Microsoft Azure Cloud Multi-Factor Authentication Overview
Microsoft (then Windows) Azure recently added a new security feature: multi-factor authentication. MFA exists to put an additional layer of protection around an account or around cloud services, both Microsoft's own and third-party solutions, applications and services that use Microsoft Azure Active Directory as their authentication system. On-premises infrastructure can be protected too; for example, the Multi-Factor Authentication Server can be inserted into a RADIUS chain. Interested? Below is a description of how to protect access to an Azure subscription with more than a username and password, plus a little about where to go for more complex things.
Windows Azure Multi-Factor Authentication adds an authentication layer on top of user credentials. It can protect access to both on-premises and cloud applications. The available second factors are:
• mobile applications,
• phone calls,
• text messages.
Users can pick whichever method suits them, or the administrator can enforce one. For on-premises applications, multi-factor authentication can protect remote-access VPNs, RADIUS clients and web applications (the latter through a dedicated SDK). If the application relies on Active Directory Federation Services, the directory can be synchronised from Windows Server Active Directory or another LDAP directory. Among Microsoft's own services, MFA secures access to Microsoft Azure, Microsoft Online Services, Office 365 and Dynamics CRM Online.

Let's see how to set up multi-factor authentication in Windows Azure.
To repeat the demo you need:
• a Windows Azure subscription (a free trial is enough)
• a Windows Azure Active Directory tenant
First, create an MFA provider: on the Active Directory tab of the Azure management portal, open MULTI-FACTOR AUTH PROVIDERS. Click Create and fill in the name of the provider (any logical name), the usage model (Per Enabled User) and the directory to bind the provider to. Next, create a new user on the Users page; this is required to activate MFA, because MFA does not work for Microsoft Accounts, only for organizational accounts.

Adding a user is a three-step process: the type of user account ...

... the user's roles in the organization and tenant (assign the Global Administrator role and tick the option to enable multi-factor authentication; note that Global Administrator is far more than a demo user needs, and in a real tenant the user should get the least privileged role that fits the task) ...

... and a temporary password.

Note the temporary password and finish creating the user. We will sign in as this user later. After the user is created, open the user's page and enter a mobile phone number; note that the country code is chosen from the drop-down list, not typed into the field.
Excellent, the infrastructure tasks for our simple scenario are done. Now sign out of the portal and sign in again as the new user. A new prompt appears, Set it up now, which means the tenant administrator has required MFA for this user.

The MFA settings page for the user has all the necessary fields: the authentication method, the phone number, and the choice between a text message and a call.

On the next page we are asked to verify the chosen method. In our case a pleasant female voice on the phone tells us what to press to get through the additional security layer. Try signing in to Azure with the new account; the experience is the same.
Now let's look at more complex scenarios: using MFA for the directory and on-premises.
To use MFA on-premises, for example to integrate with IIS, RADIUS, Windows authentication or even LDAP, we need to download and install the Multi-Factor Authentication Server. To download it, click the MFA provider created earlier, open its management page and choose Server, then Download.


While the server is downloading, also click Generate Activation Credentials; they are needed to activate the server after installation.
Install and activate the server. Note that the activation credentials are valid for only 10 minutes after they are generated, so do not put off activation.

While configuring the server you will see many interesting options; for example, on the Applications tab you can choose which services and applications MFA will protect.

The MFA server is configured against the default AD directory, but reconfiguring it or adding another directory is no problem: select Synchronization on the Directory Integration tab, click Add, then configure the synchronization and its frequency.

Another typically corporate feature is integrating MFA with RADIUS to protect VPNs and products such as Microsoft Unified Access Gateway, TMG or even Remote Desktop Gateway. Integration is set up on the RADIUS Authentication tab: the VPN or gateway is registered as a RADIUS client with a shared secret, the MFA server checks the first factor against the directory, drives the second factor, and only then returns Access-Accept to the client.
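The RADIUS leg described above, as an added example that is not part of the original post and is not Microsoft's MFA Server code: a toy RADIUS exchange in Python between a VPN appliance (the RADIUS client, or NAS) and an MFA server that verifies the primary password, answers with Access-Challenge carrying a State attribute, and only returns Access-Accept once a one-time code bound to that State arrives. The packet layout, the User-Password hiding and the Response Authenticator follow RFC 2865; the user table, shared secret, password and one-time code are constructed for the demo, and the challenge-with-OTP flow is only one of the second-factor styles the real server supports.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SHARED_SECRET = b"constructed-demo-secret"  # constructed for this demo; use a long random secret for real

def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def password_xor(data, secret, request_auth, encrypt):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous cipher block); the Request Authenticator seeds the chain."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (mixed if encrypt else block)
    return out if encrypt else out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

class MfaRadiusServer:
    """Toy stand-in for the MFA server in the RADIUS chain: verifies the primary
    credential, then hands out a State and demands a one-time code bound to it."""

    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}  # users: constructed table standing in for AD

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME)
        if code != ACCESS_REQUEST or user is None or USER_PASSWORD not in a:
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        presented = password_xor(a[USER_PASSWORD], self.secret, req_auth, encrypt=False)
        if STATE not in a:  # first leg: primary credential
            if self.users.get(user, {}).get("password") != presented:
                return self._reply(ACCESS_REJECT, ident, req_auth, [(REPLY_MESSAGE, b"Bad credentials")])
            state = os.urandom(8)
            self.pending[state] = user
            return self._reply(ACCESS_CHALLENGE, ident, req_auth,
                               [(REPLY_MESSAGE, b"Enter one-time code"), (STATE, state)])
        # second leg: the State is single-use and must belong to the same user
        if self.pending.pop(a[STATE], None) == user and self.users[user]["otp"] == presented:
            return self._reply(ACCESS_ACCEPT, ident, req_auth, [(REPLY_MESSAGE, b"MFA OK")])
        return self._reply(ACCESS_REJECT, ident, req_auth, [(REPLY_MESSAGE, b"Second factor failed")])

    def _reply(self, code, ident, req_auth, attrs):
        return build_packet(code, ident, response_authenticator(code, ident, attrs, req_auth, self.secret), attrs)

def nas_request(secret, ident, user, password, state=None):
    """What the VPN (NAS) sends: fresh random Request Authenticator, hidden User-Password."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, password_xor(password, secret, req_auth, encrypt=True))]
    if state is not None:
        attrs.append((STATE, state))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def reply_is_authentic(secret, reply, req_auth):
    """The NAS must check the Response Authenticator, or a spoofed UDP Access-Accept opens the VPN."""
    code, ident, resp_auth, attrs = parse_packet(reply)
    return hmac.compare_digest(resp_auth, response_authenticator(code, ident, attrs, req_auth, secret))

def vpn_login(server, user, password, otp):
    """Two-leg exchange seen from the NAS; returns the final RADIUS code."""
    req, ra = nas_request(SHARED_SECRET, 1, user, password)
    reply = server.handle(req)
    if not reply_is_authentic(SHARED_SECRET, reply, ra):
        return ACCESS_REJECT
    code, _, _, attrs = parse_packet(reply)
    if code != ACCESS_CHALLENGE:
        return code
    req, ra = nas_request(SHARED_SECRET, 2, user, otp, dict(attrs)[STATE])
    reply = server.handle(req)
    return parse_packet(reply)[0] if reply_is_authentic(SHARED_SECRET, reply, ra) else ACCESS_REJECT
```

The points worth taking from it: the State is single-use, so a captured second-leg request cannot be replayed; the NAS checks the Response Authenticator before trusting an Access-Accept, so a forged reply from a host that can spoof UDP toward the VPN is discarded; and everything rests on the shared secret, which should be long, random and known only to the VPN and the MFA server. User-Password hiding with MD5 is obfuscation rather than encryption, so the RADIUS path between the VPN and the MFA server belongs on a trusted segment or inside a tunnel.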

Summary
We looked at the Windows Azure Active Directory Multi-Factor Authentication feature. Setting it up has been greatly simplified since it was first released, and there are now no particular problems configuring MFA either in simple scenarios, such as an extra layer of security for signing in to a Windows Azure subscription, or in more complex corporate ones, such as RADIUS integration. Other scenarios will follow later.