Azure Multi-factor Authentication vs. MFA included with Office 365


I have previously described MFA for Office 365. It’s a great way to add an extra layer of security to your cloud-based applications. Here are the features included with MFA for Office 365:

  • Administrators can protect accounts with MFA
  • Mobile app as a second factor
  • Phone call as a second factor
  • SMS as a second factor
  • App passwords for clients that don’t support MFA
  • Remember MFA for trusted devices

If you want to take this further, for example by enabling multi-factor authentication for your on-premises applications, or by getting fraud alerts and other useful reporting, then consider moving to a full Azure MFA subscription. Here are the additional features you get:

  • Admin control over authentication methods
  • PIN mode
  • Fraud alert
  • MFA Reports
  • One-Time Bypass
  • Custom greetings for phone calls
  • Customization of caller ID for phone calls
  • Event Confirmation
  • Trusted IPs
  • MFA for on-premises applications using MFA server

You can get started with the extra “bells and whistles” in one of three ways:

  1. Create a Multi-Factor Authentication Provider in the Azure portal and link it to your directory (you will be charged against your Azure subscription per user or per authentication–your choice)
  2. Purchase Azure MFA licensing separately
  3. Purchase Azure AD Premium or even the full boat of EMS Licensing–effectively bundling MFA together with a bunch of other cool features.

Unlike the MFA included with Office 365, the full version takes a little more elbow grease to get running, especially if you intend to integrate it with your on-premises environment (e.g. directory synchronization with Azure AD Connect, single sign-on with AD FS, etc.).

Note that the on-premises portion of Azure MFA is not necessary for getting great benefits out of MFA for cloud-based applications. You can do plenty for apps in the Microsoft cloud and in third-party clouds without setting up an on-premises MFA server at all.

I am including links here to a few helpful resources. If you have any more questions or want to see additional info on this topic, do not hesitate to reach out and ask for help!

Comments (15)

  • Norm

    Hello Alex,
    I found your blog in my quest to find some usable and comprehensible how-to on connecting Office365 (with AD FS) to AzureMFA and to force MFA when O365 is accessed from untrusted IPs. We have an AzureMFA subscription in the E-cloud and O365 in the government cloud with ADFS for our O365 authentication. AzureMFA is only currently used for RADIUS authentication for VPN and is not connected to AD. I have read through multiple Microsoft articles and am no less confused than I was before I started. I see at least three different AD FS to AzureMFA integrations, one for 2012R2, one for AD FS and one for AD FS 2.0. There also are multiple scenarios described, but none of them appear to be what I want to do, which is to force AzureMFA to call or text or use the Authenticator app when my users access the cloud outside our trusted IPs. Do you have any other suggestions on where I could look for better information? Thanks.

    January 11, 2017 at 7:33 pm
    • Alexander

      Hi Norm, it sounds like you’re saying you want to trigger MFA prompts for users that are accessing cloud resources, such as Office 365? In that case, I would check out Azure Identity Protection. I’m not sure about trusted IPs–I don’t use it that way for my own organization–but it is a pretty slick tool that you can use to get alerts/reports as an admin, and set policies around what happens, for example, if a user has “impossible travel”–where they log in from geographically disparate locations in short succession. You can then force the user to provide MFA, for example. This might be worth checking out.

      January 14, 2017 at 8:56 pm
    • Alexander

      One more link for you, I think this is what you want to do:

      Note that you need the full version of Azure MFA, not just the included stuff w/ Office 365 subscription. This page also contains a link to more information on obtaining the full version (e.g. with Enterprise Mobility & Security).

      From this page:
      To enable Trusted IPs

      Sign-in to the Azure classic portal.
      On the left, click Active Directory.
      Under Directory, click the directory you wish to set up Trusted IPs on.
      On the Directory you have selected, click Configure.
      In the multi-factor authentication section, click Manage service settings.
      On the Service Settings page, under Trusted IPs, select either:

      For requests from federated users originating from my intranet – All federated users who are signing in from the corporate network will bypass multi-factor authentication using a claim issued by AD FS.
      For requests from a specific range of public IPs – enter the IP addresses in the boxes provided using CIDR notation. For example: for IP addresses in the range –, or for a single IP address. You can enter up to 50 IP address ranges.
      Click save.
      Once the updates have been applied, click close.

      January 14, 2017 at 9:02 pm
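The first Trusted IPs option quoted above (“requests from federated users originating from my intranet”) does not inspect source addresses in the cloud at all: it trusts a claim that AD FS issues when the request arrived directly rather than through the Web Application Proxy. The Office 365 relying party trust therefore has to pass that claim through. The following is an added example, not part of the original post or the comment thread, showing how an AD FS administrator would append the pass-through rule with PowerShell; it assumes the relying party still has its default display name “Microsoft Office 365 Identity Platform”, and that `$rpName` and `$insideCorpNetRule` are names chosen here for illustration.

```powershell
# Added example (not from the original post). Run in an elevated session on the primary AD FS server.
# Assumption: the Office 365 relying party trust carries its default display name.
$rpName = "Microsoft Office 365 Identity Platform"

# AD FS issues this claim as "true" for requests that did not traverse the Web Application Proxy.
# Passing it through lets the service-side "federated users from my intranet" option bypass MFA.
$insideCorpNetRule = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through insidecorporatenetwork"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
 => issue(claim = c);
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Append rather than overwrite: the existing issuance rules (UPN, ImmutableID, ...) must stay intact.
if ($rp.IssuanceTransformRules -notmatch 'insidecorporatenetwork') {
    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -IssuanceTransformRules ($rp.IssuanceTransformRules + "`r`n" + $insideCorpNetRule)
}

# Verify: the new rule should now appear at the end of the rule set.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The check a practitioner wants before switching this on: the bypass is only as tight as the network path. AD FS marks the claim false solely because the request came through the proxy, so every external sign-in must actually traverse the Web Application Proxy; an AD FS farm reachable from the internet without it would hand out the intranet claim, and the MFA bypass, to anyone.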
  • Samuel

    Hi Alex,

    We are looking for an MFA solution to secure access to a very sensitive network from a remote location. There is no internet connection in this network, which means a cloud-based MFA cannot be used. But an MFA server can be used as a stand-alone solution. If I am correct, how will the pricing be per user? What is included in this MFA server package?

    June 20, 2017 at 1:57 am
  • Ben Hodges

    My question is a little odd. We are actually wanting to implement Azure AD RADIUS authentication, but we are not interested in MFA. Is it possible to use the feature with MFA turned off? We have multiple locations with very poor cell phone reception and wifi that is unreliable. So for a second mode of authentication to fail or not even reach the individual would hinder the end users’ experience.

    November 30, 2017 at 11:53 am
    • Alex

      That is not the use case they are describing for RADIUS in their literature–it is described for the purposes of extending MFA to external clients such as VPN clients, etc.

      December 9, 2017 at 6:03 pm
  • Guus van Berge

    Hi Alex,

    Thank you so much for all the hard work you put into the articles. They are always very interesting reads and I have learned so much from them!

    I have one small question: how do you as a provider handle MFA for the GA accounts in your customers’ tenants? MFA for admins is mandatory, but you also want to provide access to multiple engineers without having them all have their own GA account.

    Love to hear your opinion about this!

    July 15, 2020 at 4:28 am
    • Alex

      Google voice number or other number that is monitored can be an option on GA accounts in the tenant. However, as a partner you can have delegated access. This isn’t perfect but adequate for many common tasks. Then your techs just do work in each tenant as themselves. To be a partner (CSP) you need to meet certain requirements in the home tenant including MFA enforced for every account.

      July 15, 2020 at 7:16 pm
      • Guus van Berge

        Thanks for the prompt reply Alex! I was aware of the delegated access. It just has such limited functionality that to me it seems useless.

        Your suggestion of using a Google number made me think though. We have this service, SMS to e-mail. I think I finally found a good use case for that!

        July 17, 2020 at 1:56 am
  • Stefano

    Hi Alex,
    good article.
    Regarding the difference between the two solutions, which do you think is better to manage in a company with 300 employees spread throughout Europe, Asia and the US?
    I have the chance to test the basic one as we have an Azure AD for Office 365 license. I was thinking the basic one is good for a few users, but with more it can be a pain. Do you recommend the premium one for a lot of users? Is it easier to use?

    October 6, 2020 at 7:43 am
    • Alex

      This is a pretty old article, but basically the subscription I recommend nowadays is Microsoft 365 Business Premium or Enterprise E3/E5–going with less than these plans is the cloud equivalent of having a “workgroup” vs. a fully managed domain environment. So you would have Azure MFA included with your license anyway via Azure AD Premium P1 (which is bundled in Microsoft 365 Business Premium and Enterprise E3/E5).

      October 8, 2020 at 11:54 am
  • George Stinson

    Can Office 365 MFA be turned on for specific users? The below article suggests you need Azure MFA to provide a targeted approach to rolling it out across a large company?

    However, I am an admin to a customer with E3 licenses, and enabling 2FA looks to be possible for specific users?

    October 8, 2020 at 10:11 am
    • Alex

      You can turn it on user by user, yes–with any 365 subscription. By changing the user state, either in the portal or via PowerShell.

      October 8, 2020 at 11:55 am
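The per-user state change mentioned in the reply above is done through the `StrongAuthenticationRequirements` property of the user object in the MSOnline module. The following is an added example, not code from the original post or its comments, wrapping that in a small function and adding a tenant-wide report; the function name `Set-UserMfaState` and the user `jane@contoso.com` are illustrative assumptions.

```powershell
# Added example (not from the original post). Requires the MSOnline module: Install-Module MSOnline
Connect-MsolService

# Illustrative helper name. Sets the legacy per-user MFA state for one account.
function Set-UserMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateSet("Enabled", "Enforced", "Disabled")] [string] $State = "Enabled"
    )
    if ($State -eq "Disabled") {
        # An empty array clears the requirement entirely (the same as "Disabled" in the portal).
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"      # apply to all applications
    $req.State = $State          # "Enabled": user registers at next sign-in; "Enforced": required now
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Enable for one user (assumed UPN). They will be asked to register a method at next sign-in.
Set-UserMfaState -UserPrincipalName "jane@contoso.com" -State Enabled

# Report the current per-user state across the tenant; accounts with no requirement show blank.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{ Name = "MfaState"; Expression = { $_.StrongAuthenticationRequirements.State } } |
    Sort-Object MfaState, UserPrincipalName
```

Two caveats worth knowing before running this against a customer tenant. “Enforced” takes effect immediately and breaks clients that cannot do MFA unless the user has an app password (the item listed among the Office 365 features above), so “Enabled” plus a registration window is the usual rollout. And the MSOnline module has since been deprecated by Microsoft in favour of Microsoft Graph, so treat this as the way it was done when the reply was written rather than the long-term tooling.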
  • Jeff Brixhamite

    An alternative to using an app with secret is to use a programmable hardware token (e.g. the safeid/diamond token – ).

    Programmable tokens are direct replacements for apps on your mobile devices, but have the convenience of being fully self-contained (typically you would keep one on your keyring). The main advantages over using an app on your mobile device are (1) battery life in years rather than being dependent upon the battery of your mobile, and (2) security: mobile devices are normally kept connected to the internet and can have multiple apps installed (with the associated security risks that come with that).

    November 3, 2020 at 8:39 am
