Thursday, 9 January 2020

Microsoft Azure MFA Notes (Az-300)

Study Notes on Multi Factor Authentication:
  • AAD MFA: for 2nd factor done via Text, MS Authenticator, Phone Call 
  • Azure MFA Server - For AD on-prem. MFA.  Most advanced set op options for integrating on-prem. infrastructure with MFA cloud service.  Download and install on a Windows server.  Don't need to AD Connect sync accounts to Azure AD (AAD).


  • Azure MFA Server needs to use the Azure MFA Service to send SMS and Text authentication and MS Authenticator.
  • The Azure MFA Server downloan includes a GDPR.exe utility for generation GDPR reports for a user.
  • MFA billing is per User and is included in AD premium licences
  • Conditional Access - so don't need for every user but when advanced roles can enforce MFA
  • Azure SDK is only a Web Service since 2018
  • ADFS has 2 MFA approaches/options: Azure MFA Server - no need to replicate users to AAD or ADFS 3 (Win 2016) upwards can use cloud based (no Azure MFA Server required).
  • Password Stuffing - Hacker uses compromised password on different sites as people tend to reuse.
  • Know e.g. password, or something you have e.g. RSA token, something you are e.g. fingerprint.  MFA must use 2 or more of these types.  Out-of-band device e.g. you phone using MS Authenticator.
  • As a general rule with the 2nd factor Auth on Azure, if you want to add a pin to the auth, you can't use the cloud service but need to be using Azure MFA Server.
  • OATH tokens for RSA or other outside token MFA (also for offline on phone via MSAuthenticator) but it requires Azure MFA Server to implement.  Azure portal also has basic OATH integration for 3rd party vendors.

0 comments:

Post a comment