The story of Multi-Factor Authentication and the Azure MFA [Updated Feb 2017]

Note: Azure MFA stands for Azure Multi-Factor Authentication cloud services.

Old Way

We use passwords all the time, whether we are using a good authentication protocol like NTLM or a better one like Kerberos. Cryptography and digital certificates are the stronger alternative to traditional passwords, because each user holds a public and private key pair, but that key pair also makes things harder in terms of manageability and cost of implementation.

As security becomes more and more relevant to business today, people start thinking of two and three factor authentications. I can remember when smart cards were so popular because of their two factor nature and they indeed provide some sort of prestige. Smart cards are a good example of two factor authentication, because you need to have the physical card in addition to the PIN (something you have and something you know).

One of the big disadvantages of using smart cards is the cost of management. You need to enroll smart cards, replace them, retire them, update the certificates on them, etc. Imagine that someone forgot his smart card at home and he needs to log on. One-time password devices have become common as well. You get a hardware token that displays a number which changes periodically. When you want to access a resource, you enter the number currently displayed on the device.

Some smart card providers are now offering smart cards with biometrics. You need the card itself (something you have), your thumb (something you are) and perhaps a PIN (something you know). The addition of biometrics adds a difficult-to-clone token, as they describe it.


The common thing between all the previous solutions is that you need to buy a hardware token and maintain it. If you look at the business model today, it is easy to see that everything is moving fast. Security is a top priority and must be deployed from day one. There is no time to get a PKI specialist and educate people to carry physical tokens around all the time just to enable two-factor authentication. People will forget their cards at airports or at home. Even worse, they will leave the smart card plugged into the smart card reader, so that if the laptop gets stolen, the smart card is stolen too.

[Figure: Azure MFA old way problems]


Nowadays, no one goes anywhere without carrying his mobile phone, and nothing makes a better second factor of authentication than your mobile device. There is a very small chance that you will forget your mobile device at home. Even if you do, I am sure that you will go back and get it right away.

MFA New Way

Your phone becomes the token, and it is by far the most cost-effective solution for businesses nowadays. There is no extra training for people to use their mobiles, and no extra overhead for IT administrators if the token (mobile) is lost. There is no provisioning or management of tokens, since users already manage and own their own mobiles.

I will talk about multi-factor authentication on premises just to explain my point here. To perform multi-factor authentication for on-premises applications, you need your application to redirect authentication to a service (the MFA service) that authenticates users by username and password, and then uses the user's mobile phone as the second factor of authentication.

[Figure: MFA Story]

Although this seems to be a very effective solution, it introduces another problem. The IT administrators need to install and deploy the MFA service on premises, worry about how this service can contact the user's mobile device for the second factor, and make sure this service is always available.

The smart thing to do is to move the MFA service to the cloud and consume the MFA part as an offered cloud service. Your application contacts a cloud service for the second factor of authentication, the cloud service takes over the task of contacting the user's mobile number and getting the response back, and finally the cloud service returns a response (success/failure) to your application.

[Figure: Azure MFA Story continues]

Microsoft Azure MFA Offering

Microsoft Azure Multi-Factor Authentication is an Azure Identity and Access Management service that prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication.

The good news is that Azure Multi-Factor Authentication can be used right away if your applications are on Azure or if you are using Office 365. Nothing works better than using multi-factor authentication for your Office 365 users, since the application is already hosted in Azure.

What about on-premises applications? What if you do not have any cloud presence yet and you want to use only the MFA part of Azure?

This is completely possible because of the smart design and offering of Azure MFA. Microsoft designed the solution in a completely abstracted way. It starts with your applications that require multi-factor authentication. These applications can be your VPN server, your RDS farm, your IIS portals or any other service. The problem is that every application offloads the authentication task in a different way. Some of them (like most VPN gateways) prefer to offload authentication using the RADIUS protocol, while others may prefer LDAP.

Since different applications prefer different methods of offloading authentication, and these applications need to contact the Azure MFA service, Microsoft introduced an on-premises proxy server (called the MFA server) that acts mainly as an authentication proxy. It has listeners such as RADIUS and LDAP on one side to talk to your applications, and it connects to the Azure MFA service on the other side using HTTPS. This server is very easy to deploy on premises: you just install the bits and do a little configuration via a wizard. There are no special service accounts and no difficult extra configuration to worry about, and you can rebuild it in a few minutes.

[Figure: MFA Story 4]

So how does Azure MFA work? Corporate applications that require multi-factor authentication proxy every authentication request to the on-premises MFA server. The on-premises MFA server contacts your Active Directory or any on-premises LDAP directory to check whether the first factor (username and password) is correct. If and only if the first factor succeeds, the on-premises MFA server connects to the Azure service and asks it to perform the second factor via the user's mobile phone. This can be a phone call, an SMS message, or a push notification through the Azure MFA mobile app.

What I really like about Azure MFA is the level of abstraction it provides. Your applications do the first factor of authentication, typically with username and password, and then offload the second factor to the Azure MFA service. So what you are really buying is the second factor, which can be a phone call, an SMS or even the mobile app. You can configure each user with his preferred second-factor method: one user can choose a phone call as his second factor, while another may choose the mobile app.

Because Azure MFA can also integrate with your applications using RADIUS, you can enable multi-factor authentication for your VPN clients in no time. The speed of deployment of such a multi-factor authentication solution, in addition to its simplicity and cost, is something you cannot easily find elsewhere.
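To make the flow above concrete, here is an added example (my own illustration, not code from Microsoft or from the MFA server product) that models what the on-premises MFA server does: it checks the first factor against a local directory, contacts the second-factor service only when the first factor succeeds, honours each user's preferred method, and fails closed when the cloud service cannot be reached. The directory, the phone numbers, the `cloud` callable and the "call"/"sms"/"app" method labels are all constructed stand-ins for Active Directory and the Azure MFA service; the verdict strings mimic RADIUS Access-Accept/Access-Reject.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# --- Constructed on-premises directory (stands in for AD or any LDAP directory) ---

def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the sample directory never stores clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class DirectoryUser:
    salt: bytes
    pw_hash: bytes
    phone: str            # number the cloud service would call or text
    second_factor: str    # hypothetical labels: "call", "sms" or "app"

def make_directory() -> Dict[str, DirectoryUser]:
    """Three constructed users, each with a different preferred second factor."""
    users: Dict[str, DirectoryUser] = {}
    for name, pw, phone, method in [
        ("alice", "correct horse battery staple", "+15550001111", "app"),
        ("bob", "hunter2", "+15550002222", "call"),
        ("carol", "tr0ub4dor&3", "+15550003333", "sms"),
    ]:
        salt = os.urandom(16)
        users[name] = DirectoryUser(salt, _hash_password(pw, salt), phone, method)
    return users

def first_factor_ok(directory: Dict[str, DirectoryUser], username: str, password: str) -> bool:
    """Username/password check. Unknown users still pay the hashing cost and get the
    same answer as a wrong password, so the response does not reveal which users exist."""
    user = directory.get(username)
    if user is None:
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)

# --- Constructed stand-in for the cloud second-factor service ---

def make_cloud_stub(decisions: Dict[str, bool], calls: List[Tuple[str, str]]) -> Callable[[str, str], bool]:
    """Returns a callable(phone, method) -> approved. Phones missing from `decisions`
    simulate an unreachable service, which the proxy must treat as a failure."""
    def cloud(phone: str, method: str) -> bool:
        calls.append((phone, method))
        if phone not in decisions:
            raise ConnectionError("constructed: second-factor service unreachable")
        return decisions[phone]
    return cloud

# --- The authentication proxy (what the on-premises MFA server does) ---

@dataclass
class MfaProxy:
    directory: Dict[str, DirectoryUser]
    cloud: Callable[[str, str], bool]
    audit: List[str] = field(default_factory=list)

    def authenticate(self, username: str, password: str) -> str:
        """RADIUS-style verdict: 'Access-Accept' only when both factors succeed."""
        if not first_factor_ok(self.directory, username, password):
            self.audit.append(f"{username}: first factor failed; cloud not contacted")
            return "Access-Reject"
        user = self.directory[username]
        try:
            approved = self.cloud(user.phone, user.second_factor)
        except ConnectionError:
            # Fail closed: an unavailable second factor must never become a bypass.
            self.audit.append(f"{username}: second-factor service unreachable; rejected")
            return "Access-Reject"
        self.audit.append(f"{username}: second factor ({user.second_factor}) "
                          f"{'approved' if approved else 'denied'}")
        return "Access-Accept" if approved else "Access-Reject"

def run_scenarios() -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Drive the proxy through the interesting cases; returns verdicts and cloud calls."""
    calls: List[Tuple[str, str]] = []
    # alice's app push is approved, bob's phone call is denied, carol's number is unreachable
    proxy = MfaProxy(make_directory(), make_cloud_stub(
        {"+15550001111": True, "+15550002222": False}, calls))
    verdicts = {
        "alice_ok": proxy.authenticate("alice", "correct horse battery staple"),
        "bob_denied": proxy.authenticate("bob", "hunter2"),
        "alice_badpw": proxy.authenticate("alice", "wrong"),
        "unknown_user": proxy.authenticate("mallory", "anything"),
        "carol_unreachable": proxy.authenticate("carol", "tr0ub4dor&3"),
    }
    return verdicts, calls

if __name__ == "__main__":
    v, c = run_scenarios()
    print(v)
    print(c)
```

The two properties worth checking when you deploy the real thing are the ones the scenarios exercise: a wrong password or unknown user never generates a phone call, SMS or push (so an attacker guessing passwords cannot spam your users with prompts), and losing connectivity to the cloud service yields a reject rather than a silent fallback to single-factor.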

[Figure: Azure Multi-Factor Authentication poster by Ammar Hasayen]

Microsoft Azure Multi-Factor authentication is offered in different ways:

  • Stand-alone offering: one example would be to download the on-premises MFA server and use it to authenticate on-premises systems. Microsoft then charges for the MFA service either per user per month or per authentication request
  • Included in Azure Active Directory Premium
  • Free for Azure Administrators
  • A subset of Azure MFA functionality included in Office 365

Why go with the Azure MFA solution?

[Figure: MFA Security, by Ammar]



10 comments on “The story of Multi-Factor Authentication and the Azure MFA [Updated Feb 2017]”

  1. Pingback: Azure Multi Factor Authentication – On Premise | Ammar Hasayen - Blog

  2. Pingback: Azure Multi-Factor Authentication “MFA” – Mobile App | Ammar Hasayen - Blog

  3. Pingback: Azure Multi-Factor Authentication Server Deployment – P2 | Ammar Hasayen - Blog

  4. Pingback: Azure Multi-Factor Authenticaion on premise – Tricks | Ammar Hasayen - Blog

  5. Pingback: Azure Multi-Factor Authentication Server Deployment – P1 | Ammar Hasayen - Blog

  6. Hi Ammar, which Visio symbol/icon set did you use for the Azure MFA Mobile App, SMS and Call images? It looks very nice!

  7. Hi Ammar,

    I wonder if you can help – in our scenario, Azure has SSPR information such as “Authentication Phone”. When we use MFA on premises server we need to add mobile number to user AD profile or manually add it to the user in MFA console.

    Bearing in mind Azure has mobile number already for each user is it possible to have the MFA server request Azure to simply call/text the number associated with the Azure AD Premium user?

    Our users do not want their mobile numbers visible in the Exchange GAL and I don’t really want to have (potentially) multiple authentication numbers for our users.

    If Azure has the info already it makes sense to use it.

    Any ideas appreciated.


    • Hi..
      Let us try to go back..

      Microsoft has acquired a company that does multi-factor authentication, and they did some integration with Azure web services to do the second factor authentication. The product in the first place is designed to pull information from AD or have it entered manually from the product management console.

      I do not think Microsoft has done a full development cycle on the product so that the product will connect to Azure AD and pull records from there, where the phone numbers are. They just integrated the web services that perform the second factor.

      After all, this is not a purely, fully built-up product from Microsoft, so such integration with Azure is not to be expected.

      • Hi Ammar,

        Thanks for responding!

        Your answer makes perfect sense. I am hoping that as things evolve Microsoft integrates the on-prem MFA details with the Azure self-service details. It would make sense to do this.

        I will keep an eye on things 🙂

