With Microsoft’s announcement to discontinue MFA via the Microsoft MFA server and a rebranding to Microsoft Entra ID (formerly Azure AD), many organizations are at a crossroads: embrace the cloud-based Azure AD (now Microsoft Entra ID) MFA or maintain on-premise authentication.
This decision isn’t one-size-fits-all. While cloud migration may be the ideal path for some, others need an on-premise authentication solution to meet regulatory requirements, fit existing infrastructure, or address security concerns.
In this article, we’ll clarify the differences between Azure Multi-Factor Authentication (MFA) and the old MFA server. Additionally, we’ll delve into the reasons why organizations might want to maintain MFA on-premises and how third-party solutions like UserLock MFA can help.
What is Azure AD MFA?
Azure AD Multi-Factor Authentication (MFA) — now known as Microsoft Entra ID — provides an extra layer of security on the user level. Azure AD MFA operates by necessitating the usage of at least 2 authentication methods concurrently. These methods involve using a password, a trusted device like a mobile phone, and biometric verification techniques like fingerprint recognition or facial scanning.
Microsoft Entra ID leverages the power of the cloud to provide MFA for users. This means that authentication processes are no longer confined to on-premise servers. Users can authenticate from anywhere with an internet connection.
When you use the on-premises MFA Server, you keep user data within your local servers so it isn’t stored in the cloud. For 2-step verification, the MFA Server communicates with the Azure MFA cloud service to carry out the verification process.
Microsoft Entra ID offers a variety of authentication methods, including push notifications, phone calls, text messages, and authenticator apps. This diversity ensures that users can choose the method that best suits their preferences and security needs.
In terms of pricing, Microsoft Entra ID offers different pricing tiers to accommodate organizations of various sizes and needs. The cost for MFA services varies, with options such as the Microsoft Entra ID P1 plan at $6/user/month and the Microsoft Entra ID P2 plan at $9/user/month.
Differences between AD MFA vs. Azure AD MFA
AD MFA and Azure AD MFA are both security features from Microsoft to enhance the authentication process for users accessing resources in an organization’s environment. But they differ in several ways:
- AD MFA: AD MFA primarily focuses on securing on-premises Active Directory environments. It’s often used in conjunction with VPNs, Remote Desktop Services, and other on-premises services.
- Azure AD MFA: Azure AD MFA is designed for securing cloud-based resources and services, so it’s more cloud-centric and integrates seamlessly with Azure AD.
- AD MFA: It’s an on-premise solution that you install and manage within your own on-premises data center. It allows you to use MFA for applications and services hosted on-premises.
- Azure AD MFA: This is a cloud-based service that doesn’t require on-premises hardware or third-party solutions — it’s managed through the Azure portal.
Integration with on-premises resources
- AD MFA: It can be integrated with a wide range of on-premise applications and services that support RADIUS, LDAP, or other standard authentication protocols.
- Azure AD MFA: Primarily focused on cloud-based applications and services, Azure AD can be used with on-premise resources through Azure AD Application Proxy or VPN solutions. Even so, it may not provide the same level of integration and flexibility as Azure MFA server for on-premise systems.
- AD MFA: Since AD MFA is limited to the capacity of on-premises infrastructure, it may require additional investment for scaling.
- Azure AD MFA: Scalable to accommodate a larger number of users and can handle increased workloads as your organization grows.
- AD MFA: You have more control over the customization of MFA policies and settings, making it suitable for organizations with specific security requirements.
- Azure AD MFA: Some customization of access policies is possible but advanced capabilities such as conditional access policies may require additional licensing.
- AD MFA: Users may need to use separate authentication methods for on-premises and cloud resources. This may lead to a disjointed user experience.
- Azure AD MFA: Offers a unified authentication experience for both on-premises and cloud resources, making it easier for users.
- AD MFA: Requires separate licensing and is typically not included in Azure AD or Office 365 licenses.
- Azure AD MFA: Azure AD MFA may be included with certain Microsoft 365 and Azure AD licensing plans, but additional licensing may be required for certain advanced features.
When to consider a third-party solution?
Here are the four primary reasons why organizations may think about the adoption of a third-party on-premises MFA solution.
Managing a separate directory within Azure AD can be a time-consuming endeavor. In an era where cost-saving measures are paramount, and IT resources are in high demand, additional administrative overhead is something most organizations strive to avoid.
Third-party on-premises MFA solutions can offer streamlined management while still securing access to cloud resources through secure single sign-on (SSO).
2. Cost considerations
Azure AD can be financially demanding. If an organization neither uses nor requires Azure for other purposes, investing solely for MFA can lead to a significant cost burden. Third-party MFA solutions often provide cost-effective alternatives.
3. Security concerns
While cloud-based authentication offers convenience, it also introduces certain vulnerabilities that on-premises environments do not contend with.
Moreover, Azure AD may not support MFA on all connection types, leaving potential security gaps. On-premises Windows MFA solutions can bolster security measures and tailor authentication to specific needs, securing all connection types.
4. Compliance obligations
Certain industries and government organizations must comply with stringent regulatory requirements that require authentication to stay on-premises. For these entities, compliance obligations make it impossible to consider cloud-based MFA solutions.
Third-party on-premise MFA solutions provide a pathway to support compliance while still allowing secure access to cloud resources.
Why is UserLock a perfect solution for Windows MFA?
When evaluating Windows MFA solutions, you’re looking for one that aligns with your organization’s unique needs. With its granular controls, UserLock allows you to decide how to best balance security and productivity for your organization.
One of the standout benefits of UserLock is its ability to integrate with your existing AD seamlessly. This means it builds on existing investment in AD, without adding more administrative work. In fact, UserLock enhances native Active Directory monitoring and auditing for network access, resulting in significant time saving for IT teams.
Read a case study on how UserLock simplifies IT’s work by reducing between 70% to 90% the time spent monitoring and auditing user network access.
Secondly, UserLock offers a cost-effective MFA solution developed to accommodate organizations of all sizes. Unlike investing solely in Azure AD, UserLock provides budget-friendly MFA options that ensure cost efficiency without compromising security. You can request a quote here.
Last but not least, UserLock excels in providing granular MFA capabilities across all connection types. It empowers administrators to fine-tune when and under what circumstances to prompt users for MFA. This flexible approach ensures enhanced security without slowing down productivity.
For organizations navigating the complexities of compliance, including industry-specific regulations that demand on-premises authentication, UserLock is here to support. It helps you achieve the highest levels of compliance, ensuring your authentication practices align with regulatory standards.
In fact, UserLock supports compliance with GDPR, PCI, SOX, HIPAA, ISO 27001, and NIST. You can learn more about how UserLock supports compliance here.
Final thoughts on Azure MFA Server vs. Azure AD MFA
As Microsoft phases out the MFA Server, organizations relying on Microsoft MFA will need to evaluate whether Azure AD MFA will meet their needs. For organizations seeking an alternative, UserLock offers a seamless and effective MFA solution tailored for on-premises or hybrid Active Directory environments.
As you explore your options for Windows MFA, you can see for yourself just how straightforward and efficient MFA can be with UserLock. Sign up for a free trial today.