Using ADFS in Windows 2012 R2 with Azure Multi-factor Authentication

Question
-
Thanks in advance for reading this.
I want to require users to use the Azure mobile app for multifactor authentication when they log on to their Office 365 mailboxes. I do not need to use MFA to secure any other resources. I have ADFS on Windows 2012 R2 deployed on premises today.
Do I need to install on premises multifactor authentication server? Or can I just configure ADFS as described at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-adfs#secure-azure-ad-resources-using-ad-fs and not install multifactor authentication server? I would prefer to avoid this installation if I don't need it.
- Edited by huge828288282 Friday, August 17, 2018 9:50 PM
Friday, August 17, 2018 7:46 AM
Answers
-
Yes, the EMS E3 license will suffice and is the recommended and most flexible option. The E3 license includes the AAD P1 functionality. E3 is a superset of AAD P1 and includes Intune, so you can also do other sophisticated access control using device health/compliance. This enables you to configure Azure AD conditional access rules and enforce MFA when accessing Exchange Online, as Pierre mentions. You could optionally further secure the access to be limited to healthy/compliant devices only. Then you configure the approved MFA verification methods to include the authenticator app based notifications (and any other methods as you see fit). When users access Exchange Online via AD FS, the MFA side is handled on the Azure AD side. No need to install any MFA server on-premises.
Note you already have a limited amount of MFA functionality as an O365 customer (without any AAD P1 or E3 licenses). See the differences in functionality at https://azure.microsoft.com/en-us/pricing/details/active-directory/ . So you *could* potentially enforce MFA on each user (see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates ) and configure the MFA methods as you see fit. But this approach would force them to do MFA all the time to log on to Azure AD (not just for Exchange Online). You and your end users might consider this a suboptimal end user experience if they don't like regular MFA prompts.
If you only have a need for MFA to access Exchange Online, you may be OK with the latter and the regular MFA prompts for end users. But if you see the benefits of moving more apps to integrate with Azure AD (e.g. other SaaS apps such as Workday, Salesforce, ServiceNow etc.) and want to secure that access via MFA and other conditional access features, you might prefer to use the E3 licenses and the conditional access route, which offers granular configuration of where and when MFA occurs.
M@
- Edited by maweeras[MSFT]Microsoft employee Thursday, August 30, 2018 8:01 AM added hyperlinks
- Proposed as answer by maweeras[MSFT]Microsoft employee Thursday, August 30, 2018 8:04 AM
- Marked as answer by huge828288282 Tuesday, September 4, 2018 7:42 AM
Saturday, August 25, 2018 11:42 AM
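As an added example (not code from this thread, and not Microsoft's own sample), the conditional access route the accepted answer recommends, scripted with the Microsoft Graph PowerShell SDK: a policy that requires MFA only for Exchange Online, scoped to a pilot group and created in report-only mode first. The group name MFA-ExchangeOnline-Users is a hypothetical assumption; the application ID is the well-known one for Office 365 Exchange Online. Targeted users need an Azure AD Premium P1 (EMS E3) licence, and the signed-in admin must be able to consent to the listed Graph scopes.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph -Scope CurrentUser).
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups

# Policy.ReadWrite.ConditionalAccess creates/updates policies; Group.Read.All resolves the pilot group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Well-known application ID of Office 365 Exchange Online.
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

# Hypothetical pilot group (assumption). Scope to a group rather than "All users" first,
# so a mistake in the policy cannot lock the whole tenant (including you) out of mail.
$pilotGroup = Get-MgGroup -Filter "displayName eq 'MFA-ExchangeOnline-Users'"
if (-not $pilotGroup) { throw "Pilot group MFA-ExchangeOnline-Users not found; create it first." }

$policy = @{
    displayName   = "Require MFA for Exchange Online"
    # Report-only: sign-in logs show what the policy WOULD do, nothing is enforced yet.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
        users          = @{ includeGroups = @($pilotGroup.Id) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # MFA is satisfied in Azure AD, not by AD FS or an MFA Server
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Check: read the policy back and confirm it targets exactly one app, Exchange Online.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$apps  = @($check.Conditions.Applications.IncludeApplications)
if ($apps.Count -ne 1 -or $apps[0] -ne $exchangeOnlineAppId) {
    throw "Policy $($check.Id) does not target only Exchange Online: $($apps -join ',')"
}
Write-Output "Policy scope verified: Exchange Online only, group $($pilotGroup.DisplayName)"

# After reviewing report-only results in the sign-in logs, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Two practitioner caveats that follow from this design. With clientAppTypes set to "all", clients that use legacy (basic) authentication, such as older ActiveSync or POP/IMAP clients, cannot complete an MFA challenge and will simply be blocked, so inventory those before moving the policy out of report-only. And because the domain is federated to AD FS, Azure AD only runs its own MFA challenge if the federation settings leave the SupportsMfa flag at its default of false (visible with Get-MsolDomainFederationSettings from the older MSOnline module); setting it to true tells Azure AD that AD FS performs MFA itself, which is exactly what this thread is trying to avoid.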
All replies
-
Also, is the "Enterprise Mobility + Security E3" license sufficient for this if I buy one for each user?
Friday, August 17, 2018 9:53 PM
-
Ideally you should do that in Azure AD with a Conditional Access Policy: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
All synchronized users will need an Azure AD Premium P1 licence.
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
Thursday, August 23, 2018 1:00 PM -
Great answer, thanks!
Tuesday, September 4, 2018 7:42 AM