What Are You Trying to Secure With Azure MFA?

Part I – Where to set up your MFA: in the cloud or on an on-premises server

As discussed in an earlier blog post, ‘Azure Multi-Factor Authentication (MFA) Overview’, Multi-Factor Authentication (MFA) is an important tool to help safeguard your data and applications, all while meeting the user demand for a simple sign-in process. Microsoft’s cloud offering, Azure, also provides an MFA service. But the question is, where can you run the MFA service with Azure?

There are two options where a customer can choose to implement their MFA with Azure:

  • MFA Server – An on-premises solution
  • MFA in the cloud – A cloud-based solution maintained by Microsoft

What will you choose?

There are three questions you need to answer before you opt for either of these two options:

  • What are you trying to secure?
  • Where are your users?
  • What are the features that you require?

You are implementing MFA because you want a specific thing to be secure. Is it an application? Or is it a website? Or a payment gateway? Maybe a financial application? Even a remote access system? It can be anything that requires added layers of security.

The first and foremost question always remains: what are you trying to secure? Based on that, you can determine the best way to implement Azure MFA.

Please have a look at the table below:

| What are you trying to secure | MFA in cloud | MFA Server |
|---|---|---|
| First-party Microsoft apps | Yes | Yes |
| SaaS apps in the App gallery | Yes | No |
| Web applications published through Azure AD App Proxy | Yes | No |
| IIS applications not published through Azure AD App Proxy | No | Yes |
| Remote access such as VPN, RDG | Yes | Yes |

First-party Microsoft apps

First-party applications from Microsoft can be secured with both MFA in the cloud and MFA Server. First-party applications are Microsoft’s own direct offerings like Office, Project, Publisher, Outlook Web App, Calendar and many more.

SaaS applications in the app gallery

SaaS applications in the Azure Active Directory application gallery, such as Office 365, Box and Salesforce, can be secured only with MFA in the cloud, and not with the MFA Server.

Web applications published through Azure AD App Proxy

Web applications that are published through Azure Active Directory App Proxy can be secured only with MFA in the cloud, and not with the MFA Server.

IIS applications not published through Azure AD App Proxy

IIS applications that are not published through Azure AD App Proxy can be secured only with the MFA Server.

Remote access like VPN, RDG

Remote access like Virtual Private Networks and Remote Desktop Gateway can be secured with both MFA in the cloud and MFA Server.

Now that you’ve decided what you are trying to secure, let us look at the next question in the next blog, ‘MFA Cloud or MFA Server – Depends on Where the Users Are.’
