Last year I had the pleasure of possibly being one of the first in Australia to tinker with Azure multi-factor authentication tied into Office 365 and Office when ADAL was in private preview. That was a great proof of concept project at the time.
I’m currently working on a solution for a client that’s selecting from one of the Azure MFA options: either Azure MFA Cloud, Azure MFA Server or enabling certificate or token MFA strictly on AD FS 3.0 (the latter is what I had used last year in that private preview proof of concept project at Staples Australia).
Today I want to share two tables that outline information that I brought together from various Azure documentation pages and Office 365 documentation pages to review for the client that I’m working on an Azure MFA solution at the moment. In working out what the imperatives / inputs / requirements for the solution, I found it easier to put everything into a table to visually see what options I could look to for this solution.
| Option | Azure MFA Cloud | Azure MFA Server | AD FS MFA |
|---|---|---|---|
| First party Microsoft Apps compatibility:Azure AD | YES | YES | YES |
| First party Microsoft Apps compatibility:Office 365 | YES | YES | YES |
| Cloud SaaS apps, via the Azure app gallery / Access Panel | YES | Limited | NO |
| IIS applications published through Azure AD App Proxy / Access Panel | YES | YES | YES |
| IIS applications not published through Azure AD App Proxy / Access Panel | NO | YES | YES |
| Radius integration | NO | YES | NO |
| Remote access integration โ RDS through AD FS | NO | YES | YES |
| Remote access integration โ Citrix Web Interface through Netscaler | NO | YES | YES |
| Remote access integration โ VPN through RADIUS connectivity | NO | YES | NO |
| Admin control over authentication methods | YES | YES | YES |
| Conditional access โ internal, external | YES | YES | YES |
| Conditional access โ per application | YES | Limited | Limited |
| Hardware Tokens and software tokens | NO | YES | YES |
| Azure Authenticator App | YES | YES | YES |
| Mobile app notification | YES | YES | NO |
| Mobile app verification code | YES | YES | NO |
| Phone call as second factor โ phone called made, pick up only | YES | YES | NO |
| One-way SMS as second factor โ code sent, enter in site | YES | YES | NO |
| Two-way SMS as second factor โ reply to SMS with code | NO | YES | NO |
| PIN mode โ setup a custom PIN and enter for authentication | NO | YES | NO |
| Fraud alerting | YES | YES | NO |
| MFA service reporting | YES | YES | NO |
| One-Time Bypass | YES | YES | NO |
| Custom greetings for phone calls | YES | YES | NO |
| Customizable caller ID for phone calls | YES | YES | NO |
| Contextual IP Address Whitelisting / Trusted IPs | YES | YES | NO |
| Integration with third party apps, e.g. Citrix, RADIUS | NO | YES | NO |
| App passwords for clients that donโt support MFA | YES | NO | NO |
| Cache (remember MFA โserverโ side) | YES | YES | NO |
| Remember MFA for trusted devices (for set number of days) | YES | NO | NO |
| High availability and resiliency | YES | YES | YES |
Thatโs all well and good when weโre talking core MFA functionality. There is another set of criteria thatโs important to consider when choosing an MFA solution of any kind thatโs related to Azure: client compatibility. Below is a table that outlines the current, as of 2016-06-03, client compatibility.
| Client compatibility | Azure MFA Cloud | Azure MFA Server | AD FS MFA |
|---|---|---|---|
| Web browser: IE, Chrome, Firefox | YES | YES | YES |
| Microsoft Office 2013, including Skype for Business | YES | YES | YES |
| Microsoft Office 2016, including Skype for Business | YES | YES | YES |
| Office 2016 for Mac | YES | YES | YES |
| Office for Windows Phone | NO | NO | NO |
| iOS native mail, calendar, contacts apps | NO | NO | NO |
| Android native mail, calendar, contacts apps | NO | NO | NO |
| iOS: Word, Excel, PowerPoint (only) | YES | YES | YES |
| Android mobile: Word, Excel, PowerPoint (only) | YES | YES | YES |
| Android tablet: Word, Excel, PowerPoint (only) | NO | NO | NO |
| iOS Skype for Business | YES | YES | YES |
| Windows Phone Skype for Business | NO | NO | NO |
| Android Skype for Business *when not using Hybrid S4B | Limited | Limited | Limited |
| iOS Outlook Mobile app | YES | YES | YES |
| Android Outlook Mobile app | YES | YES | YES | Windows Phone Outlook Mobile app | NO | NO | NO |
Multi-factor authentication should be a standard across every website, across every app and system you interact with every day. I am all for leveraging a mobile phone, that everyone has (which is something that’s scary, powerful and inspiring all at the same time), to effectively eliminate almost all security concerns.
There’s a privacy and work/life balance debate there when this comes into play in the corporate world. I certainly get not wanting to share your mobile with corporate systems, which could potentially oust your details to the broader organization and tips the scales more towards work. Security is a much bigger concern though and keeping your personal information safe wherever you are, work or home, is the imperative that trumps all others.
Use MFA as much as possible and reduce stress associated with security.