Forum Discussion
MFA via app on SharePoint Online
The MFA server actually supports more methods than Azure MFA, including using the mobile app. It's also possible to configure it for true "passwordless" login; however, as Adam mentioned below, you will need to deploy AD FS in order to use it with O365 resources. If you don't have AD FS in place, this means additional cost for deployment/operation, as a minimum configuration would require 2+2 servers when done properly. On the other hand, Conditional Access requires Azure AD Premium licenses for each user, and if you aren't paying for AAD Prem/EMS yet, the costs there might be even higher in the long run.
It's also important to note that Microsoft is slowly but surely moving towards deprecating the full MFA server version and replacing it with Azure MFA, and although they haven't actually announced anything yet, I fully expect this to happen in the future.
- Erik Lundgren, Sep 06, 2018, Copper Contributor
Thank you Adam Ochs and VasilMichev for your answers.
Actually we do have ADFS in place already.
Good to know that the full MFA server is about to be deprecated. Maybe it's not a good idea to put a lot of work into it if we need to move the service later.
As far as I understand, Azure MFA also supports the mobile app as a second factor, right?
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-whichversion
But I haven't found anywhere to configure that. So at the moment users are using the mobile app to log on via NetScaler to the Citrix environment and then using OTP to log on to SharePoint Online (only one test user so far). But if we can just use the mobile app instead of OTP, that would be fine.
- VasilMichev, Sep 07, 2018, MVP
No no, that's just my "expectation". Microsoft has not said anything about deprecation yet, and even if they do, you will probably have a few years of support left.
Keep in mind that the available primary/secondary auth factor options will differ depending on the use. AFAIK those are limited for the RADIUS scenario; similarly, if you want to configure Azure MFA as primary auth when using AD FS, you are only given a single option.