MFA and Active Directory: Answers to 5 Common Questions

Written by Sean Blanton on May 14, 2021


Updated on January 29, 2024

Identity and data theft is a threat to IT and business that grows every day. Given an admin’s responsibility for securing user identities, multi-factor authentication (MFA) is no longer optional; it is a necessity.

In fact, MFA (often referred to as two-factor authentication) may be the most critical security tool in today’s remote-work, cloud-based environment.

While it’s most often cited in reference to web apps, MFA can secure VPNs, workstations, servers, on-prem applications, and anything else that needs that extra layer of protection, which these days should be just about every IT resource.

This is because, at its core, MFA is about making sure that when a user logs in to a resource, that resource can verify that the person asking for access really is who they claim to be.

What You Need to Know About MFA and Active Directory

With Microsoft Active Directory being the legacy identity provider (IdP) at the center of most enterprises, you’d think that MFA would come standard with every AD package. Unfortunately, it isn’t that simple.

The conversation becomes even more complex when you add Azure Active Directory and the MFA capabilities within Azure.

Why You Really Need MFA

Every organization, no matter how big or small, needs to remain secure. More critical information is stored digitally than ever before and keeping that information secure is vital to an organization.

The number one pathway to a compromise is stealing the right identity. These days, leaving core user accounts without MFA puts your proprietary data at risk.

Perpetrators of cyberattacks are getting bolder every day. Between phishing, spear-phishing, and ransomware attacks targeting user credentials, a simple username/password combination isn’t enough. When you also consider that many people (even CEOs) tend to use simple or reused passwords across any number of services, these risks only increase.

IT admins should enable MFA for Active Directory wherever possible, and the good news is that it doesn’t need to be difficult to install or hard for the end user to use.

Below you’ll find answers to the five questions admins most often ask when they find themselves needing MFA for their Active Directory environment.

1. What Do I Add to Enable MFA?

Seamlessly integrating MFA into IT resources with Active Directory is not easy, even for Windows machines, and it is harder still for Mac and Linux devices and for applications.

Unfortunately, having an Active Directory instance set up as your core IdP isn’t enough to enable MFA across your fleet of systems. To do that, you’ll need an additional application or service that adds those capabilities, both to AD and to your IT resources.

Generally, the way this works is to enforce MFA for Active Directory at the point of login on the Windows machine. Since the Windows machine login is the gateway to everything within the domain, you add a second step there by requiring MFA. Unfortunately, Microsoft doesn’t do this natively with AD, so you’ll likely need an add-on solution.

2. Is MFA Included in Azure or Office 365 Accounts and Subscriptions?

Switching gears from AD to Azure AD or Microsoft 365 accounts, you can enable multi-factor authentication, but it can be complicated. So the answer to this question is: sometimes. It all depends on what kind of Azure AD or M365 subscription you have, as some have a simple point-and-click option under settings, and others require an upgrade.

3. Is MFA Included with Azure AD?

You can use MFA on an Azure AD Free (or Azure AD Basic) subscription if you elect the per-user or per-authentication billing/usage model. This is basically the minimum Azure setup you’ll need to enable MFA.

Note, however, that Azure’s MFA extends only to certain web apps, so it can’t be used to protect logins to all of your Windows machines, on-prem apps, file servers, or networks. It is not a replacement for MFA on domain logins to AD.

If you have accounts that belong to a global administrator role in Azure AD, you can activate Azure MFA for free, but only if the account you’re setting it up for is a “Work” or “School” account.

4. Is MFA Included with M365?

MFA verification for logging in to M365 accounts is now available on certain M365 pricing tiers (such as the Academic and Nonprofit plans) without any additional purchase or subscription. Outside of this handful of plans, however, you’ll have to pay for it as you would with Azure AD, and in this case you’ll need Azure AD Premium P1 (AAD P1) to have MFA included.

And while it’s true that Azure AD Free comes with every M365 subscription (and MFA comes with Azure AD Free), it has minimal options and capabilities. To get the full version of MFA on Active Directory with all its administrative capabilities, you’ll have to upgrade and pay for it.

Of course, if you do end up paying for AAD P1, you’ll be able to set up conditional access policies for those accessing Azure resources. You’ll still need a separate way to make those conditional access policies apply to other IT resources, including systems, on-prem resources, and more.

5. How Do You Add MFA to Active Directory Without Azure or M365?

If you need to enable MFA for AD quickly and easily and don’t want to go through the hassle of AAD setup, you can leverage JumpCloud’s directory platform to set up Windows MFA. You can even get MFA with Active Directory across your hybrid fleet, regardless of platform, protocol, provider, or location.

JumpCloud reimagines the role of Active Directory, providing user management similar to AD’s GPOs, where policies, including MFA, are controlled with commands that admins can apply to whole fleets of systems.

It’s ideal for small- to medium-sized enterprises (SMEs), as it handles the whole of your identity and access management within one centralized platform. With it, you can manage:

  • Users and groups of users
  • Mac/Windows/Linux systems
  • On-prem and cloud-based applications 
  • On-prem apps and file servers 
  • Networks and VPNs
  • Cloud-based infrastructure 

Learn How to Add MFA in Active Directory

While MFA is a common way to compensate for the shortcomings of passwords, a well-designed multi-factor authentication solution seeks to strike a balance between added security and user convenience.

To learn more about merging MFA with Active Directory, contact us and schedule a free demo.

Sean Blanton

Sean Blanton is the Director of Content at JumpCloud and has spent the past decade in the wide world of security, networking, and IT and infosec administration. When not at work, Sean enjoys spending time with his young kids and geeking out on tabletop games.