Azure MFA Server vs. Azure AD MFA: What’s the difference?

With Microsoft’s announcement to discontinue MFA via the Microsoft MFA server and a rebranding to Microsoft Entra ID (formerly Azure AD), many organizations are at a crossroads: embrace the cloud-based Azure AD (now Microsoft Entra ID) MFA or maintain on-premise authentication.

This decision isn’t one-size-fits-all. While cloud migration may be the ideal path for some, others need an on-premise authentication solution to meet regulatory requirements, fit existing infrastructure, or address security concerns.

In this article, we’ll clarify the differences between Azure Multi-Factor Authentication (MFA) and the old MFA server. Additionally, we’ll delve into the reasons why organizations might want to maintain MFA on-premises and how third-party solutions like UserLock MFA can help.

What is Azure AD MFA?

Azure AD MFA, now known as Microsoft Entra ID MFA, provides an extra layer of security on the user level. Azure AD MFA operates by necessitating the usage of at least two authentication methods concurrently. These methods involve using a password, a trusted device like a mobile phone, and biometric verification techniques like fingerprint recognition or facial scanning.

Microsoft Entra ID leverages the power of the cloud to provide MFA for users. This means that authentication processes are no longer confined to on-premise servers. Users can authenticate from anywhere with an internet connection.

When you use the on-premises MFA Server, you keep user data within your local servers so it isn’t stored in the cloud. For 2-step verification, the MFA Server communicates with the Azure MFA cloud service to carry out the verification process.

Microsoft Entra ID offers a variety of authentication methods, including push notifications, phone calls, text messages, and authenticator apps. This diversity ensures that users can choose the method that best suits their preferences and security needs.

In terms of pricing, Microsoft Entra ID offers different pricing tiers to accommodate organizations of various sizes and needs. The cost for MFA services varies, with options such as the Microsoft Entra ID P1 plan at $6/user/month and the Microsoft Entra ID P2 plan at $9/user/month.

Differences between AD MFA vs. Azure AD MFA

AD MFA and Azure AD MFA are both security features from Microsoft to enhance the authentication process for users accessing resources in an organization’s environment. But they differ in several ways:

Scope

• AD MFA: AD MFA primarily focuses on securing on-premises Active Directory environments. It’s often used in conjunction with VPNs, Remote Desktop Services, and other on-premises services.

• Azure AD MFA: Azure AD MFA is designed for securing cloud-based resources and services, so it’s more cloud-centric and integrates seamlessly with Azure AD.

Deployment location

• AD MFA: It’s an on-premise solution that you install and manage within your own on-premises data center. It allows you to use MFA for applications and services hosted on-premises.

• Azure AD MFA: This is a cloud-based service that doesn’t require on-premises hardware or third-party solutions — it’s managed through the Azure portal.

Integration with on-premises resources

• AD MFA: It can be integrated with a wide range of on-premise applications and services that support RADIUS, LDAP, or other standard authentication protocols.

• Azure AD MFA: Primarily focused on cloud-based applications and services, Azure AD can be used with on-premise resources through Azure AD Application Proxy or VPN solutions. Even so, it may not provide the same level of integration and flexibility as Azure MFA server for on-premise systems.

Scalability

• AD MFA: Since AD MFA is limited to the capacity of on-premises infrastructure, it may require additional investment for scaling.

• Azure AD MFA: Scalable to accommodate a larger number of users and can handle increased workloads as your organization grows.

Customization

• AD MFA: You have more control over the customization of MFA policies and settings, making it suitable for organizations with specific security requirements.

• Azure AD MFA: Some customization of access policies is possible but advanced capabilities such as conditional access policies may require additional licensing.

User experience

• AD MFA: Users may need to use separate authentication methods for on-premises and cloud resources. This may lead to a disjointed user experience.

• Azure AD MFA: Offers a unified authentication experience for both on-premises and cloud resources, making it easier for users.

Licensing

• AD MFA: Requires separate licensing and is typically not included in Azure AD or Office 365 licenses.

• Azure AD MFA: Azure AD MFA may be included with certain Microsoft 365 and Azure AD licensing plans, but additional licensing may be required for certain advanced features.

When to consider a third-party solution

Here are the four primary reasons why organizations may think about the adoption of a third-party on-premises MFA solution.

1. Time-efficiency

Managing a separate directory within Azure AD can be a time-consuming endeavor. In an era where cost-saving measures are paramount, and IT resources are in high demand, additional administrative overhead is something most organizations strive to avoid.

Third-party on-premises MFA solutions can offer streamlined management while still securing access to cloud resources through secure single sign-on (SSO).

2. Cost considerations

Azure AD can be financially demanding. If an organization neither uses nor requires Azure for other purposes, investing solely for MFA can lead to a significant cost burden. Third-party MFA solutions often provide cost-effective alternatives.

3. Security concerns

While cloud-based authentication offers convenience, it also introduces certain vulnerabilities that on-premises environments do not contend with.

Moreover, Azure AD may not support MFA on all connection types, leaving potential security gaps. On-premises Windows MFA solutions can bolster security measures and tailor authentication to specific needs, securing all connection types.

4. Compliance obligations

Certain industries and government organizations must comply with stringent regulatory requirements that require authentication to stay on-premises. For these entities, compliance obligations make it impossible to consider cloud-based MFA solutions.

Third-party on-premise MFA solutions provide a pathway to support compliance while still allowing secure access to cloud resources.

Why UserLock is a perfect solution for Windows MFA

When evaluating Windows MFA solutions, you’re looking for one that aligns with your organization’s unique needs. With its granular controls, UserLock allows you to decide how to best balance security and productivity for your organization.

One of the standout benefits of UserLock is its ability to integrate with your existing AD seamlessly. This means it builds on existing investment in AD, without adding more administrative work. In fact, UserLock enhances native Active Directory monitoring and auditing for network access, resulting in significant time saving for IT teams.

Read a case study on how UserLock simplifies IT’s work by reducing between 70% to 90% the time spent monitoring and auditing user network access.

Secondly, UserLock's cost-effective MFA solution makes it a good fit for small and large organizations alike.

Last but not least, UserLock excels in providing granular MFA capabilities across all connection types. It empowers administrators to fine-tune when and under what circumstances to prompt users for MFA. This flexible approach ensures enhanced security without slowing down productivity.

For organizations navigating the complexities of compliance, including industry-specific regulations that demand on-premises authentication, UserLock is here to support. It helps you achieve the highest levels of compliance, ensuring your authentication practices align with regulatory standards.

In fact, UserLock supports compliance with major regulations such as GDPR, PCI, SOX, HIPAA, ISO 27001, and NIST.