Monday, October 12, 2015

Let's Learn Azure Multi-Factor Authentication today!!!

Multi-factor authentication is critical in today's world. Many organizations adopted this model long ago, and today's blog post provides some essential resources along with a quick demo to experience the benefits of Azure MFA.



What is Azure Multi-Factor Authentication?

Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:
  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)                              



Multi-factor authentication is a method of verifying who you are that requires the use of more than just a username and password. It provides a second layer of security to user sign-ins and transactions.
Azure Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of easy verification options—phone call, text message, or mobile app notification or verification code and 3rd party OATH tokens.

How does it work?




Get your answers here: Azure MFA Overview

Read the complete information available in each section of the above article.

Methods available for multi-factor authentication
  • phone call
  • text message
  • mobile app notification—allowing users to choose the method they prefer
  • mobile app verification code
  • 3rd party OATH tokens
Available versions of Azure Multi-Factor Authentication
  • Multi-Factor Authentication for Office 365
  • Multi-Factor Authentication for Azure Administrators
  • Azure Multi-Factor Authentication
Check what is available with each version before you adopt MFA, using the
  • Feature comparison of versions Section
How to get Azure Multi-Factor Authentication
  • Purchase Azure Multi-Factor Authentication licenses and assign them to your users.
  • Purchase licenses that have Azure Multi-Factor Authentication bundled within them such as Azure Active Directory Premium, Enterprise Mobility Suite or Enterprise Cloud Suite and assign them to your users.
  • Create an Azure Multi-Factor Authentication Provider within an Azure subscription. 
Billing options 
  • Per user or Per Authentication model
Be sure to read up on the Pricing.

The most important part is to review the options and adopt the one that best fits your needs.

Choose the multi-factor security solution for you:
On premises or cloud


These are the basics to begin your learning.

Microsoft has provided great documentation articles as one of the essential resources when you begin your learning with Azure MFA.

For Office 365 below is the essential one


Currently there are about 40 documentation articles available on the Azure MFA topic, and you can access them below


Some vital articles to read for a successful MFA deployment
  • Directory integration between Azure MFA Server and Active Directory
  • Getting started with Azure Multi-Factor Authentication and Active Directory Federation Services
  • Getting started with the Azure Multi-Factor Authentication Server
  • Securing cloud resources with Azure Multi-Factor Authentication and AD FS
  • Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with AD FS 2.0
  • Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with Windows Server 2012 R2 AD FS
  • Azure Multi-Factor Authentication FAQ
Update:

Review the new Security Best practices article for Azure MFA


More organizations already use ADFS to secure their environment, and MFA now adds one more layer of strong authentication, providing highly secure access to end users without compromising the organization's information security.

Once you are done with the documentation, you can view some demos with deep-dive discussion in the Microsoft Virtual Academy course on this topic




It's now time for a quick demo walk-through from my own experience.

I have set up MFA in the cloud and chose Azure Multi-Factor Authentication for my Office 365 users.

*You can set up MFA from the Office 365 portal for free, and you don't need to create an Authentication provider as shown below. I am planning to use some advanced features, so I explicitly selected Azure MFA in the cloud for the demo.

Also, Azure MFA comes as a part of Azure AD Premium and EMS. For this demo I am using the MFA Authentication provider.

Here is the Azure portal view showing my Multi-Factor Authentication Provider


I have selected a test account and configured the Authentication contact info with my Mobile number



Already my test account is enforced for MFA and below is the snapshot




If I navigate to the Service Settings, I have options to configure App passwords, Skip multi-factor authentication for federated users in the intranet and also Suspend MFA for remembered devices.




Since I have already configured Azure Multi-Factor Authentication as the Authentication provider, I can take advantage of the advanced features.

I can navigate to the MFA portal by using the "Go to the Portal" hyperlink

  

For instance, here is an example of Usage Reports; I can generate the report for a set time frame for analysis.
  


More options are available and the above one is an example.

Let's get into the end user experience. My user is trying to access his Office 365 webmail, and below is the experience he gets before he successfully authenticates to his inbox.




If you take a look at the steps, Pic 4 indicates the user is authenticating with the call he received; after successful authentication he will be accessing his inbox, which is shown in Pic 9.

I voluntarily failed the authentication to show you another method, using a text message with the verification code.

In Pic 5 the authentication has failed and the user is provided with alternative options. In Pic 6 I am selecting the Text Me option, successfully receiving the code in the next pics, and finally accessing my inbox.

This is a pretty regular experience with Azure MFA. We can do more than this, and I hope this quick demo is a good start.

Note: Selecting an alternative authentication method when the primary authentication method fails, as shown above, is available by default in Azure MFA. The same experience was not available in the on-premises Azure MFA Server until the recent MFA Server version 7.0.0, which was released with this feature included.

Update:

Review the below excellent office blog post showcasing end user experience with MFA

Sign in to Office 365 with a second verification method

Up next, the Office 2013 device apps now support multi-factor authentication through the use of the Active Directory Authentication Library (ADAL). Currently this is in preview, and you can test it by enabling Modern authentication for your tenant.

You can refer to the Plan for multi-factor authentication for Office 365 Deployments guide for more details on the topic.

Update:

Modern Authentication reaches GA

Updated Office 365 modern authentication public preview

Before I conclude, I want to share one more great TechNet blog post that I came across recently. It is pretty new and shows how to use MFA support in the Windows Azure Active Directory PowerShell Module.


Hope this write-up is quite useful for readers to know Azure MFA a bit better with the curation of various resources under a single window with bits of my own experience and learning.

Update:

The Microsoft AD team is publishing the Azure AD Mailbag series with a rich set of information on Azure AD. The MFA Q & A is also available as a part of the series.

I recently came across this excellent walk-through from one of the MFA Q & A series, which helps you understand the logic flow of AD FS and MFA Server as it works with Azure AD.




Access here: Azure AD Mailbag: MFA Q&A, Round 3!

Additionally, read the Q&A Round 4 here for more scenarios: Azure AD Mailbag: MFA Q&A, Round 4!

I would recommend that you read the complete series and stay updated.

Update:

If you are using Azure MFA Server on premises, make sure you review the release history below and ensure that you stay on the current version to get the new benefits

Azure Multi-Factor Authentication Server release notes

Update:

Read the below Technical documentation when you are planning to upgrade your MFA Server.

Read here: Upgrade to the latest Azure Multi-Factor Authentication Server

Also read the below post from fellow MVP Brian Reid for additional reference.

Access here: Upgrading Azure Multi-Factor Authentication Server

Update:

A new Azure multi-factor authentication (MFA) cheat sheet is available now from the Kloud Blog, created by Lucian Franghiu.

Access here: Azure multi-factor authentication (MFA) cheat sheet

Update:

Read the below Excellent Blog post from MVP Sander Berkouwer to know more about Azure MFA server

Ten Things you need to know about Azure Multi-Factor Authentication Server

Update:

AzureAD: Remember my MFA is now GA!


Update:

A nice summary of MFA Call Results with reasons, which you can refer to when you analyze the logs while troubleshooting MFA failures.

Access here: MFA Call Results

Update:

Preview of Azure AD Conditional Access policies for Exchange and SharePoint Online is now available. These policies can be used to require multi-factor authentication (MFA) or block access based on network location.

Read here to know more: AzureAD Conditional Access for Office365 Exchange & SharePoint preview!

Microsoft recommends enabling these policies alongside the risk-based Conditional Access policy available with Azure AD Identity Protection.

You can read my blog post covering key updates on Azure AD Identity Protection along with Azure Security Center here: Azure AD Identity Protection Public Preview and Azure Security Center Overview

Update:

AzureAD device based Conditional Access Policies now in preview

AzureAD Conditional Access Policies for iOS, Android and Windows are in Preview!

Update:

Azure AD Conditional Access is now GA 

Take a look at my new blog post to know more: Protect your data at the front door with conditional access

Update:

Review the below Excellent blog post from Kloud Blog to know how On premises MFA Authentication works with ADFS when you have Conditional Access Policies configured in Azure AD.

Using ADFS on-premises MFA with Azure AD Conditional Access

Update:

Read my latest Blog post to know about the new "NPS extension for Azure MFA" that extends your cloud-based Azure Multi-Factor Authentication features into your on-premises infrastructure

Access here: NPS Extension for Azure MFA reaches general availability !

Update:

Azure Multi-Factor Authentication Configuration settings are now available in the Azure Portal (in Public Preview), Read the below Blog post to know more:

Configure Azure Multi-Factor Authentication settings in Azure Portal - Public preview

Update:

Access the updated conditional access documentation here: Azure AD Conditional Access Documentation

Update:

Outages are unexpected and Azure AD is not an exception, so it's always good to be prepared to manage the situation during such scenarios.

Access the new documentation from Microsoft team to know how to manage emergency accounts here: Manage emergency access accounts in Azure AD

Update:

The long-awaited combined registration for Azure AD MFA and Self Service Password Reset is now available

Access here for more details: Combined registration for Azure AD MFA and Self Service Password Reset plus two other cool updates now in public preview

Update:

Combined MFA and password reset registration is now generally available


Stay tuned for more updates...
