MFA and Active Directory: Answers to 5 Common Questions

Written by Sean Blanton and David Worthington on May 14, 2021

Share This Article


Contents


Updated on March 26, 2024

Identity and data theft is an omnipresent threat for businesses of all sizes, and exploiting weaknesses within Active Directory (AD) is one of the most common methods of attack. Implementing multi-factor authentication (MFA) provides stronger identity and access management (IAM), but it’s not included with AD, forcing admins to look for solutions, whether they’re from Microsoft or other identity providers (IdP).

This blog focuses on how MFA fits into the journey to modernize AD, but it also outlines how to leverage modern authentication via MFA to implement a simplified Zero Trust security strategy. It’s an approach to modernize AD that enhances security for what you have, and mitigates the cyber risks found in AD to protect your data and every other resource that makes work happen.

Is MFA for Active Directory Necessary?

MFA (or two-factor authentication as it’s often referred to) is a critical security tool in today’s remote work, cloud-based environment. This is because, at its core, MFA is about making sure that when a user is logging in to a resource, that resource knows who’s asking for permission to enter and they are who they say they are. It’s important to understand that MFA is a starting point for IAM that protects assets, people, and devices wherever they exist.

Perpetrators of cyberattacks are getting bolder every day. Between phishing, spear-phishing, and ransomware attacks targeting user credentials, using a simple username/password combination isn’t enough. When you factor in the fact that many people within an organization tend to use simple or reused passwords for any number of services, these risks only increase.

However, Microsoft has designated AD as a legacy product that must be secured and protected. There are numerous, well-understood attacks that threat actors employ to compromise AD, but Microsoft isn’t taking ownership to address its underlying issues. That’s a problem for admins, especially considering how these attacks often exploit weaknesses in AD’s single-factor authentication. Many admins would disagree that AD is a legacy technology; it remains indispensable for many organizations. But there’s no denying that it has security issues. 

The absence of MFA and some other security features in AD is a problem that IT must overcome. AD simply isn’t secure on its own. Admins face another dilemma: follow Microsoft’s prescribed path and adopt its security services to make AD less vulnerable or modernize AD with another IdP. IT admins should enable MFA wherever possible, but it’s understandable that modernizing AD feels like a big decision. Below, you’ll find answers to five common questions that many admins need answered before implementing MFA for their AD environment.

Common Active Directory MFA FAQs

1. What Do I Add to Enable MFA?

Having an Active Directory instance set up as your core identity provider (IdP) isn’t enough to enable MFA across your fleet of systems. You’ll need additional applications and services to add those capabilities. There are two paths: partner with an IdP or deepen your ties with Microsoft.

First, it’s possible to integrate another IdP, like JumpCloud’s open directory platform, with AD for multiple authentication flows. It’s included with the platform at no additional cost. JumpCloud features MFA, including JumpCloud Go™, a modern authentication factor that works cross-OS to secure applications and network resources. Your identities are independent, safeguarding your organization against vendor lock-in while modernizing AD’s access control and security.

Note:

See a simulation of JumpCloud’s MFA login process.

There are two ways to approach AD modernization using Microsoft solutions:

  • Active Directory Federation Service (AD FS) for customers to configure additional authentication methods and to have single sign-on (SSO) to resources. It requires a server farm, can be complex to operate, and has high management overhead. Microsoft has begun to migrate some of its features, such as smart card support, to Entra ID. Adopting AD FS may not future-proof MFA, because Microsoft is pushing Entra ID.
  • Every edition of Entra ID includes MFA. However, an Entra ID Premium plan is required to use Entra ID Connect, an application that bridges AD DS with Microsoft’s cloud directory. Useful features, such as password write back from Entra to AD, will require a Premium 2 plan in order to function. Also, keep in mind that you may have to pay more to support the authentication flow(s) that you need.
  • There are other considerations that will affect your security posture and costs involved.
    • The Premium 2 SKU is a prerequisite to meet the security requirements of Microsoft’s enterprise access model for managing privileged access with AD; the Microsoft Cybersecurity Reference Architecture (MCRA), which layers multiple cloud services around AD; and Zero Trust Rapid Modernization Plan (RaMP), which recommends using cloud IAM and unified endpoint management (UEM).
    • Identity monoculture means that lateral spread is possible between Microsoft’s cloud platforms and AD. It’s recommended that customers also purchase Defender for Identities to protect AD against those threats. Defender for Identities won’t work to its full potential without Microsoft Defender for Endpoints, an endpoint detection and response solution, being installed to account for server threats. That means purchasing a Microsoft 365 (M365) SKU that includes it.
    • SSO for applications hosted on-premise is made possible through Application Proxy, a Premium feature.
    • Defender for Servers is recommended if you host AD in Amazon Web Services (AWS) or Google Cloud Platform (GCP) for cloud security posture management (CSPM).
    • These services can be difficult to learn, requiring you to contract external partners to help set up and maintain. Microsoft’s guidance suggests that customers partner with vendors to completely implement these services and handle any change management. This makes using Entra more complex and costly. 
  • Windows Hello, a phishing-resistance modern authentication platform that works with Entra and AD, only supports Windows. It makes it possible to use the strongest authentication factors available, but macOS and Linux users go unprotected.
  • Additional services through Entra ID Domain Services (AD DS) or the Network Policy Server (NPS) server role may be necessary to extend SSO/MFA to network resources.

2. Is MFA Included in Azure or Office 365 Accounts and Subscriptions?

MFA is included with every account for Microsoft cloud services, but integration with your on-premise AD infrastructure isn’t possible without paying for Premium SKUs. There are also many dependencies among Microsoft’s services, which may not be immediately evident.

For example, its cloud services require setting up and using Entra ID, even if you decide to federate identities with another IdP. Some products, like Intune for UEM, won’t work without it. Even Teams has features that depend on Entra ID for external collaboration. This has the effect of limiting optionality and locks customers in Microsoft’s vertically integrated toolsuite.

Note:

Evaluating the costs and risks of migrating to M365.

3. Is MFA Included with Entra ID?

Every Entra ID SKU includes MFA. You can use MFA with a Entra ID Free subscription for Microsoft web apps and other SaaS service providers, but it won’t meet SSO requirements for AD identities. As noted above, Premium SKUs and additional security subscriptions are recommended by Microsoft to address security vulnerabilities stemming from its stack.

4. Is MFA Included with M365?

Entra ID is bundled with every M365 subscription (and MFA is included). To get the full version of MFA on Active Directory with all its administrative capabilities, you’ll either have to upgrade and pay for it a la carte or purchase a Premium SKU. Purchasing M365 could lead to buying more than you really need. M365 is a multi-product solution, and consolidating on it could restrict your choice to use best-of-breed SaaS solutions. Each component of M365 has its own challenges and complexities, as well as operational, support, and security considerations to consider.

5. How Do You Add MFA to Active Directory Without Azure or M365? 

JumpCloud Architecture

If you need to enable MFA quickly and easily to AD, without committing to Microsoft’s expansive reference architecture, you can leverage JumpCloud’s open directory platform to set up Windows MFA. You can even get MFA with Active Directory across your hybrid fleet — regardless of platform, protocol, provider, or location. Its MFA can be configured to utilize TOTP, push authentication through JumpCloud’s free Protect app, or passwordless via JumpCloud Go. The platform supports native biometrics on mobile devices as well as security keys.

JumpCloud reimagines the role of Active Directory, providing user management similar to AD’s GPOs, where policies including MFA are controlled with commands that admins can use to control whole fleets of systems. Alternatively, it will coexist with your existing AD infrastructure in place. Visit our Active Directory Integration (ADI) resource page to explore deployment options.

The open directory platform is ideal for small to medium-sized enterprises (SMEs), as it centralizes IAM and device management. With it, you can:

  • Manage your assets and the discovery of shadow IT services (coming soon).
  • Manage your users and groups of users.
  • Manage your Android/Mac/Windows/Linux systems.
  • Manage your on-prem and cloud-based applications. 
  • Manageo your on-prem apps and file servers. 
  • Manage your networks and VPNs.
  • Manage your Cloud-based infrastructure.
  • Manage your reporting and telemetry for compliance.

JumpCloud features automations and workflows to streamline on/offboarding. It also has optional conditional access rules with step-up authentication to protect privileged resources (coming soon), Remote Access and troubleshooting tools, a password manager, and patch management features, all from a unified console to consolidate your IAM/UEM needs.

Note:

See what it’s like to work with JumpCloud. Try our guided simulations.

Learn How to Add MFA in Active Directory

While MFA is a common alternative used to fix the shortcomings associated with passwords, a well-designed multi-factor authentication solution seeks to strike a balance between added security and user convenience. 

To learn more about merging MFA with Active Directory, contact us and schedule up a free demo.

Sean Blanton

Sean Blanton is the Director of Content at JumpCloud and has spent the past decade in the wide world of security, networking and IT and Infosec administration. When not at work Sean enjoys spending time with his young kids and geeking out on table top games.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.

Continue Learning with our Newsletter