Mark Minasi's Tech Forum
DM-AVAL

New Friend (or an Old Friend who Built a New Account)
Posts: 69
#1
I've been taking a look at Azure MFA (Multi Factor Authentication) and this link in particular:

https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server/#comments

It is clear that on-premises Active Directory needs access to Azure (not possible within an air-gapped environment) and that (at very least) you have to set up a MFA Server.

It is less clear (to me anyway) what kind of infrastructure you would need otherwise.

Has anyone implemented this?

For example:

- Is ADFS necessary?
- Is DirSync necessary? I saw that you import users into the Azure AD but is it the MFA Server that does that?
- What kind of High Availability is necessary? At least two MFA Servers?

FYI, the objective would be to use this on-premises.
Infradeploy

Senior Member
Posts: 165
#2
If you want this on-premises you need ADFS. I'm not sure why you want this on-prem though.
And you need Azure AD Premium for every user using it.
You'd also need an Azure AD Premium license for every user you want MFA enabled on.

If you use password sync with Azure AD Connect you would not need ADFS, and you would use the Azure service for MFA.

__________________
Have SpaceSuit, Will Travel

DM-AVAL

New Friend (or an Old Friend who Built a New Account)
Posts: 69
#3
We want this on-premises because we have reservations about going to the Cloud (and yes, we do see that apparently there is a Cloud component regardless if we want to use certain forms of authentication).

The current configuration is a Windows 2008 R2 domain (DFL/FFL) with Windows 7 workstations, everything (with very rare exceptions) virtualized on VMware ESXi 5.1 with Citrix 7.5 used for desktop deployment. We already use RSA MFA authentication for external access via CAG (Citrix Access Gateway). The objective would be to bring MFA to the internal network. 

So ADFS is our only option if we want to do this internally?

Note: we do use OneLogin, currently for a single application, but we could potentially expand its use for MFA internally (?).

Infradeploy

Senior Member
Posts: 165
#4
To be clear, that specific MFA Azure component is for logging in to Office 365 and other Azure AD related services. It's not for your AD.
__________________
Have SpaceSuit, Will Travel

jsclmedave

Administrator
Posts: 426
#5
Quote:
Originally Posted by Infradeploy
To be clear, that specific MFA Azure component is for logging in to Office 365 and other Azure AD related services. It's not for your AD.

Is this the bit where your UPN should match your primary SMTP address?

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
Infradeploy

Senior Member
Posts: 165
#6
It does not need to; it's just best practice, Tim. I'm just saying this MFA is for logging on to Azure-related services.
__________________
Have SpaceSuit, Will Travel

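Posts #5 and #6 touch on the UPN-versus-primary-SMTP question that comes up once on-premises accounts are synchronised to Azure AD. The script below is an added example, not code from the thread or from Microsoft: it reports on-premises AD users whose userPrincipalName does not match their primary SMTP address, so the mismatches can be fixed before (or after) sync. It assumes the RSAT ActiveDirectory module for the live query; the Get-ADUser cmdlet and the UserPrincipalName, mail and proxyAddresses attributes are real, while the sample users and the corp.example / corp.local domains are constructed for the demonstration.

```powershell
# Added example (not from the thread): find AD users whose UPN differs from
# their primary SMTP address. Assumes the RSAT ActiveDirectory module when
# run against a real domain; the sample objects below are constructed.

function Get-PrimarySmtpAddress {
    param([string[]]$ProxyAddresses, [string]$Mail)
    # Exchange marks the primary address with an upper-case "SMTP:" prefix;
    # aliases carry lower-case "smtp:". -clike is case-sensitive on purpose.
    $primary = $ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($primary) { return $primary.Substring(5) }
    # No proxyAddresses populated (no Exchange): fall back to the mail attribute.
    return $Mail
}

function Test-UpnMatchesPrimarySmtp {
    param([Parameter(ValueFromPipeline)]$User)
    process {
        $primary = Get-PrimarySmtpAddress -ProxyAddresses $User.proxyAddresses -Mail $User.mail
        [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            UserPrincipalName = $User.UserPrincipalName
            PrimarySmtp       = $primary
            # Case-insensitive compare; an account with no SMTP address never matches.
            Matches           = [bool]($primary -and ($User.UserPrincipalName -ieq $primary))
        }
    }
}

# Constructed sample objects (hypothetical users and domains) so the check can
# be exercised without a domain. 'bob' has the classic non-routable UPN suffix.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@corp.example'
                       mail = 'alice@corp.example'; proxyAddresses = @('SMTP:alice@corp.example', 'smtp:a.smith@corp.example') },
    [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@corp.local'
                       mail = 'bob@corp.example';   proxyAddresses = @('SMTP:bob@corp.example') },
    [pscustomobject]@{ SamAccountName = 'svc1';  UserPrincipalName = 'svc1@corp.local'
                       mail = $null;                proxyAddresses = @() }
)
$sample | Test-UpnMatchesPrimarySmtp | Format-Table -AutoSize

# Against a real domain (RSAT ActiveDirectory module), list only the mismatches:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, proxyAddresses |
#     Test-UpnMatchesPrimarySmtp | Where-Object { -not $_.Matches }
```

In the sample run only alice matches; bob shows the common case where the UPN suffix is a non-routable internal domain (corp.local) while mail flows on the public domain, and svc1 is a service account with no SMTP address at all. The primary address is taken from the upper-case "SMTP:" proxy address rather than the mail attribute because the two can disagree after mailbox changes; the mail attribute is only a fallback.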
wobble_wobble

Associate Troublemaker Apprentice
Posts: 751
#7
We use MFA to get second-factor authentication for high-level accounts, admin accounts in Azure/ServiceNow/CRM etc.
ADFS deals with the [SSO (not really)] login for O365/SharePoint Online.

I somehow went from having just the Google Authenticator app on my phone to now having 4 or 5.
I think we will soon be able to merge them all into the Google Authenticator app.

__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this