cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Concerns using Microsoft MFA

C Lee
Brass Contributor

‎Sep 28 2023 06:13 PM

‎Sep 28 2023 06:13 PM

Concerns using Microsoft MFA

Dear Forum members,

 

My company is using ADFS + DUO but thinking about using Microsoft PHS + MS MFA.  We are testing staging roll out but have been told that our Security team has concerns about MS MFA:

  • Can't differentiate session initiation so VPN users will always get flagged
  • No VPN blocking
  • Password portal explicit registration

We are using Cisco VPN which of course should work well with DUO.  I can understand nobody likes to change but financially MS MFA is more cost effective for us.  Since we haven't use MS MFA yet, I am not sure those concerns are valid or not.  And if those are valid concerns, are there any workaround, mitigation strategies or alternative approaches that we can convince our security team to migrate over?  Any recommendations/suggestions are greatly appreciated!

 

Sally  

602 Views
0 Likes
5 Replies
Reply
5 Replies
Chandrasekhar_Arya

‎Sep 28 2023 11:14 PM

‎Sep 28 2023 11:14 PM

Re: Concerns using Microsoft MFA

ADFS doesnt have context based authentication if you are moving from ADFS to Azure AD/Entra ID then you need to define the conditional access to control the access of authentication. Please note Azure AD/Entra ID is a SaaS based solution hence the URL are open to public hence it doesn't care if you are accessing via VPN or from any public Wifi or home those links will be accessible . your conditional access related to IP, Location etc will decide if the user has to be allowed after he enters the username which is typically email address
0 Likes
Reply
best response confirmed by C Lee (Brass Contributor)
C Lee

‎Sep 29 2023 12:49 PM

‎Sep 29 2023 12:49 PM

Solution

Re: Concerns using Microsoft MFA

Hi Chandrasekhar_Arya, thanks for your reply. It is very helpful! If I understand correctly, when we use Microsoft MFA+ PHS, we will need to configure Conditional Access Policy and lefverage Trusted locations+ Identity to control the access. Additionally, we can add device and other controls in the conditional access policies to further fine-tuning it. But in terms of VPN access, I am not familiar with how it works so not sure how to configure CA. Are you saying it has no difference from other access sources so we should just treat them the same and use the same or similar policy? Any suggestions is appreciated.

Thank you once again for all your help!

Sally
0 Likes
Reply
Chandrasekhar_Arya

‎Sep 29 2023 10:46 PM

‎Sep 29 2023 10:46 PM

Re: Concerns using Microsoft MFA

@C Lee yes that's correct. As an example if you have to login to azure portal you can't control via your corporate VPN as it's a public URL and can be accessed anywhere in the world that's has internet.what is in your control is to define a CA and block once the user enters his username 

 

0 Likes
Reply
C Lee

‎Oct 02 2023 04:00 PM

‎Oct 02 2023 04:00 PM

Re: Concerns using Microsoft MFA

Thank you once again for your help!
1 Like
Reply
Chandrasekhar_Arya

‎Oct 02 2023 11:25 PM

‎Oct 02 2023 11:25 PM

Re: Concerns using Microsoft MFA

@C Lee Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

0 Likes
Reply