
Last year I had the pleasure of possibly being one of the first in Australia to tinker with Azure multi-factor authentication tied into Office 365 and Office when ADAL was in private preview. That was a great proof of concept project at the time.

I’m currently working on a solution for a client that’s selecting from one of the Azure MFA options: either Azure MFA Cloud, Azure MFA Server or enabling certificate or token MFA strictly on AD FS 3.0 (the latter is what I had used last year in that private preview proof of concept project at Staples Australia).

Today I want to share two tables that bring together information from various Azure and Office 365 documentation pages, which I reviewed for the client I’m currently working with on an Azure MFA solution. In working out the imperatives / inputs / requirements for the solution, I found it easier to put everything into a table so I could see at a glance which options I could consider.

| Option | Azure MFA Cloud | Azure MFA Server | AD FS MFA |
|---|---|---|---|
| First party Microsoft Apps compatibility | | | |
| • Azure AD | YES | YES | YES |
| • Office 365 | YES | YES | YES |
| Cloud SaaS apps, via the Azure app gallery / Access Panel | YES | Limited | NO |
| IIS applications published through Azure AD App Proxy / Access Panel | YES | YES | YES |
| IIS applications not published through Azure AD App Proxy / Access Panel | NO | YES | YES |
| RADIUS integration | NO | YES | NO |
| Remote access integration – RDS through AD FS | NO | YES | YES |
| Remote access integration – Citrix Web Interface through Netscaler | NO | YES | YES |
| Remote access integration – VPN through RADIUS connectivity | NO | YES | NO |
| Admin control over authentication methods | YES | YES | YES |
| Conditional access – internal, external | YES | YES | YES |
| Conditional access – per application | YES | Limited | Limited |
| Hardware tokens and software tokens | NO | YES | YES |
| Azure Authenticator App | YES | YES | NO |
| Mobile app notification | YES | YES | NO |
| Mobile app verification code | YES | YES | NO |
| Phone call as second factor – phone call made, pick up only | YES | YES | NO |
| One-way SMS as second factor – code sent, enter in site | YES | YES | NO |
| Two-way SMS as second factor – reply to SMS with code | NO | YES | NO |
| PIN mode – set up a custom PIN and enter it for authentication | NO | YES | NO |
| Fraud alerting | YES | YES | NO |
| MFA service reporting | YES | YES | NO |
| One-Time Bypass | YES | YES | NO |
| Custom greetings for phone calls | YES | YES | NO |
| Customizable caller ID for phone calls | YES | YES | NO |
| Contextual IP address whitelisting / Trusted IPs | YES | YES | NO |
| Integration with third party apps, e.g. Citrix, RADIUS | NO | YES | NO |
| App passwords for clients that don’t support MFA | YES | NO | NO |
| Cache (remember MFA ‘server’ side) | YES | YES | NO |
| Remember MFA for trusted devices (for set number of days) | YES | NO | NO |
| High availability and resiliency | YES | YES | YES |

That’s all well and good when we’re talking core MFA functionality. There is another set of criteria that’s important to consider when choosing any MFA solution related to Azure: client compatibility. Below is a table that outlines client compatibility as of 2016-06-03.

| Client compatibility | Azure MFA Cloud | Azure MFA Server | AD FS MFA |
|---|---|---|---|
| Web browser: IE, Chrome, Firefox | YES | YES | YES |
| Microsoft Office 2013, including Skype for Business | YES | YES | YES |
| Microsoft Office 2016, including Skype for Business | YES | YES | YES |
| Office 2016 for Mac | YES | YES | YES |
| Office for Windows Phone | NO | NO | NO |
| iOS native mail, calendar, contacts apps | NO | NO | NO |
| Android native mail, calendar, contacts apps | NO | NO | NO |
| iOS: Word, Excel, PowerPoint (only) | YES | YES | YES |
| Android mobile: Word, Excel, PowerPoint (only) | YES | YES | YES |
| Android tablet: Word, Excel, PowerPoint (only) | NO | NO | NO |
| iOS Skype for Business | YES | YES | YES |
| Windows Phone Skype for Business | NO | NO | NO |
| Android Skype for Business (*when not using Hybrid S4B) | Limited | Limited | Limited |
| iOS Outlook Mobile app | YES | YES | YES |
| Android Outlook Mobile app | YES | YES | YES |
| Windows Phone Outlook Mobile app | NO | NO | NO |

Final words

Multi-factor authentication should be a standard across every website, app and system you interact with every day. I am all for leveraging the mobile phone that everyone carries (something that’s scary, powerful and inspiring all at the same time) to effectively eliminate almost all security concerns.

There’s a privacy and work/life balance debate there when this comes into play in the corporate world. I certainly get not wanting to share your mobile with corporate systems, which could potentially expose your details to the broader organization and tip the scales more towards work. Security is a much bigger concern though, and keeping your personal information safe wherever you are, work or home, is the imperative that trumps all others.

Use MFA as much as possible and reduce stress associated with security.

Cheers

Category: Azure Platform

Comments (23)

Josh

One thing missing from your cheat sheet table: what supports using certificates as a second authentication factor. As far as I can tell it is only AD FS MFA.

andrei

Hi Lucian,

How do I make it mandatory for a website so the AUTH token is multi factor authenticated? We are using ASP.NET / OAUTH 2.0 with Azure AD and MFA is enabled for all the users. Currently, users can login our website using a token which is not MFA, so when we are trying to obtain a token on behalf of the user to call other services, the AcquireToken fails with Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50079: The user is required to use multi-factor authentication.

Thanks,
Andrei
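An added example, not part of the original post or of Andrei’s comment, showing one way a web app can answer the question above: inspect the token’s `amr` (authentication methods reference) claim, which Azure AD populates with `"mfa"` when a second factor was completed and with only `"pwd"` for a password-only sign-in. It assumes the token’s signature, issuer, audience and expiry have already been validated by the app’s OpenID Connect / OAuth middleware; the sample tokens are constructed locally with a placeholder signature purely to exercise the check.

```python
import base64
import json

# Azure AD records a completed second factor as "mfa" in the amr claim;
# a password-only sign-in carries just "pwd".
MFA_METHODS = {"mfa"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    Signature verification is assumed to have happened in the middleware."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_was_mfa(token: str) -> bool:
    """True only if the amr claim shows the user completed a second factor."""
    amr = jwt_claims(token).get("amr", [])
    if isinstance(amr, str):  # defensive: a bare string is treated as one method
        amr = [amr]
    return any(method in MFA_METHODS for method in amr)


def enforce_mfa(token: str) -> str:
    """Per-request decision for the web app: serve the page, or send the user
    back to Azure AD to step up with a second factor before proceeding."""
    return "allow" if token_was_mfa(token) else "step-up-required"


def _sample_token(claims: dict) -> str:
    # Constructed sample for demonstration only: real JSON header and payload,
    # placeholder signature, because signing/verification is the middleware's job.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig-placeholder"])


PASSWORD_ONLY = _sample_token({"sub": "user1", "amr": ["pwd"]})
WITH_MFA = _sample_token({"sub": "user1", "amr": ["pwd", "mfa"]})

if __name__ == "__main__":
    print(enforce_mfa(PASSWORD_ONLY))  # step-up-required
    print(enforce_mfa(WITH_MFA))       # allow
```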

alexlondon79

Hi Lucian

Great article.

Is there a way to make mobile (iOS/Android) devices, trusted devices, to reduce/remove the requirement for MFA challenges on approved/known devices?

Scott

Doesn’t Cloud Only MFA support One Time Bypass?

Ryan

Hi Lucian

Is there a way to use Azure MFA (without the server) with ADFS relying parties?

Thanks
Ryan

henrik hallebrand

I would say that one time bypass does not exist in Azure MFA Cloud, only for MFA Server. I think you have to prove me wrong otherwise…hehe

Sonic

Microsoft’s documentation on the subject is just terrible. And that prompts us to do a lot of guess work: For example, when one is reading this article and the comments, one would think that One-time bypass is available in the Azure MFA cloud-only implementation while it is not; that feature requires an on-prem server, yet Microsoft has put the option in their portal to create a one-time bypass entry and it appears as though you can use it. Microsoft also hasn’t provided instructions on how to differentiate between the two implementations (cloud vs on-prem server) and if the two can…

John Allen

This is a great article. Could you please help me clarify something? I want to require users to use the Azure mobile app for multifactor authentication when they log on to their Office 365 mailboxes. I do not need to use MFA to secure any other resources. I have ADFS on Windows 2012 R2 deployed on premises today.

Do I need to install on premises multifactor authentication server? Or can I just configure ADFS as described at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-adfs#secure-azure-ad-resources-using-ad-fs and not install multifactor authentication server? I would prefer to avoid this installation if I don’t need it.

saurabkhurana

Hi

I have enabled MFA for O365 apps. When I access the O365 URL it asks me for my user name and password and takes me to the federated page wherein it shows me the list of O365 apps such as Exchange Online, One Drive, One Note etc.

For One Note in particular, if I click on it it shows me all my file names at the bottom; however, accessing the file does trigger MFA. But for security reasons even file names can divulge information.

Any way to overcome this?

Thanks

Preeti

Eddie

If I want to enforce MFA to let a user login on a server that is on-premises what option do I need, MFA server, on-premises or Azure MFA or ADFS? I’m confused about all the options available. We already enabled MFA for Office365 user logins but would also like to use MFA for local server logins. Any advice or links to blogs/articles?

Thanks

Jeffery Birks

Windows Azure now also supports DeepNet SafeID hardware tokens (which can be a more convenient way to authenticate).

Herry

Hello there, I want to integrate Azure MFA in my website. Is it possible to integrate in custom apps? Currently the website is hosted on a Linux Server (Ubuntu) from AWS EC2, and my client wants to integrate Azure MFA on his website (built in PHP). I checked its docs and tutorials but didn’t find any PHP SDK or REST API. I checked and integrated this Node JS code https://github.com/Azure-Samples/active-directory-node-webapp-openidconnect It worked fine, but: – It will need to add a user in Active Directory first (Can I authenticate users directly, without registering on Azure? also currently I have more than 3000 existing…
