Simplify on-premise management for Microsoft 365 MFA
There are many reasons why organizations based on-premise look to manage a single on-premise MFA solution across Windows MFA and Microsoft 365 MFA. Here's how UserLock can help.
Published October 8, 2024
The arrival of cloud platforms 15 years ago created a huge technological disruption that organizations still struggle with today. Before the cloud, organizations ran their infrastructure in a data center model we now call “on-premise.” The cloud offered them the alternative of hosting some or all of this on a service provider’s network. UserLock helps on-premise organizations looking to manage a single on-premises multi-factor authentication (MFA) solution across local Windows access and Microsoft 365 MFA.
Today, many organizations are stuck in a hybrid state between two poles: on-premise and cloud. This can create huge complexity.
And nowhere is this truer than when implementing MFA and access controls that cover both on-premise Active Directory and cloud resources.
At one extreme are the organizations adopting hybrid access. They want to migrate to the cloud wholesale and abandon their on-premise infrastructure over time.
At the other extreme are organizations committed to on-premise networks. These organizations must continue to run their own data centers for regulatory reasons or to support legacy applications that can’t be migrated.
Few organizations today can (or want to) avoid the cloud completely. The use of cloud software-as-a-service (SaaS) platforms such as Microsoft 365 forces IT teams to find a way to integrate these services within an on-premise setup.
This is not as easy as it should be. On-premise Microsoft environments are designed to work with the local Active Directory (AD) directory service at their core.
It follows that on-premise MFA and access controls are enforced using the on-premise Active Directory identity.
Microsoft 365, by contrast, is oriented towards the cloud directory, Entra ID (formerly Azure AD). In cloud land, MFA and access controls are enforced using the Microsoft Entra ID identity.
Any organization wanting to preserve on-premise systems while using SaaS applications must work out how to integrate two different environments.
The biggest challenge: to manage and secure both.
Aware of this issue, Microsoft offers a few tools to integrate on-premise AD with its cloud platform. Active Directory Federated Services (AD FS) is an older on-premise tool, and Microsoft Entra Connect (Formerly Azure AD Connect) is a newer suite of tools oriented towards cloud and SaaS integration with Microsoft Entra ID.
From an on-premise perspective, working out the best option can be confusing.
Compounding this confusion is that by default Microsoft 365 (hosted in the cloud) uses Microsoft Entra ID as its identity and access management (IAM) system. For on-premise environments built on AD, this creates more issues.
These organizations must be prepared to:
Give up control of IAM: Using Entra ID is a non-starter for any organization that wants to retain control over IAM.
Depend on an Internet connection: Adopting Entra ID as an IAM system requires (or rather, assumes) that all computers authenticating via Entra ID always have Internet connectivity, which is difficult to guarantee in some environments.
Implement cloud-based security for legacy application access: Most legacy applications were built to work with on-premise AD and aren't compatible with Entra ID.
The whole point of on-premise networking is to retain control over core functions, especially security, identity, authentication, and access control.
For many organizations with infrastructure built around on-premise Active Directory, handing these core functions to an external platform such as Entra ID runs counter to this.
While Microsoft’s tools can ease integration between on-premise and its SaaS services, they come with pros and cons of their own in terms of additional infrastructure and expense.
AD FS is designed for on-premise networks but can be complex and expensive to manage. There are also technical limitations, especially when it comes to implementing Microsoft 365 MFA.
AD FS allows organizations to continue using their on-premise AD identity while federating and synchronizing with Entra ID and Microsoft 365 through a single SSO credential. AD FS’s advantage is that it is an on-premise tool, which means that it integrates well with an organization’s existing on-prem AD.
Unfortunately, there's a reason why AD FS has a reputation for being complex and clunky to manage. It’s difficult to troubleshoot when problems occur. In terms of authentication, it is also limited because its preferred service, Azure MFA Server, was recently deprecated.
Microsoft Entra Connect is built around the needs of cloud-based applications, which brings complexities of its own.
Microsoft Entra Connect packages AD FS with more advanced tools, including Entra Connect Sync for user, password, and group synchronization with Entra ID.
Although included as part of Entra ID subscriptions, Microsoft Entra Connect can also be complex to administer. It’s not simple to set up and manage synchronization between the on-premise AD and cloud Entra ID directories.
To ensure that access to the network remains as seamless and secure as possible, admins can deploy a simple single sign-on (SSO) password credential secured by MFA.
For this to work, synchronization and identity management between the two domains (users, groups, passwords, and conditional monitoring) must work perfectly.
Day to day, this can create significant management overhead. Any failure to get this right every time can result in on-premise or remote users being locked out of Microsoft 365.
Over time, cloud platforms and SaaS continue to replace many functions of on-premise networking. Despite this, many organizations continue to run on-premise Microsoft infrastructure to support a wide range of use cases:
Support important legacy applications that can’t be migrated to the cloud.
Comply with regulations that require organizations to retain full control over sensitive data without depending on external providers.
Maximize cost savings since SaaS platforms can be expensive, and many organizations prefer to get value from their existing on-premise infrastructure.
Many organizations don’t want to be completely locked out of the cloud, so they pursue a hybrid approach that combines the best elements of both worlds.
The difficulty is that this requires IT to build a more complex environment encompassing internal and external applications, synchronized with one another.
A hybrid network prioritizing on-premise control often results in an uneasy compromise between older on-premise systems and newer ones oriented towards the cloud.
Organizations must address several issues:
Integration: Integrating on-premise with cloud and SaaS can be complex and expensive, requiring additional infrastructure.
Attack surface: Two networks increase the attack surface, especially where remote users come into the equation as they now often do in SaaS deployments. In an era of zero trust, implementing multi-layered security on access is paramount, especially protections such as MFA.
Credential sprawl: Inevitably, SaaS means more logins. More logins equal more credentials, which negatively affects the user experience. To avoid this, integration needs to consider how to implement single sign-on (SSO).
While the cloud brings advantages to many organizations, it can make life more difficult for IT teams at organizations that want to remain on-premise first. For one, it isn't easy to set up MFA and access controls for SaaS. The whole process is full of hidden traps.
There's a real-world problem that IT teams are looking to solve here: the need to keep things as simple as possible.
More often than not, this means IT wants to (or needs to) manage as much as possible within their network.
But the additional complexity of SaaS seems to work against this.
Too often, adding hybrid access security to on-prem networks means putting up with extra complexity and expense.
That’s because the IAM solution industry has moved on to the cloud, leaving on-premise and hybrid networks to solve the problem of integration and security on their own.
UserLock brings a clear advantage to on-premise and hybrid environments: the ability to keep things simple.
That's because UserLock is designed around the principle that on-premise networks should retain as much control as possible. This allows IT to retain the centralization and control that is so important in on-premise environments.
Through UserLock, organizations can continue to use existing on-premise AD identity while securely integrating access to Microsoft 365 and other SaaS applications.
UserLock combines SAML-based single sign-on (SSO) with MFA and access controls to cover the main use cases in on-premise and hybrid networking. So there's no need for complex middleware riddled with hidden compromises.
Read more: How SAML works with Active Directory
Since UserLock SSO is hosted on-premise, IT can retain Active Directory as the authoritative Identity Provider (IdP). For secure access to Microsoft 365, the end user authenticates with their existing on-premise credentials.
Depending on whether the admin has set up MFA for Microsoft 365 access, and under what conditions, end users may also receive an MFA prompt.
Read more: UserLock and Microsoft 365 in on-premise Active Directory
UserLock SSO can also be hosted on a virtual network and use Entra ID as the authoritative identity provider. For access to SaaS applications, the user is authenticated with their Entra ID credentials. Users may also receive a prompt for MFA, depending on the conditions that IT has set.
Read more: UserLock and Microsoft 365 with Microsoft Entra ID Domain Services
In place of complexity, UserLock provides multi-factor authentication (MFA), access controls, user monitoring, and single sign-on (SSO) from a single, integrated platform.
Simplicity for admins: Admins manage one identity and access management platform that unifies access for multiple types of connectivity, including SaaS, IIS applications, VPNs, and RDP under a single console.
Simplicity for end-users: Users get the ease of a single credential and up to two authentication options, including authenticator apps, hardware tokens, and push notifications.
UserLock is different. It makes on-premise the focus for user and security management. Through UserLock, on-premise administrators can get the best of both worlds — on-premise and the cloud — without compromising simplicity.