MFA Overview
1h 41m

This Designing for Azure Identity Management course will guide you through the theory and practice of recognizing, implementing, and deploying the services on offer within your enterprise. Learn how to improve the protection of your organization by designing advanced identity management solutions. Recommended for those who already have some experience with the subject, this course comprises 24 lectures, including demos, and is expertly instructed by one of our MS Azure subject matter experts.

Learning Objectives

  • Study and understand what Azure AD Domain Services do and what they can offer
  • Learn to create and manage hybrid identities via Azure AD Connect 
  • Understand the principles of Azure MFA and SSO, and how to enable them
  • Recognize and deploy the key principles of Azure AD B2B and B2C 
  • Learn and utilize Privileged Identity Management

Intended Audience

This course is intended for:

  • IT professionals who are interested in getting certified with MS Azure
  • Those looking to become Azure architects and/or tasked with designing identity management solutions

Prerequisites

  • A mid-range knowledge of MS Azure is recommended before starting this course
  • An understanding of identity management concepts

Related Training Content

For more courses related to MS Azure, visit our dedicated Content Training Library.





Two-step verification provides a layered approach to security. Even the most enterprising attacker would have problems compromising multiple authentication factors: even if the attacker obtains a user's password, the password is useless without also being in possession of the additional authentication method, a mobile phone, for example. Multi-factor authentication works by requiring two or more authentication methods, typically drawn from something the user knows (a password), something the user has (typically a mobile phone), and something the user is (biometrics, for example). Azure MFA safeguards access to apps and data while maintaining a simple end-user experience. By requiring a second form of authentication, MFA adds much sought after security to end-user authentication, and it does so via a range of easy-to-use authentication methods, including passwords, security questions, email address, application, OATH hardware token, SMS, voice call, and app passwords. Multi-Factor Authentication comes as part of Azure AD Premium.

A subset of MFA capabilities is also available as part of an Office 365 subscription and as a means of protecting Global Administrator accounts. As part of Azure AD Premium, Azure MFA is offered in two flavors: the Azure Multi-Factor Authentication Service, which is cloud-based, and Azure MFA Server, which is a good option for organizations that have deployed ADFS and want or need to manage MFA on-premises. Because most users are used to authenticating to applications and services with only a password, it's critical that an organization communicate with its user base when rolling out an MFA solution. Doing so will invariably reduce the number of helpdesk calls that come in during the rollout. Despite the best-laid plans and deployments, there will be times when you need to disable MFA in a one-off scenario, for example when a user can't sign in because he has lost access to his authentication methods (a lost phone, say). In such a case, you could use a conditional access policy for Azure MFA.

With a conditional access policy in place, you can create a user group that is excluded from the policy requiring MFA. Placing the user in the excluded group temporarily allows access until MFA functionality or access can be restored. Another way to temporarily bypass MFA for Azure MFA Server users is to allow them to authenticate without two-step verification; such a bypass can be configured, but it expires after a specified number of seconds. Two-step verification prompts can also be minimized for users on the local network, using trusted IPs or named locations. By leveraging these features, an administrator for a managed or federated tenant can bypass two-step verification for users signing in from a trusted network location.
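The three exemptions described above (an excluded group, a time-limited MFA Server bypass, and trusted IPs or named locations) as a small policy-evaluation model, added here as an example and not code from the course or from Azure; the group name, IP ranges, sign-ins and the order in which the checks run are constructed assumptions.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class MfaPolicy:
    """Constructed model of the exemptions above; not Azure's own evaluation engine."""
    excluded_groups: set[str]                     # group(s) excluded from the MFA policy
    trusted_ranges: list[ipaddress.IPv4Network]   # trusted IPs / named locations
    bypass_until: dict[str, int] = field(default_factory=dict)  # user -> epoch second bypass expires

    def grant_bypass(self, user: str, now: int, seconds: int) -> None:
        """Time-limited bypass, modelled on the MFA Server one-off bypass that expires after N seconds."""
        self.bypass_until[user] = now + seconds

    def requires_mfa(self, user: str, groups: list[str], source_ip: str, now: int) -> tuple[bool, str]:
        """Return (mfa_required, reason). The check order is an assumption and only affects the reason."""
        if self.excluded_groups & set(groups):
            return False, "excluded-group"
        if self.bypass_until.get(user, 0) > now:      # expired bypasses fall through to MFA
            return False, "temporary-bypass"
        ip = ipaddress.ip_address(source_ip)
        if any(ip in net for net in self.trusted_ranges):
            return False, "trusted-location"
        return True, "mfa-required"


def evaluate_sample() -> list[tuple[str, bool, str]]:
    """Run constructed sample sign-ins through the policy and return (user, mfa_required, reason)."""
    policy = MfaPolicy(
        excluded_groups={"MFA-Exclusion"},                    # hypothetical exclusion group
        trusted_ranges=[ipaddress.ip_network("10.0.0.0/8")],  # constructed trusted range
    )
    now = 1_700_000_000
    policy.grant_bypass("carol", now, 300)   # 300-second bypass for a user who lost her phone
    signins = [  # (user, groups, source IP, time): constructed sample data
        ("alice", [], "203.0.113.5", now),               # off-network, no exemption
        ("bob", ["MFA-Exclusion"], "203.0.113.5", now),  # member of the excluded group
        ("alice", [], "10.1.2.3", now),                  # trusted IP / named location
        ("carol", [], "203.0.113.9", now + 60),          # bypass still valid
        ("carol", [], "203.0.113.9", now + 600),         # bypass expired after 300 s
    ]
    return [(u, *policy.requires_mfa(u, g, ip, t)) for u, g, ip, t in signins]


if __name__ == "__main__":
    for user, required, reason in evaluate_sample():
        print(f"{user:6} mfa_required={required!s:5} ({reason})")
```

Membership of the exclusion group and any active bypass are the two states worth reviewing regularly, since both silently lift the MFA requirement until someone removes them.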

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.