Microsoft’s Azure MFA (Multi-factor Authentication)
Interested in an easy-to-implement MFA option for your Microsoft OWA (Outlook Web Access) interface? A few years back Microsoft bought, and has since supported, a product that gets you just that. You can look like the big companies, integrating text, app, or phone out-of-band verification when using OWA.
Sits Easy on the Infrastructure
The infrastructure is light: you can run a single MFA server that syncs with AD, or run a couple at different locations for easy disaster recovery. They synchronize with no heavy lifting on your part.
Don’t let the Azure component scare you if you’re not moving to the cloud. Azure’s part in this is mostly to initiate the calls. It doesn’t require any AD sync with the cloud. It’s mainly there for API calls from the internal MFA server to Azure, so the second-factor authentication gets sent to the user through Microsoft’s system (remember how I said it was light on the infrastructure?).
Installing and Configuring
There’s an MFA component to be installed on Exchange that configures it for IIS.
You can configure it to use MFA for both OWA and ECP (Exchange Control Panel), which I’d highly recommend. You don’t want OWA using MFA but ECP not, do you? This configuration is done with checkboxes. You can also consider disabling external access to ECP altogether.
MFA can be made to sync with an AD group, which makes adding users nice and easy. It pulls the phone number from their AD object, so be aware that you will be putting cell numbers in AD, which some people may not like if it’s their personal cell. I’ve had users go through all sorts of hoops, such as getting a free number from Google and setting up a forward. To each his own.
It can also act as a front-end LDAP for certain things. One example – if you’re using Citrix with a NetScaler, the NetScaler can be pointed at the MFA server instead of a domain controller, giving you MFA for remote access as well.
The three ways users can authenticate with the system are:
- Text – the user receives a code and has to text it back
- Phone call – an incoming phone call requires either a code followed by # or just # as a response, depending on how you configure it
- Authentication app – the user approves the sign-in from an app on their smartphone
There’s a web interface you can point the savvy users at, where they can change their own method of authentication if they wish.
It’s a mature product that’s not terribly difficult to administer. If you want MFA on your externally facing system (and you really should), this is a great option for you.
Check out my Google MFA Guide