Forum Discussion

Slee6004
Brass Contributor
Sep 29, 2023

Concerns using Microsoft MFA

Dear Forum members,

My company is using ADFS + DUO but is thinking about using Microsoft PHS + MS MFA. We are testing a staged rollout but have been told that our Security team has concerns about MS MFA:

  • Can't differentiate session initiation, so VPN users will always get flagged
  • No VPN blocking
  • Password portal explicit registration

We are using Cisco VPN, which of course should work well with DUO. I can understand nobody likes to change, but financially MS MFA is more cost effective for us. Since we haven't used MS MFA yet, I am not sure whether those concerns are valid or not. And if those are valid concerns, are there any workarounds, mitigation strategies or alternative approaches that we can use to convince our security team to migrate over? Any recommendations/suggestions are greatly appreciated!

Sally  

  • Slee6004
    Sep 29, 2023
    Hi Chandrasekhar_Arya, thanks for your reply. It is very helpful! If I understand correctly, when we use Microsoft MFA + PHS, we will need to configure Conditional Access Policy and leverage Trusted locations + Identity to control the access. Additionally, we can add device and other controls in the conditional access policies to further fine-tune it. But in terms of VPN access, I am not familiar with how it works, so I am not sure how to configure CA. Are you saying it has no difference from other access sources, so we should just treat them the same and use the same or similar policy? Any suggestions are appreciated.

    Thank you once again for all your help!

    Sally
  • Chandrasekhar_Arya
    ADFS doesn't have context-based authentication. If you are moving from ADFS to Azure AD/Entra ID, then you need to define conditional access to control the access of authentication. Please note Azure AD/Entra ID is a SaaS-based solution, hence the URLs are open to the public, hence it doesn't care if you are accessing via VPN or from any public Wi-Fi or home; those links will be accessible. Your conditional access related to IP, location etc. will decide if the user has to be allowed after he enters the username, which is typically an email address.
      • Chandrasekhar_Arya
        Steel Contributor

        Slee6004 yes, that's correct. As an example, if you have to log in to the Azure portal you can't control it via your corporate VPN, as it's a public URL and can be accessed anywhere in the world that has internet. What is in your control is to define a CA and block once the user enters his username.
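The two replies above describe the same control from different angles: the cloud endpoints are public, so the only lever is a Conditional Access policy that evaluates the sign-in's IP and location (the "Trusted locations" Sally mentions) and then either requires MFA or blocks. The following Microsoft Graph PowerShell is an added illustration written for this thread, not code from any participant or from Microsoft's documentation. It assumes the Microsoft.Graph.Identity.SignIns module, an account holding the Policy.ReadWrite.ConditionalAccess permission, and placeholder values for the VPN egress range (203.0.113.0/24 is a documentation-only range) and the emergency-access account object ID. Both policies are created in report-only state so that sign-in logs show what each one would have done to VPN and non-VPN users before anything is enforced.

```powershell
# Added example for this thread (not from the original posts or from Microsoft).
# Models the "trusted location" approach from the replies above:
#   1. a trusted named location for the corporate VPN's public egress range
#   2. a policy requiring MFA everywhere except that location
#   3. a policy that blocks access from outside that location ("VPN blocking")
# Assumes Microsoft.Graph.Identity.SignIns and Policy.ReadWrite.ConditionalAccess.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# --- 1. Named location ------------------------------------------------------
# 203.0.113.0/24 is a constructed placeholder; use the real public IPs that
# traffic leaves the VPN concentrator from, not the VPN's internal pool.
$vpnLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate VPN egress"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"
        }
    )
}

# Placeholder object ID of an emergency-access ("break-glass") account.
# Excluding one from every location-based policy keeps a bad IP range from
# locking administrators out of the tenant.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# --- 2. MFA outside the VPN -------------------------------------------------
# Sign-ins arriving from the trusted VPN range are excluded, so VPN users are
# not repeatedly prompted; everyone else must satisfy MFA.
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA outside corporate VPN"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($vpnLocation.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# --- 3. Block outside the VPN -----------------------------------------------
# This is the "define a CA and block" case from the reply above: the portal is
# still reachable, but the policy denies the sign-in unless it comes from the
# VPN range. Scoped to all apps here; narrow includeApplications in practice.
$blockPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block access outside corporate VPN"
    state       = "enabledForReportingButNotEnforced"   # review logs before "enabled"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($vpnLocation.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

"Named location : $($vpnLocation.DisplayName) ($($vpnLocation.Id))"
"MFA policy     : $($mfaPolicy.DisplayName) [$($mfaPolicy.State)]"
"Block policy   : $($blockPolicy.DisplayName) [$($blockPolicy.State)]"
```

Leave both policies in report-only for a full cycle of normal use and filter the Entra sign-in logs on the "report-only" result to confirm that VPN sessions are classified as coming from the trusted location while home and public Wi-Fi sign-ins are not; only then flip `state` to `enabled`. Running the MFA policy and the block policy together is the usual pattern, because the block answers the "no VPN blocking" concern for applications that must stay VPN-only, while the MFA policy covers everything else without treating VPN users as suspicious.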
