
Thanks in advance for reading this.

I want to require users to use the Azure mobile app for multifactor authentication when they log on to their Office 365 mailboxes. I do not need to use MFA to secure any other resources. I have ADFS on Windows 2012 R2 deployed on-premises today.

Do I need to install the on-premises multifactor authentication server? Or can I just configure ADFS as described at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-adfs#secure-azure-ad-resources-using-ad-fs and not install the multifactor authentication server? I would prefer to avoid this installation if I don't need it.

Also, is the "Enterprise Mobility + Security E3" license sufficient for this if I buy one for each user?

John Allen

1 Answer


1) Do I need to install the on-premises multi-factor authentication server?

What you are asking is the difference between what is called ‘MFA Server’ and what is called ‘Azure MFA.’ If all you want to protect is Office 365 resources then all you need is Azure MFA. Read here for a guide to what version you need in various scenarios: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-whichversion

However, and this is a big however, because you are running ADFS 3.0 you will need to set up Azure MFA Server on-premises. Read more about that here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-adfs-2012

I do not have experience with Azure MFA and ADFS 3.0. My recommendation is to upgrade to ADFS 4.0 on Windows Server 2016 before moving to Azure MFA. Server 2016 natively supports Azure MFA and does NOT require the installation or use of Azure MFA Server on-premises. It is much simpler.

2) Can I just configure MFA as described in...?

No. That page is a drastic oversimplification of what is involved in setting up Azure MFA. It doesn't cover setting up ADFS with Server 2012 or Server 2016. I don't particularly understand why it even exists, as all it is is a partial clip of the site I linked to above, which obviously shows that far more is involved. Do not follow it, as it will not get you where you want to go. There is far more involved and planning needed, such as how you intend to proof up your users, configuring what second-factor methods you want to allow, bypassing trusted devices while using Azure AD device registration, app passwords and how to update non-Windows devices, single sign-on, conditional access, etc.

3) Also, is the "Enterprise Mobility + Security E3" license sufficient for this if I buy one for each user?

Yes. The full Azure MFA experience is available with any Azure Active Directory Premium subscription, which is included in just about any Office 365 license bundle, including Enterprise Mobility. More information about the different versions of Azure MFA and licensing can be found here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing#how-to-get-azure-multi-factor-authentication-1

My own note about this: Make the investment into Server 2016 and upgrade your ADFS to 4.0. It has built-in support for Azure MFA, and almost every component of it is massively overhauled from previous versions of Windows Server, with all kinds of cloud-ready improvements. Save yourself the headaches.

Appleoddity
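As an added illustration (this is not part of Appleoddity's answer or the original question), the following PowerShell shows what the "native Azure MFA on ADFS 4.0 / Server 2016" path the answer recommends actually looks like, scoped so that the second factor is demanded only for the Office 365 relying party and no other federated application. It assumes a placeholder tenant ID, the default Office 365 relying-party trust name that federation setup creates, and the well-known application ID of the Azure Multi-Factor Auth Client from Microsoft's AD FS 2016 Azure MFA documentation; verify each of these against the docs linked above before running it, and run it on an AD FS 2016 server with a domain account that holds Enterprise Admin rights.

```powershell
# Added example, not code from the question or the answer. Run on an AD FS 2016 server
# (ADFS 4.0) after the domain is already federated with the Azure AD tenant.
# The tenant ID below is a placeholder; the client ID is the documented Azure MFA
# client app ID. Confirm both against the Microsoft docs before use.

$TenantId         = "00000000-0000-0000-0000-000000000000"   # placeholder: your Azure AD tenant ID
$AzureMfaClientId = "981f26a1-7f43-403b-a875-f8b09b8cd720"   # well-known Azure MFA client app ID (verify)

# 1. Generate the AD FS farm certificate that Azure MFA will use to verify requests
#    from this farm. Returned as a base64 string; run once per farm, not per server.
$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $TenantId

# 2. Register that certificate on the Azure MFA client service principal in the tenant
#    (MSOnline module; requires a Global Administrator sign-in).
Connect-MsolService
New-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaClientId `
    -Type Asymmetric -Usage Verify -Value $certBase64

# 3. Tell the built-in AD FS adapter which tenant to talk to, then restart AD FS on
#    every server in the farm so the new configuration is loaded.
Set-AdfsAzureMfaTenant -TenantId $TenantId -ClientId $AzureMfaClientId
Restart-Service adfssrv

# 4. Make Azure MFA an available additional authentication provider for the farm.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider AzureMfaAuthentication

# 5. Require the second factor only on the Office 365 relying party trust, leaving
#    every other relying party at single-factor. The rule has no condition, so it
#    applies to every user hitting this RP. Name assumed to be the default created
#    during federation setup; check with Get-AdfsRelyingPartyTrust if it differs.
$rpName  = "Microsoft Office 365 Identity Platform"
$mfaRule = @'
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
         Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# Sanity check: the provider is listed and the rule is attached to the O365 RP only.
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

Two caveats a practitioner would want alongside this. First, the AD FS adapter only challenges users who have already registered an MFA method in Azure AD; it does not proof them up, which is the planning item the answer calls out, so users must complete registration (for example at the Azure AD security-info page) before the rule is switched on, or they will be locked out of mail. Second, step 5 is what keeps the change limited to Office 365 as the question asks; setting the global policy to require MFA for all relying parties would instead affect every federated application.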