Last year I had the pleasure of possibly being one of the first in Australia to tinker with Azure multi-factor authentication tied into Office 365 and Office when ADAL was in private preview. That was a great proof of concept project at the time.

I’m currently working on a solution for a client that’s selecting from one of the Azure MFA options: either Azure MFA Cloud, Azure MFA Server or enabling certificate or token MFA strictly on AD FS 3.0 (the latter is what I had used last year in that private preview proof of concept project at Staples Australia).

Today I want to share two tables that bring together information from various Azure and Office 365 documentation pages, which I compiled for the client I’m currently designing an Azure MFA solution for. In working out the imperatives / inputs / requirements for the solution, I found it easier to put everything into a table so I could see at a glance which options I could consider.

| Option | Azure MFA Cloud | Azure MFA Server | AD FS MFA |
| --- | --- | --- | --- |
| First party Microsoft Apps compatibility | | | |
| • Azure AD | YES | YES | YES |
| • Office 365 | YES | YES | YES |
| Cloud SaaS apps, via the Azure app gallery / Access Panel | YES | Limited | NO |
| IIS applications published through Azure AD App Proxy / Access Panel | YES | YES | YES |
| IIS applications not published through Azure AD App Proxy / Access Panel | NO | YES | YES |
| RADIUS integration | NO | YES | NO |
| Remote access integration – RDS through AD FS | NO | YES | YES |
| Remote access integration – Citrix Web Interface through NetScaler | NO | YES | YES |
| Remote access integration – VPN through RADIUS connectivity | NO | YES | NO |
| Admin control over authentication methods | YES | YES | YES |
| Conditional access – internal, external | YES | YES | YES |
| Conditional access – per application | YES | Limited | Limited |
| Hardware tokens and software tokens | NO | YES | YES |
| Azure Authenticator App | YES | YES | NO |
| Mobile app notification | YES | YES | NO |
| Mobile app verification code | YES | YES | NO |
| Phone call as second factor – phone call made, pick up only | YES | YES | NO |
| One-way SMS as second factor – code sent, enter in site | YES | YES | NO |
| Two-way SMS as second factor – reply to SMS with code | NO | YES | NO |
| PIN mode – set up a custom PIN and enter it for authentication | NO | YES | NO |
| Fraud alerting | YES | YES | NO |
| MFA service reporting | YES | YES | NO |
| One-Time Bypass | YES | YES | NO |
| Custom greetings for phone calls | YES | YES | NO |
| Customizable caller ID for phone calls | YES | YES | NO |
| Contextual IP address whitelisting / Trusted IPs | YES | YES | NO |
| Integration with third party apps, e.g. Citrix, RADIUS | NO | YES | NO |
| App passwords for clients that don’t support MFA | YES | NO | NO |
| Cache (remember MFA ‘server’ side) | YES | YES | NO |
| Remember MFA for trusted devices (for a set number of days) | YES | NO | NO |
| High availability and resiliency | YES | YES | YES |

That’s all well and good when we’re talking core MFA functionality. There is another set of criteria that’s important to consider when choosing an MFA solution of any kind that’s related to Azure: client compatibility. Below is a table that outlines the current, as of 2016-06-03, client compatibility.

| Client compatibility | Azure MFA Cloud | Azure MFA Server | AD FS MFA |
| --- | --- | --- | --- |
| Web browser: IE, Chrome, Firefox | YES | YES | YES |
| Microsoft Office 2013, including Skype for Business | YES | YES | YES |
| Microsoft Office 2016, including Skype for Business | YES | YES | YES |
| Office 2016 for Mac | YES | YES | YES |
| Office for Windows Phone | NO | NO | NO |
| iOS native mail, calendar, contacts apps | NO | NO | NO |
| Android native mail, calendar, contacts apps | NO | NO | NO |
| iOS: Word, Excel, PowerPoint (only) | YES | YES | YES |
| Android mobile: Word, Excel, PowerPoint (only) | YES | YES | YES |
| Android tablet: Word, Excel, PowerPoint (only) | NO | NO | NO |
| iOS Skype for Business | YES | YES | YES |
| Windows Phone Skype for Business | NO | NO | NO |
| Android Skype for Business (*when not using Hybrid S4B) | Limited | Limited | Limited |
| iOS Outlook Mobile app | YES | YES | YES |
| Android Outlook Mobile app | YES | YES | YES |
| Windows Phone Outlook Mobile app | NO | NO | NO |

Final words

Multi-factor authentication should be a standard across every website, across every app and system you interact with every day. I am all for leveraging a mobile phone, that everyone has (which is something that’s scary, powerful and inspiring all at the same time), to effectively eliminate almost all security concerns.

There’s a privacy and work/life balance debate when this comes into play in the corporate world. I certainly understand not wanting to share your mobile with corporate systems, which could potentially expose your details to the broader organization and tips the scales more towards work. Security is a much bigger concern though, and keeping your personal information safe wherever you are, work or home, is the imperative that trumps all others.

Use MFA as much as possible and reduce stress associated with security.

Cheers

Category: Azure Platform

17 Comments

  1. One thing missing from your cheat sheet table: what supports using certificates as a second authentication factor. As far as I can tell it is only AD FS MFA.

    Reply
    • Hey Josh, well spotted there!

      Using certificates would be available in AD FS MFA, but could be used in conjunction with Azure MFA Server. As a pure solution, you’re certainly right, only AD FS MFA supports certificates at the moment.

      Reply
  2. Hi Lucian,

    How do I make it mandatory for a website so the AUTH token is multi-factor authenticated? We are using ASP.NET / OAuth 2.0 with Azure AD and MFA is enabled for all the users. Currently, users can log in to our website using a token which is not MFA, so when we are trying to obtain a token on-behalf-of to call other services, the AquireToken fails with:
    Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50079: The user is required to use multi-factor authentication.

    Thanks,
    Andrei

    Reply
    • Hey Andrei, can you provide some more context?
      Are you using AD FS / federated identity or cloud identity?
      Are you using Azure MFA server or Azure MFA Cloud?

      Reply
  3. Hi Lucian

    Great article.

    Is there a way to make mobile (iOS/Android) devices, trusted devices, to reduce/remove the requirement for MFA challenges on approved/known devices?

    Reply
    • Alex, yes and no. There’s a remember MFA on device feature that won’t prompt you for MFA for X amount of days; but that’s only available on Azure Cloud MFA.

      Reply
  4. Doesn’t Cloud Only MFA support One Time Bypass?

    Reply
  5. Hi Lucian

    Is there a way to use Azure MFA (without the server) with ADFS relying parties?

    Thanks
    Ryan

    Reply
    • Hey Ryan, yes there is. The solution is Windows Server 2016!
      Server 2016 has Azure MFA as a built-in option for MFA, much like Server 2012 had token and certificate as a second factor option.

      Reply
  6. […] In aid of a ‘bottom up’ detailed approach – my colleague Lucian posted a very handy ‘cheat sheet’ last year, in comparing the various architectures and the features they support which you can find here: https://blog.kloud.com.au/2016/06/03/azure-multi-factor-authentication-mfa-cheat-sheet […]

    Reply
  7. I would say that one time bypass does not exist in Azure MFA Cloud, only for MFA Server. I think you have to prove me wrong otherwise…hehe

    Reply
  8. Microsoft’s documentation on the subject is just terrible. And that prompts us to do a lot of guesswork: for example, when one is reading this article and the comments, one would think that One-time bypass is available in the Azure MFA cloud-only implementation while it is not; that feature requires an on-prem server, yet Microsoft has put the option in their portal to create a one-time bypass entry and it appears as though you can use it.
    Microsoft also hasn’t provided instructions on how to differentiate between the two implementations (cloud vs on-prem server) and if the two can work in conjunction, for example use the MFA on-prem server only for One-time bypass and VPN, but manage MFA using the cloud otherwise (to get app password feature for example). Microsoft’s support forum seems to suggest that you can use both, but not their official document.
    The licensing model is also not explained: their website says MFA requires a Premium Azure license, but you can enable it for any user in reality.
    I could go on… but the point is that Microsoft, in an effort to catch up with the tremendously fast growing cloud market, is rolling out features and services that haven’t been properly developed, tested or required know-how published for the administrators to use.

    Reply
    • Hi mate, all valid points. I would say though that with Server 2016, MFA has become easier. AD FS no longer needs that on-prem MFA server component and you can leverage Azure Cloud MFA for everything. The blog’s a bit outdated now I think…

      Reply
      • Hi Lucian, thanks for your comment. I did notice that the blog is kinda outdated, especially having in mind how fast Azure services are changing. But you would be surprised how much your blog comes up in searches. Although some of you may have been dealing with Azure for a while now, and have learned how to set up systems like MFA in a jiffy, there are still a bunch of companies that are just entering the cloud space. We for example don’t even have ADFS in our environment, instead we run Office 365 with AD Connect with password hashing. Looking at the current Microsoft documents is not very helpful, that’s why we have to either turn to 3rd party blogs and forums or figure it out by ourselves. Unless you are willing to pay premium prices to consulting companies to implement it while you learn nothing.
        I’m yet to find a good and COMPLETE resource online that explains MFA and how to implement it.
