MFA Cloud or MFA Server – Depends on Where the Users Are

Part II: Where to setup your MFA?

In the previous blog ‘What Are You Trying to Secure with Azure MFA?’ we discussed the applications or websites that you are trying to secure with MFA. Here, let us discuss where are your users located? You can decide the right MFA solution by knowing where your users are.

  • What are you trying to secure?
  • Where are your users?
  • What are the features that you require?

Once you have figured out what exactly you are trying to secure for implementing MFA, you will need to know where your users are located? There’s a simple logic behind this.

If your users are in the Azure Active Directory, MFA in the cloud is option for you. If your users are in the on-premises Active Directory, then you must go for MFA Server.

However, the users can be in both Azure AD and the on-premises AD with the use of different applications (See the table below). There are specific cases and varying degrees of the user location, but the Active Directory remains central to the selection of your MFA choice.

User Location
MFA in the cloud
MFA Server
Azure Active Directory
Azure AD and on-premises AD using federation with AD FS
Azure AD and on-premises AD using DirSync. Azure AD sync. Azure Connect- no password sync
Azure AD and on-premises AD using DirSync. Azure Connect- with password sync
On-premises Active Directory

If the users are in Azure Active Directory and on-premises Active Directory using the federation with ADFS, you must opt for MFA in the cloud.
The users can be in Azure AD and on-premise AD using synchronization tools like DirSync, Azure AD Connect, Azure AD Sync.

The synchronization tools mentioned above are used in making copies of a local directory in a hybrid cloud deployment of Microsoft Exchange, for example.

If your password is NOT synchronized along with the data, you must choose MFA in the cloud. You might not want your passwords on cloud right, which ultimately defeats the purpose of secure MFA?

But if your password is synchronized along with the data, you might want to choose for MFA Server option, which doesn’t take your data to cloud.

Here, we have discussed about the location of users. Now let us discuss the features that you require in the concluding part (Part 3): The features of Azure MFA – all you need to know.

Comments are closed.