By Ryan Squires Posted October 29, 2019
IT admins looking to secure their user identities are excited about Azure® MFA. Why? Multi-factor authentication, or MFA, provides an extremely important function for any IT organization: It boosts the security of identities. Without MFA, a bad actor with stolen credentials can easily access critical IT resources. That’s why many IT admins are looking into Azure MFA.
Where, Why and How Should I Use MFA?
Ultimately, you should use MFA everywhere you can, from systems to applications and networks. The reasoning is simple. MFA protects your critical resources, even when user credentials are compromised. Bad actors also need access to the associated user’s second method of authentication. The second factor could come from a time-based one-time password (TOTP) generator, like Google Authenticator™, which is generally stored on the corresponding user’s smartphone. Simply put, with MFA enabled, stolen credentials are not enough.
Here’s why: because a fresh TOTP code is generated roughly every 30 seconds, each code is short-lived and nearly impossible to guess. So, to access an MFA-protected resource, the current TOTP code must be entered along with the password.
But, TOTP tokens are not the only way to secure user identities with a second factor. Some services send SMS messages with codes that are used to access resources. Additionally, hardware tokens from MFA players like YubiKey and Google Titan™ are another way to generate one-time passwords (OTPs). No matter where you source the second form of authentication, it comes from something you have: a smartphone, hardware key, etc. as opposed to your regular password which is something that you know. Using something you know in conjunction with something you have increases security because just having one or the other is not enough to access resources.
So, What Can Azure MFA Do?
Getting back to Azure MFA, what can you do with Azure MFA and how can it be useful for you? It is best to think of Azure MFA as an add-on to a Windows® directory service environment. So, before we get into Azure’s MFA abilities, you need to know that in order to maximize the usefulness of Azure MFA you need to use Active Directory (AD) and Azure Active Directory (AAD) in conjunction.
Once those are functional, you can set up Azure MFA to secure Microsoft-based / approved tools. The key to enforcing MFA is setting up a Conditional Access policy. Conditional Access policies work on an if / then model. An example of if / then is as follows: if a user / group attempts to access a specific resource, then require the use of MFA. Some common resources that you can enable Azure MFA with are as follows:
- Web applications: Specifically the Office 365™ suite of products. But, Microsoft also provides the ability for IT admins to institute MFA for third-party applications.
- On-Prem Applications: A lot of companies utilize legacy applications, and if they’re published to the web, you can set up Azure MFA to work with them.
- Networks: With the use of an on-prem Network Policy Server (NPS), IT admins can enforce MFA on their networks.
The problem with this approach is that it requires a significant amount of configuration work. To get your on-prem AD and AAD instances to talk, you need to configure Azure AD Connect. Then, for legacy applications, an additional tool called Application Proxy must be set up. If you want to utilize MFA for your networks, you will need to set up and configure an on-prem NPS server. In all, with these solutions you’re going to run into quite the challenge of setting up and getting it all to work.
When you realize that most computing environments are not pure Windows environments, the problem gets much larger in scope. What if you use other IT platforms such as macOS®, Linux®, AWS®, G Suite™, Google Cloud Platform™ (GCP™), OpenVPN™ or thousands of other IT tools? You are going to struggle to add MFA to protect those resources. One option for you — even if you use AD — is to leverage a true cloud-based directory service.
Is There A Full-Featured Alternative to Azure MFA?
Many people think that Azure Active Directory is Microsoft’s answer to a cloud directory. Unfortunately, it is not. You still need AD on-prem to get the most out of it. Thankfully, a true cloud-based directory has emerged that not only helps to manage the Windows-based resources in your environment, but also the myriad non-Microsoft tools you most likely leverage too. We call it Directory-as-a-Service. And because MFA is built into the platform, you can easily add it to many of your resources including systems, networks, and applications with minimal configuration and effort.
Learn More About Directory-as-a-Service Today
Utilizing Azure MFA might present more challenges than solutions for your modern IT environment, so schedule a demo today to see how Directory-as-a-Service can simplify your administrative tasks.