Azure Multi-Factor Authentication features per license and implementation

Image: Multi-Factor Authentication Server Splash Screen

Recently, I’ve been involved in some larger on-premises Azure Multi-Factor Authentication (MFA) Server projects as a senior engineer with a couple of demanding customers. It’s been a lot of fun and quite the roller coaster ride.

One of the more confusing things about Azure Multi-Factor Authentication Server to customers is its licensing and the features you get with each of the deployment scenarios.

In this blog post, let's look at the deployment scenarios and then at the features the Azure Multi-Factor Authentication technology has to offer.


Deployment scenarios

Basically, an organization has the following ways to enable Multi-Factor Authentication for Microsoft's online resources:

Office 365 Multi-Factor Authentication

Microsoft's Office 365 Multi-Factor Authentication feature uses the Multi-Factor Authentication service residing in Microsoft's datacenters. Office 365 Admins can configure Multi-Factor Authentication enrollment and enforcement in the Office 365 Portal. After successful enrollment (at first logon to any of Microsoft's portal websites, or to any app or application that uses modern authentication), multi-factor authentication can be enforced. If only MFA enrollment is selected, but not MFA enforcement, the MFA enrollment may be canceled by the end-user.

The scope for Office 365 Multi-Factor Authentication is limited to Office 365 and included in all Office 365 E licenses. Configuring Office 365 MFA does not result in an MFA Provider being created in the Azure back-end.
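The enrollment-versus-enforcement distinction above maps to the per-user MFA state (Enabled versus Enforced) that the portal sets on an Azure AD user. The following PowerShell is an added example, not code from the original post, showing how to set and audit that state with the MSOnline module's Set-MsolUser and Get-MsolUser cmdlets and the StrongAuthenticationRequirement object; the user principal names are constructed placeholders, and the Set-UserMfaState and Get-UserMfaState function names are mine.

```powershell
# Added example (not from the original post): manage per-user MFA state with the
# MSOnline PowerShell module. Requires Install-Module MSOnline and a Global Admin
# sign-in via Connect-MsolService. The UPNs used below are constructed placeholders.

Connect-MsolService   # prompts for Global Admin credentials

function Set-UserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State
    )
    if ($State -eq 'Disabled') {
        # Clearing the requirements list removes per-user MFA for this account
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'      # apply to every relying party, as the portal does
    # 'Enabled'  = user is asked to register at next sign-in (enrollment only; they may defer)
    # 'Enforced' = user must complete MFA registration and verification to sign in
    $req.State = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-UserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # An empty requirements list means per-user MFA is not configured for this account
    $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        $u.StrongAuthenticationRequirements[0].State
    } else {
        'Disabled'
    }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        MfaState          = $state
        RegisteredMethods = ($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
    }
}

# Enrollment only: the user is prompted to register but, as noted above, may cancel
Set-UserMfaState -UserPrincipalName 'alice@contoso.example' -State Enabled

# Enforcement: the user cannot sign in without completing MFA
Set-UserMfaState -UserPrincipalName 'bob@contoso.example'   -State Enforced

# Audit: list every user whose per-user MFA state is not 'Enforced'
Get-MsolUser -All |
    ForEach-Object { Get-UserMfaState -UserPrincipalName $_.UserPrincipalName } |
    Where-Object { $_.MfaState -ne 'Enforced' } |
    Format-Table -AutoSize
```

The audit loop is the useful part for a reviewer: accounts that sit at "Enabled" for a long time, or that show no registered methods, are accounts where MFA is configured on paper but not actually protecting sign-ins.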

Azure Multi-Factor Authentication for Admins

Like Office 365 MFA, Azure Multi-Factor Authentication for Admins is limited in scope. However, Azure MFA for Admins is limited to Azure AD user accounts with one or more Admin roles. Just like Office 365 MFA, configuring Azure MFA for Admins does not result in an MFA Provider being created in the Azure back-end.

Azure Multi-Factor Authentication

In contrast to Office 365 MFA and Azure MFA for Admins, you can enable Azure Multi-Factor Authentication for any or all user accounts in your Azure Active Directory tenant. This feature can be licensed in various ways:

  • Azure Multi-Factor Authentication (Azure MFA)
  • Azure Active Directory Premium
  • Enterprise Mobility + Security (EMS)
  • Secure Productivity Enterprise (SPE)

Note that each of these licenses is, in turn, part of the next license in the list. The separate Azure MFA license can be configured per tenant in a pay-per-user or a pay-per-10-authentications model.

By definition, an MFA Provider is created in the Azure backend, allowing configuration of several subfeatures of the Azure MFA Service.

Note:
Some settings for this deployment scenario are managed through the Azure MFA Portal, which can be reached by logging into the Azure Management Website, clicking Active Directory in the pane on the left, going to the Multi-Factor Auth Providers tab and then clicking Manage. Other settings are managed through the Azure MFA Service Settings, which can be reached through the same Azure Management Website: this time select your Azure Active Directory tenant (or the Default Directory) instead of the Multi-Factor Auth Providers tab, click the Configure tab, and follow the Manage service settings link in the multi-factor authentication area.

Azure Multi-Factor Authentication Server

When going the Azure MFA route, you can additionally install one or more Azure Multi-Factor Authentication Servers on-premises. This allows your organization to configure even more Azure MFA settings, and also to enforce multi-factor authentication for on-premises systems, applications and services.

Note:
Do not combine the Office 365 MFA and/or Azure MFA for Admins deployment scenarios with the Azure MFA Server deployment scenario if you want to avoid users being prompted for multi-factor authentication twice.


Azure Multi-Factor Authentication Features

The table below shows the Azure Multi-Factor Authentication Features per deployment scenario:

Feature table (image in the original; click for larger version). Rows: Multi-Factor Authentication, Phone Call, text message, OATH Tokens, Application Passwords, Authentication Cache, Default and Customized greetings, two-way text message time-out, fraud alert, remembered devices, One-time Bypasses, Block Users, Integration with LDAP, Active Directory and RADIUS.

1 When using Azure Multi-Factor Authentication Server version 7 or later, end-users can be allowed to select their own authentication method for AD FS and User Portal authentication.
2 US-based numbers only


Further reading

  • Recommended Practices for your Hybrid Identity Admin accounts
  • Choose the Azure Multi-Factor Authentication solution for you
  • MFA for Office 365 and MFA for Azure
  • Multi-Factor Authentication Server Splash Screen – App Passwords
  • #AzureAD: Remember my MFA is now GA!
