| title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.workload | ms.tgt_pltfrm | ms.devlang | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Azure MFA cloud vs server | Microsoft Docs |
Choose the multi-factor authentication security solution that is right for you by asking, what am I trying to secure and where are my users located. Then choose cloud, MFA Server or AD FS. |
multi-factor-authentication |
kgremban |
femila |
yossib |
ec2270ea-13d7-4ebc-8a00-fa75ce6c746d |
multi-factor-authentication |
identity |
na |
na |
get-started-article |
01/06/2017 |
kgremban |
Because there are several flavors of Azure Multi-Factor Authentication (MFA), we must answer a few questions to figure out which version is the proper one to use. Those questions are:
The following sections provide guidance on determining each of these answers.
To determine the correct two-step verification solution, first we must answer the question of what are you trying to secure with a second method of authentication. Is it an application that is in Azure? Or a remote access system? By determining what we are trying to secure, we can answer the question of where Multi-Factor Authentication needs to be enabled.
| What are you trying to secure | MFA in the cloud | MFA Server |
|---|---|---|
| First-party Microsoft apps | ● | ● |
| SaaS apps in the app gallery | ● | ● |
| IIS applications published through Azure AD App Proxy | ● | ● |
| IIS applications not published through Azure AD App Proxy | ● | |
| Remote access such as VPN, RDG | ● |
Next, looking at where our users are located helps to determine the correct solution to use, whether in the cloud or on-premises using the MFA Server.
| User Location | MFA in the cloud | MFA Server |
|---|---|---|
| Azure Active Directory | ● | |
| Azure AD and on-premises AD using federation with AD FS | ● | ● |
| Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect - no password sync | ● | ● |
| Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect - with password sync | ● | |
| On-premises Active Directory | ● |
The following table is a comparison of the features that are available with Multi-Factor Authentication in the cloud and with the Multi-Factor Authentication Server.
| Feature | MFA in the cloud | MFA Server |
|---|---|---|
| Mobile app notification as a second factor | ● | ● |
| Mobile app verification code as a second factor | ● | ● |
| Phone call as second factor | ● | ● |
| One-way SMS as second factor | ● | ● |
| Two-way SMS as second factor | ● | |
| Hardware Tokens as second factor | ● | |
| App passwords for clients that don’t support MFA | ● | |
| Admin control over authentication methods | ● | |
| PIN mode | ● | |
| Fraud alert | ● | ● |
| MFA Reports | ● | ● |
| One-Time Bypass | ● | |
| Custom greetings for phone calls | ● | ● |
| Customizable caller ID for phone calls | ● | ● |
| Trusted IPs | ● | ● |
| Remember MFA for trusted devices | ● | |
| Conditional access | ● | ● |
| Cache | ● | ● |
Now that we have determined whether to use cloud multi-factor authentication or the MFA Server on-premises, we can get started setting up and using Azure Multi-Factor Authentication. Select the icon that represents your scenario!
