In this article we will discuss the concept of Azure Multi-Factor Authentication (MFA), when and how you can use it, and the difference between cloud MFA and the standalone MFA server.
As you know, Microsoft Azure offers many cloud services: Azure can be used to deploy your datacenter in the cloud, to extend your on-premises datacenter to the cloud as a hybrid deployment, to provide Single Sign-On for cloud and on-premises applications, and so on. In this article we will introduce a new feature called Multi-Factor Authentication (MFA).
To demonstrate the concept of multi-factor authentication, let's take a simple scenario. Assume you have an accounting application published over the internet. Users enter the URL of the app in their browsers, the app asks for a username and password, and once the user provides the correct credentials it allows access.
Now assume an attacker (a man in the middle, for example) steals the credentials of one or more users. He can then simply access your application and steal the data, and no one will know!
The concept of MFA was introduced for exactly this scenario. Once the credentials are provided to the app, MFA says: "Stop, my dear user. Even if you provided the correct credentials, I still need to confirm that you are the real owner of them. To prove it, I will call you on your mobile; if you answer my phone call and press "#", for example, I will allow you to access the application, since it is very hard for someone to steal both your credentials and your mobile at the same time." This is exactly the concept of multi-factor authentication.
From the above example we can define MFA as a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
These days many vendors provide MFA services, such as EMC-RSA, Symantec and others. Microsoft also provides the Azure Multi-Factor Authentication (MFA) service, so why use Microsoft MFA?
As usual, Microsoft's solution is very easy to use for both end users and administrators. You can integrate Azure MFA with your cloud and on-premises custom apps with simple configuration, Microsoft MFA is a highly reliable solution with a guaranteed 99.9% service availability, and during deployment you can decide whether you want to be charged per user enabled for MFA or per authentication.
So Azure MFA is a very convenient solution, since:
1- There is no device or certificate to purchase, provision and maintain.
2- No end-user training is required.
3- Users replace their own lost or broken phones.
4- Users can manage their own phone numbers.
5- Users can easily report fraud attempts to their administrators.
Now, let's take a look at how Azure MFA works:
Again, you need at least two ways to authenticate yourself. For example, when you provide the correct credentials you receive a phone call or SMS to prove your identity, so if someone knows your password he cannot access the apps without also having your trusted device, for example your mobile phone; and vice versa, if someone steals your mobile he cannot access the app without having your credentials. So it is a very strong protection method.
Once you provide the correct credentials, the MFA server or service initiates a call or sends an SMS to your phone to prove your identity. This scenario applies to on-premises and cloud applications such as Office 365, on-premises Exchange, custom applications and so on.
So in Azure MFA there are many verification methods available, as listed below:
- Phone call
- Text message
- Mobile app notification, allowing users to choose the method they prefer
- Mobile app verification code
- Third-party OATH tokens
The figure below, from the Microsoft website, shows a description of each verification method:
Microsoft offers the MFA service in two main types (flavors), as below:
Azure Multi-Factor Authentication standalone server: in this type you deploy the MFA server as a standalone server in your on-premises environment. In this case you only need an Azure tenant in which to create an Azure MFA provider (which we will talk about later in the technical parts).
Azure AD Premium: in this type you use the MFA service directly from the Azure portal without the need for an on-premises MFA server, but in this deployment you need to sync your users to Azure Active Directory using a sync tool such as Azure AD Connect.
Azure Multi-Factor Authentication is free for administrators to protect their own accounts.
Just to clarify the concept again, see the figure below. It shows that the user must first provide the correct credentials and then authenticate again using one of the Azure MFA authentication methods mentioned earlier, such as a mobile call or SMS:
As we mentioned earlier in this article, you have two options for using Azure MFA: the first is to deploy a standalone MFA server in your on-premises environment, and the second is to use Azure AD Premium (multi-factor authentication in the cloud). So how do you decide which type to use? Below are some scenarios that will help you decide:
On-premises MFA standalone server:
1- IIS applications not published through Azure AD App Proxy, or any custom application.
2- Remote access, such as securing your RDS session environment using RD Gateway, Terminal Services, VPN and so on.
Multi-factor authentication in the cloud:
1- IIS applications published through Azure AD App Proxy.
2- SaaS apps in the Azure app gallery.
3- First-party Microsoft apps.
Finally, for MFA pricing please follow the Microsoft link:
In the next parts we will discuss MFA further and work through some real examples of how to use MFA to secure your environment. Stay tuned 🙂
About the Blogger
Ahmad Yasin is a Microsoft Cloud Engineer and the owner and publisher of the AzureDummies blog. He also holds many certificates in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA Office 365. Ahmad is currently working at Specialized Technical Services Company (STS).