Forum Discussion
Azure MFA and Azure MFA Server side by side
Correct information, but Reddit is not yet dependable information and not official by Microsoft, so for the different products it's recommended to work according to Microsoft lifecycle information.
I recommend avoiding working with NPS because it isn't secure enough, and it's better to work on top of SAML with Azure AD. (From experience in the field, the integration with NPS will fail on a first pen test because of the NPS itself and not Azure AD.)
Eli Shlomo Sorry, I'll have to politely disagree :-)
Looking at authentication from an architectural perspective, now that basic authentication can be blocked using conditional access, customers can start to move away from ADFS and start using Password Hash Sync... but that's a topic for another thread :-)
Righty ho, NPS - completely agree the documentation is a little cryptic and, if implemented incorrectly, could lead to credentials being sent over the wire in clear text.
- In most cases we don't need to perform primary auth against AD a second time, or even at all. So we set the policy to "Accept users without validating credentials". (Remember the NPS extension doesn't authenticate users; it passes the request to the MFA endpoint, which triggers a user proof-up - text, phone or auth app.)
- Next, the NPS policy needs something to check, so we use a simple NAS-ID condition, "MFA", as seen in the example below.
- As the RADIUS Access-Request messages are processed without credential validation, we can switch the RADIUS auth protocol to MS-CHAP v2.
There’s a few more things to tweak on Netscaler and Windows which I’ll post in a blog later this week.
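To make the protocol step above concrete, here is an added example (not code from this thread, from Microsoft, or from the NPS extension) that builds two constructed RADIUS Access-Request packets, one carrying a PAP User-Password and one carrying MS-CHAPv2 vendor attributes, and audits which password protocol each uses and which NAS-Identifier the NPS policy would match on. The user name, shared secret, NAS-Identifier value and the challenge/response bytes are placeholders, and the PAP hiding routine follows RFC 2865 section 5.2 so the packet bytes are realistic.

```python
import hashlib
import struct

# RADIUS codes and attribute types (RFC 2865) plus Microsoft VSAs (RFC 2548).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2          # only present for PAP
ATTR_VENDOR_SPECIFIC = 26
ATTR_NAS_IDENTIFIER = 32
VENDOR_MICROSOFT = 311
MS_CHAP_CHALLENGE = 11          # Microsoft vendor sub-type
MS_CHAP2_RESPONSE = 25          # Microsoft vendor sub-type


def _attr(atype, value):
    """Encode one RADIUS attribute as type, total length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute wrapping one vendor sub-attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def obfuscate_pap_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: pad to a 16-byte multiple and
    XOR each block with MD5(secret + previous block), seeded with the Request
    Authenticator. This is keyed only by the shared secret, so whoever holds
    the secret and the packet can recover the password; it is not a substitute
    for a challenge/response protocol."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(identifier, authenticator, attributes):
    """Assemble an Access-Request: code, id, length, 16-byte authenticator, attributes."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet):
    """Return (code, [(type, vendor_id, vendor_type, value), ...]) with bounds checks."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            attrs.append((atype, vendor_id, value[4], value[6:]))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return code, attrs


def audit_access_request(packet):
    """Classify the password protocol an Access-Request carries and extract the
    NAS-Identifier that a policy condition such as "MFA" would match on."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    result = {"auth_method": "unknown", "nas_identifier": None, "user_name": None}
    for atype, vendor_id, vtype, value in attrs:
        if atype == ATTR_USER_NAME:
            result["user_name"] = value.decode("utf-8", "replace")
        elif atype == ATTR_NAS_IDENTIFIER:
            result["nas_identifier"] = value.decode("utf-8", "replace")
        elif atype == ATTR_USER_PASSWORD:
            result["auth_method"] = "PAP"
        elif atype == ATTR_VENDOR_SPECIFIC and vendor_id == VENDOR_MICROSOFT and vtype == MS_CHAP2_RESPONSE:
            result["auth_method"] = "MSCHAPv2"
    # The case the thread warns about: a password protected by the shared secret alone.
    result["secret_only_protection"] = result["auth_method"] == "PAP"
    return result


# --- constructed sample packets (placeholders, not real captures) -----------
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))  # a real client sends 16 random bytes

PAP_REQUEST = build_access_request(1, AUTHENTICATOR, [
    _attr(ATTR_USER_NAME, b"jdoe@contoso.example"),
    _attr(ATTR_USER_PASSWORD, obfuscate_pap_password(b"Hunter2!", SECRET, AUTHENTICATOR)),
    _attr(ATTR_NAS_IDENTIFIER, b"MFA"),
])

MSCHAPV2_REQUEST = build_access_request(2, AUTHENTICATOR, [
    _attr(ATTR_USER_NAME, b"jdoe@contoso.example"),
    _vsa(VENDOR_MICROSOFT, MS_CHAP_CHALLENGE, b"\x11" * 16),                # placeholder challenge
    _vsa(VENDOR_MICROSOFT, MS_CHAP2_RESPONSE, b"\x01\x00" + b"\x22" * 48),  # placeholder 50-byte response
    _attr(ATTR_NAS_IDENTIFIER, b"MFA"),
])

if __name__ == "__main__":
    for name, pkt in (("PAP", PAP_REQUEST), ("MS-CHAPv2", MSCHAPV2_REQUEST)):
        print(name, audit_access_request(pkt))
```

Run stand-alone it prints the audit result for both packets; pointed at packets taken from a lab capture of the NAS-to-NPS leg, `audit_access_request` gives a quick way to confirm that the switch to MS-CHAP v2 actually took effect (no User-Password attribute on the wire) and that the NAS-Identifier the policy keys on is present.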
- Eli Shlomo, Jan 07, 2019, MVP
It's OK to disagree.
You cannot compare the reference between Reddit and Microsoft Premier, because Microsoft Premier is official and can provide an official reference behind it.
It's better and more secure to work with SAML than with RADIUS, because RADIUS is potentially a configuration that you can break into.
Azure AD with SAML and ADFS can provide more benefits and more security built in, without breaches.
- Ueli Zimmermann, Jan 08, 2019, Brass Contributor
Thank you both for this discussion; it certainly helped me to see the different options, and I will probably go back to the drawing board :-)
We also have another Identity Workshop with MS around Feb 2019, so I will certainly follow your lead and also ask the PFE about such options and what could be best for our case.
- ThinkSync, Jan 10, 2019, Brass Contributor
Great stuff, a chalk and talk will certainly help break down your scenario :)
I'd also suggest asking about guidance around moving away from ADFS to PHS combined with blocking basic authentication using conditional access. Both are recommended by the product group as best practice.