
Azure Multi-Factor Authentication

Published: May 20, 2013

Updated: June 24, 2015


This topic provides an overview of multi-factor authentication in general and the Azure Multi-Factor Authentication service in particular. This topic also describes how a global administrator can use multi-factor authentication in Azure to further protect an organization's identity data in the cloud. You can enable the Multi-Factor Authentication service for Azure Active Directory (Azure AD) users or for custom applications by using the software development kit (SDK). You can enable the Multi-Factor Authentication service for on-premises applications by using Azure Multi-Factor Authentication Server.

For a video on this overview, see Azure Multi-Factor Authentication Overview on Channel 9.

Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:

  • Something you know (typically a password)

  • Something you have (a trusted device that is not easily duplicated, like a phone)

  • Something you are (biometrics)

The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn a user's password, it is useless if the attacker does not also possess the trusted device. Conversely, if the user happens to lose the device, the finder of that device will not be able to use it unless he or she also knows the user's password.

By default, the Azure AD service supports the use of passwords as its only authentication method for user sign-ins. Azure Multi-Factor Authentication is the service that requires users to also verify sign-ins by using a mobile app, phone call, or text message. You can use it together with Azure AD or together with custom applications and directories by using the SDK. You can also use it together with on-premises applications by using Multi-Factor Authentication Server. The following figure illustrates how Azure Multi-Factor Authentication works.


When you are using the service together with Azure AD, administrators can enable the service for a directory user. The next time that user signs in, the user will be prompted to set up the specifics of his or her multi-factor authentication experience. The user can specify up to three phone numbers (mobile, office, and alternate) to be used for authentication through phone calls or text messages. Also, the user must specify whether he or she will use the Multi-Factor Authentication mobile app, which offers out-of-band push and one-time passcode authentication options.

For more information about configuring the multi-factor experience in your organization, see Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server.

By offering the following options, Azure Multi-Factor Authentication provides flexibility for users and backup options if users cannot pass authentication by using their preferred method:

  • Users can download the free app from the device store and activate it by using a code that they get during setup. When the user signs in, a notification is pushed to the app on their mobile device. The user taps to approve or deny the authentication request. Cellular or Wi-Fi access is required for installing and setting up the app. After the app is installed, it can operate in the following modes to provide the additional security that a multi-factor authentication service can provide:

    The Multi-Factor Authentication app functionality has now been added to the Azure Authenticator app for Android devices. The old MFA app will still work for Android devices, but going forward Azure Authenticator will replace this app. The Windows Phone and iOS versions are still in development and will be released shortly.

    • Notification. In this mode, the Multi-Factor Authentication app prevents unauthorized access to accounts and stops fraudulent transactions. It accomplishes this by using a push notification to the phone or registered device. The user simply views the notification, and if it is legitimate, selects Authenticate. Otherwise, the user can choose to deny, or choose to deny and report, the fraudulent notification. For information about reporting fraudulent notifications, see How to configure and use Fraud Alert for Azure Multi-Factor Authentication.

    • One-Time Passcode. In this mode, the Multi-Factor Authentication app can be used as a software token to generate an Open Authentication (OATH) passcode. The user can then enter this passcode along with the user name and password to provide the second form of authentication. This option is useful in instances of spotty phone coverage.

  • Automated phone calls can be placed by the Multi-Factor Authentication service to any phone, whether landline or mobile. The user simply answers the call and presses the pound key (#) on the phone to complete the sign-in.

  • Text messages can be sent by the Multi-Factor Authentication service to any mobile phone. Each text message contains a one-time passcode. The user is prompted to either reply to the text message by using the passcode or enter the passcode on the sign-in screen.

Only phone-call and text-message options are currently available for the Multi-Factor Authentication SDK.

You can use the Multi-Factor Authentication service to help secure both cloud and on-premises applications in conjunction with Windows Server Active Directory Domain Services (AD DS) or Azure AD. An SDK is also available for helping to secure custom applications. The following solutions are available for use with Azure Multi-Factor Authentication:

  • Adding Multi-Factor Authentication to Azure Active Directory. Enable Multi-Factor Authentication for Azure AD identities, and users will be prompted to set up additional verification the next time they sign in. Use Multi-Factor Authentication to help secure access to Azure, Microsoft Online Services like Microsoft Office 365 and Microsoft Dynamics CRM Online, and non-Microsoft cloud services that integrate with Azure AD, with no additional setup. You can rapidly enable Multi-Factor Authentication for large numbers of global users and applications.

  • Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server. Enable Multi-Factor Authentication for your on-premises resources such as Internet Information Services (IIS) and AD DS by using Azure Multi-Factor Authentication Server. Multi-Factor Authentication Server enables administrators to integrate with IIS authentication to help secure Microsoft IIS web applications, Remote Authentication Dial-In User Service (RADIUS) authentication, Lightweight Directory Access Protocol (LDAP) authentication, and Windows authentication.

  • Building Multi-Factor Authentication into Custom Apps (SDK). An SDK enables direct integration with your cloud services and on-premises custom applications. Build Multi-Factor Authentication phone-call and text-message verification into your application's sign-in or transaction processes, and use your application's existing user database.

Multi-Factor Authentication for Office 365, powered by Azure Multi-Factor Authentication, works exclusively with Office 365 applications and is managed from the Office 365 portal. So administrators can now help secure their Office 365 resources by using multi-factor authentication.

The same subset of Multi-Factor Authentication capabilities for Office 365 will be available at no cost to all Azure administrators. Every administrative account of an Azure subscription can now get additional protection by enabling this core multi-factor authentication functionality. So an administrator who wants to access the Azure portal to create a VM or a web site, manage storage or mobile services, or use any other Azure service can add multi-factor authentication to his or her administrator account.

You can use the following figure to determine which type of multi-factor authentication is right for you.

MFA comparison

If you want to extend Azure Multi-Factor Authentication to all of your users, or if you want your global administrators to be able to take advantage of features such as the Management Portal, custom greetings, and reports, you must purchase and configure the service.

To begin using Multi-Factor Authentication, you first need an Azure subscription. To obtain an Azure subscription, see Azure Free Trial. Then sign in to the Azure management portal and simply create a new Multi-Factor Auth Provider. Two billing options are available:

  • Per User. Generally for enterprises that want to enable multi-factor authentication for a fixed number of employees who regularly need authentication.

  • Per Authentication. Generally for enterprises that want to enable multi-factor authentication for a large group of external users who infrequently need authentication.

Choose the model that works best for your organization. Note that after you create a Multi-Factor Authentication provider, you cannot change the billing model. You can create a new provider, but configuration and user settings will not be transferred over. For more information about purchasing Azure Multi-Factor Authentication, see Azure Pricing Details.

The following topics provide more detailed information about Azure Multi-Factor Authentication:

© 2015 Microsoft