Forum Discussion
Azure MFA and Azure MFA Server side by side
Eli Shlomo – thanks for sharing the links.
Ueli Zimmermann - the Azure MFA feature program manager has some insightful comments on Reddit:
https://www.reddit.com/r/AZURE/comments/7r4324/azure_mfa_server_on_premise_lifecycle_roadmap/
“There isn't any engineering effort going into MFA server, and eventually it will end of life. All of our work is going into Azure MFA and features like conditional access policy...”
“Eventually, yes, Azure MFA Server will probably be deprecated in favour of the cloud-only Azure MFA service. However, we wouldn't do this until we have feature parity in cloud-only Azure MFA, and a reasonable migration path. We also wouldn't do this without advance notice: I'm not completely sure (I'll find out and report back), but I'm pretty sure this will be at least 1 year. There are still some features we haven't quite finished yet which are only available in Azure MFA Server but not in the cloud-only service (PIN mode, pre-registration, OATH token support, etc.), but we're working on it.”
So I wouldn’t be overly concerned if you’ve already deployed MFA Server, however to avoid migrating in the future, I’d recommend opting for the NPS extension or appliances that support direct Azure MFA integration.
Hope this helps,
Matt
- Eli Shlomo, Jan 06, 2019, MVP
Correct information, but Reddit is not yet dependable information and not official by Microsoft, so for the different products it's recommended to work according to Microsoft lifecycle information.
I recommended avoiding working with NPS because it isn't secure enough, and it's better to work on top of SAML with Azure AD. (From experience in the field, the integration with NPS will fail on a first pen test because of the NPS itself and not the Azure AD.)
- ThinkSync, Jan 06, 2019, Brass Contributor
Eli Shlomo, sorry, I'll have to politely disagree :-)
Looking at authentication from an architectural perspective, now that basic authentication can be blocked using conditional access, customers can start to move away from ADFS and start using Password Hash Sync… but that's a topic for another thread :-)
Righty hoo, NPS - completely agree the documentation is a little cryptic and if implemented incorrectly, could lead to credentials being sent over the wire in clear text.
- In most cases we don’t need to perform primary auth against AD a second time or even at all. So, we set the policy to “Accept users without validating credentials”. (Remember the NPS extension doesn't authenticate users; it passes the request to the MFA endpoint, which triggers a user proof-up: text, phone or auth app.)
- Next, the NPS policy needs something to check, so we use a simple NAS ID condition, “MFA”, as seen in the example below.
- As the RADIUS Access-Request messages are processed without credential validation, we can switch the RADIUS auth protocol to MS-CHAP v2.
There are a few more things to tweak on Netscaler and Windows which I’ll post in a blog later this week.
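As an added illustration (not code from this thread, from Microsoft, or from the NPS extension), the following Python script parses a RADIUS Access-Request and reports which authentication protocol it carries and whether its NAS-Identifier would satisfy a NAS-ID-only condition like the “MFA” one described above. The shared secret, Request Authenticator, user name and MS-CHAP challenge/response bytes are constructed placeholders; the attribute layouts follow RFC 2865 (User-Password hiding, attribute framing) and RFC 2548 (Microsoft Vendor-Id 311, MS-CHAP-Challenge 11, MS-CHAP2-Response 25).

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterator, Optional

# RADIUS packet code and attribute types (RFC 2865)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_NAS_IDENTIFIER = 32
# Microsoft vendor-specific attributes (RFC 2548)
MICROSOFT_VENDOR_ID = 311
MS_CHAP_RESPONSE = 1
MS_CHAP_CHALLENGE = 11
MS_CHAP2_RESPONSE = 25

# Constructed sample values; a real NAS sends a random 16-byte authenticator per request.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value."""
    return bytes([attr_type, len(value) + 2]) + value


def ms_vsa(vendor_type: int, value: bytes) -> bytes:
    """Encode a Microsoft Vendor-Specific attribute (Vendor-Id 311 + inner TLV)."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack(">I", MICROSOFT_VENDOR_ID) + inner)


def build_access_request(identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + authenticator + attributes


def sample_pap_request(nas_id: str = "MFA") -> bytes:
    """Constructed PAP request: the user's password rides in User-Password."""
    hidden = hide_user_password(b"constructed-password", SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    attrs = (attr(ATTR_USER_NAME, b"alice@example.test") + attr(ATTR_USER_PASSWORD, hidden)
             + attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return build_access_request(1, SAMPLE_AUTHENTICATOR, attrs)


def sample_mschapv2_request(nas_id: str = "MFA") -> bytes:
    """Constructed MS-CHAPv2 request: 16-byte challenge and 50-byte response (placeholder bytes)."""
    response = b"\x01\x00" + b"\x22" * 16 + b"\x00" * 8 + b"\x33" * 24
    attrs = (attr(ATTR_USER_NAME, b"alice@example.test") + ms_vsa(MS_CHAP_CHALLENGE, b"\x11" * 16)
             + ms_vsa(MS_CHAP2_RESPONSE, response) + attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return build_access_request(2, SAMPLE_AUTHENTICATOR, attrs)


@dataclass
class Attribute:
    type: int
    value: bytes
    vendor_id: Optional[int] = None    # populated for Vendor-Specific (type 26)
    vendor_type: Optional[int] = None


def parse_attributes(packet: bytes) -> Iterator[Attribute]:
    """Walk the attribute list, unwrapping Vendor-Specific attributes into their inner TLV."""
    length = min(struct.unpack(">H", packet[2:4])[0], len(packet))
    i = 20
    while i + 2 <= length:
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("malformed attribute at offset %d" % i)
        value = packet[i + 2:i + l]
        if t == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack(">I", value[:4])[0]
            yield Attribute(t, value[6:4 + value[5]], vendor_id, value[4])
        else:
            yield Attribute(t, value)
        i += l


def audit_access_request(packet: bytes, nas_id_condition: str = "MFA") -> dict:
    """Classify the auth protocol and check a NAS-Identifier-only policy condition."""
    if packet[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs = list(parse_attributes(packet))
    nas_id = next((a.value.decode(errors="replace") for a in attrs if a.type == ATTR_NAS_IDENTIFIER), None)
    user = next((a.value.decode(errors="replace") for a in attrs if a.type == ATTR_USER_NAME), None)
    ms_types = {a.vendor_type for a in attrs if a.vendor_id == MICROSOFT_VENDOR_ID}
    has_password = any(a.type == ATTR_USER_PASSWORD for a in attrs)
    if MS_CHAP2_RESPONSE in ms_types:
        protocol = "MS-CHAPv2"
    elif MS_CHAP_RESPONSE in ms_types:
        protocol = "MS-CHAPv1"
    elif has_password:
        protocol = "PAP"    # password on the wire, protected only by MD5(secret || authenticator)
    else:
        protocol = "unknown"
    return {"user_name": user, "nas_identifier": nas_id, "auth_protocol": protocol,
            "password_attribute_present": has_password,
            "matches_nas_id_condition": nas_id == nas_id_condition}
```

The point the audit makes visible: under “Accept users without validating credentials” the NPS extension never looks at the password, so with PAP the User-Password attribute is pure exposure, hidden only by an MD5 keystream derived from the RADIUS shared secret. An MS-CHAPv2 request carries a challenge/response pair instead, which is the reason for the protocol switch in the last step above. The same parser can be pointed at a captured Access-Request (bytes from a pcap) to confirm what a NAS actually sends before the policy goes live.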
- Eli Shlomo, Jan 07, 2019, MVP
It's OK to disagree.
You cannot compare the reference between Reddit and Microsoft Premier, because Microsoft Premier is official and can provide an official reference behind it.
It's better and more secure to work with SAML than RADIUS, because RADIUS is potentially a configuration that you can break into.
Azure AD with SAML and ADFS can provide more benefits and more security built-in without breaches.