Mar 21 2018 02:01 PM
Mar 21 2018 02:01 PM
We are working on deploying Azure MFA (cloud only).
An interesting scenario has come up with users that don't have mobile phones. While the scenario rare, what is a user to do if (1) they don't have a mobile phone and (2) they are not in a trusted IP location?
Same thing could apply if the user forgot their phone at home and was at a customer site, etc.
Does basic Azure MFA have any extra work around at this point in time?
Mar 22 2018 01:13 AM
You can configure an alternative phone, but apart from that, no. The On-Prem version has a bypass option and alternative method via security questions, this is not yet available for Azure MFA (but I believe it's coming).
Mar 22 2018 06:38 AM
Mar 22 2018 01:43 PM
Two things - it doesn't have to a be a mobile phone - it could be any predefined phone such as a landline.
I have customers where the 1st MFA phone is a users mobile, but the backup is the "Secretary" administrative assistant person.
The protocol is if UserX call the AA and gives a heads up that he (the AA ) will be getting a phone call from MSFT auth. The AA puts UserX on hold and checks with UserX boss or userX calendar to confirm that offsite and also tries to call user X to confirm no answer.
Then the AA tells UserX to go ahead and trigger Auth.
Cumbersome - but provides the some level of identification anti-spoofing verification.
The business could also look into providing a non-smart phone with a text only plan (aka pager).
There is also this for the "I forgot my phone at home" : https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats...
Mar 23 2018 12:39 AM
The bypass is server-only, read the description:
Apr 13 2018 09:36 AM
Why is bypass only for on-prem only? It seems like the cloud MFA admin capabilities are very limited.
Sep 21 2018 01:40 AM
For users not having (or not willing to use their own) mobile phones, the solution is to use hardware tokens. MFA Server on-prem is allowing to use standard OATH TOTP tokens, however, with Cloud MFA the only solution is the programmable tokens.
Disclaimer: I am affiliated with Token2
Oct 25 2018 04:49 AM
Windows Azure officially supports DeepNet SafeID hardware tokens which are OATH compliant. You might want to check it out: