Azure AD MFA cheat sheet

Last year I had the pleasure of possibly being one of the first in Australia to tinker with Azure multi-factor authentication tied into Office 365 and Office when ADAL was in private preview. That was a great proof of concept project at the time.

I’m currently working on a solution for a client that’s selecting from one of the Azure MFA options: either Azure MFA Cloud, Azure MFA Server or enabling certificate or token MFA strictly on AD FS 3.0 (the latter is what I had used last year in that private preview proof of concept project at Staples Australia).

Today I want to share two tables that outline information I brought together from various Azure and Office 365 documentation pages to review for the client I'm currently working with on an Azure MFA solution. In working out what the imperatives / inputs / requirements for the solution were, I found it easier to put everything into a table so I could visually see what options I could look to for this solution.

| Option | Azure MFA Cloud | Azure MFA Server | AD FS MFA |
|---|---|---|---|
| First party Microsoft Apps compatibility: Azure AD | YES | YES | YES |
| First party Microsoft Apps compatibility: Office 365 | YES | YES | YES |
| Cloud SaaS apps, via the Azure app gallery / Access Panel | YES | Limited | NO |
| IIS applications published through Azure AD App Proxy / Access Panel | YES | YES | YES |
| IIS applications not published through Azure AD App Proxy / Access Panel | NO | YES | YES |
| RADIUS integration | NO | YES | NO |
| Remote access integration – RDS through AD FS | NO | YES | YES |
| Remote access integration – Citrix Web Interface through Netscaler | NO | YES | YES |
| Remote access integration – VPN through RADIUS connectivity | NO | YES | NO |
| Admin control over authentication methods | YES | YES | YES |
| Conditional access – internal, external | YES | YES | YES |
| Conditional access – per application | YES | Limited | Limited |
| Hardware tokens and software tokens | NO | YES | YES |
| Azure Authenticator App | YES | YES | YES |
| Mobile app notification | YES | YES | NO |
| Mobile app verification code | YES | YES | NO |
| Phone call as second factor – phone call made, pick up only | YES | YES | NO |
| One-way SMS as second factor – code sent, enter in site | YES | YES | NO |
| Two-way SMS as second factor – reply to SMS with code | NO | YES | NO |
| PIN mode – set up a custom PIN and enter it for authentication | NO | YES | NO |
| Fraud alerting | YES | YES | NO |
| MFA service reporting | YES | YES | NO |
| One-Time Bypass | YES | YES | NO |
| Custom greetings for phone calls | YES | YES | NO |
| Customizable caller ID for phone calls | YES | YES | NO |
| Contextual IP Address Whitelisting / Trusted IPs | YES | YES | NO |
| Integration with third party apps, e.g. Citrix, RADIUS | NO | YES | NO |
| App passwords for clients that don't support MFA | YES | NO | NO |
| Cache (remember MFA 'server' side) | YES | YES | NO |
| Remember MFA for trusted devices (for a set number of days) | YES | NO | NO |
| High availability and resiliency | YES | YES | YES |


That’s all well and good when we’re talking core MFA functionality. There is another set of criteria that’s important to consider when choosing an MFA solution of any kind that’s related to Azure: client compatibility. Below is a table that outlines the current, as of 2016-06-03, client compatibility.

| Client compatibility | Azure MFA Cloud | Azure MFA Server | AD FS MFA |
|---|---|---|---|
| Web browser: IE, Chrome, Firefox | YES | YES | YES |
| Microsoft Office 2013, including Skype for Business | YES | YES | YES |
| Microsoft Office 2016, including Skype for Business | YES | YES | YES |
| Office 2016 for Mac | YES | YES | YES |
| Office for Windows Phone | NO | NO | NO |
| iOS native mail, calendar, contacts apps | NO | NO | NO |
| Android native mail, calendar, contacts apps | NO | NO | NO |
| iOS: Word, Excel, PowerPoint (only) | YES | YES | YES |
| Android mobile: Word, Excel, PowerPoint (only) | YES | YES | YES |
| Android tablet: Word, Excel, PowerPoint (only) | NO | NO | NO |
| iOS Skype for Business | YES | YES | YES |
| Windows Phone Skype for Business | NO | NO | NO |
| Android Skype for Business (*when not using Hybrid S4B) | Limited | Limited | Limited |
| iOS Outlook Mobile app | YES | YES | YES |
| Android Outlook Mobile app | YES | YES | YES |
| Windows Phone Outlook Mobile app | NO | NO | NO |

Final words

Multi-factor authentication should be a standard across every website, app and system you interact with every day. I am all for leveraging a mobile phone, which everyone has (something that's scary, powerful and inspiring all at the same time), to effectively eliminate almost all security concerns.

There’s a privacy and work/life balance debate there when this comes into play in the corporate world. I certainly get not wanting to share your mobile with corporate systems, which could potentially oust your details to the broader organization and tip the scales more towards work. Security is a much bigger concern though, and keeping your personal information safe wherever you are, work or home, is the imperative that trumps all others.

Use MFA as much as possible and reduce stress associated with security.
