#AzureAD Mailbag: MFA Q&A, Round 6!

All right, it’s time for some  more mandatory fun!

Chad here again kicking off 2017 and ready with another MFA mailbag. In the last couple months, I’ve been having a lot of conversations with customers around Azure MFA Server licenses requirements, billing, and split configurations. In this mailbag, I’ve taken some of these “What if….” and “How does this work?” questions that you implementers can get stuck on and will hopefully provide the answers you need to get started on your deployment. Also our team has really grown lately and some of these faces are going to join in on our blogging efforts. Check back on Fridays for a new posts.

 

Question 1:

I know when I use the text message option of Azure MFA, I get a 6 digit code texted to me. How long is that code good for? Can I change the length of the code and the length time the code is valid?

Answer 1:

When using Azure MFA Server, the default timeout is 5 minutes. There is no UX to configure it. It can be configured via a registry key setting.

When using (cloud-based) Azure MFA, the timeout is 3 minutes; this is not configurable. The length of the code (6 digits) is not configurable.

 

Questions 2:

Does the downloadable MFA SDK used for Azure MFA Server supports texting and calling to international numbers? Is there any additional cost associated with doing so?

Answer 2:

Yes, the downloadable SDKs supports both texting & phone calls to international calls. However, users may incur charges for receiving or replying to international calls and texts depending on the terms of their cellular plan and carrier.

 

Question 3:

Can you explain to me about how billing works for Azure MFA Server?

Answer 3:

There are several options for billing:

  1. Per-User Consumption: Create a per-user MFA Provider in an Azure subscription. MFA Server reports the number of users marked as “Enabled” to our cloud service. The cloud service reports the number of users to the Commerce system to bill the Azure subscription for the number of users enabled.
  2. Per-Authentication Consumption: Create a per-authentication MFA provider in an Azure subscription. The cloud service reports the number of verification requests that have occurred daily to the Commerce system to bill the Azure subscription.
  3. License: Purchase standalone MFA, Azure AD Premium and/or EMS licenses. MFA Server reports the number of users marked as “Enabled” to the cloud service. The customer needs enough licenses to cover the number of users enabled. While we encourage licenses to be assigned to AAD users, the MFA system only looks at the total count of users enabled for MFA.

You can mix options 1 and 3 by creating a per-user MFA Provider in an Azure subscription that is linked to your Azure AD tenant that has your MFA, AAD Premium and/or EMS licenses. The Azure subscription will only be billed for the number of users enabled for MFA that exceed the number of licenses owned. For more information, please visit our Multi-Factor Authentication Pricing documentation. For more information, please visit our Multi-Factor Authentication Pricing documentation.

 

Question 4:

I want to understand if there are charges for failed authentications? Also, can I use a hybrid model with some users set as pay per user per month and others set up to pay per authentication?

Answer 4:

The only way to do a hybrid where some are per-user and other are per-authentication would be to have two separate MFA Providers that are used with two different environments or user groups. Another option would be to use Azure MFA (cloud) and a MFA Provider that is configured per auth. Azure MFA today only works for cloud-based resources and when using AD FS 2016. For per-authentication billing, we bill for each authentication attempt, including failed attempts.

 

Question 5:

Can my organization switch between per-user and per-authentication consumption billing models at any time?

Answer 5:

If you are using an Azure MFA Provider that is linked to your Azure AD tenant, you can safely delete the current provider and recreate it with the other usage model as long as you link the new one to that same Azure AD tenant. There are only issues deleting and recreating MFA Providers that aren’t linked to an Azure AD tenant.

 

And that finishes up your Azure MFA FAQ’s for the week! We hope you took away something new or had an “ah ha” moment 🙂 Keep the feedback coming to the GTP Team.

 

For any questions you can reach us at
AskAzureADBlog@microsoft.com, the Microsoft Forums and on Twitter @AzureAD, @MarkMorow and @Alex_A_Simons

 

Chad Hasbrook, Mark Morowczynski, Shawn Bishop, Todd Gugler