Forum Discussion
Slee6004
Sep 29, 2023
Brass Contributor
Concerns using Microsoft MFA
Dear Forum members, My company is using ADFS + DUO but thinking about using Microsoft PHS + MS MFA. We are testing staging roll out but have been told that our Security team has concerns about M...
Chandrasekhar_Arya
Sep 29, 2023
Steel Contributor
ADFS doesn't have context-based authentication. If you are moving from ADFS to Azure AD/Entra ID, then you need to define the conditional access to control the access of authentication. Please note Azure AD/Entra ID is a SaaS-based solution, hence the URLs are open to the public; hence it doesn't care if you are accessing via VPN or from any public Wifi or home, those links will be accessible. Your conditional access related to IP, location etc. will decide if the user has to be allowed after he enters the username, which is typically the email address.
Slee6004
Sep 29, 2023
Brass Contributor
Hi Chandrasekhar_Arya, thanks for your reply. It is very helpful! If I understand correctly, when we use Microsoft MFA + PHS, we will need to configure a Conditional Access Policy and leverage Trusted locations + Identity to control the access. Additionally, we can add device and other controls in the conditional access policies to fine-tune it further. But in terms of VPN access, I am not familiar with how it works, so I'm not sure how to configure CA. Are you saying it has no difference from other access sources, so we should just treat them the same and use the same or similar policy? Any suggestions are appreciated.
Thank you once again for all your help!
Sally
Chandrasekhar_Arya
Sep 30, 2023
Steel Contributor
Slee6004 yes, that's correct. As an example, if you have to log in to the Azure portal you can't control it via your corporate VPN, as it's a public URL and can be accessed anywhere in the world that has internet. What is in your control is to define a CA and block once the user enters his username.
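As an added example (not code from the thread, nor Microsoft's own), the Microsoft Graph PowerShell SDK commands that set up the pattern described above: a trusted named location for the corporate/VPN egress range, plus a Conditional Access policy that requires MFA for all users and all cloud apps unless the sign-in comes from that location, created in report-only mode to match a staged rollout. The CIDR, the break-glass group id and the display names are placeholders.

```powershell
# Added example: trusted IP location + report-only CA policy requiring MFA elsewhere.
# Entra ID evaluates the sign-in after the username is entered regardless of VPN use;
# the named location is how the policy tells "on VPN/corporate egress" from "anywhere else".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location for the corporate/VPN egress range (placeholder CIDR)
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate VPN egress (placeholder)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Emergency-access (break-glass) group to exclude; placeholder object id, assumed to exist
$breakGlassGroupId = "<break-glass-group-object-id>"

# 3. Policy: MFA for all users and apps, except from the trusted location.
#    Report-only first so the sign-in logs show what would have been blocked.
$policy = @{
    displayName   = "CA01 - Require MFA outside trusted locations (staged)"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the sign-in logs before switching the state to enabled. Bear in mind that excluding the VPN egress range means any session that reaches the tenant from that range is also exempt from the MFA requirement, so keep the range tight.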
Slee6004
Oct 02, 2023
Brass Contributor
Thank you once again for your help!