| Integration with third-party apps, e.g. Citrix, RADIUS | NO | YES | NO |
| App passwords for clients that don’t support MFA | YES | NO | NO |
| Cache (remember MFA ‘server’ side) | YES | YES | NO |
| Remember MFA for trusted devices (for a set number of days) | YES | NO | NO |
| High availability and resiliency | YES | YES | YES |

That’s all well and good when we’re talking about core MFA functionality. There is another set of criteria that is just as important when choosing any MFA solution related to Azure: client compatibility. Below is a table that outlines client compatibility as of 2016-06-03.

| Client compatibility | Azure MFA Cloud | Azure MFA Server | AD FS MFA |
|---|---|---|---|
| Web browser: IE, Chrome, Firefox | YES | YES | YES |
| Microsoft Office 2013, including Skype for Business | YES | YES | YES |
| Microsoft Office 2016, including Skype for Business | YES | YES | YES |
| Office 2016 for Mac | YES | YES | YES |
| Office for Windows Phone | NO | NO | NO |
| iOS native mail, calendar, contacts apps | NO | NO | NO |
| Android native mail, calendar, contacts apps | NO | NO | NO |
| iOS: Word, Excel, PowerPoint (only) | YES | YES | YES |
| Android mobile: Word, Excel, PowerPoint (only) | YES | YES | YES |
| Android tablet: Word, Excel, PowerPoint (only) | NO | NO | NO |
| iOS Skype for Business | YES | YES | YES |
| Windows Phone Skype for Business | NO | NO | NO |
| Android Skype for Business (when not using hybrid Skype for Business) | Limited | Limited | Limited |
| iOS Outlook mobile app | YES | YES | YES |
| Android Outlook mobile app | YES | YES | YES |
| Windows Phone Outlook mobile app | NO | NO | NO |

Final words

Multi-factor authentication should be standard across every website, app and system you interact with every day. I am all for leveraging the mobile phone that everyone now carries (which is scary, powerful and inspiring all at the same time) to shut down the bulk of password-only attacks: a stolen, reused or guessed password on its own no longer gets an attacker in.

There’s a privacy and work/life balance debate when this comes into play in the corporate world. I certainly understand not wanting to register your personal mobile with corporate systems, which could expose your details to the broader organization and tips the scales further towards work. Security is the bigger concern though, and keeping your personal information safe wherever you are, work or home, is the imperative that trumps all others.

Use MFA as much as possible and reduce the stress that comes with security.

Cheers

Category: Azure Platform

23 Comments

  1. One thing missing from your cheat sheet table: what supports using certificates as a second authentication factor. As far as I can tell it is only AD FS MFA.

    • Hey Josh, well spotted there!

      Using certificates would be available in AD FS MFA, but could be used in conjunction with Azure MFA Server. As a pure solution, you’re certainly right: only AD FS MFA supports certificates at the moment.

  2. Hi Lucian,

    How do I make it mandatory for a website so the auth token is multi-factor authenticated? We are using ASP.NET / OAuth 2.0 with Azure AD and MFA is enabled for all the users. Currently, users can log in to our website using a token which is not MFA, so when we are trying to obtain a token on-behalf-of to call other services, AcquireToken fails with
    Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50079: The user is required to use multi-factor authentication.

    Thanks,
    Andrei

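One practical way to handle the situation Andrei describes above, added here as an example that is not part of the original post or of the comments: Azure AD puts an amr (authentication method references) claim in the tokens it issues, with values such as pwd for a password sign-in and mfa when the user also completed multi-factor authentication. An application that refuses any token whose amr does not contain mfa, and sends that user back through sign-in instead, never reaches the AADSTS50079 failure on the on-behalf-of call with a password-only token in hand. The helper names, the fixed clock and the sample tokens are all constructed for this demonstration; the samples are unsigned, so the code shows only the claim check and deliberately skips signature validation, which a real application must perform against the tenant’s signing keys before trusting any claim.

```python
"""Added example (not from the original post): reject Azure AD tokens
whose 'amr' claim shows the sign-in was not multi-factor.

Assumptions, labelled: helper names are hypothetical; the tokens below are
constructed, unsigned JWTs (alg 'none') built only so the example runs
offline. A production check must verify the signature first.
"""
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    pad = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + pad)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for demonstration only."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment: this token proves nothing on its own
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims. Does NOT validate the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def is_mfa_authenticated(claims: dict, now=None) -> bool:
    """True only if the token is unexpired and 'amr' includes 'mfa'."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    amr = claims.get("amr", [])
    if isinstance(amr, str):  # tolerate a single-string claim value
        amr = [amr]
    return "mfa" in amr


def require_mfa(token: str, now=None) -> dict:
    """Return the claims if MFA was satisfied, otherwise raise.

    The raise is the point at which a web app would redirect the user back
    to the authorize endpoint rather than call downstream services with a
    password-only token and hit AADSTS50079 there.
    """
    claims = decode_claims(token)
    if not is_mfa_authenticated(claims, now):
        raise PermissionError("MFA required, amr=%r" % (claims.get("amr"),))
    return claims


# Constructed sample tokens with a fixed clock so the run is deterministic.
NOW = 1_465_000_000
PASSWORD_ONLY = make_sample_token({"sub": "alice", "amr": ["pwd"], "exp": NOW + 3600})
WITH_MFA = make_sample_token({"sub": "alice", "amr": ["pwd", "mfa"], "exp": NOW + 3600})
EXPIRED_MFA = make_sample_token({"sub": "alice", "amr": ["pwd", "mfa"], "exp": NOW - 1})

if __name__ == "__main__":
    for name, tok in (("password only", PASSWORD_ONLY),
                      ("with mfa", WITH_MFA),
                      ("expired", EXPIRED_MFA)):
        try:
            require_mfa(tok, now=NOW)
            print(name, "-> accepted")
        except PermissionError as err:
            print(name, "->", err)
```

The check belongs on the token your app received at sign-in, before the on-behalf-of exchange: an expired token is treated the same as a non-MFA one, and the amr claim is read defensively because a missing claim must fail closed.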
  3. Hi Lucian

    Great article.

    Is there a way to make mobile (iOS/Android) devices trusted devices, to reduce/remove the requirement for MFA challenges on approved/known devices?

  4. Doesn’t cloud-only MFA support one-time bypass?

  5. Hi Lucian

    Is there a way to use Azure MFA (without the server) with ADFS relying parties?

    Thanks
    Ryan

  6. I would say that one-time bypass does not exist in Azure MFA Cloud, only for MFA Server. I think you have to prove me wrong otherwise… hehe

  7. Microsoft’s documentation on the subject is just terrible. And that prompts us to do a lot of guesswork: for example, when one is reading this article and the comments, one would think that one-time bypass is available in the Azure MFA cloud-only implementation while it is not; that feature requires an on-prem server, yet Microsoft has put the option in their portal to create a one-time bypass entry and it appears as though you can use it.
    Microsoft also hasn’t provided instructions on how to differentiate between the two implementations (cloud vs on-prem server) and whether the two can work in conjunction, for example using the MFA on-prem server only for one-time bypass and VPN, but managing MFA using the cloud otherwise (to get the app password feature, for example). Microsoft’s support forum seems to suggest that you can use both, but not their official documentation.
    The licensing model is also not explained: their website says MFA requires a Premium Azure license, but you can enable it for any user in reality.
    I could go on… but the point is that Microsoft, in an effort to catch up with the tremendously fast growing cloud market, is rolling out features and services that haven’t been properly developed or tested, or don’t have the required know-how published for administrators to use.

    • Hi mate, all valid points. I would say though that with Server 2016, MFA has become easier. AD FS no longer needs that on-prem MFA Server component and you can leverage Azure Cloud MFA for everything. The blog’s a bit outdated now, I think…

      • Hi Lucian, thanks for your comment. I did notice that the blog is kind of outdated, especially bearing in mind how fast Azure services are changing. But you would be surprised how much your blog comes up in searches. Although some of you may have been dealing with Azure for a while now, and have learned how to set up systems like MFA in a jiffy, there are still a bunch of companies that are just entering the cloud space. We, for example, don’t even have AD FS in our environment; instead we run Office 365 with AD Connect with password hashing. Looking at the current Microsoft documents is not very helpful, which is why we have to either turn to third-party blogs and forums or figure it out by ourselves. Unless you are willing to pay premium prices to consulting companies to implement it while you learn nothing.
        I have yet to find a good and COMPLETE resource online that explains MFA and how to implement it.

  8. This is a great article. Could you please help me clarify something? I want to require users to use the Azure mobile app for multifactor authentication when they log on to their Office 365 mailboxes. I do not need to use MFA to secure any other resources. I have ADFS on Windows 2012 R2 deployed on premises today.

    Do I need to install on premises multifactor authentication server? Or can I just configure ADFS as described at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-adfs#secure-azure-ad-resources-using-ad-fs and not install multifactor authentication server? I would prefer to avoid this installation if I don’t need it.

    • Hi John,
      If you want users in O365 to have MFA using soft tokens via the Authenticator app, then you need an AD Premium license (per user) and to configure Azure MFA Server with AD FS 2012 R2. You might be better off upgrading to AD FS 2016, which has a connector built in for Azure MFA (meaning no MFA Server required).
      Office 365 MFA is limited to phone or SMS soft tokens only. So, if you want the sexy app, you have to pay extra.

      However, because you have federated identity, users will auth against AD FS (1st factor), then be routed back to login.microsoftonline.com and then trigger Azure MFA (2nd factor). I’ve seen this in practice, so you technically don’t need MFA Server if all you’re doing MFA for is just O365 logon. If SMS or phone call can meet your requirements, it might save on license spend and complexity to just enable O365 MFA. It’s easy enough to enable on your account to test the experience and demonstrate that to business stakeholders for adoption approval.

      Last consideration: if you have AD FS, upgrading to 2016 and using the built-in Azure MFA connector, plus purchasing AD Premium licenses, allows you to apply MFA to any other RPT/app in AD FS. That’s a very good feature if you start to leverage AD FS and SAML authentication for your SaaS apps.

  9. Hi

    I have enabled MFA for O365 apps. When I access the O365 URL it asks me for my user name and password and takes me to the federated page, where it shows me the list of O365 apps such as Exchange Online, OneDrive, OneNote etc.

    For OneNote in particular, if I click on it, it shows me all my file names at the bottom; however, accessing the file does trigger MFA. But for security reasons even file names can divulge information.

    Any way to overcome this?

    Thanks

    Preeti

    • Office 365 MFA is doing authentication there. It’s the more basic version of MFA in Azure AD and only applies to accessing Office 365 services during the authentication phase. Office 365 MFA isn’t designed to trigger on accessing files. You could look at setting up Conditional Access policies. However, from memory you’ll need AD Premium licensing and to use Azure AD MFA rather than Office 365 MFA.

  10. If I want to enforce MFA to let a user log in on a server that is on-premises, what option do I need: MFA Server on-premises, Azure MFA or AD FS? I’m confused about all the options available. We already enabled MFA for Office 365 user logins but would also like to use MFA for local server logins. Any advice or links to blogs/articles?

    Thanks

  11. Windows Azure now also supports DeepNet SafeID hardware tokens (which can be a more convenient way to authenticate).

  12. Hello there,
    I want to integrate Azure MFA in my website. Is it possible to integrate it in custom apps?

    Currently the website is hosted on a Linux server (Ubuntu) on AWS EC2. My client wants to integrate Azure MFA on his website (built in PHP).
    I checked its docs and tutorials but didn’t find any PHP SDK or REST API.

    I checked and integrated this Node JS code https://github.com/Azure-Samples/active-directory-node-webapp-openidconnect
    It worked fine, but:

    – It will need to add a user in Active Directory first (Can I authenticate users directly, without registering on Azure? Also, currently I have more than 3000 existing users and don’t want to give them access to the Azure Portal).
    – The user is completely redirected to the Microsoft site during the authentication process (Is there any way without redirecting?).

    Please help me regarding this,

    Thanks & regards,
    Herry

