In this video, Pete Zerger explains the features of Azure MFA Server, and how it fits into an enterprise organization's hybrid identity strategy. Learn about the features Azure MFA Server brings to the table that you don't get with Azure MFA alone.
- [Voiceover] When it comes to protecting your accounts, two-step verification should be the standard across your organization. This is especially important for administrative accounts that have privileged access to resources. Azure MFA Server extends Multi-Factor Authentication to on-premises resources, delivering a number of benefits: consistent protection, providing Multi-Factor Authentication to your on-premises apps; building consistency into your identity management user experience, which should actually increase the satisfaction of your users, your internal customers; and reduced costs through reductions in calls to the Help Desk and reducing or eliminating the need to train users on how to navigate different authentication experiences.
A more consistent user experience, in that the second factor of authentication appears the same across cloud and on-premises apps. And if you find your organization's authentication needs lead you to the Federated Identity model, Azure MFA Server brings multi-factor support to Active Directory Federation Services. With Multi-Factor Authentication you're adding the second factor, leveraging something your users have, upping the security of the authentication process and greatly reducing the chance of compromise.
With Azure MFA, you're delivering that capability for your cloud-hosted apps: PaaS, IaaS, and SaaS apps like Office 365. What you're getting in Azure MFA is effectively MFA as a service, as part of the identity as a service you get with Azure Active Directory. Azure MFA Server brings that same capability to your on-premises environment and applications by introducing a server into your corporate data center as the MFA broker. How do you know MFA Server is right for your work? Well, you need to ask yourself two questions.
Which types of resources on-premises do I need to protect with MFA? If you're looking to protect resources on-premises which are not covered by Azure MFA, then MFA Server can be a good solution to protect a variety of on-premises resources such as VPN, AD Federation Services, IIS web apps, and even Remote Desktop. Particularly, if you're trying to protect IIS applications you're hosting on-premises, MFA Server is going to bridge a gap.
It can fill that same gap for your Remote Desktop Gateway and VPN solutions, as well. And the second question is, where are your users located? If you're synchronizing identities, but not passwords, which is less common nowadays, but a situation we see every now and again, or if your organization leverages the Federated Identity model, then MFA Server extends the Azure MFA experience to on-premises resources. There are even a handful of features MFA Server delivers that you don't get with Azure MFA, including two-way SMS as a second factor, so rather than getting a code via SMS and typing it into a webpage, users can simply respond to the text message on their phone.
Hardware tokens as a second factor. If you have RSA tokens or a similar solution implemented in your environment, with MFA Server you can leverage that as a second factor of authentication. PIN mode enhances the security of MFA by requiring the user to enter a PIN in the Azure Authenticator mobile app as the second factor of authentication. You can even allow users to initiate a one-time bypass of MFA. If a user sets this up, it will take effect the next time the user signs in and lasts 300 seconds, five minutes, by default.
You can offer the user a box to change the duration of the one-time bypass. This can come in really handy when a user is traveling and they temporarily don't have access to their normal second factor of authentication. And finally, caching. Caching allows you to set a specific time period so that subsequent authentication attempts succeed automatically, reducing the number of MFA prompts your users see. Long story short, MFA Server is a key component in the implementation of a secure and consistent hybrid identity and access management strategy for your enterprise.
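The one-time bypass and caching features described in the transcript both carve out time windows in which a sign-in succeeds without a second-factor challenge, so it helps to see how narrow those windows are and how they interact. The model below is an added example written for this page; it is not MFA Server code and does not use any MFA Server API. It assumes a hypothetical `MfaPolicy` object that records successful second-factor checks and one-time bypass grants, uses the 300-second default bypass duration from the transcript, and makes two labelled assumptions: a valid cache hit is honoured before a bypass is consumed, and a consumed bypass does not seed the cache.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default one-time bypass duration stated in the transcript: 300 seconds (five minutes).
DEFAULT_BYPASS_SECONDS = 300


@dataclass
class BypassGrant:
    """A single-use bypass window opened for one user (hypothetical model)."""
    expires_at: float
    used: bool = False


@dataclass
class MfaPolicy:
    """Hypothetical model of prompt/no-prompt decisions for second-factor checks.

    cache_seconds: window after a successful MFA check during which subsequent
                   sign-ins succeed without a new prompt (0 disables caching).
    """
    cache_seconds: int = 0
    last_success: Dict[str, float] = field(default_factory=dict)
    bypasses: Dict[str, BypassGrant] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def grant_one_time_bypass(self, user: str, now: float,
                              duration: int = DEFAULT_BYPASS_SECONDS) -> None:
        """Open a bypass that is valid for `duration` seconds starting now."""
        self.bypasses[user] = BypassGrant(expires_at=now + duration)
        self.audit.append(f"{now:.0f} bypass_granted user={user} seconds={duration}")

    def record_success(self, user: str, now: float) -> None:
        """Record a completed second-factor check; only this seeds the cache."""
        self.last_success[user] = now

    def _cache_valid(self, user: str, now: float) -> bool:
        last: Optional[float] = self.last_success.get(user)
        return bool(self.cache_seconds) and last is not None \
            and 0 <= now - last < self.cache_seconds

    def decide(self, user: str, now: float) -> str:
        """Return 'cached', 'bypass' or 'prompt' for a sign-in at time `now`.

        Assumption: a valid cache entry is honoured first, so an unused bypass
        is not wasted on a sign-in that would not have prompted anyway.
        """
        if self._cache_valid(user, now):
            self.audit.append(f"{now:.0f} mfa_cached user={user}")
            return "cached"

        grant = self.bypasses.get(user)
        if grant is not None:
            if not grant.used and now < grant.expires_at:
                grant.used = True  # single use: consumed by this sign-in
                self.audit.append(f"{now:.0f} mfa_bypassed user={user}")
                return "bypass"
            # Expired or already consumed: discard so it cannot be reused.
            del self.bypasses[user]
            self.audit.append(f"{now:.0f} bypass_discarded user={user}")

        self.audit.append(f"{now:.0f} mfa_prompt user={user}")
        return "prompt"


def demo() -> List[str]:
    """Walk through the scenarios on a policy with a 60-second cache (constructed data)."""
    policy = MfaPolicy(cache_seconds=60)
    results = []
    results.append(policy.decide("alice", 0))          # no history: prompt
    policy.record_success("alice", 0)
    results.append(policy.decide("alice", 30))         # inside cache window
    results.append(policy.decide("alice", 61))         # cache expired: prompt again
    policy.grant_one_time_bypass("bob", 100)           # default 300-second window
    results.append(policy.decide("bob", 150))          # bypass consumed
    results.append(policy.decide("bob", 160))          # already used: prompt
    policy.grant_one_time_bypass("carol", 0, duration=60)
    results.append(policy.decide("carol", 61))         # expired unused: prompt
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit list is there for the same reason a real deployment should log these events: a bypass grant or a cache-driven skip is exactly the kind of decision a reviewer wants to be able to reconstruct afterwards, and because a consumed bypass never writes to `last_success`, a traveller's five-minute window does not silently turn into a longer cache window.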
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.
- Setting up Azure Active Directory for an organization
- Enabling user-level and application-level multi-factor authentication
- Setting conditions for secure access
- Planning a mobile device management (MDM) strategy
- How Intune (standalone) MDM works
- How Intune mobile application management works
- Publishing applications with Azure AD App Proxy
- Assigning users and groups