MFA, MFA or MFA?
The other day I saw a blog post from Peter Daalmans regarding the difference between the MFA service offered through Microsoft Intune and the one offered through Office 365. Peter does a great job in his article of explaining how those two services differ from one another. I would, however, like to talk about a third MFA service that Microsoft provides.
But first a little back story. MFA, Multi-Factor Authentication, requires end users and IT pros to prove that they are who they say they are with an additional, independent factor on top of their password. That additional factor can be a smart card, a text message carrying a One-Time Password (OTP), a phone call and so on. Some time ago Microsoft bought the company PhoneFactor and is working hard on rolling that code and functionality out across its services. Intune and Office 365 are two of them; Azure and Azure Active Directory are another.
If you have the EMS suite (Enterprise Mobility Suite) from Microsoft you also have Azure Active Directory Premium, and with that you get Azure MFA "for free". This means that you can either enable the service cloud-only or download the MFA Service Server and install it on a server on-premises. That server then talks to the cloud service at PhoneFactor/Microsoft (the DNS names are still phonefactor, so I'm not sure where the service actually lives) to perform the actual MFA step, such as sending out the text message.
The MFA Service Server also comes with a User Portal that lets users activate the Mobile App, select their language, change their phone number and set their preferred authentication method. Phone calls make for a perfect wow-factor while on stage, but normally I prefer the Mobile App myself.
When you run the MFA Service Server on-premises you can integrate it with AD FS as an additional authentication provider, and it can act as a RADIUS server as well. A colleague and I actually used the RADIUS server feature at a customer for their Citrix NetScaler in order to get a cheaper and more flexible SMS OTP service for remote access. More on that later on.
One of the really cool things about using MFA with AD FS is that you can choose when to require MFA and when not to, based on factors such as where the authentication request originates (inside the corporate network, or from the extranet through the proxy), which user or group is signing in, or other information about the client. It is all driven by additional authentication rules in AD FS, which are ordinary claim rules. This is not the case when you activate MFA in Office 365, for example.
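To make the AD FS side concrete, here is an added example (not code from the original post) of registering an MFA provider and then writing the additional authentication rules that decide when it is invoked. It assumes AD FS on Windows Server 2012 R2 with the Azure MFA Server AD FS adapter already installed; the adapter name lookup and the group SID in the second rule are placeholders, not values from the post.

```powershell
# Added example, not code from the original post. Assumes AD FS on Windows
# Server 2012 R2 with the Azure MFA Server AD FS adapter already installed.
# Run in an elevated PowerShell session on the primary federation server.
Import-Module ADFS

# 1. Enable the MFA provider globally. The name match below is an assumption;
#    check Get-AdfsAuthenticationProvider for the adapter's real name.
$provider = (Get-AdfsAuthenticationProvider |
    Where-Object { $_.Name -like '*MultiFactor*' } |
    Select-Object -First 1).Name
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $provider

# 2. Decide WHEN the provider is invoked. Additional authentication rules are
#    claim rules: when a rule issues the "multipleauthn" authentication-method
#    claim, AD FS prompts for the second factor on that request, otherwise the
#    request is let through on the primary factor alone.
#    The group SID in the second rule is a placeholder.
$rules = @'
@RuleName = "Require MFA for requests from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

@RuleName = "Always require MFA for members of a privileged group (placeholder SID)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^S-1-5-21-1111111111-2222222222-3333333333-1234$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Apply globally, i.e. for every relying party. To scope the policy to one
# application instead, use:
#   Set-AdfsRelyingPartyTrust -TargetName <RP name> -AdditionalAuthenticationRules $rules
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rules

# 3. Verify what AD FS will actually evaluate.
Get-AdfsAdditionalAuthenticationRule
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```

One caveat worth checking before relying on the first rule: AD FS derives the insidecorporatenetwork claim from whether the request arrived through the Web Application Proxy. If external clients can reach the federation servers directly, bypassing the proxy, every request looks "inside" and the extranet rule never fires, so make sure the only external path to AD FS is via the proxy.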