To help secure access to critical data and applications, it may be necessary to use multifactor authentication, which generally requires at least two of the following verification methods:
- Something you know (typically a password).
- Something you have (a unique device that is not easily duplicated, such as a phone).
- Something you are (biometrics: a recognition system that identifies a person based on one or more biological or behavioral characteristics).
Microsoft lets you adopt a two-factor authentication solution with Azure Multi-Factor Authentication (MFA), which adds a second verification method to the authentication process. With this solution the following additional authentication factors can be configured:
- Phone call: a call is placed to the phone registered for the user. The user is prompted to answer the call and to confirm access by pressing the # key or entering a PIN code.
- Text message (SMS): an SMS containing a 6-digit PIN code is sent to the user's mobile phone; the code must be entered during the authentication process.
- Notification via Mobile App: a challenge is sent to the user's smartphone through the Mobile App and must be approved by the user to complete the authentication process.
- Verification code via Mobile App: in this case the Mobile App on the user's smartphone generates a 6-digit code every 30 seconds. The user then enters the most recent code at the time of authentication.
- Third-party OATH token: Azure Multi-Factor Authentication can be configured to accept verification methods provided by a third-party solution.
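The "6-digit code every 30 seconds" method and third-party OATH tokens both rely on the time-based one-time password scheme (RFC 6238 TOTP over RFC 4226 HOTP). The following PowerShell script is an added example, not code from the article or from Microsoft, showing how such a code is derived from a shared secret and the current time, and how a verifier accepts it with a small clock-drift window. The base32 secret, the Unix times and the function names are the example's own; the secret decodes to the RFC 6238 reference key "12345678901234567890".

```powershell
# Added example (not from the article): derive and verify a 6-digit, 30-second TOTP code.

function ConvertFrom-Base32 {
    # Authenticator apps and OATH tokens are provisioned with a base32 secret; decode it to raw bytes.
    param([string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Base32.ToUpper().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid base32 character '$c'" }
        $bits += [Convert]::ToString($idx, 2).PadLeft(5, '0')
    }
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-TotpCode {
    # HMAC-SHA1 over the 8-byte big-endian time-step counter, dynamic truncation (RFC 4226 5.3),
    # then reduce modulo 10^Digits and left-pad with zeros.
    param([byte[]]$Key, [long]$UnixTime, [int]$Step = 30, [int]$Digits = 6)
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Key)
    $hash = $hmac.ComputeHash($msg)          # 20 bytes
    $offset = $hash[19] -band 0x0F
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
              ([int]$hash[$offset + 1] -shl 16) -bor
              ([int]$hash[$offset + 2] -shl 8) -bor
              [int]$hash[$offset + 3]
    $modulus = [int][math]::Pow(10, $Digits)
    return ($binary % $modulus).ToString().PadLeft($Digits, '0')
}

function Test-TotpCode {
    # Accept the code for the current step or its immediate neighbours (Window) to tolerate clock
    # drift. A larger window extends how long a captured code stays usable, so keep it small.
    param([byte[]]$Key, [string]$Code, [long]$UnixTime, [int]$Window = 1, [int]$Step = 30)
    for ($d = -$Window; $d -le $Window; $d++) {
        $candidate = Get-TotpCode -Key $Key -UnixTime ($UnixTime + $d * $Step) -Step $Step
        if ($candidate -ceq $Code) { return $true }
    }
    return $false
}

# Demo (constructed): the RFC 6238 reference secret, checked at T=59 against the 6-digit code the
# RFC's Appendix B lists for that instant, then 60 seconds later, outside the one-step window.
$key = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
Write-Host ("Code at T=59: {0}" -f (Get-TotpCode -Key $key -UnixTime 59))
Write-Host ("Accept 287082 at T=59:  {0}" -f (Test-TotpCode -Key $key -Code '287082' -UnixTime 59))
Write-Host ("Accept 287082 at T=119: {0}" -f (Test-TotpCode -Key $key -Code '287082' -UnixTime 119))
```

The verifier side is where the security decisions live: the comparison is case-sensitive and exact, the window is one step either side by default, and a real service would additionally remember the last step it accepted for a user so that a code cannot be replayed inside the window.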
The Azure Multi-Factor Authentication (MFA) provides for two possible deployment models:
- MFA as a solution entirely in the Cloud.
- MFA Server installed and configured on on-premises systems.
To identify the most appropriate deployment model you need to consider several aspects: what you are securing, where the users who need access to your solution are located, and which features you really need.
What are you trying to protect?
This is the first question you should ask yourself, and its answer may already point to a specific deployment model. If there is a need to enable two-factor authentication for IIS applications that are not published through the Azure App Proxy, or for remote access solutions (VPN or Remote Desktop Gateway), you must use the Azure MFA Server deployed on on-premises systems.
Figure 1 – What is secured by MFA
Where are the users located?
Another important aspect to consider is where the users are located, based on the identity model adopted, as shown in Figure 2.
Figure 2 – Location of users
What features are needed?
Depending on the type of deployment selected (MFA in the cloud or MFA on-premises), different features are available, which may lead you to choose one model over the other, as shown in Figure 3.
Figure 3 – Features available in the two MFA models
Requirements for the use of MFA
In order to use Azure Multi-Factor Authentication (MFA) you must have access to an Azure subscription. If you want to test the service you can use an Azure trial subscription.
The hardware requirements for the Azure Multi-Factor Authentication Server are minimal (200 MB of disk space and 1 GB of RAM), while the software requirements are the following:
- Operating system: Windows Server 2008 R2 or later
- Microsoft .NET Framework 4.0
- IIS 7.0 or later, if you want to install the User Portal or the Web Service SDK
Each MFA Server must be able to communicate outbound on port 443 to the following web addresses:
- HTTPS://pfd.phonefactor.net
- HTTPS://pfd2.phonefactor.net
- HTTPS://css.phonefactor.net
Also, if there are firewall policies that block outbound traffic on port 443, you must open the IP address ranges documented in the section "Azure Multi-Factor Authentication Server firewall requirements" of Microsoft's official documentation.
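A quick way to confirm from the MFA Server itself that the three endpoints above are reachable on TCP 443 before activation is attempted. This is an added example, not part of the article or of the Azure MFA Server product; it uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also runs on the Windows Server 2008 R2 minimum the page lists, and the function name, the timeout value and the report layout are the example's own.

```powershell
# Added example (not from the article): verify outbound TCP 443 reachability to the Azure MFA endpoints.
$endpoints = 'pfd.phonefactor.net', 'pfd2.phonefactor.net', 'css.phonefactor.net'

function Test-MfaEndpoint {
    # Attempt a TCP connect with a bounded timeout and report the outcome as an object.
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return New-Object PSObject -Property @{ Host = $HostName; Port = $Port; Reachable = $false; Detail = "timeout after ${TimeoutMs} ms" }
        }
        $client.EndConnect($async)   # throws SocketException if the connection was refused or reset
        return New-Object PSObject -Property @{ Host = $HostName; Port = $Port; Reachable = $true; Detail = 'connected' }
    } catch {
        # Typical causes: DNS failure, firewall drop, or proxy-only egress
        return New-Object PSObject -Property @{ Host = $HostName; Port = $Port; Reachable = $false; Detail = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

$results = foreach ($e in $endpoints) { Test-MfaEndpoint -HostName $e }
$results | Select-Object Host, Port, Reachable, Detail | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} endpoint(s) unreachable on 443: {1}" -f $blocked.Count, (($blocked | ForEach-Object { $_.Host }) -join ', '))
}
```

A successful TCP connect only proves the firewall path; if egress goes through an explicit proxy, the proxy settings of the account the MFA Server service runs under must be checked separately.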
Azure Multi-Factor Authentication in the cloud
Enabling MFA in the cloud scenario is very simple and is done per user. To do so, open the Azure Active Directory service from the Azure Portal, as shown in Figure 4:
Figure 4 – Step 1: enabling MFA to the cloud
After selecting the directory, in the "Users and groups" section select "Multi-Factor Authentication":
Figure 5 – Step 2: enabling MFA to the cloud
You will be redirected to another website where, by selecting the specific user (Figure 6), you can enable MFA:
Figure 6 – Step 3: enabling MFA to the cloud
At this point the user is enabled for MFA. The same thing can also be done by selecting multiple users at once, and from the same portal you can configure the various settings of Azure Multi-Factor Authentication. For more details I invite you to consult Microsoft's official documentation.
The same thing can be accomplished with the Azure PowerShell cmdlets, which allow you to easily enable MFA for multiple users with just a few lines of code, as shown in the following example:
Import-Module MSOnline      # Azure AD (MSOnline) PowerShell module that provides the Msol cmdlets
Connect-MsolService         # sign in with an Azure AD administrator account
$users = "user1@ugisystemcenter.org","user2@ugisystemcenter.org","user3@ugisystemcenter.org"
foreach ($user in $users)
{
    # Build the MFA requirement: apply to all relying parties ("*") with state Enabled
    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    # Apply the requirement to the user
    Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
}
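Before enabling MFA in bulk it is useful to know which users already have a requirement set, and to drive the change from a reviewed list rather than from literals in the script. The script below is an added example, not code from the article or from Microsoft, built on the same MSOnline cmdlets and StrongAuthenticationRequirement object as the snippet above. It reports every user whose MFA state is still Disabled, then enables MFA only for the users listed in a CSV with a UserPrincipalName column; the CSV path, the function names and the report columns are the example's own.

```powershell
# Added example (not from the article): audit MFA state across the tenant, then enable it for a CSV list.
Import-Module MSOnline
Connect-MsolService   # prompts for Azure AD administrator credentials

function Get-MfaState {
    # Summarise one MsolUser: state is Disabled, Enabled or Enforced, taken from the first requirement
    param([Parameter(ValueFromPipeline = $true)]$User)
    process {
        $req = @($User.StrongAuthenticationRequirements)
        $state = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }
        New-Object PSObject -Property @{
            UserPrincipalName = $User.UserPrincipalName
            MfaState          = $state
            MethodsRegistered = @($User.StrongAuthenticationMethods).Count
        }
    }
}

function Enable-MfaForUser {
    # Same requirement object the article uses: all relying parties, state Enabled
    param([string]$UserPrincipalName, [switch]$WhatIf)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    if ($WhatIf) { Write-Host "Would enable MFA for $UserPrincipalName"; return }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# 1. Report: every user in the tenant still without an MFA requirement
$report = Get-MsolUser -All | Get-MfaState
$report | Where-Object { $_.MfaState -eq 'Disabled' } |
    Sort-Object UserPrincipalName |
    Select-Object UserPrincipalName, MfaState, MethodsRegistered |
    Format-Table -AutoSize

# 2. Enable MFA for the reviewed list (placeholder path; the CSV has a UserPrincipalName column),
#    skipping accounts that are already Enabled or Enforced so their state is not downgraded
Import-Csv -Path '.\mfa-users.csv' | ForEach-Object {
    $current = Get-MsolUser -UserPrincipalName $_.UserPrincipalName | Get-MfaState
    if ($current.MfaState -eq 'Disabled') {
        Enable-MfaForUser -UserPrincipalName $_.UserPrincipalName
    } else {
        Write-Host "$($_.UserPrincipalName) is already $($current.MfaState), skipping"
    }
}
```

Run the second step first with -WhatIf on Enable-MfaForUser to see which accounts would change; the skip branch matters because writing an Enabled requirement over an Enforced user would relax that user's state.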
Azure Multi-Factor Authentication on-premises
On-premises deployment of the Azure Multi-Factor Authentication Server requires you to download the setup installer directly from the Azure Portal. If you want to deploy Azure Multi-Factor Authentication as a standalone service, with per-user or per-authentication billing options, you need to create a new Multi-Factor Auth Provider in the Classic Azure Portal (this feature will soon be available in the new Azure Portal).
Figure 7 – Creating a new Multi-Factor Auth Provider
By selecting the Manage button you will be redirected to the Azure Multi-Factor Authentication Portal (Figure 8), from where you can download the setup and generate the service activation credentials.
Figure 8 – Multi-Factor Authentication Server download and credential generation
If you want to use the license bundled with Enterprise Mobility Suite, Azure AD Premium or Enterprise Cloud Suite, it is not necessary to create a Multi-Factor Auth Provider: simply log into the Azure Multi-Factor Authentication Portal to download the setup directly.
Once you have the setup, you can install the Azure MFA Server. During setup you will only be asked for the installation path (Figure 9).
Figure 9 – Setup Azure MFA Server
Figure 10 – Setup Azure MFA Server
At this point you must run the Multi-Factor Authentication Server you just installed, which will guide you through the activation process.
Figure 11 – Starting Multi-Factor Authentication Server
Figure 12 – Step 1: How to activate Multi-Factor Authentication Server
On the following screen you must enter the activation credentials generated from the Azure Multi-Factor Authentication Portal (see Figure 8).
Figure 13 – Step 2: How to activate Multi-Factor Authentication Server
After completing the first server configuration wizard, you can start the Azure MFA Multi-Server Configuration Wizard (Figure 14) to enable replication across multiple servers and configure a highly available Azure MFA service.
Figure 14 – Multi-Server MFA Configuration Wizard
In the scenario where the Multi-Factor Authentication Server is enabled on multiple systems, the Azure MFA servers communicate with each other via RPC calls, and to make sure this happens securely they must authenticate each other. This authentication can occur either through membership in a specific Active Directory security group (named Phone Factor Admins) or through the use of SSL certificates.
Now that the Azure MFA Server is configured, you can easily import users from Active Directory (Figure 15) and enable the desired two-factor authentication method.
Figure 15 – Import users from Active Directory
When using Azure Multi-Factor Authentication (MFA) Server, it is worth specifying that user data is stored on on-premises systems and no data is stored permanently in the cloud. When a user goes through the multi-factor authentication process, the Azure MFA Server sends the following data to the Azure MFA cloud service for verification and reporting purposes:
- Unique ID of the user (username or internal MFA Server ID)
- First and last name (optional)
- Email address (optional)
- Phone number (in the case of a phone call or SMS)
- Device token (when using authentication via mobile app)
- Authentication method
- Authentication result
- Name and IP address of the Azure MFA Server
- Client IP (if available)
- Verification result (success or denied) and the reason if denied
In addition to a one-off import of the users from Active Directory on which you want to enable two-factor authentication, you can integrate the Azure MFA Server with the Active Directory directory service and set up a targeted, scheduled import of users according to certain criteria. For details please see the official documentation on directory integration between Active Directory and Azure MFA Server.
Licensing models of the solution
Azure Multi-Factor Authentication is available as a standalone service, with per-user or per-authentication billing options, or bundled with Azure AD Premium, Enterprise Mobility Suite and Enterprise Cloud Suite. Azure Multi-Factor Authentication is available through a Microsoft Enterprise Agreement, the Open Volume License program, the Cloud Solution Provider program and a direct contract, with an annual per-user model. The service is also available with a consumption-based model, per user or per authentication, billed monthly against the Azure monetary commitment.
For more information on the costs of the solution, consult the following document: Multi-Factor Authentication pricing.
Conclusions
Azure Multi-Factor Authentication is an easy-to-use, scalable and reliable solution that lets you introduce a second validation method so that users can access your data and applications more securely, whether they reside on-premises or in the cloud. Those interested in trying the service can easily activate a free Azure subscription by going to the Azure Free Trial.