@AHT
Thank you for posting your question on the Microsoft Q&A platform.
MFA server is an MFA solution that helps you in implementing MFA while accessing any on-premises resources.
However, we do not recommend Azure MFA Server, as this product is in the pipeline for deprecation.
In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization.
For more information on Azure MFA Server, you can look at the article below:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy
Since you mentioned that user accounts are synced with Azure AD, you can utilize Azure MFA for users' accounts while accessing Azure services/resources.
You can either use Conditional Access in Azure AD, with which users will be prompted for MFA based on the conditions that you define:
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/
Or you can also configure Azure MFA for specific users, which will force users to perform MFA whenever Azure resources are accessed:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
If it's a hybrid environment and you want password + MFA when using RDP to the clients, in that case you can leverage the NPS extension with Azure MFA. Also, RDS infrastructure with Azure MFA.
https://learn.microsoft.com/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
https://learn.microsoft.com/azure/active-directory/authentication/howto-mfa-nps-extension
For interactive logon, if you are looking for MFA along with the password, then I would recommend going with the Windows Hello for Business approach; it replaces passwords with strong two-factor authentication on devices. This authentication consists of a type of user credential that is tied to a device and uses a biometric or PIN.
Refer to https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview for more information related to Windows Hello for Business/deployment models, which you can choose based on your current infrastructure.
Also, I would recommend reading this: "Is Windows Hello for Business considered multi-factor authentication?" The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
Reference:
Windows Hello for Business: Authentication - https://www.youtube.com/watch?v=WPmzoP_vMek
https://www.youtube.com/watch?v=1kAqaWJYGK8
Let me know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.