Azure multi-factor authentication or Azure MFA

Thinking of multi-factor authentication as a service is powerful and can open the door for many business opportunities. Multi-factor authentication as a service is simply consuming the second factor from the cloud, so that your on-premises applications and cloud workloads can both use the same multi-factor authentication platform. Azure multi-factor authentication or Azure MFA is the platform we are going to talk about here.

Azure Multi-Factor Authentication is Microsoft’s two-step verification solution that helps safeguard access to data and applications. It is offered as a cloud service and it has a flexible licensing options that fits any business needs. If you are using Office 365 or Azure Active Directory, then Azure Multi-Factor Authentication is the best choice for you.

Azure Multi-Factor Authentication is a service that can be hosted in Azure or on-premises, and can be used in addition to username and password authentication. You must authentication using username and password first, before consuming this service.

How it works

Azure Multi-Factor Authentication uses something you have method to provide an additional level of authentication to prevent unauthorized access to both on-premises and cloud application. It provides three flavors:

Mobile App: available on Windows phones, android and IOS devices. Within this application, you can do two things:

  • Software token: offline one-time password with short life time, which is a great way in case you do not have internet connectivity.
  • Push notification.

Phone calls: you can receive a phone call prompting you to press a key to complete your authentication. This can be a land line or a mobile phone.

Text messages: you will receive a text message with a verification code.

How to it is licensed and offered

Microsoft Azure MFA provides flexible licencing offering through four channels:

  1. Azure Multi-Factor Authentication stand-alone: pay as you go [per user per month model] or [per authentication]. By using this model, you can consume Azure Multi-Factor Authentication as a cloud service, or download the on-premise server to protect on-premise applications.
  2. Included in Azure Active Directory Premium: Any user with Azure Active Directory Premium license can use this service as part of his license.
  3. Free for Azure Administrators: if you have an Azure subscription, then you can secure your Azure administrators accounts for free.
  4. Azure MFA included in Office 365 [limited functionality]

Azure MFA is offered as a limited functionality in Office 365. This means if you have an Office 365 subscription, you can enable MFA when accessing Office 365 resources as explained in the below table:

Azure multi-factor authentication Azure MFA 6

Why to use Azure Multi-Factor Authentication?

Today, people are using multiple devices and are working from remote locations more than ever. With the revolution happening on personal computing and devices, people have many options on how they are going to connect and from which device. Azure Multi-Factor Authentication is an easy, convenient, scalable and reliable solution that provides strong second factor authentication.

Convenient for users

  • No devices or certificates to purchase, provision and maintain.
  • No training for end users.
  • Users will usually take care of replacing their lost or broken phones.
  • Users have the power to manage which authentication method they want.
  • Integrates with existing user directory.


  • SDK Integration with custom apps and directories.
  • Supports high volume, mission critical scenarios
  • Built into Microsoft Azure Active Directory for use with cloud apps.
  • Support ADFS and SAML-based apps for federation to the cloud.


  • Strong multi-factor authentication.
  • Real-Time Fraud Alert.
  • PIN option.
  • Reporting and logging for auditing
  • Enables compliance with NIST 800-63 Level 3, HIPPA, PCI DSS, and other regulatory requirements.

Protecting on-premise applications

What about on-premise applications? what if you do not have any cloud presence yet, and you want to use only the MFA part of Azure?

This is completely possible because of the smart design and offering of Azure MFA. Microsoft designed the solution in a completely abstracted way. It starts with your applications that require multi-factor authentication. These applications can be your VPN server, your RDS farm, your IIS portals or any other service. The problem is that every application can offload the authentication task in a different way. Some of them (like most VPN gateways) prefer to offload the authentication using RADIUS protocol, while others may prefer LDAP.

Since different applications prefer different methods of offloading the authentication, and these applications need to contact Azure MFA cloud services, Microsoft introduced a proxy server on-premise (called the MFA server), that acts as an authentication proxy mainly. It has many listeners (like RADIUS and LDAP) from one side to talk to your applications, and it connects to Azure MFA services from the other side using HTTPS.

Azure multi-factor authentication Azure MFA 1

Azure MFA server is so easy to deploy on-premise. You just need to install the bits and do a little configuration via a wizard. No special service accounts, no extra difficult configuration to worry about, and you can rebuild it in few minutes.

What I really like about the Azure MFA server, is the level of abstraction it provides. Your applications will do the first factor authentication using username or password perhaps, and then offload the second factor authentication to Azure MFA services. So, what you are buying is really the second factor authentication here, which can be a mobile call, SMS or even a mobile app. You can configure each user with his preferable second factor authentication method. One user can choose a phone call as his second factor authentication where the other may choose the mobile app.

Because Azure MFA server can integrate to your applications using RADIUS also, you can easily enable multi-factor authentication to your VPN clients in no time. The speed of deployment for such multi-factor authentication solution in addition to simplicity and cost savings are things you cannot find easily elsewhere.

Azure multi-factor authentication Azure MFA 2

Protecting cloud applications

Azure multi-factor authentication integrates with Azure Active Directory, so any workload or SaaS application that is using Azure Active Directory, can use Azure multi-factor authentication with no extra configuration or deployments.

If you are using Office 365, then enabling multi-factor authentication can be achieved easily, as Office 365 consume Azure Active Directory identities. Furthermore, Azure multi-factor authentication can be enforced per user or as part of Azure conditional access model.

With Azure conditional access, you can protect corporate identities and require multi-factor authentication only if specific condition or conditions are met. This so powerful concept, as users do not want to be prompted for second factor authentication every time they want to access a corporate resource. You can say for example, if users are connecting to SharePoint Online from your corporate network, then no multi-factor authentication will be required, while connecting from external network will prompt users for multi-factor authentication.

Extra reading