Part I – Where to set up your MFA: in the cloud or on an on-premises server
As discussed in an earlier blog post, ‘Azure Multi-Factor Authentication (MFA) Overview’, Multi-Factor Authentication (MFA) is an important tool for safeguarding your data and applications while still meeting the user demand for a simple sign-in process. Microsoft’s cloud platform, Azure, also provides an MFA service. The question is: where should the MFA service run when you use it with Azure?
There are two options where a customer can choose to implement their MFA with Azure:
- MFA Server – an on-premises solution that you install and maintain
- MFA in the cloud – a cloud-based solution maintained by Microsoft
What will you choose?
There are three questions you need to answer before you choose between these two options:
- What are you trying to secure?
- Where are your users?
- What are the features that you require?
You are implementing MFA because there is a specific thing you want to secure. Is it an application? A website? A payment gateway? A financial application? A remote access system? It can be anything that needs an added layer of security on top of what it already has.
The first and foremost question therefore remains: what are you trying to secure? The answer determines which Azure MFA deployment method is the best fit.
Please have a look at the table below:
|What are you trying to secure?|MFA in the cloud|MFA Server|
|---|---|---|
|First-party Microsoft apps|Yes|Yes|
|SaaS apps in the app gallery|Yes|No|
|Web applications published through Azure AD App Proxy|Yes|No|
|IIS applications not published through Azure AD App Proxy|No|Yes|
|Remote access such as VPN, RDG|Yes|Yes|
First-party Microsoft apps
First-party applications from Microsoft can be secured with both MFA in the cloud and the MFA Server. First-party applications are Microsoft’s own direct offerings, such as Office, Project, Publisher, Outlook Web App, Calendar and many more.
SaaS applications in the app gallery
SaaS applications in the Azure Active Directory application gallery, such as Office 365, Box and Salesforce, can be secured only with MFA in the cloud, not with the MFA Server.
Web applications published through Azure AD App Proxy
Web applications that are published through Azure Active Directory App Proxy can be secured only with MFA in the cloud, not with the MFA Server.
IIS applications not published through Azure AD App Proxy
IIS applications that are not published through Azure AD App Proxy can be secured only with the MFA Server, not with MFA in the cloud.
Remote access such as VPN, RDG
Remote access systems such as Virtual Private Networks (VPN) and Remote Desktop Gateway (RDG) can be secured with both MFA in the cloud and the MFA Server.
Now that you have decided what you are trying to secure, we will look at the next question in the next blog post, ‘MFA Cloud or MFA Server – Depends on Where the Users Are’.