Question: I'm using the Azure MFA on-premises server to provide MFA for an internal application. What happens to the access of this application if our Internet is down or unable to contact the Azure MFA service?

Answer: There are two modes for this scenario, Fail Authentication and Succeed Authentication. Fail Authentication is the default behavior. This means users are unable to get to the application until connectivity is restored. Succeed Authentication will allow the user to continue to log in without having to go through MFA. You can change this setting in the Azure MFA Server by clicking on the Company Settings icon. On the General tab, change the "When internet is not accessible" option at the top of the page.

Question: Do I have to have an Azure AD Premium or EMS license to use Azure MFA? Can I use Azure MFA if I have Azure AD Free or Azure AD Basic?

Answer: A version of Azure MFA with limited functionality is available for Azure administrators and for Office 365 users at no additional charge for protecting access to Microsoft online resources. You can also purchase the full version of Azure Multi-Factor Authentication through a licensing model or a consumption model.

For the licensing model, purchase Azure Multi-Factor Authentication licenses and assign those licenses to your users.

For the consumption model, you'll need to do a few things. First you'll need to have an Azure Subscription. Once you log into the portal, you'll click NEW at the bottom, App Services, Active Directory, Multi-Factor Auth Provider, Quick Create. You'll then have the ability to pick either a Per Enabled User or a Per Authentication usage model.
For specifics of the billing, please see https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/

Question: What happens if I created an MFA provider and then later purchased Azure MFA, Azure AD Premium or EMS licenses? Will I still be charged?

Answer: It depends. If you have purchased enough licenses to cover the number of users enabled for MFA, then you would not. The per-user Azure Multi-Factor Auth Provider must also be linked to the directory that contains the licenses for the licenses to be recognized.

Let's give an example. I have 50 users today using MFA on a per-user consumption model. I purchase 40 Azure AD Premium licenses and assign them to 40 users. Once the 40 licenses are purchased, my Azure subscription will start getting billed just for the 10 unlicensed users instead of all 50.

Note: The per-authentication consumption model is not compatible with the licensing model. All authentications are billed, even if users are assigned an MFA, Azure AD Premium or EMS license.

We hope you've found this post and this series to be helpful. For any questions you can reach us at AskAzureADBlog@microsoft.com, the Microsoft Forums and on Twitter @AzureAD, @MarkMorow and @Alex_A_Simons.

-Chad Hasbrook, Mark Morowczynski and Shawn Bishop