Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:
Azure Multi-Factor Authentication is a method of verifying who you are that requires more than just a username and password. It provides a second layer of security to user sign-ins and transactions.
Azure Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of easy verification options: phone call, text message, mobile app notification or verification code, and third-party OATH tokens.
For an overview of how Azure Multi-Factor Authentication works see the following video.
Today, more than ever, people are connected. With smart phones, tablets, laptops, and PCs, people have several different options for how they connect and stay connected at any time. People can access their accounts and applications from anywhere, which means they can get more work done and serve their customers better.
Azure Multi-Factor Authentication is an easy-to-use, scalable, and reliable solution that provides a second method of authentication so your users are always protected.
Key properties: Easy to use, Scalable, Always Protected, Reliable.
For additional information on why use Azure Multi-Factor Authentication see the following video.
The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the trusted device. Should the user lose the device, the person who finds it won't be able to use it unless he or she also knows the user's password.
Azure Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy verification options:
For additional information on how it works see the following video.
When a user signs in, an additional verification is sent to the user. The following is a list of methods that can be used for this second verification.

| Method | Description |
|---|---|
| Phone Call | A call is placed to a user's smart phone asking them to verify that they are signing in by pressing the # sign. This completes the verification process. This option is configurable and can be changed to a code that you specify. |
| Text Message | A text message is sent to a user's smart phone with a 6-digit code. Enter this code to complete the verification process. |
| Mobile App Notification | A verification request is sent to a user's smart phone asking them to complete the verification by selecting Verify in the mobile app. This occurs if you selected app notification as your primary verification method. If users receive this when they are not signing in, they can choose to report it as fraud. |
| Verification code with Mobile App | A verification code is generated by the mobile app running on a user's smart phone. This occurs if you selected a verification code as your primary verification method. |
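The "verification code" methods above (the mobile app code and the third-party OATH tokens mentioned earlier) follow the OATH time-based one-time password scheme, where the app and the server derive a short code from a shared secret and the current 30-second interval. The following Python block is an added example written for this page; it is not Microsoft's code and makes no claim about how Azure Multi-Factor Authentication implements the check internally. It uses the RFC 6238 reference secret as a constructed demo key, and the `TotpVerifier` class, its one-step tolerance window and its replay rejection are assumptions chosen to show what a careful server-side check needs.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo key: the RFC 6238 reference secret "12345678901234567890", base32-encoded
# as an authenticator app would import it. A real deployment generates a random per-user secret.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP_SECONDS = 30   # OATH TOTP default time step
DIGITS = 6          # matches the 6-digit codes described on this page


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app shows."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts the current step plus `window` steps either side (tolerates clock drift),
    and never accepts a counter at or below the last one accepted, so a code that was
    observed once (shoulder-surfed, phished) cannot be replayed within its validity window.
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self._secret = secret_b32
        self._window = window
        self._step = step
        self._last_counter = -1   # highest counter already consumed for this user

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        now = int(time.time()) if at is None else at
        centre = now // self._step
        for delta in range(-self._window, self._window + 1):
            counter = centre + delta
            if counter <= self._last_counter:
                continue                                      # already used or too old
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32)
    print("app shows:", code)
    print("first use accepted:", verifier.verify(code))     # True
    print("replay accepted:", verifier.verify(code))        # False
```

Two points the table alone does not make visible: the server must tolerate a little clock skew (the window), and it must remember which counter it last accepted, otherwise a one-time code is only "one-time" by convention. Both are standard for an OATH verifier and are the reason a stolen code is worthless a minute later.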
Azure Multi-Factor Authentication is available in three different versions. The table below describes each of these in more detail.

| Version | Description |
|---|---|
| Multi-Factor Authentication for Office 365 | This version works exclusively with Office 365 applications and is managed from the Office 365 portal. Administrators can use it to help secure their Office 365 resources with multi-factor authentication. This version comes with an Office 365 subscription. |
| Multi-Factor Authentication for Azure Administrators | The same subset of Multi-Factor Authentication capabilities available for Office 365 is available at no cost to all Azure administrators. Every administrative account of an Azure subscription can get additional protection by enabling this core multi-factor authentication functionality. An administrator who wants to access the Azure portal to create a VM or a web site, or to manage storage, mobile services, or any other Azure service, can add multi-factor authentication to their administrator account. |
| Azure Multi-Factor Authentication | Azure Multi-Factor Authentication offers the richest set of capabilities. It provides additional configuration options via the Azure Management portal, advanced reporting, and support for a range of on-premises and cloud applications. Azure Multi-Factor Authentication comes as part of Azure Active Directory Premium. |
The following table lists the features that are available in the various versions of Azure Multi-Factor Authentication.

| Feature | Multi-Factor Authentication for Office 365 (included in Office 365 SKUs) | Multi-Factor Authentication for Azure Administrators (included with Azure subscription) | Azure Multi-Factor Authentication (included in Azure AD Premium and Enterprise Mobility Suite) |
|---|---|---|---|
| Administrators can protect accounts with MFA | * | * (Available only for Azure Administrator accounts) | * |
| Mobile app as a second factor | * | * | * |
| Phone call as a second factor | * | * | * |
| SMS as a second factor | * | * | * |
| App passwords for clients that don't support MFA | * | * | * |
| Admin control over authentication methods | | | * |
| Custom greetings for phone calls | | | * |
| Customization of caller ID for phone calls | | | * |
| Suspend MFA for remembered devices (Public Preview) | | | * |
| MFA for on-premises applications using MFA Server | | | * |
Azure Multi-Factor Authentication comes as part of Azure Active Directory Premium and the Enterprise Mobility Suite. If you already have these then you have Azure Multi-Factor Authentication.
If you are an Office 365 user or an Azure subscriber and want to take advantage of the additional features provided by Azure Multi-Factor Authentication, then continue reading.
If you do not have any of the above, then to begin using Azure Multi-Factor Authentication, you first need an Azure subscription or an Azure trial subscription.
When using Azure Multi-Factor Authentication there are two billing options available:
For pricing details see Azure MFA Pricing.
Choose the model that works best for your organization. Then, to get started, see Getting Started.
Because there are several flavors of Azure Multi-Factor Authentication we must determine a couple of things in order to figure out which version is the proper one to use. Those things are:
The following sections will provide guidance on determining each of these.
In order to determine the correct multi-factor authentication solution, first we must answer the question of what you are trying to secure with a second method of authentication. Is it an application that is in Azure? Or is it, for example, a remote access system? By determining what we are trying to secure, we can answer the question of where multi-factor authentication needs to be enabled.

| What are you trying to secure | Multi-Factor Authentication in the cloud | Multi-Factor Authentication Server |
|---|---|---|
| First-party Microsoft apps | * | * |
| SaaS apps in the app gallery | * | * |
| IIS applications published through Azure AD App Proxy | * | * |
| IIS applications not published through Azure AD App Proxy | | * |
| Remote access such as VPN, RDG | | * |
Next, depending on where your users are located, we can determine the correct solution to use, whether it is multi-factor authentication in the cloud or on-premises using the MFA Server.

| Where users are located | Solution |
|---|---|
| Azure Active Directory | Multi-Factor Authentication in the cloud |
| Azure AD and on-premises AD using federation with AD FS | Both MFA in the cloud and MFA Server are available options |
| Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect - no password sync | Both MFA in the cloud and MFA Server are available options |
| Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect - with password sync | Multi-Factor Authentication in the cloud |
| On-premises Active Directory | Multi-Factor Authentication Server |
The following table is a comparison of the features that are available with Multi-Factor Authentication in the cloud and with the Multi-Factor Authentication Server.

| Feature | Multi-Factor Authentication in the cloud | Multi-Factor Authentication Server |
|---|---|---|
| Mobile app notification as a second factor | ● | ● |
| Mobile app verification code as a second factor | ● | ● |
| Phone call as second factor | ● | ● |
| One-way SMS as second factor | ● | ● |
| Two-way SMS as second factor | | ● |
| Hardware Tokens as second factor | | ● |
| App passwords for clients that don't support MFA | ● | |
| Admin control over authentication methods | | ● |
| Custom greetings for phone calls | ● | ● |
| Customizable caller ID for phone calls | ● | ● |
| Suspend MFA for remembered devices (Public Preview) | ● | |
Now that we have determined whether to use cloud multi-factor authentication or the MFA Server on-premises, we can get started setting up and using Azure Multi-Factor Authentication. Select the scenario that applies to you.