MFA in Azure for a hybrid org

Hello Experts,

I would like to get your thoughts about implementing MFA in Azure for a Hybrid Organization [Azure- AD on-prem].

I'd like to see the options for two and three factor and understand if we can choose our own combinations (Captcha, Text to Phone, Alternate email).

Can you please provide a brief explanation of all my different choices, and a nice graph or pic of each representation? Please, do not only attach MS links on how to deploy MFA, and a single copy/paste?

PROS and CONS of each model to be implemented? Any gotchas on each option?

Thanks in advance
Jerry Seinfield asked:

Vasil Michev (MVP) commented:
Two-factor is the maximum you can get, and users have control over which method to use with Azure MFA. With the on-prem version you get the option to control which method they can use, but you are still limited to two-factor, that's including any other AD FS based 2FAs.

The methods you can choose from are phone call, SMS or using the app (and using a token in the on-prem version, you can also use SMS+PIN). There are no built-in methods to use a captcha or email address, but you can use the API to create such if needed.
You cannot enforce more than two methods for MFA.

The security question method will increase helpdesk calls.

Phone auth (call / OTP) is the best method to implement MFA with few or no helpdesk calls.

There are two types of MFA if you are also using O365 services:
MFA with modern authentication
MFA with "app password"

If Modern Authentication (MA) is enabled at the O365 tenant level, you will get the same MFA experience with browser-based / non-browser-based apps.
Note - the app should support Microsoft ADAL 2 / REST API.
Outlook 2013 SP1 with some patches and later Office versions are MA-enabled applications and can do MFA in the same way as you do for OWA.
Earlier versions do not support ADAL 2 / REST API, and you have to generate a 16-digit random app password for users, and Outlook will cache that password.

If you don't enable MA on the O365 tenant, all non-browser-based clients need to store an app password, which is annoying for users and admins.

So the bottom line is:
If you are using Office 365 with older Outlook clients (pre Office 2013 SP1), you have to deal with app password complexity.

Not all scenarios can be explained here; you need to decide what apps you have and the impact of MFA on those.
If you have an on-premises application which needs to be secured with MFA, you need to install Azure MFA Server on premises in addition to the AD FS servers.

There are lots of PPTs / videos I have seen from MSDN for you to prepare your slides / presentation.
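Added example (not part of the thread, and not Microsoft's own tooling): a PowerShell audit that checks the two things the answer above hinges on, whether Modern Authentication is enabled at the tenant level (the app-password question) and which per-user MFA state and default method each account has. It assumes the MSOnline and ExchangeOnlineManagement modules are installed and that the signed-in account can read organization and user configuration.

```powershell
# Added example: audit tenant Modern Authentication and per-user Azure MFA state.
# Assumption: MSOnline and ExchangeOnlineManagement modules are installed and the
# account used has read access to organization config and user objects.
Import-Module MSOnline
Import-Module ExchangeOnlineManagement

Connect-MsolService
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-level Modern Authentication (OAuth2). When this is $false, non-browser
#    clients such as pre-2013 SP1 Outlook cannot get an MFA prompt and fall back to
#    cached app passwords, which is the complexity the answer warns about.
$orgConfig  = Get-OrganizationConfig
$modernAuth = $orgConfig.OAuth2ClientProfileEnabled
Write-Host "Modern Authentication enabled at tenant level: $modernAuth"
if (-not $modernAuth) {
    Write-Warning "Legacy clients will need app passwords. Enable MA with: Set-OrganizationConfig -OAuth2ClientProfileEnabled `$true"
}

# 2. Per-user MFA state and registered methods. StrongAuthenticationRequirements.State is
#    'Enabled' or 'Enforced' (empty when MFA is off); MethodType is one of the built-in
#    methods the thread lists (OneWaySMS, TwoWayVoiceMobile, PhoneAppOTP, PhoneAppNotification).
$report = Get-MsolUser -All | ForEach-Object {
    $state   = ($_.StrongAuthenticationRequirements | Select-Object -First 1).State
    $default = ($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = if ($state) { $state } else { 'Disabled' }
        DefaultMethod     = $default
        MethodCount       = @($_.StrongAuthenticationMethods).Count
    }
}

# Accounts that are not yet enforced (MFA can still be bypassed by a password-only sign-in)
Write-Host "`nUsers without enforced MFA:"
$report | Where-Object { $_.MfaState -ne 'Enforced' } | Format-Table -AutoSize

# Accounts whose default method is SMS, the weakest of the built-in options; the thread
# recommends phone call / OTP (app) instead
Write-Host "`nUsers defaulting to SMS:"
$report | Where-Object { $_.DefaultMethod -eq 'OneWaySMS' } | Format-Table -AutoSize

# Distribution of default methods across the tenant
Write-Host "`nDefault method distribution:"
$report | Group-Object DefaultMethod | Select-Object Name, Count | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it read-only first; the only write it suggests (enabling Modern Authentication) is printed, not executed, and should be tested against the older Outlook clients the answer mentions before flipping it.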

