Choosing and using a Hardware Security Token for Azure AD Passwordless Authentication

Evaluation criteria for product selection can be a difficult process, especially for items that are rarely purchased. We’ve become accustomed to working out what we want from daily use items such as laptops, and mobile phones which does make that process easier when we refresh them every few years. However, choosing a hardware security token is maybe something you haven’t ever had to do.

So how do I choose a Hardware Security Token? This post outlines some selection criteria I’ve recently used to assist others with answering “Which Hardware Security Token do I need?”… [Keep reading] “Choosing and using a Hardware Security Token for Azure AD Passwordless Authentication”

An Azure MFA Management Agent for User MFA Reporting using Microsoft Identity Manager

Microsoft as part of the uplift in Authentication Methods capability have extended the Graph API to contain User Azure MFA information. My customers have been requesting MFA User Reporting data for some time. How many users are registered for Azure MFA? What and how many methods are they registered with? The new Graph API functions provide this information and we no longer have to use the legacy MSOLUser PowerShell cmdlet to obtain the strongAuthenticationMethods information. The new API’s provide;

Azure MFA User Reporting Management Agent

With this new functionality exposed, I’ve built an Azure MFA Management Agent for Microsoft Identity Manager to consume information from the credentialRegistrationDetails API, which can then be used in Identity Workflows to trigger notifications to users that don’t have enough registered methods (e.g.… [Keep reading] “An Azure MFA Management Agent for User MFA Reporting using Microsoft Identity Manager”

Enrolling and using both Microsoft Authenticator and a YubiKey Physical Token with Azure MFA

Microsoft have just announced the Public Preview for Hardware OATH Tokens such as the Yubico YubiKey with Azure MFA. In this very long and graphic heavy post I show the end-to-end setup and use of a YubiKey physical token from Yubico as a Multi-Factor Authentication (MFA) second factor authentication method to Azure AD/Office 365.

Specifically I detail;

  • the user experience using a YubiKey Hardware Token with Azure MFA
  • the administrator configuration process for admin enabled YubiKey physical tokens for use with Azure MFA
  • a user enrolling a YubiKey physical token as an additional method for use with Azure MFA
  • switching second-factor authentication methods when authenticating to Azure AD / Office 365

For the process I show here;

  • the Admin account I’m using to do the configuration is a Global Admin
  • the user I’m enabling the token for
    • is assigned an Enterprise Mobility + Security E3 license
    • is enabled for MFA
    • was enrolled in MFA using the Microsoft Authenticator App.
[Keep reading] “Enrolling and using both Microsoft Authenticator and a YubiKey Physical Token with Azure MFA”

Windows 10 Domain Join + AAD and MFA Trusted IPs


Those who have rolled out Azure MFA (in the cloud) to non-administrative users are probably well aware of the nifty Trusted IPs feature.   For those that are new to this, the short version is that this capability is designed to make it a little easier on the end user experience by allowing you to define a set of ‘trusted locations’ (e.g. your corporate network) in which MFA is not required.
This capability works via two methods:

  • Defining a set of ‘Trusted” IP addresses.
[Keep reading] “Windows 10 Domain Join + AAD and MFA Trusted IPs”

Resolving the 'Double Auth' prompt issue in ADFS with Azure AD Conditional Access MFA

As mentioned in my previous post, Using ADFS on-premises MFA with Azure AD Conditional Access, if you have implemented Azure AD Conditional Access to enforce MFA for all your Cloud Apps and you are using the SupportsMFA=true parameter to direct MFA execution to your ADFS on-premises MFA server you may have encountered what I call the ‘Double Auth’ prompt issue.
While this doesn’t happen across all Cloud Apps, you will see it on the odd occasion (in particular the Intune Company Portal and Azure AD Powershell Cmdlets) and it has the following symptoms:

  1. User signs into Azure AD App (e.g.
[Keep reading] “Resolving the 'Double Auth' prompt issue in ADFS with Azure AD Conditional Access MFA”

Using ADFS on-premises MFA with Azure AD Conditional Access

With the recent announcement of General Availability of the Azure AD Conditional Access policies in the Azure Portal, it is a good time to reassess your current MFA policies particularly if you are utilising ADFS with on-premises MFA; either via a third party provider or with something like Azure MFA Server.
Prior to conditional MFA policies being possible, when utilising on-premises MFA with Office 365 and/or Azure AD the MFA rules were generally enabled on the ADFS relying party trust itself. … [Keep reading] “Using ADFS on-premises MFA with Azure AD Conditional Access”

Azure MFA: Architecture Selection Case Study

I’ve been working with a customer on designing a new Azure Multi Factor Authentication (MFA) service, replacing an existing 2FA (Two Factor Authentication) service based on RSA Authenticator version 7.
Now, typically Azure MFA service solutions in the past few years have been previously architected in the detail ie. a ‘bottom up’ approach to design – what apps are we enforcing MFA on? what token are we going to use? phone, SMS, smart phone app? Is it one way message, two way message?… [Keep reading] “Azure MFA: Architecture Selection Case Study”

Connecting to and Using the Azure MFA Web Service SDK Server SOAP API with Powershell


A colleague and I are validating a number of scenarios for a customer who is looking to deploy Azure MFA Server. One of the requirements from an Identity Management perspective is the ability to interact with the MFA Server for user information. That led us on the exploration of what was possible and how best to approach it.

The title of this post has pretty much given it away as to how. But why ?… [Keep reading] “Connecting to and Using the Azure MFA Web Service SDK Server SOAP API with Powershell”

Azure multi-factor authentication (MFA) cheat sheet.

Last year I had the pleasure of possibly being one of the first in Australia to tinker with Azure multi-factor authentication tied into Office 365 and Office when ADAL was in private preview. That was a great proof of concept project at the time.

I’m currently working on a solution for a client that’s selecting from one of the Azure MFA options: either Azure MFA Cloud, Azure MFA Server or enabling certificate or token MFA strictly on AD FS 3.0 (the latter is what I had used last year in that private preview proof of concept project at Staples Australia).

Today I want to share two tables that outline information that I brought together from various Azure documentation pages and Office 365 documentation pages to review for the client that I’m working on an Azure MFA solution at the moment. In working out what the imperatives / inputs / requirements for the solution, I found it easier to put everything into a table to visually see what options I could look to for this solution.

Read More