Azure Multi-factor Authentication vs. MFA included with Office 365
I have previously described MFA for Office 365. It’s a great way to add an extra layer of security to your cloud-based applications. Here are the features included with MFA for Office 365:
- Administrators can protect accounts with MFA
- Mobile app as a second factor
- Phone call as a second factor
- SMS as a second factor
- App passwords for clients that don’t support MFA
- Remember MFA for trusted devices
If you want to take this even further–for example, by enabling multi-factor authentication for your on-premises applications, or by getting fraud alerts and other handy reporting, then you can consider moving into a full Azure MFA subscription. Here are the additional features you will get:
- Admin control over authentication methods
- PIN mode
- Fraud alert
- MFA Reports
- One-Time Bypass
- Custom greetings for phone calls
- Customization of caller ID for phone calls
- Event Confirmation
- Trusted IPs
- MFA for on-premises applications using MFA server
- MFA SDK
You can get started with the extra “bells and whistles” in one of three ways:
- Create a Multi-Factor Authentication Provider in the Azure portal and link it to your directory (you will be charged against your Azure subscription per user or per authentication–your choice)
- Purchase Azure MFA licensing separately
- Purchase Azure AD Premium or even the full boat of EMS Licensing–effectively bundling MFA together with a bunch of other cool features.
Unlike the MFA provider included with Office 365, there will be a little more elbow-grease required to get the full version running, especially if you intend to enable integration with your on-premises applications (e.g. Directory Synchronization with Azure AD Connect, single sign-on with ADFS, etc.).
Note that the on-premises portion of Azure MFA is not necessary for getting great benefits out of MFA for cloud-based applications. You can do plenty of cool things for apps in the Microsoft cloud and in third-party clouds without needing to set up an on-premises MFA server at all.
I am including links here to a few helpful resources. If you have any more questions or want to see additional info on this topic, do not hesitate to reach out and ask for help!
- Overview and feature comparison with Office 365/Azure-included version
- Q & A on Azure Multi-factor authentication
- Help me choose the MFA solution that is right for me (cloud vs. on-prem)
- How-to deploy Azure MFA (in the cloud)
- Configuring the extra “bells & whistles” for MFA (in the cloud)
- Set up an on-premises Azure MFA Server
Comments (15)
Hello Alex,
I found your blog in my quest to find some usable and comprehensible how-to on connecting Office365 (with AD FS) to AzureMFA and to force MFA when O365 is accessed from untrusted IPs. We have an AzureMFA subscription in the E-cloud and O365 in the government cloud with ADFS for our O365 authentication. AzureMFA is only currently used for RADIUS authentication for VPN and is not connected to AD. I have read through multiple Microsoft articles and am no less confused than I was before I started. I see at least three different AD FS to AzureMFA integrations, one for 2012R2, one for AD FS and one for AD FS 2.0. There also are multiple scenarios described but none of them appear to be what I want to do, which is to force AzureMFA to call or text or use the Authenticator app when my users access the cloud outside our trusted IPs. Do you have any other suggestions on where I could look for better information? Thanks.
Hi Norm, It sounds like you’re saying you want to trigger MFA prompts for users that are accessing cloud resources, such as Office 365? In that case, I would check out Azure Identity Protection. I’m not sure about trusted IPs–I don’t use it that way for my own organization–but it is a pretty slick tool that you can use to get alerts/reports as an admin, and set policies around what happens, for example, if a user has “impossible travel”–where they log in from geographically disparate locations in short succession. You can then force the user to provide MFA, for example. This might be worth checking out.
One more link for you, I think this is what you want to do: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#trusted-ips
Note that you need the full version of Azure MFA, not just the included stuff w/ Office 365 subscription. This page also contains a link to more information on obtaining the full version (e.g. with Enterprise Mobility & Security).
From this page:
To enable Trusted IPs
Sign-in to the Azure classic portal.
On the left, click Active Directory.
Under Directory, click on the directory you wish to set up Trusted IPs on.
On the Directory you have selected, click Configure.
In the multi-factor authentication section, click Manage service settings.
On the Service Settings page, under Trusted IPs, select either:
For requests from federated users originating from my intranet – All federated users who are signing in from the corporate network will bypass multi-factor authentication using a claim issued by AD FS.
For requests from a specific range of public IPs – enter the IP addresses in the boxes provided using CIDR notation. For example: xxx.xxx.xxx.0/24 for IP addresses in the range xxx.xxx.xxx.1 – xxx.xxx.xxx.254, or xxx.xxx.xxx.xxx/32 for a single IP address. You can enter up to 50 IP address ranges.
Click save.
Once the updates have been applied, click close.
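To review a Trusted IPs list before it goes into the service settings, here is an added example (not code from the post or from the Microsoft page quoted above). It assumes IPv4 entries only, treats anything wider than /24 as worth a second look (my own review rule, not a product limit), and uses a constructed sample list.

```powershell
function Test-TrustedIpRange {
    param([Parameter(Mandatory)][string]$Cidr)
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not ($Cidr -match '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$')) {
        $findings.Add('not in CIDR notation, expected a.b.c.d/nn')
        return [pscustomobject]@{ Range = $Cidr; Ok = $false; Findings = $findings }
    }
    $octets = 1..4 | ForEach-Object { [int]$Matches[$_] }
    $prefix = [int]$Matches[5]
    if (@($octets | Where-Object { $_ -gt 255 }).Count -gt 0) { $findings.Add('octet above 255') }
    if ($prefix -gt 32) { $findings.Add('prefix length above /32') }
    if ($findings.Count -eq 0) {
        # Numeric value of the address, to check it is the first address of its block
        $ipValue = [int64]0
        foreach ($o in $octets) { $ipValue = $ipValue * 256 + $o }
        $blockSize = [int64][math]::Pow(2, 32 - $prefix)
        if ($ipValue % $blockSize -ne 0) {
            $findings.Add("host bits set; not the network address of a /$prefix block")
        }
        # The setting is for public ranges; private and special-use space does not belong
        # here (the intranet case is covered by the federated-users option instead)
        $a, $b = $octets[0], $octets[1]
        $isPrivate = ($a -eq 10) -or ($a -eq 127) -or ($a -eq 0) -or
                     ($a -eq 172 -and $b -ge 16 -and $b -le 31) -or
                     ($a -eq 192 -and $b -eq 168) -or ($a -eq 169 -and $b -eq 254)
        if ($isPrivate) { $findings.Add('private or special-use address, not a public range') }
        # Every address in the block skips MFA, so wide blocks deserve a second look
        # (the /24 threshold is an assumed review rule, not a product limit)
        if ($prefix -lt 24) { $findings.Add("wider than /24 ($blockSize addresses bypass MFA)") }
    }
    [pscustomobject]@{ Range = $Cidr; Ok = ($findings.Count -eq 0); Findings = $findings }
}

function Test-TrustedIpList {
    param([Parameter(Mandatory)][string[]]$Ranges)
    if ($Ranges.Count -gt 50) {   # the service settings page accepts up to 50 ranges
        Write-Warning "$($Ranges.Count) ranges listed; the portal accepts at most 50"
    }
    $Ranges | ForEach-Object { Test-TrustedIpRange -Cidr $_ }
}

# Constructed sample list mixing acceptable and problematic entries
$SampleRanges = @('203.0.113.0/24', '198.51.100.17/32', '10.0.0.0/8',
                  '198.51.100.5/24', '192.0.2.0/16', '300.1.1.1/24', '203.0.113.1')
Test-TrustedIpList -Ranges $SampleRanges |
    Format-Table Range, Ok, @{ n = 'Findings'; e = { $_.Findings -join '; ' } }
```

Only the first two sample entries pass; each of the others is reported with the reason it would either be rejected by the portal or would bypass MFA more widely than intended.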
Hi Alex,
We are looking for an MFA solution to secure access to a very sensitive network from a remote location. There is no internet connection in this network, which means a cloud-based MFA cannot be used. But an MFA server can be used as a stand-alone solution. If I am correct, how will the pricing be per user? What is included in this MFA server package?
Samuel, actually this is still going to require an internet connection. See the requirements for which ports/addresses the MFA server needs to communicate on: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server
My question is a little odd. We are actually wanting to implement Azure AD RADIUS authentication, but we are not interested in MFA. Is it possible to use the feature with MFA turned off? We have multiple locations with very poor cell phone reception and wifi that is unreliable. So for a second mode of authentication to fail or not even reach the individual would hinder the end users’ experience.
That is not the use case they are describing for RADIUS in their literature–it is described for the purposes of extending MFA to external clients such as VPN clients, etc.
Hi Alex,
Thank you so much for all the hard work you put into the articles. They are always very interesting reads and I have learned so much from them!
I have one small question about MFA: how do you, as a provider, handle MFA for the GA accounts in your customers’ tenants? MFA for admins is mandatory, but you also want to provide access to multiple engineers without having them all have their own GA account.
Love to hear your opinion about this!
Google voice number or other number that is monitored can be an option on GA accounts in the tenant. However, as a partner you can have delegated access. This isn’t perfect but adequate for many common tasks. Then your techs just do work in each tenant as themselves. To be a partner (CSP) you need to meet certain requirements in the home tenant including MFA enforced for every account.
Thanks for the prompt reply Alex! I was aware of the delegated access. It just has such limited functionality that to me it seems useless.
Your suggestion of using a Google number made me think, though. We have this service, SMS to e-mail. I think I finally found a good use case for that!
Hi Alex,
Good article.
Regarding the difference between the two solutions, which do you think is better to manage in a company with 300 employees spread throughout Europe, Asia and the US?
I have the chance to test the basic one as we have an Azure AD for Office 365 license. I was thinking the basic one is good for a few users, but with more it can be a pain. Do you recommend the premium one for a lot of users? Is it easier to use?
Thanks
This is a pretty old article, but basically the subscription I recommend nowadays is Microsoft 365 Business Premium or Enterprise E3/E5–going with less than these plans is the cloud equivalent of having a “workgroup” vs. a fully managed domain environment. So you would have Azure MFA included with your license anyway via Azure AD Premium P1 (which is bundled in Microsoft 365 Business Premium and Enterprise E3/E5).
Can Office 365 MFA be turned on for specific users? The below article suggests you need Azure MFA to provide a targeted approach to rolling it out across a large company?
https://davidmcwee.com/2018/12/04/o365-mfa-vs-azure-ad-mfa/
However, I am an admin to a customer with E3 licenses, and enabling 2FA looks to be possible for specific users?
You can turn it on user by user, yes–with any 365 subscription, by changing the user state either in the portal or via PowerShell.
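As an added example of the PowerShell route mentioned in the reply (not code from the post or from Microsoft), this enables per-user MFA for a pilot group with the MSOnline module and reads the state back. It assumes the MSOnline module is installed and that you can sign in as an admin; the UPNs are constructed placeholders.

```powershell
function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'Enforced')][string]$State
    )
    if ($State -eq 'Disabled') {
        # An empty requirements array turns per-user MFA off again
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'   # apply to every relying party
    $req.State = $State       # 'Enabled': user registers at next sign-in; 'Enforced': MFA required
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-PerUserMfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $req = @($user.StrongAuthenticationRequirements) | Select-Object -First 1
    if ($null -eq $req) { 'Disabled' } else { $req.State }
}

# Targeted rollout: enable MFA for a pilot group only (constructed placeholder UPNs),
# then read the state back to confirm the change took effect
Connect-MsolService
$pilot = @('alice@contoso.example', 'bob@contoso.example')
foreach ($upn in $pilot) {
    Set-PerUserMfaState -UserPrincipalName $upn -State Enabled
    [pscustomobject]@{ User = $upn; MfaState = (Get-PerUserMfaState -UserPrincipalName $upn) }
}
```

The MSOnline module has since been deprecated in favour of Microsoft Graph PowerShell, so treat this as the legacy form of the per-user state change.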
An alternative to using an app with a secret is to use a programmable hardware token (e.g. the safeid/diamond token – https://deepnetsecurity.com/authenticators/one-time-password/safeid/).
Programmable tokens are direct replacements for apps on your mobile devices, but have the convenience of being fully self-contained (typically you would keep one on your keyring). The main advantages over using an app on your mobile device are (1) battery life in years rather than being dependent upon the battery of your mobile and (2) security – mobile devices are normally kept connected to the internet and can have multiple apps installed (with the associated security risks that come with that).