MFA and Active Directory: Four Common Questions

Written by Sean Blanton on May 14, 2021

Updated on September 15, 2021

Identity and data theft is a threat to IT and business that grows every day, and it has grown faster during the pandemic, with so many organizations working remotely. Given an admin's responsibility for securing user identities, multi-factor authentication (MFA) is no longer optional; it is a necessity.

In fact, MFA (often referred to as two-factor authentication, or 2FA) may be the most important single security control in today's remote, cloud-based work environment.

While it is most often discussed in the context of web apps, MFA can also protect VPNs, workstations, servers, and on-prem applications: anything that needs an extra layer of protection, which these days should be just about every IT resource. At its core, MFA is about making sure that when a user logs in to a resource, that resource has stronger evidence than a password alone that the person asking for access is who they claim to be.

With Microsoft Active Directory being the legacy identity provider (IdP) at the center of most enterprises, you might expect MFA to come standard with every AD deployment. Unfortunately, it isn't that simple. Below you'll find answers to the first four questions many admins ask when they find themselves needing MFA for their Active Directory environment.

Keep in mind that the picture becomes even more complicated once you add Azure Active Directory and the MFA capabilities within Azure.

Is MFA Really a Necessity?

This might not be your first question, but it bears a quick recap. Every organization, no matter how big or small, needs to stay secure. More critical information is stored digitally than ever before, and keeping that information secure is vital. Stolen or guessed credentials remain one of the most common ways attackers get in, because a valid identity lets them walk through the front door rather than break in. Using core user accounts without MFA puts your proprietary data at real risk.

Attackers are getting bolder every day. Between phishing, spear-phishing, and credential-stuffing attacks, and the ransomware campaigns that typically follow a stolen login, a simple username/password combination isn't enough. When you factor in that many people (even CEOs) use weak or reused passwords across any number of services, the risk only increases. IT admins should implement MFA wherever possible, and the good news is that it doesn't need to be difficult to deploy or hard for end users to live with.

What Do I Need to Add to AD to Enable MFA?

It is not easy to integrate MFA seamlessly into IT resources managed by Active Directory. That is true even for Windows machines, and especially true for Mac and Linux devices and for applications.

Unfortunately, having an Active Directory instance set up as your core IdP isn't enough to enable MFA across your fleet of systems. To do that, you need an additional application or service that adds those capabilities, both to AD and to your individual IT resources. The usual approach is to enforce MFA at the point of login on the Windows machine: because the Windows logon is the gateway to most of what a user touches in the domain, an add-on inserts a second authentication step there. Microsoft does not provide this natively with AD, so you will likely need an add-on solution. One caveat worth knowing before you buy: an add-on that protects the interactive Windows logon does not change how the domain controllers themselves authenticate, so network logons to file shares and other domain services (Kerberos and NTLM) still accept a password on its own.
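Third-party Windows logon MFA products of the kind described above hook into the logon screen as Windows credential providers, so one quick way to confirm that an add-on is actually in the logon path (and not merely installed) is to list the registered providers and flag any that are not Microsoft-signed. The following PowerShell script is an added example, not code from the original article or from any vendor; it reads the documented registry locations for credential providers and their filters and assumes that the MFA add-on registers itself there.

```powershell
# Added example: list the credential providers registered for Windows logon
# and flag those that are not signed by Microsoft. Assumption: the MFA add-on
# discussed in the article registers itself as a credential provider (or a
# provider filter); if it does not appear here, it cannot gate the logon.

function Get-LogonCredentialProvider {
    [CmdletBinding()]
    param()

    $roots = @{
        Provider = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
        Filter   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
    }

    foreach ($kind in $roots.Keys) {
        $root = $roots[$kind]
        if (-not (Test-Path $root)) { continue }

        foreach ($key in Get-ChildItem $root) {
            $props = Get-ItemProperty $key.PSPath
            $clsid = $key.PSChildName            # the provider's COM class ID, e.g. {60b78e88-...}
            $name  = $props.'(default)'          # friendly name stored as the key's default value

            # Resolve the COM class to the DLL that implements it.
            $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $server) {
                [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $server).'(default)')
            }

            # Check the Authenticode signer so a third-party provider stands out.
            $signer = $null
            $valid  = $false
            if ($dll -and (Test-Path $dll)) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $valid  = ($sig.Status -eq 'Valid')
                $signer = $sig.SignerCertificate.Subject
            }

            [pscustomobject]@{
                Kind       = $kind
                Name       = $name
                Clsid      = $clsid
                Dll        = $dll
                Signer     = $signer
                SigValid   = $valid
                ThirdParty = -not ($signer -match 'O=Microsoft Corporation')
                # A "Disabled" DWORD of 1 under the provider key turns that provider off.
                Disabled   = ($props.Disabled -eq 1)
            }
        }
    }
}

Get-LogonCredentialProvider |
    Sort-Object Kind, ThirdParty -Descending |
    Format-Table Kind, Name, ThirdParty, Disabled, SigValid, Dll -AutoSize
```

Run it on a representative workstation after the add-on is deployed: you should see the vendor's provider with ThirdParty set to True, SigValid set to True, and Disabled set to False. If the only providers listed are Microsoft's own, the machine is still taking password-only logons regardless of what the directory side says.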

Is MFA Included in Azure or Office 365 Accounts and Subscriptions?

Switching gears from AD to Azure AD or Microsoft 365 accounts: you can enable multi-factor authentication, but it can be complicated, so the honest answer is "sometimes." It depends on which Azure AD or M365 subscription you have. Some tiers offer a simple point-and-click option under settings, while others require an upgrade.

Is MFA Included with Azure AD?

You can use a baseline form of MFA on an Azure AD Free tenant; this is the minimum Azure setup you need to enable MFA, and older tenants may still be on the legacy per-user or per-authentication MFA billing model. Note, however, that Azure MFA governs sign-ins that go through Azure AD. It does not, by itself, protect on-prem AD domain logons, file servers, on-prem applications, or network gear that authenticate directly against a domain controller, so it is not a replacement for MFA on the AD domain logon.

If you have accounts that belong to the Global Administrator role in Azure AD, you can activate Azure MFA for them for free, but only if the account you're setting it up for is a "Work" or "School" account.

Is MFA Included with M365?

MFA verification for logging in to M365 accounts is available to certain M365 pricing tiers (such as the Academic and Nonprofit plans) without any additional purchase or subscription. Outside of this handful of plans, the basic per-user MFA that comes with Azure AD Free is all you get; anything beyond that, such as requiring MFA by policy per app, location, or risk, means paying for Azure AD Premium P1, just as with Azure AD on its own.

And while it's true that Azure AD Free comes with every M365 subscription (and basic MFA comes with Azure AD Free), it has minimal options and administrative controls. To get the full version of MFA with all of its administrative capabilities, you'll have to upgrade and pay for it. If you do end up paying for AAD P1, you'll be able to write conditional access policies for users signing in to Azure AD-protected resources. You'll still need a separate answer for making equivalent policies apply to your other IT resources, including systems, on-prem resources, and more.
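To make the P1 capability concrete, here is the conditional access policy most admins start with: require MFA for every user on every cloud app, created in report-only mode so the sign-in logs show the impact before anything is enforced. This is an added example, not code from the original article or from Microsoft; it uses the Microsoft Graph PowerShell SDK's Invoke-MgGraphRequest cmdlet and the Graph conditionalAccess/policies endpoint, assumes an Azure AD Premium P1 license, and the break-glass account ID is a placeholder you must replace with your own emergency-access account.

```powershell
# Added example: create an Azure AD Conditional Access policy that requires MFA
# for all users on all cloud apps, starting in report-only mode.
# Assumptions: Azure AD Premium P1, the Microsoft.Graph.Authentication module,
# and an account able to consent to the Policy.ReadWrite.ConditionalAccess scope.
# The break-glass object ID below is a placeholder, not a real account.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Exclude at least one emergency-access account so an MFA outage cannot lock
# every administrator out of the tenant.
$breakGlassAccountId = '00000000-0000-0000-0000-000000000000'   # placeholder

$policy = @{
    displayName   = 'Require MFA for all users (report-only)'
    # Report-only evaluates the policy and logs the outcome without enforcing it;
    # change to 'enabled' once the sign-in logs show no unexpected lockouts.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 5) `
    -ContentType 'application/json'

"Created policy $($created.id) in state $($created.state)"
```

Note what this policy covers and what it does not: it applies to sign-ins brokered by Azure AD (cloud apps and anything federated to it). A user logging on to a domain-joined workstation or opening an SMB share against on-prem AD never touches this policy, which is exactly the gap the article describes for systems and on-prem resources.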

How Do You Add MFA to AD Without Azure or M365? 

If you need to enable MFA for AD quickly and easily, and don't want to go through the hassle of setting up Azure AD, you can use JumpCloud's directory platform instead. It can deliver MFA across a hybrid fleet regardless of platform, protocol, provider, or location.

JumpCloud reimagines the role of Active Directory: it provides user management and policy controls comparable to AD's GPOs, with MFA among the policies admins can push to whole fleets of systems from one place. It is well suited to small- and medium-sized businesses because it handles identity and access management within a single centralized platform. With it, you can manage:

  • Users and groups of users
  • Mac/Windows/Linux systems
  • On-prem and cloud-based applications
  • File servers
  • Networks and VPNs
  • Cloud-based infrastructure 

Learn More

To learn how to add MFA to Active Directory and more, check out our page about JumpCloud's MFA capabilities, or contact us to set up a free demo. You can also try it out for yourself: your first 10 users and 10 systems are free, along with 10 days of 24x7 premium in-app chat support.