SharePoint MFA: Secure access to SharePoint on-premise and online
Simplify SharePoint MFA implementation with UserLock — a single MFA solution based on-premise that extends access security to SharePoint Online and SharePoint On-Premise.
Published November 6, 2024
Organizations today are using more applications than ever before. As SaaS platform adoption grows, so does the number of credentials each user needs to manage. With more credentials comes increased risk, leading to more security compromises and data breaches. Enabling a multi-factor authentication (MFA) solution for access to applications like SharePoint helps stop unwanted access.
Teams use Microsoft SharePoint as a vital platform for content management, automation, and business analytics, which makes SharePoint data a treasure trove of documents, calendars, contact lists, and more. Naturally, this value makes SharePoint an attractive target for attackers looking to set up a data breach or ransomware attack.
This importance also means security teams have their work cut out defending it. As with so many of today’s application platforms, SharePoint’s main vulnerability is compromised credentials. For an attacker, exploiting the trusted status of a legitimate user is always the quickest way to get behind any defenses.
Attackers routinely obtain credentials through phishing or brute force attacks, sometimes combined with exploiting unpatched vulnerabilities in SharePoint. While both are effective ways to compromise SharePoint, stealing credentials is arguably more dangerous because it can succeed even in organizations that regularly patch their software.
Once attackers gain access, they can steal data for ransom or, as with email servers, use that access as a launching pad for further attacks. These can involve sending phishing emails from a legitimate SharePoint server address or distributing malware that targets the organization or its partners.
To secure SharePoint, security teams must start with managing employee access. This includes setting correct permissions and securing account and/or SSO credentials.
But SharePoint is also used to share documents with partners, which brings additional risks. Overshared documents, misconfigured permissions, or guest account credential compromise can give attackers access to the wider SharePoint environment.
SharePoint MFA adds an extra layer of security by requiring SharePoint users to verify their identities with two or more factors before access is granted. This makes it significantly harder for unauthorized users to access a Microsoft SharePoint account or use that access to move laterally through your network.
Many organizations using SharePoint struggle to adapt to today’s application and credential sprawl. This is especially true for organizations that keep their identity and access management on-premise.
First, it's important to note that organizations don't all use SharePoint the same way. SharePoint itself has a "hybrid" identity, with two applications:
The first is SharePoint Online, a cloud-based service available as part of a Microsoft 365 subscription.
The second is SharePoint in its traditional on-premise version.
No doubt, SharePoint Online offers a lot of convenience compared to on-premise SharePoint and requires fewer discrete licenses.
But the appeal of the on-premise approach is that the organization remains in control of its data security, which is hugely important for some organizations.
The advantage of running SharePoint on-premise is that organizations remain fully in control of their data. The downside of course is that they must do the hard work of defending the server, as well as the IIS infrastructure through which it functions, on their own.
Regardless of whether the organization uses SharePoint On-Premise, SharePoint Online, or both, some SharePoint security measures have become second nature: implementing secure password policies, provisioning and de-provisioning users properly, and segmenting SharePoint within the network. However, technologies like MFA and single sign-on (SSO), now essential in a multi-application environment, can be complex to implement.
The problem is finding an MFA solution designed for on-premise systems in an era defined by cloud services.
This is especially true for Microsoft applications, which increasingly assume that organizations have migrated identity and authentication functions from on-premise Active Directory (AD) to Entra ID (formerly Azure AD).
For on-premise networks, MFA options are often limited. They typically involve adding extra infrastructure to support MFA or partially migrating to a cloud-based identity provider (IdP). While these solutions work from a technical perspective, they don't meet the real-world needs of organizations that must keep identity and authentication within their own data center to maintain visibility and control.
All this means that organizations that use on-premise AD for identity and authentication face ongoing challenges when they try to implement MFA on SharePoint Online access, or on both SharePoint Online and SharePoint On-Premise.
Since Microsoft’s environment is increasingly directed towards its cloud services, on-premise AD customers are often left to solve security and integration problems for themselves. The biggest of these problems is that on-premise AD lacks native support for security layers such as MFA and SSO. This forces organizations to invest in additional infrastructure, which often adds complexity and cost.
In this case, the recommended solution is to implement additional Microsoft middleware, Active Directory Federation Services (AD FS), which connects to Microsoft’s cloud-based Entra ID (formerly Azure AD), and a synchronization tool, Entra Connect.
Hypothetically, this solution works. But in the real world, some organizations can’t or don’t want to go down the half out, half in cloud route.
For one, some organizations need authentication to SharePoint data to happen using the on-premise AD identity to meet cybersecurity compliance or data sovereignty requirements, or simply to keep control over secure access to data.
Then there’s also the reality that an efficient on-premise network should be as simple as possible, keeping management overhead to a minimum. Anything that adds complexity or additional configuration makes more work for already-stretched security teams.
UserLock MFA offers a simple alternative to implementing MFA and SSO. Built specifically to solve a range of security challenges for on-premise AD customers, UserLock supports MFA and SSO across a range of authentication scenarios.
UserLock takes a multi-layer approach to access security, combining user control, monitoring, and identity verification. Seamlessly integrating with the existing on-prem AD, UserLock does this without the need for complex additional servers or setups. Unlike alternative MFA solutions that require an external directory service, UserLock MFA can be implemented using policies already configured in AD (and syncs with AD every 5 minutes).
With UserLock, configuring MFA for SharePoint is quick and easy. First, the UserLock agent is deployed on the IIS server hosting SharePoint. This agent intercepts all authentication requests to SharePoint and passes each request back to the UserLock server, where it is checked against the AD policies governing that user, group, or organizational unit (OU).
UserLock also allows administrators to offer multiple MFA methods to end users, including authentication apps, push notifications, or programmable hardware tokens such as YubiKey or Token2.
Of course, SharePoint is only one scenario for MFA, and UserLock applies the same security to a wide range of applications.
These include other IIS applications such as Outlook on the Web (formerly OWA) and RD Web, RDP remote access, and also VPN connections, SaaS applications, and user account control (UAC) prompts. Importantly, while UserLock can secure access to external services, it doesn't require a connection to an external platform.
Your on-premise AD identities remain the single source of truth for authentication to on-premise and cloud resources. Plus, thanks to UserLock's on-premise-first design, UserLock maintains MFA with 360-degree coverage: even when users log on to machines that are disconnected from the LAN, or when they log on to machines that aren't connected to the internet.
Defending SharePoint is near the top of the to-do list for any security team. As a collaboration platform, it makes a perfect target for attackers looking either to steal data or to use it as a distribution or phishing hub as part of a wider compromise. This makes MFA and SSO must-haves.
For organizations managing on-premise AD environments, security must be effective yet simple. UserLock offers a straightforward identity and access management (IAM) solution, integrating essential controls — MFA, SSO, user access control, contextual security and access event logs — into a single console without the need for an additional cloud-based identity.