Azure Multi-factor Authentication allows you to protect your applications and systems by adding a second factor of authentication to logins. This course will teach you how to integrate Azure MFA with on-premises and cloud-based systems.
Username and password authentication is susceptible to many forms of attacks, and multi-factor authentication offers a way to mitigate this threat. Azure multi-factor authentication is a global service that allows you to add a second factor of authentication to your on-premises and cloud based systems using a hardware device already in the hands of your users and customers - their mobile phone. In this course, Implementing and Managing Azure Multi-factor Authentication, you'll learn how to configure Azure MFA in the cloud and on-premises. First you'll learn the self-service options available to users and business administrators, and how to integrate Azure MFA with a variety of technologies and applications. Next, you'll explore the configuration options to integrate Azure MFA with your existing systems. Finally, you'll learn how developers can code against the APIs for even deeper integration. By the end of this course, youâ€™ll know how to deploy, configure, and monitor Azure MFA, in the cloud and on-premises.
Neil is a solutions architect and developer, with a passion for web development, architecture, and security. He has worked in large and small IT organizations, written articles on development, and spoken at local .NET user groups. Neil has several Microsoft Certifications, including MCPD, MCSA, and MCSD.
Course Overview Hi, everyone. My name is Neil Morrissey, and welcome to my course Implementing and Managing Azure Multi-factor Authentication. I'm a senior IT architect with over 13 years experience developing solutions using Microsoft technologies. We've all seen stories in the news about systems getting compromised and data being stolen. A major study in 2016 found that 63% of confirmed data breaches involved weak, default, or stolen passwords. We need a better way to prove that a user is who they say they are before allowing them access to our applications and systems. In this course we're going to go in depth on Microsoft's global multi-factor authentication service that allows you to better verify a user's identity and protect your systems with an additional layer of authentication that uses hardware devices that are already in the hands of your customers and users, their mobile phone. You'll learn all the different ways to protect on-premises and cloud-based systems with Azure MFA. You'll understand the self-service options available to users and business administrators, so increasing security doesn't have to come with an administrative burden. And we'll go in depth on the configuration options to integrat Azure MFA with your existing systems, as well as how developers can code against the APIs for even deeper integration. By the end of this course you'll know how to deploy, configure, and monitor Azure MFA in the cloud and on-premises. I hope you'll join me on this journey to learn how to better protect your users and applications in this Pluralsight course on Implementing and Managing Azure Multi-factor Authentication.
Configuring Azure MFA in the Cloud In this module, we're going to go over some of the setup of Azure MFA within Microsoft Azure. This will include the licensing options and the configuration that needs to be done in Azure, whether you plan to use Azure MFA exclusively in the cloud with Azure Active Directory, or whether you want to integrate with your on premise AE and applications. We'll go through setting up an MFA provider in the cloud and discuss the various features you can leverage, so let's get started.
Implementing Azure MFA Server On-premises So, we've looked at setting up an MFA Provider in the cloud and some of the usage scenarios in the cloud. Now, let's get into how to set up Azure MFA within your enterprise. In coming modules, we'll go in depth on integration with particular technologies in application development, but first, we need to set up the heart of your Azure MFA on-premises deployment, which is the Azure MFA Server. We're going to talk about how Azure MFA Server works. We'll look at how to install and configure it, company-wide settings and defaults, including how to configure the information that gets sent to the cloud service. We'll set up email integration. We'll go over importing and managing users. And lastly, we'll look at how to install the Web Services SDK, which are the services that allow a variety of applications to communicate with the Azure MFA Server. So, let's get started with an overview of Azure MFA Server.
The MFA User Portal for Self-service and Administration We saw in the module on Azure MFA Server that you can set up import of users from your directory, along with synchronizing changes, and that you can manage multi-factor authentication for those users. But that required an administrator to log on to the server hosing Azure MFA Server, and administer the users from the administrative interface, which is a Windows application. In this module, we'll see how you can delegate some of the administration of MFA users to users themselves. First, we'll go through an overview of the user portal. I'll do a demo on installing the user portal on a virtual machine, then we'll look at self-service options that you can enable for users to manager their own accounts. We'll see how administration can be delegated to user portal administrators to manage groups of users, or you might use this for help desk support. Next, we'll look at how forms-based applications protected with IIS authentication can leverage the user portal to enroll users. We'll end with a demonstration of how you can customize the look and feel of the user portal using standard CSS and can use your own company logo in place of the default PhoneFactor branding.
Configuring the Microsoft Authenticator and OATH Clients Most of the authentication modes with Azure MFA are pretty straightforward. We've seen phone call authentication and text message authentication, both one-way and two-way. In this module, we're going to look at the other options you've seen in the MFA Server admin screens, which are the Microsoft Authenticator App and OATH tokens. We'll begin with an overview of the Microsoft Authenticator App, which you download to your mobile device. Then we'll go through installing and configuring the web service that's required in order to register the Microsoft Authenticator App within your enterprise. Before authentications can take place with the app, it needs to be registered with the MFA Server. So we'll go through the ways to do that, as well as some troubleshooting tips. Then we'll shift to looking at OATH, which is an open-source algorithm for time-based one-time passwords, not to be confused with OAuth, the open standard for authorization, and we'll talk about the differences there. Then we'll finish with an example of how to use another OATH client for authentication with MFA Server.
Custom App Integration with the Azure SDKs In this module, we're going to look at how you can call Azure MFA from your custom application code. We'll examine the two SDK's that come with Azure MFA. There's the multi-factor authentication SDK that you download from the portal and it gives you a lightweight way to call the MFA provider in the Cloud to make SMS and phone call authentications. You'll see a demo on how to download and integrate the SDK code into a test application. And then we'll use it in a forms based application to add a multi-factor authentication to a website login. Then we'll look at the web service SDK, this is the name given to the web service that gets installed on the Azure MFA Server on Premises and the web service SDK is used by the ADFS adapter, the user portal, and the mobile app web service, but you can also add a reference to the ASMX web service to your own application code and call the same methods used by those other components. So I'll do an overview of the web service SDK and you'll see how to integrate it into an ASP. NET MVC site.
Protecting Cloud-based Applications We spent a lot of time looking at how Azure MFA can be used with on-premises applications. This module is going to focus on applications that are hosted in the cloud. We'll look at Office 365 applications, and also a platform as a service web applications hosted in Azure App Services. We'll start by discussing app passwords. We saw those in the second module when we configured MFA in the cloud. And now we'll get into how they're used by non-browser-based applications, like Microsoft Office. Then you'll see a couple of examples of older applications that can use Office 365, but still require app passwords in order to bypass multi-factor authentication, when it's turned on. Then I'll show you how to turn on modern authentication in Office 365 for newer email clients, like Outlook 2016 and Outlook 2013. Modern authentication is how desktop and mobile applications can leverage cloud sign in with MFA. Then we'll look at how to enable more MFA features for Office 365 users by managing Office 365 directory within Azure. We saw basic MFA for Office 365 in the second module, and now we'll go a step further. We'll link the Office 365 directory to the Azure portal, and we'll also purchase and add a direct license for users. Then we'll look at web applications hosted in the cloud on Azure platform as a service. I'll do demos on two scenarios. The first, where the web app uses Azure AD for its identity store. And then a scenario where a claims-based web application hosted an Azure app services, uses ADFS on-premises to authenticate against an on-premises active directory that's been exposed to the internet via web application proxy.