Using ADFS in Windows 2012 R2 with Azure Multi-factor Authentication

Answers

  • Yes, the EMS E3 license will suffice and is the recommended and most flexible option. The E3 license includes the AAD P1 functionality. E3 is a superset of AAD P1 and includes Intune, so you can also do other sophisticated access control using device health/compliance. This enables you to configure Azure AD conditional access rules and enforce MFA when accessing Exchange Online, as Pierre mentions. You could optionally further secure the access to be limited to healthy/compliant devices only. Then you configure the approved MFA verification methods to include the authenticator app based notifications (and any other methods as you see fit). When users access Exchange Online via AD FS, the MFA side is handled on the Azure AD side. No need to install any MFA server on-premises.

    Note you already have a limited amount of MFA functionality as an O365 customer (without any AAD P1 or E3 licenses). See the differences in functionality at https://azure.microsoft.com/en-us/pricing/details/active-directory/ . So you *could* potentially enforce MFA on each user (see https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates ) and configure the MFA methods as you see fit. But this approach would force them to do MFA all the time to log on to Azure AD (not just for Exchange Online). You and end users might consider this a suboptimal end user experience if they don't like regular MFA prompts.

    If you only have a need for MFA to access Exchange Online, you may be OK with the latter and the regular MFA prompts for end users. But as you likely see the benefits of moving more apps to integrate with Azure AD (e.g. other SaaS apps such as Workday, Salesforce, ServiceNow etc.) and want to secure that access via MFA and other conditional access features, you might prefer the E3 licenses and conditional access route, which offers granular configuration of where and when MFA occurs.


    M@


    Saturday, August 25, 2018 11:42 AM
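The conditional access policy this answer describes (require MFA for Exchange Online, all users, configured in Azure AD rather than on AD FS), as an added example that is not part of the original thread. It assumes the AzureADPreview module is installed and `Connect-AzureAD` has already been run as an administrator; the break-glass group object ID is a placeholder.

```powershell
# Added example (not from the thread): Azure AD Conditional Access policy that
# requires MFA for Exchange Online, built with the AzureADPreview cmdlets.
# Assumes Connect-AzureAD has already been run with sufficient admin rights.

# Well-known first-party application ID for Office 365 Exchange Online.
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

# Conditions: target Exchange Online, scope to all users.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $exchangeOnlineAppId
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
# Exclude an emergency-access (break-glass) group so a misconfigured policy
# cannot lock every administrator out. Placeholder value, replace with your group's object ID.
$conditions.Users.ExcludeGroups = '<break-glass-group-object-id>'

# Grant control: access is allowed only after MFA.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'OR'
$controls.BuiltInControls = 'mfa'

# Start in report-only mode so the sign-in logs show who would be affected;
# change -State to 'enabled' once the observed scope matches expectations.
New-AzureADMSConditionalAccessPolicy -DisplayName 'Require MFA for Exchange Online' `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions `
    -GrantControls $controls
```

Adding the device-compliance control mentioned in the answer is a matter of appending `'compliantDevice'` to `BuiltInControls` and keeping `_Operator` as `'OR'` (either control satisfies) or setting it to `'AND'` (both required).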

All replies

  • Also, is the "Enterprise Mobility + Security E3" license sufficient for this if I buy one for each user?
    Friday, August 17, 2018 9:53 PM
  • Ideally you should do that in Azure AD with a Conditional Access Policy: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

    All synchronized users will need an Azure AD Premium P1 licence.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, August 23, 2018 1:00 PM
  • Great answer, thanks!
    Tuesday, September 4, 2018 7:42 AM