It's time for another Azure AD Mailbag. This time Chad Hasbrook from our Customer Success Team has the pen and he's answering questions about configuring Azure MFA.
I hope you'll find it useful!
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Products and Services
My name is Chad Hasbrook, and I'm one of the Customer Success Team PMs helping write our mailbag series. In the time I've spent with customers, I have found a very large interest in Azure Multi-Factor Authentication, so I've decided to share some of the common questions people ask when they begin to deploy Azure MFA. Have a question not listed? Share it in the comments below and we will include it in the next mailbag. Let's get started.
Question: Is there a way to customize the phone number that is displayed when users choose the Phone Call option for MFA?
Answer: Yes, but for US phone numbers only. By default the Caller ID is a Microsoft number. Caller ID customization is an advanced feature that is only available if you have the full version of Azure MFA, which you obtain either by creating a Multi-Factor Auth Provider and linking it to your directory, or by purchasing Azure MFA, Azure AD Premium or Enterprise Mobility Suite licenses. To modify the phone number, either follow the steps in the question above to get to the MFA service settings page and click the "Go to the portal" link at the bottom of the page, or, if you have a Multi-Factor Auth Provider, select the provider and click the Manage button. This will redirect you to the MFA Management Portal, where you can customize advanced MFA options. Click Settings in the left navigation, edit the Caller ID Phone Number and click Save.
Note: This is for US phone numbers only.
Question: I'm using the Azure MFA on-premises server to provide MFA for an internal application. What happens to the access of this application if our Internet is down or unable to contact the Azure MFA service?
Answer: There are two modes for this scenario: Fail Authentication and Succeed Authentication. Fail Authentication is the default behavior. This means users are unable to get to the application until connectivity is restored. Succeed Authentication allows the user to continue to log in without having to go through MFA. You can change this setting in the Azure MFA Server by clicking on the Company Settings icon. On the General tab, change the "When internet is not accessible" option at the top of the page.
Question: Do I have to have Azure AD Premium or EMS license to use Azure MFA? Can I use Azure MFA if I have Azure AD Free or Azure AD Basic?
Answer: A version of Azure MFA with limited functionality is available for Azure administrators and for Office 365 users at no additional charge for protecting access to Microsoft online resources. You can also purchase the full version of Azure Multi-Factor Authentication through a licensing model or a consumption model. For the licensing model, purchase Azure Multi-Factor Authentication licenses and assign those licenses to your users. For the consumption model, you'll need to do a few things. First, you'll need to have an Azure Subscription. Once you log in to the portal, click NEW at the bottom, then App Services, Active Directory, Multi-Factor Auth Provider, Quick Create. You'll then have the ability to pick either a Per Enabled User or a Per Authentication usage model.
For specifics of the billing, please see https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/
Question: If I created an MFA provider and then later purchased Azure MFA, Azure AD Premium or EMS licenses, will I still be charged?
Answer: It depends. If you have purchased enough licenses to cover the number of users enabled for MFA, then you would not be charged. The per-user Azure Multi-Factor Auth Provider must also be linked to the directory that contains the licenses for the licenses to be recognized. Here is an example. I have 50 users today using MFA on a per-user consumption model. I purchase 40 Azure AD Premium licenses and assign them to 40 users. Once the 40 licenses are purchased, my Azure subscription will start getting billed just for the 10 unlicensed users instead of all 50.
Note: The per-authentication consumption model is not compatible with the licensing model. All authentications are billed, even if users are assigned an MFA, Azure AD Premium or EMS license.
We hope you've found this post and this series to be helpful. For any questions, you can reach us at AskAzureADBlog@microsoft.com, the Microsoft Forums and on Twitter @AzureAD, @MarkMorow and @Alex_A_Simons.
-Chad Hasbrook, Mark Morowczynski and Shawn Bishop