Adwoa Boateng-Kwakye: Welcome back to Azure AD
Architecture Deep Dive Series. I am Adwoa Boateng-Kwakye
and I’m a Program Manager on the Azure AD Engineering
team at Microsoft.
Adrian Paredes: And my name is Adrian Paredes and I’m
also a Program Manager in the Azure AD Engineering team
at Microsoft.
In this video, we will discuss the mechanics of how Azure AD
works when you access a service connector such as Office 365,
a line of business application, or even a third party SaaS app
when you tie it to a conditional access policy requiring Azure
MFA.
First, we start with a user attempting to access an application.
Let’s say, for example, a user, Jessica, is trying to access a
file on OneDrive for Business from her iPhone and does not
have a current active token. In this example, let’s assume
she has passed the authentication phase and is now completing
the authorization phase.
When a user authenticates, there’s a lot of context. For example,
the cloud application, the IP address of the request, the
client being used and so on.
In addition to that, Azure AD has a lot of signals coming
from the Microsoft Intelligent Security Graph that provide
a sign-in risk and an all-up risk. Customers with the proper
licenses can add these risk levels as part of their policies.
Those request and risk contexts are compared against
all of the conditional access policies, and then all of the
controls required by the applicable policies are executed.
Let’s suppose that the policies require Jessica to do MFA
and that she has not done strong auth yet. This sends
back an MFA challenge, a UI response, to the user’s device.
Typically, we see this as a message stating that you will
need to complete an MFA challenge first. At the same time,
the MFA service is invoked.
Adwoa, now that she has passed the conditional access criteria,
how does Azure MFA complete the cycle?
Adwoa: That’s an excellent question, and it depends on how
the administrator configures the available options.
From the user’s perspective, the authentication service renders
an HTTP response to Jessica, so she knows that MFA is
happening. For example, on your device, you’ll receive
a phone call or a push notification.
At the same time, the authentication service interacts with
the Azure MFA service, which then either calls out to the telco
for an SMS or phone call or uses a push notification, and handles
the interaction with that infrastructure so you don’t have to.
In the example you mentioned, let’s say Jessica gets a
message saying she will need to complete an MFA challenge
first. Then, within seconds, she receives a notification in the
authenticator app on her iPhone, which she then completes.
After she completes the MFA challenge, the response is sent
back to the authentication services. The authentication service
then issues the token and sends it to Jessica’s client, which
then sends it over to the services, in this case, her file in
OneDrive for Business.
I’d like to point out again that this is the same process
for Office 365 and Microsoft services as well
as line of business apps and third party SaaS apps or
enterprise apps.
Adrian, what did you take away from this?
Adrian: I love how well Azure MFA integrates with conditional
access. It really allows you to create and customize a more
secure environment for your organization.
Secondly, identity protection adds an extra layer of security,
using the Microsoft Intelligent Security Graph to determine
risk factors in signing in, such as impossible travel,
identifying compromised accounts and more.
Lastly, using the authenticator app with Azure MFA provides
more ease of access without compromising security. However,
we also do have options using SMS and phone calls.
Adwoa: We hope you found this video useful. Please check
our other architecture videos at aka.ms/identityyoutube.
Thank you for joining us.
Adrian: Thank you.
