MFA in Azure for a hybrid org

Jerry Seinfield
Jerry Seinfield used Ask the Experts™
Hello Experts,

I would like to get your thoughts about implementing MFA in Azure for a Hybrid Organization [Azure- AD on-prem].

Id like to see the options for two and three factor and understand if we can choose our own combinations (Captcha, Text to Phone, Alternate email).

Can you please provide a brief explanation of all my different choices, and a nice graph or pic of each representation ? Please, do not only attach MS links on how to deploy MFA, and a single copy/paste?

PROS and CONS of each model to be implemented? Any gotchas on each option?

Thanks in advance
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Most Valuable Expert 2015
Distinguished Expert 2018

Two-factor is the maximum you can get, and users have control over which method to use with Azure MFA. With the on-prem version you get the option to control which method they can use, but you are still limited to two-factor, that's including any other AD FS based 2FAs.

The methods you can choose from are phone call, SMS or using the app (and using a token in the on-prem version, you can also use SMS+PIN). There are no built-in methods to use a captcha or email address, but you can use the API to create such if needed.
Distinguished Expert 2018
you cannot enforce more than two methods for MFA

security question method will increase helpdesk calls

Phone auth (call / OTP) is the best method to implement MFA with less or no helpdesk calls

There are two types of MFA if you also using O365 services
MFA with modern authentication
MFA with "app password"

If Modern authentication (MA) is enabled in O365 tenant level, you will get same MFA experience with browser based / non bowser based apps
Note - App should support Microsoft ADAL 2 / REST API
Outlook 2013 SP1 with some patch and above office versions are MA enabled applications and can do MFA same like you do for OWA
Earlier versions do not support ADAL 2 / REST API and you have to generate 16 digit random app password for users and outlook will cache that password

If you don't enable MA with O365 tenant, all non browser based clients need to store app password which is annoying for users and admins

So bottom line is:
If you are using Office 365 with older outlook clients (pre office 2013 SP1, you have to deal with app password complexity

Not all scenarios can be explained here, you need to decide what apps you have and impact of MFA on those
If you have on premise application which need to be secured with MFA, you need to install Azure MFA server  on premise in addition to Adfs servers

There are lots off PPT / videos I seen from MSDN for you to prepare your slides / presentation


Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial