Secure your Network Access with Azure Multi-Factor Authentication
March 09, 2017
As the mobile workplace becomes more common in the corporate environment, a username and password alone are often not enough to protect an organization’s network. As we discussed in our "Self-service Password Reset with Azure AD Premium" post, services such as Office 365 use Multi-Factor Authentication for added security, and many other organizations such as banks, credit card companies, and sites such as Gmail and Facebook do the same. A second factor gives a much higher level of confidence that the person accessing your corporate data is your employee, and it means that a stolen or guessed password on its own is no longer enough to get in.
How does Azure Multi-Factor Authentication work?
Azure Multi-Factor Authentication (MFA) is a cloud-based service; for on-premises integration it is paired with a small utility (the Azure MFA Server) installed on your network. For supported services, this utility sits in the authentication path: it intercepts the login request and, only after the user name and password have been verified against your directory, requests a second factor from the user. This second step usually takes one of two forms:
- Azure MFA can call the user on a designated phone number. The user presses a key on the handset to confirm that they initiated the login request.
- Azure MFA also has a mobile app that can be installed on the user’s phone. The app is available for iOS and Android from the respective app stores. Once installed and registered, the app pushes a prompt to the screen whenever a login is attempted, and the user approves or denies it. Because a prompt is sent for every attempt that passes the password check, users should be told to deny, and report, any prompt they did not trigger themselves.
Regardless of the method used, once the user confirms their identity the utility allows the login request to continue and the user is granted access to the company resource. If the second factor is denied, times out, or cannot be completed for any reason, the utility answers the login request with a failure and the connection is not established. The check therefore fails closed, which is what protects your resources when only the password has been compromised.
What can be protected using Azure Multi-Factor Authentication?
There are many types of resources that can be protected by Azure MFA. Some of the most common are the following:
- VPN Connections – The Azure MFA utility integrates with both RADIUS and LDAP, so it can perform the second-factor check for any VPN that authenticates its users through either protocol. A user connecting to the corporate network is verified both by the RADIUS access rules and by Multi-Factor Authentication. Because the integration is at the RADIUS or LDAP layer rather than with a particular vendor, the solution is firewall agnostic and works with any existing firewall or VPN concentrator that supports one of these protocols.
- Active Directory Federation Services (AD FS) – Many organizations use AD FS to authenticate Active Directory users to applications both on-premises and in the cloud; Office 365, Microsoft Dynamics 365, Citrix ShareFile, and Salesforce.com are common examples. Azure MFA plugs into the AD FS authentication pipeline to require a second factor when accessing these applications. AD FS also gives you finer control over when the second factor is required, through its additional authentication rules: only for certain applications (relying parties), only for certain users or groups, or only when the request comes from outside the corporate network. And just as with VPN, because Azure MFA integrates with AD FS rather than with each application, the solution is application agnostic and applies to the full range of services federated through AD FS.
- On-Premises and Cloud Web Services – Any IIS-based web application, or any website that authenticates users against LDAP, can be secured by Azure MFA. As with VPN connections, the request is verified both by the user database and by Azure MFA before access is granted, and because the integration is with the underlying IIS or LDAP infrastructure it works with almost any web application built on either.
Other systems that authenticate through LDAP, RADIUS, Remote Desktop Services, or IIS can be protected in the same way.
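To make the flow described above concrete (password check first, then the second factor, and a fail-closed reject when the second step is denied, times out or errors), here is an added example modelling the MFA utility as a RADIUS proxy in front of a VPN concentrator, as in the VPN bullet above. This is illustrative code written for this post, not Microsoft's MFA Server code. The packet layout, User-Password hiding and the Response Authenticator follow RFC 2865 as published; the user store (`USERS`), the push-approval callback (`second_factor`), the shared secret and the sample requests are constructed here for the demonstration and stand in for the real directory and the real phone/app prompt.

```python
"""Added example: the MFA "utility" modelled as a RADIUS proxy (RFC 2865 framing).
The user store, the push callback and the sample packets are constructed for
illustration; they are not part of the original post or of Azure MFA Server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed stand-in for the Active Directory / LDAP user store.
USERS = {"alice": "correct horse"}


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the NUL padding is stripped afterwards."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def access_request(ident, username, password, secret):
    """What the VPN concentrator (NAS) sends to the MFA utility."""
    req_auth = os.urandom(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(head + request[4:20] + body + secret).digest()
    return head + resp_auth + body


def verify_response(resp, request, secret):
    """NAS side: trust a reply only if its authenticator matches the shared secret."""
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return resp[1] == request[1] and hmac.compare_digest(resp[4:20], expected)


def mfa_proxy(request, secret, second_factor):
    """First factor against the user store, then the push prompt. Any denial,
    timeout or error on the second step yields Access-Reject (fail closed)."""
    if request[0] != ACCESS_REQUEST:
        return response(ACCESS_REJECT, request, secret)
    attrs = dict(decode_attrs(request[20:]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pwd = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), pwd):
        return response(ACCESS_REJECT, request, secret)  # bad password: no push sent
    try:
        approved = second_factor(user) is True  # constructed stand-in for the push prompt
    except Exception:
        approved = False  # prompt timed out or MFA service unreachable: fail closed
    return response(ACCESS_ACCEPT if approved else ACCESS_REJECT, request, secret)


def demo(secret=b"s3cret"):
    """The four outcomes a practitioner would check; returns the response codes."""
    def timed_out(_user):
        raise TimeoutError("user never answered the push prompt")
    cases = {"approved": ("alice", "correct horse", lambda u: True),
             "denied": ("alice", "correct horse", lambda u: False),
             "timeout": ("alice", "correct horse", timed_out),
             "bad password": ("alice", "wrong", lambda u: True)}
    results = {}
    for name, (user, pwd, cb) in cases.items():
        req = access_request(7, user, pwd, secret)
        resp = mfa_proxy(req, secret, cb)
        assert verify_response(resp, req, secret)
        results[name] = resp[0]
    return results  # {'approved': 2, 'denied': 3, 'timeout': 3, 'bad password': 3}
```

Two design points worth noting. The push prompt is only sent after the password has been verified, so an attacker spraying passwords cannot flood users with prompts, and the only path to Access-Accept is an explicit `True` from the second factor; a timeout, an exception, or an unreachable MFA service all collapse to Access-Reject. The NAS, for its part, checks the Response Authenticator with the shared secret before honouring an Accept, so a reply injected by something that does not hold the secret is discarded.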
In our next blog we look at the issues surrounding password and account sprawl and the EMS solution for this problem – Microsoft’s Single Sign On.