Modern information security is built on a layered defense. Each layer supports the others and presents additional obstacles to threat actors. From patch management to perimeter firewalls, each layer makes it more difficult for attackers to compromise your network. Multifactor authentication (MFA) is one of these layers. MFA has many flavors, but all involve a combination of:
- Something you have, such as a smartphone or hard token
- Something you know, such as a password
- Something you are, such as a fingerprint or other biometric data
Given the prevalence of phishing, weak passwords, and stolen credentials being bought and sold online, implementing MFA for Active Directory can provide additional defense against attacks.
How does MFA for Active Directory work?
MFA raises the bar against identity-based attacks: a stolen or guessed password alone is no longer enough to authenticate. For Active Directory, which sits at the heart of most organizations' identity infrastructure, MFA provides added assurance that the people logging in and accessing IT resources are who their credentials claim they are.
Protecting an on-premises Active Directory environment with MFA is challenging. Active Directory natively supports MFA only through smart card (certificate-based Kerberos, or PKINIT) authentication. This is not to be confused with MFA for Active Directory Federation Services (AD FS), which adds a second factor for applications federated through AD FS, not for domain logons themselves.
Because Active Directory itself offers no general MFA hook, organizations typically enforce MFA at the endpoints through which it is reached: workstations and administrative (jump) servers, using solutions such as Windows Hello for Business or Cisco Duo to protect interactive logons and RDP sessions. Other tools intercept or analyze Active Directory authentication requests, for example at the domain controller, and enforce MFA according to the organization's policy. Enforcing MFA at the endpoint protects the logon path, not the credential itself: an attacker who has already stolen a password hash or Kerberos ticket can still authenticate over the network to LDAP, SMB, or WinRM without ever seeing an MFA prompt, which is why MFA belongs alongside administrative tiering and credential-hygiene controls rather than in place of them.
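The one MFA control Active Directory enforces natively is the "Smart card is required for interactive logon" (SCRIL) flag on the account. The following script is an added example, not code from the original article or from Microsoft: it audits the members of privileged groups for that flag and, with -Enforce, sets it. It assumes the ActiveDirectory RSAT module is installed and that the group names listed in the parameter match your forest; adjust them as needed.

```powershell
# Added example: audit privileged Active Directory accounts for the SCRIL flag
# (userAccountControl bit 0x40000, exposed by Get-ADUser as SmartcardLogonRequired).
# Requires the ActiveDirectory RSAT module and rights to read (and, with -Enforce,
# write) the attribute. Group names below are assumptions; adjust for your forest.
[CmdletBinding()]
param(
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    [switch]$Enforce
)

Import-Module ActiveDirectory

$results = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups; keep only user objects (skip computers and gMSAs).
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties SmartcardLogonRequired, Enabled |
        ForEach-Object {
            [pscustomobject]@{
                Group                  = $group
                SamAccountName         = $_.SamAccountName
                Enabled                = $_.Enabled
                SmartcardLogonRequired = [bool]$_.SmartcardLogonRequired
            }
        }
}

# Enabled privileged accounts that can still log on interactively with a password alone.
$gaps = $results |
    Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired } |
    Sort-Object SamAccountName -Unique

$gaps | Format-Table Group, SamAccountName, Enabled, SmartcardLogonRequired -AutoSize

if ($Enforce) {
    foreach ($acct in $gaps) {
        # Setting SCRIL makes Windows replace the account's password with a random
        # value, so anything still using that account with a password will break.
        # -Confirm prompts per account; drop it only after a dry run.
        Set-ADUser -Identity $acct.SamAccountName -SmartcardLogonRequired $true -Confirm
    }
}
```

Two caveats apply. SCRIL governs interactive logon only; the randomized password hash the account receives is still valid for network authentication, so it should be rotated by toggling the flag or by enabling the domain's rolling of expiring NTLM secrets (available at the Windows Server 2016 domain functional level). And the flag is useless without a smart card or virtual smart card issued to each affected administrator, so run the audit before the enforcement pass.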
How can you implement MFA for Active Directory in hybrid identity environments?
Because of cloud adoption, many enterprises need an MFA approach that spans both their on-premises Active Directory environment and cloud identity service providers such as Entra ID. To support this type of hybrid environment, organizations can use Microsoft Entra Connect (formerly Azure AD Connect) to synchronize identities between Active Directory and the Entra tenant.
Entra ID provides security defaults to every tenant regardless of licensing. Security defaults require all users to register for MFA, require administrators to satisfy MFA on every sign-in, prompt other users for MFA when a sign-in looks risky, and block legacy authentication protocols. Missing from the free tier, however, is Conditional Access, which lets you define rules that apply specific controls to specific sign-in scenarios.
Conditional Access policies offer a more granular approach to controlling access under conditions that you specify, such as requiring MFA for anyone reaching a service from outside the corporate network. This feature is included in the premium plans (Entra ID P1 and P2). Similarly, every Microsoft 365 plan can enforce MFA through security defaults, while Microsoft 365 Business Premium and the E3 and E5 enterprise plans include Entra ID P1 or P2 and therefore Conditional Access.
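As an added example (not from the original article or Microsoft's documentation), the policy described above, MFA for anyone not on a trusted network, can be created with the Microsoft Graph PowerShell SDK. The block assumes the Microsoft.Graph.Identity.SignIns module, a session with the Policy.ReadWrite.ConditionalAccess scope, and an Entra ID P1 or P2 license; the break-glass account object ID is a placeholder you must replace.

```powershell
# Added example: Conditional Access policy requiring MFA outside trusted named
# locations, created in report-only mode first. Assumes Microsoft.Graph.Identity.SignIns
# and a tenant with Entra ID P1/P2. The object ID below is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object ID of your emergency-access (break-glass) account.
$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require MFA outside trusted locations (report-only)'
    # Report-only records what the policy would have done without blocking anyone,
    # so you can inspect the sign-in logs before enforcing it.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers = @('All')
            # Always exclude emergency-access accounts so a misconfigured policy
            # cannot lock every administrator out of the tenant.
            excludeUsers = @($breakGlassObjectId)
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            # 'AllTrusted' is the built-in identifier covering every named location
            # that has been marked as trusted (for example, corporate egress ranges).
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results look right, flip the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

The two details that most often go wrong in practice are both visible here: the trusted-location exclusion only works if the corporate egress addresses have actually been defined as trusted named locations, and the break-glass exclusion is the difference between a bad policy being an inconvenience and being an outage.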
Both Microsoft 365 and Office 365 support MFA via the following methods:
- A text message, sent to the user’s phone, that requires the user to enter a verification code
- A voice call
- Microsoft Authenticator
Entra ID, which provides the MFA service behind Microsoft 365, supports a wider set of verification methods:
- Microsoft Authenticator
- Authenticator Lite (in Outlook)
- Windows Hello for Business
- FIDO2 security keys
- OATH hardware tokens
- OATH software tokens
- SMS
- A voice call
These methods are not equally strong. FIDO2 security keys and Windows Hello for Business are phishing-resistant, because the credential is bound to the origin and cannot be replayed to a look-alike site. SMS and voice codes can be intercepted through SIM swapping or relayed by a real-time phishing proxy, and one-time codes from OATH tokens or the Authenticator app can likewise be relayed by an attacker sitting between the user and the sign-in page.
Applications that authenticate directly with Entra ID using modern authentication protocols such as OpenID Connect or SAML can be governed by Conditional Access policies. Legacy and on-premises applications that do not authenticate directly with Entra ID must be fronted by Entra application proxy (for web applications) or integrated through the Entra multifactor authentication extension for Network Policy Server (NPS), which adds an MFA step to RADIUS authentication for VPNs and Remote Desktop Gateway.
In September 2022, Microsoft announced the deprecation of Azure MFA Server. As of September 30, 2024, Azure MFA Server deployments no longer service MFA requests. To avoid authentication failures, organizations still running it must migrate users' authentication data to the cloud-based Entra multifactor authentication service using the MFA Server Migration Utility that Microsoft provides.
What about adaptive authentication?
MFA is evolving toward more granular, risk-aware controls. Adaptive authentication keeps the traditional factors but decides when to demand them based on risk detection.
In this model, the user is stepped up to a stronger authentication requirement when dynamic criteria indicate elevated risk. For example, a user has an established profile: a role, a set of devices, a usual geographic location. If that user suddenly attempts to log in from an unfamiliar device or country, the risk associated with the attempt justifies an MFA prompt. Conversely, the model reduces user friction by prompting less often when users behave as they normally do.
Entra ID Protection (formerly Azure AD Identity Protection) calculates user risk and sign-in risk from signals such as leaked credentials, anonymous IP addresses, and atypical travel; risk-based Conditional Access policies (an Entra ID P2 capability) then consume those risk levels. When risk is detected, the available responses include requiring MFA, forcing a password reset, or blocking access until an administrator investigates. Adaptive authentication raises another barrier against threat actors who attempt to penetrate your environment.
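The following is an added example, not code from the original article or from Microsoft, showing how Entra ID Protection risk levels plug into Conditional Access: one policy steps up to MFA on medium or high sign-in risk, and a second requires MFA plus a password change when user risk is high. It assumes the Microsoft.Graph.Identity.SignIns module, the scopes named in the Connect-MgGraph call, an Entra ID P2 license, and a placeholder break-glass object ID you must replace.

```powershell
# Added example: risk-based Conditional Access driven by Entra ID Protection signals.
# Assumes Microsoft.Graph.Identity.SignIns and Entra ID P2. Object ID is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'IdentityRiskyUser.Read.All'

# Placeholder: emergency-access account excluded from every policy.
$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'

# Shared scope: all users except break-glass, all cloud apps.
$allUsersAllApps = @{
    users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassObjectId) }
    applications = @{ includeApplications = @('All') }
}

# Policy 1: an individual sign-in that looks risky (anonymous IP, atypical travel, ...)
# must be confirmed with a second factor.
$signInRiskPolicy = @{
    displayName   = 'Sign-in risk medium or high: require MFA'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $allUsersAllApps + @{ signInRiskLevels = @('medium', 'high') }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: an account judged compromised (e.g. leaked credentials) must prove a second
# factor AND change its password. The operator must be AND: a password change gated
# only by the old password would let whoever stole it simply choose a new one.
$userRiskPolicy = @{
    displayName   = 'User risk high: require MFA and password change'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $allUsersAllApps + @{ userRiskLevels = @('high') }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }
}

foreach ($p in @($signInRiskPolicy, $userRiskPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p |
        Select-Object Id, DisplayName, State
}

# Before enforcing, see who the policies would already be hitting and why.
Get-MgRiskyUser -Filter "riskLevel eq 'high'" |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime
```

Both policies are created in report-only mode for the same reason as any other Conditional Access change: the risky-user query at the end shows which accounts would be affected, and those detections should be reviewed (and false positives dismissed) before the state is switched to enabled.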
Is MFA for Active Directory the best defense?
Implementing MFA for Active Directory can help to reduce the threat posed by credential theft. When beginning your MFA deployment, the most obvious place to start is accounts with privileged access rights. These accounts are the most attractive to attackers because they can be used to broaden attackers' foothold and persist in your environment without detection.
Other accounts might have value because of the employee’s role in the business. For example, breaching the identity of a key software engineering team member or the human resources department leader can offer attackers the chance to get their hands on valuable information.
Implementing security capabilities like MFA can add an extra barrier between attackers and your environment. But by itself, MFA is not a sufficient defense.
Strengthen Active Directory security
Truly securing the identities in your environment takes a comprehensive approach. To harden Active Directory:
- Identify and patch vulnerabilities.
- Identify and correct potential misconfigurations.
- Monitor Active Directory (and services such as Okta or Entra ID, in hybrid environments) for suspicious activity.
- If possible, automate the remediation or rollback of risky changes.
- Test and maintain a backup of Active Directory and critical identity resources, separate from operating system or data backups.
- Include a specific Active Directory recovery plan as part of your disaster recovery strategy.
Additional tools, including endpoint, MFA, and log- or event-based solutions, can be worthwhile additions to your identity threat detection and response (ITDR) strategy. A layered defense that focuses on securing Active Directory and other critical systems and services is the best way to strengthen your organization’s operational resilience.