SSO and MFA

Nowadays, if you use a home banking portal or an online service from a provider such as Microsoft, Apple, or Google (to name just a few), you already know that authenticating for certain services takes more than entering a username and password: an extra level of security is required. Authentication then includes an additional step, which normally requires you to:

  • Enter your credentials
  • Provide a trusted device you own
  • Receive a security code on the trusted device
  • Enter this code on the login page in order to complete the authentication

Azure provides these features via the Azure MFA service.

Azure MFA is a scalable and reliable solution (SLA 99.9%) that provides a two-step verification mechanism for authentication on Azure. It can be integrated with your on-premise Active Directory and with your custom applications and it's very easy to set up.

When Azure MFA is active and a user logs into an application, the second step of authentication is sent to the user. There are different verification methods with Azure MFA, which are explained as follows:

  • Phone call: The user receives a call on the registered phone number and must then enter a PIN and press #.
  • Text message: The user receives a text message on the registered mobile phone with a 6-digit code that must then be inserted into the login page.
  • Mobile app notification: A verification message is sent to the user's registered mobile phone. The user needs to enter a PIN and then click on a Verify button in the mobile app.
  • Mobile app verification code: The mobile app on the user's phone displays a verification code (changes every 30 seconds). The user has to insert this code in the login page in order to be authenticated.
  • Third-party authentications: You can configure Azure MFA to use other third-party verification methods.

These methods can be configured by users.
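The mobile app verification code described above is a time-based one-time password (TOTP, RFC 6238): the code is an HMAC over the current 30-second window, so the phone and the verifying service only need a shared secret and roughly synchronised clocks. The following example is added here and is not Microsoft's or the book's code; it assumes the RFC 6238 reference secret (ASCII "12345678901234567890") so the output can be checked against the RFC's published test vectors, and it shows both how the code is derived and how a verifier should check it (a small clock-drift window, and no replay of a window that was already accepted).

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # the window the page describes: the code changes every 30 seconds
DIGITS = 6          # Azure MFA shows a 6-digit code

# Assumed shared secret: the RFC 6238 reference value, used here only so the
# results match the RFC test vectors. A real secret is random and provisioned
# to the phone once (typically via a QR code).
REFERENCE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts the current window plus `drift_steps` windows on either side to
    tolerate clock drift, and records the newest accepted window so that the
    same (or an older) code cannot be replayed."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # window already consumed: reject replay
            # constant-time comparison so timing does not leak the expected code
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False
```

A hardware or phone token is not needed to experiment: `totp(REFERENCE_SECRET, 59)` yields the last six digits of the RFC 6238 SHA-1 test vector for T = 59.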

Azure MFA is offered at three different main levels:

  • Multifactor Authentication for Office 365: This works only with Office 365 applications, managed from the Office 365 portal. This is totally free of charge.
  • Multifactor Authentication for Azure AD Administrators: This is a feature that is free of charge for users who have the Global Administrator role in Azure AD tenants assigned.
  • Azure Multifactor Authentication (full): This includes the Azure Active Directory Premium and Enterprise Mobility plus Security plans. It's configurable via the Azure portal and can be activated in the cloud or on-premise.

For a feature comparison between these MFA versions, I recommend checking this link: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-versions-plans

From the Azure portal, you can set up MFA for a user in two different ways:

  • MFA always enabled for the user: Every time the user performs a login request, they need to perform a two-step verification (the only exception is if the login is performed from a trusted IP).
  • MFA enabled with a conditional policy: You can define a rule for the user (or for a group), and two-step verification is required only if the rule condition is met. This method works only with Azure MFA in the cloud.

With Azure MFA active on Azure, a user can be in one of the following states:

  • Disabled: The user is not active with Azure MFA. This is the default state.
  • Enabled: The user has the Azure MFA feature activated but has not yet registered. At the next login, they will receive a prompt to register with MFA.
  • Enforced: The user has the Azure MFA feature active and the registration process is completed.