Enable MFA/2FA for AD/AzureAD

We are starting to get prepared for MFA/2FA for our network but I am a little confused. We currently have an in-house AD but we also have O365 with AD Connect syncing our AD data to Azure AD since we want SSO for Office and our email (we use Exchange Online).

I'm not sure if I am using the Azure AD MFA or if I need to use a third party. I've also heard that once you enable MFA/2FA your apps will now need some sort of app password or something?

We currently use Windows 2012 R2 for our AD and it's in 2008 forest/domain mode.

thank you.
LVL 2
msidnamAsked:

Cliff GaliherCommented:
So what, specifically are your questions? You have a bit of background, but you aren't clear on your intent. It also sounds like you aren't familiar with the underlying technologies so you have a bit of word salad going on.

Experts here are very capable of offering help. But nobody can operate in a vacuum.
0
msidnamAuthor Commented:
I'll try to be more clear.

The first thing is where to start? We have an on-prem AD. We use AD Connect to send that data to O365 as we use several apps (Teams, Yammer, SfB, Exchange, etc.) as well as Office.

Am I to create an MFA setup from my O365 admin center/Azure AD or from my on-prem AD? If it's on-prem, am I to use a third party, or does activating the O365 MFA also roll down to my on-prem AD? How would my users now log on to workstations or the RDP farm, current O365 apps, etc.?

I am familiar with MFA but I have never set it up in my environment before. Is one way better than the other? Can I set up only a few users to test or is it all or nothing? Do I need another server that hosts the MFA?

Sorry for the word salad, but I just need a little guidance on where to start: is this done on on-prem AD, Azure AD, or a third party, what to look out for (I heard that having MFA you would need app passwords, which is a pain), what if users lose their phone or the email address that they use for MFA. The list goes on but I was trying not to make it even more confusing.

Thank you.
0
Cliff GaliherCommented:
"Am I to create an MFA setup from my O365 admin center/Azure AD or from my on prem AD?"

Both are options available to you.  Which you choose depends on your BUSINESS needs.  Then choose the technical solution that meets that need.

"If its on prem am I to use a third party, or does activating the O365 MFA also roll down to my on prem AD?"

O365 offers no on-prem option. Azure MFA does have an on-prem MFA server, but it is not a part of O365.

"How would my users now log on to workstations or RDP farm, current O365 apps, etc."

That depends on how you set it up. There are many options.

"Is one way better than the other?"

Yes and no.  One way is better for some business needs.  Another way is better for a different set of business needs.  So they aren't "all the same" but there is not one "universal" better option (or there wouldn't be other options!)  There are only better options for specific use cases.

"Can i setup only a few users to test or is it all or nothing?"

Most MFA solutions, including O365 and Azure MFA, allow gradual onboarding.

"Do I need another server that hosts the MFA?"

For O365? No.  For Azure? It is an option, but not a requirement.  For 3rd party? Depends on the chosen 3rd party.
0
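The gradual-onboarding point above (turn MFA on for a handful of pilot users before anyone else) in working form. This is an added example, not code from the thread or from Microsoft's documentation: it uses the per-user MFA settings of the legacy MSOnline PowerShell module, assumes that module is installed and that you sign in as a global administrator, and the pilot UPNs are constructed placeholders. In the Enabled state a user is asked to register a method at their next sign-in and older clients keep working; only once a user is moved to Enforced does MFA apply to every sign-in, and that is the point at which clients that cannot do modern authentication need app passwords. The report function shows which pilot users have actually registered a method, which is what you want to confirm before moving them to Enforced.

```powershell
# Added example (not from the thread): pilot per-user Azure MFA for a few synced accounts
# with the legacy MSOnline module. Assumes Install-Module MSOnline has been run and that
# Connect-MsolService is answered with a global administrator account.
Import-Module MSOnline
Connect-MsolService

# Constructed placeholder UPNs for the pilot group; replace with real synced users.
$pilotUsers = @(
    'pilot.user1@contoso.example',
    'pilot.user2@contoso.example'
)

function Set-PilotMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State = 'Enabled'
    )
    if ($State -eq 'Disabled') {
        # An empty requirement set switches per-user MFA off again (pilot rollback).
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'   # apply to all relying parties, not a single application
    $req.State = $State       # 'Enabled' = register at next sign-in; 'Enforced' = MFA required now
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-MfaRegistrationReport {
    param([Parameter(Mandatory)][string[]]$UserPrincipalNames)
    foreach ($upn in $UserPrincipalNames) {
        $u = Get-MsolUser -UserPrincipalName $upn
        # StrongAuthenticationRequirements is empty when per-user MFA is off for the account.
        $state = 'Disabled'
        if ($u.StrongAuthenticationRequirements.Count -gt 0) {
            $state = $u.StrongAuthenticationRequirements[0].State
        }
        # StrongAuthenticationMethods stays empty until the user completes registration;
        # do not move a user to Enforced while this is still empty.
        $methods = @($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
        $default = $u.StrongAuthenticationMethods | Where-Object { $_.IsDefault } |
                   Select-Object -ExpandProperty MethodType
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            MfaState          = $state
            RegisteredMethods = ($methods -join ',')
            DefaultMethod     = $default
        }
    }
}

# Step 1: enable (not enforce) the pilot users so they are prompted to register.
foreach ($upn in $pilotUsers) {
    Set-PilotMfaState -UserPrincipalName $upn -State 'Enabled'
}

# Step 2: after they have signed in, check who registered before moving anyone to Enforced.
Get-MfaRegistrationReport -UserPrincipalNames $pilotUsers | Format-Table -AutoSize
```

Run the enable loop once, give the pilot users a day to sign in and register, then run the report; a user whose RegisteredMethods column is still empty has not finished setup and should stay at Enabled. MSOnline is the legacy module, so a newer tenant may need the equivalent settings through the Microsoft Graph PowerShell module instead.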

Cliff GaliherCommented:
" List goes on but i was trying not to make it even more confusing. "

Which is the problem.  EE is a *great* resource if you are stuck on a specific thing. But asking questions in a forum is not a great way to learn an entirely new concept or get a ton of information quickly.  There are other educational tools better purposed for that goal.  There are books. There are white papers.  White papers are particularly useful because you get to read what the BUSINESS needs were and why the company chose the technical solutions they did.  If you read a white paper where the business need was nowhere near yours, then their technical solution and considerations likely won't apply to you.  Securing Pentagon internal machines where cell phones aren't allowed is a wholly different proposition than wanting to allow mobile workers remote access with authentication FOBs.  Reading why Company X chose FOB Y when you want to completely isolate your network wouldn't be helpful.

Which really gets to the crux: the level of detail you want would turn into a book or white paper here. Which, due to constraints on time, space, and text boxes, isn't particularly practical.  My honest suggestion to you is to read.  A lot.  Grab MS white papers. Grab 3rd party white papers. Implement a solution that you are comfortable with AFTER doing that research.  Or hire an expert in that particular field if you don't have the time to invest in the research.  That's my suggestion anyway.
0