Latest posts by Sander Berkouwer (see all)
Let’s start by discussing the basics.
Principles of multi-factor authentication ^
A primer on authentication
Authentication is the process of confirming the truth of an attribute of an entity—in short, confirming its identity. The most common attribute checked to confirm the identity of the person signing in with a user account (object) in networking environments is the password attribute.
In an Active Directory environment, logon credentials do not travel over the network unencrypted, and the password itself is never compared in clear text. When a person signs in, a one-way, irreversible conversion is applied to the password entered, resulting in a password hash. The domain controller holds the same hash in the password attribute of the user account object in the Active Directory database, and it is this stored hash that the logon is checked against (it serves as the key in NTLM's challenge/response and in Kerberos pre-authentication), so the password is considered correct only when the two hashes match. Because the stored hash is unsalted and is all that is needed to authenticate as the account, it must be protected as carefully as the password it stands in for.
The password attribute is a value that the person sets. It is:
- Something the person knows.
In addition to the password attribute, other authentication factors can be used today:
- Something the person can prove he/she has in physical possession.
Examples are hardware tokens, soft tokens, and phones. All of these provide the employee with a short-lived passcode that needs to be entered. The authenticating system holds the same secret (the seed enrolled on the token) and can therefore compute the expected passcode and perform the match. Smart cards also fall into this category: the employee proves possession of the card by having it sign a challenge with the private key belonging to the certificate on the card and presenting the result to the authenticating system.
- Something the person can prove he/she is.
Examples in this category are iris and fingerprint scans. The authenticating system compares the outcome of scanning the iris or fingerprint with the template captured during enrollment.
To make authentication more reliable and confirm the identity with far greater confidence, multiple authentication factors are combined. The most common approach is to keep authentication based on what an employee knows and add one of the other two factors.
Authentication systems can include multi-factor authentication in several ways. The most common method is to place an on-premises multi-factor component between the authenticating user and the authentication system: the component delegates the logon itself to the authentication system and relays the resulting token or claim to the user only after it has verified the additional authentication factor(s). This is often referred to as a hybrid implementation.
In such an implementation, when using authentication methods in the Something the person can prove he/she has category, the on-premises component needs to communicate with a cloud-based component to send the passcode to the employee and/or to receive the outcome of the authentication process. This cloud-based component can be as basic as an SMS gateway infrastructure or as functional as a true cloud service.
Azure Multi-Factor Authentication is a solution that leverages a cloud-based component, which is part of Azure.
Features, licensing, and suites ^
Now that we’ve covered the basics of authentication and what multi-factor authentication is, I think it’s time for a high-level view of the different Microsoft Azure Multi-Factor Authentication (Azure MFA) features per license and suite.
Let’s start by looking at the three ways you can put Microsoft’s Azure-based multi-factor authentication to good use for your organization:
- Office 365 Multi-Factor Authentication
- Azure Multi-Factor Authentication for Admins
- Azure Multi-Factor Authentication
Office 365 Multi-Factor Authentication
The first way your organization can put Microsoft’s Multi-Factor Authentication to good use is by enabling it for Office 365 identities.
Admins for organizations with Office 365 subscriptions can enable multi-factor authentication for their online and synced identities on a per-identity basis. This way, authentication to services in Office 365 can be implemented more reliably. Today, these services include:
- Exchange Online
- SharePoint Online
- Lync Online
- Dynamics CRM Online
- Project Online
- Office 2013 Pro Plus on-premises, activated as Office 365 with the benefit of Yammer
Its feature set is pretty decent and offers a range of second authentication factors, including the mobile app, a phone call, and a text message. For applications that access Office 365 services but do not (yet) support multi-factor authentication, app passwords are available: long, randomly generated passwords that are meant for one application each but let any client that presents them skip the second factor, so they should be handed out sparingly and revoked when no longer needed.
To make this work, Microsoft takes care of hosting both the Multi-Factor Authentication service (the online service that takes care of authentication: calling, texting, or communicating with the mobile app) and a hosted version of the Multi-Factor Authentication management endpoint for you to manage in the Azure portal.
Although Office 365 Multi-Factor Authentication is only available to secure access to Office 365, the good news is that Office 365 Multi-Factor Authentication is free of charge.
Azure Multi-Factor Authentication for Admins
Similar to Office 365 Multi-Factor Authentication, Microsoft offers free Multi-Factor Authentication for Azure Active Directory Global Administrators, if the Azure Active Directory has not yet been enabled for Azure Multi-Factor Authentication for users.
Azure Multi-Factor Authentication
For full multi-factor authentication functionality, Microsoft’s Azure Multi-Factor Authentication (Azure MFA) is the product of choice.
Beyond the technical functionality that the first two implementations provide, an implementation—hybrid by default—with this product offers:
- On-premises MFA Server implementation
An on-premises Multi-Factor Authentication Server offers the ability to help secure Virtual Private Networks (VPNs), Active Directory Federation Services (AD FS), Internet Information Services (IIS)-based web applications, Remote Desktop and other remote access applications using RADIUS, and LDAP authentication.
- Granular Multi-Factor Authentication
When using the Active Directory Federation Services (AD FS) adapter, Multi-Factor Authentication can be enforced granularly through AD FS additional authentication rules (written in the claim rule language) that combine groups, network location (inside or outside the corporate network), browsers, and operating systems.
- Reporting
This feature reports on sign-ins from unknown sources and sign-ins from multiple geographies.
Azure Multi-Factor Authentication is based on the cloud model. Updates and upgrades are free of charge and communicated beforehand.
Azure Multi-Factor Authentication as part of suites ^
Azure Multi-Factor Authentication (Azure MFA) can be licensed in four ways:
- Azure MFA per ten authentications
- Azure MFA per assigned user
- Azure MFA as part of Azure Active Directory Premium, per assigned user
- Azure MFA as part of the Enterprise Mobility Suite (EMS) license, per assigned user
Azure Multi-Factor Authentication (Azure MFA)
Although Office 365 Multi-Factor Authentication and Multi-Factor Authentication for Azure Admins are free, Azure Multi-Factor Authentication is a paid service. You can purchase Azure MFA in two models:
- Azure per-authentication pricing, where organizations would pay per ten authentication requests, regardless of the authentication method used
- True flat-fee pricing, where organizations would pay a fixed fee, per assigned user, per month. Licenses are assigned through the Azure portal.
Prices for both purchasing models are equal.
Azure Active Directory Premium
Organizations with Office 365 E3 subscriptions already have an Azure Active Directory Free subscription. As an alternative to purchasing Azure Multi-Factor Authentication, organizations can choose to upgrade their Azure Active Directory subscription to Azure Active Directory Premium. In addition to Azure MFA, Azure Active Directory Premium also offers:
- Self-Service Password Reset
Aside from the ability to change their Active Directory credentials through the MyApps portal, Azure Active Directory users with an assigned Premium license have access to the Self-Service Password Reset (SSPR) feature to reset their password, using any of the configured second authentication methods (phone call, SMS, app). For synchronized identities this requires password write-back to be configured; changed and reset passwords are then written back to the on-premises Active Directory and checked against its password and account lockout policies.
- Self-Service Group Management
In an Azure Active Directory with the Premium license assigned to at least one user, employees can create groups and manage group membership. This allows them to quickly create distribution lists. Policy controls for administrators and for owners of groups are available.
- Forefront Identity Manager server licenses and Client Access Licenses (CALs)
Azure Active Directory Premium comes with (unlimited) Forefront Identity Manager (FIM) server licenses and FIM Client Access Licenses (CALs) for the number of users the subscription is licensed and assigned to. These licenses allow organizations to implement Microsoft FIM to streamline workflow and/or automate user account (de)provisioning.
- Extensive reporting
In addition to the reporting found in the per-user or per-authentication subscriptions of Azure MFA, Azure Active Directory Premium also offers reporting on sign-ins from IP addresses with suspicious activity, irregular sign-in activity, users with anomalous sign-in activity, which users are most actively using an application, and what devices a user has signed in from.
- 99.9% uptime SLA
For Azure Active Directory Premium, Microsoft guarantees a financially-backed 99.9% uptime. The service is considered unavailable when it can’t receive or process authentication requests for the multi-factor authentication provider deployed in a customer subscription.
The Azure Active Directory Premium pricing model is a true flat-fee model, where organizations pay a fixed monthly fee per assigned user, regardless of the number of authentications. Licenses are assigned through the Azure portal.
Enterprise Mobility Suite
You can also purchase Azure Active Directory Premium as part of the Microsoft Enterprise Mobility Suite (EMS).
In addition to the Azure Active Directory Premium subscription, this subscription offers:
- Microsoft Intune
Microsoft Intune provides device management based on open standards such as OMA DM (Open Mobile Alliance Device Management). You can use this feature to manage device settings and application (un)installs on devices running iOS 7.1+, Android 2.3.4+, Windows Phone 8.0+, Windows RT, and Windows Vista+, regardless of the location of the device (internal network or Internet). Although Microsoft Intune may not be of particular interest to an organization, it does allow for a flexible way to purchase licenses for its on-premises System Center Configuration Manager (ConfigMgr) implementation, because it includes a ConfigMgr Server license and ConfigMgr Client Management Subscription Licenses (CSLs).
- Azure Rights Management Services
Organizations can leverage Azure Rights Management Services to automatically encrypt business files based on data classification on its file servers and SharePoint document libraries, as well as with Exchange Server.
Pricing for Azure Multi-Factor Authentication depends on the region in which the subscription is purchased.
Currently, Azure Active Directory Premium is roughly four times more costly compared to Azure Multi-Factor Authentication.
The Enterprise Mobility Suite (EMS) costs roughly nine times more, except when an organization has active Software Assurance (SA) within an Enterprise Agreement for the Professional Desktop or Enterprise Desktop. In that case, specifically, the EMS costs only two times more than Azure Multi-Factor Authentication, making it an outstanding offer.
In my next post I will discuss the MFA components and we will have a look at the traffic flows.