Hello again, tech tribe! 👋
This is my third blog on Identity Management, and today we're tackling Multi-Factor Authentication (MFA) — an essential security measure to protect against credential theft, phishing, and unauthorized access.
Whether you’re managing systems on-prem or in the cloud, MFA is your front-line defense. Let’s break it down for Windows Server, Linux, and Azure AD.
🔍 What is MFA?
Multi-Factor Authentication (MFA) requires users to present two or more verification methods to gain access. It’s usually a combination of:
- Something you know (password or PIN)
- Something you have (smartphone, OTP device)
- Something you are (biometric, fingerprint, face)
💼 MFA on Windows Server
While older versions of Windows Server do not have native MFA, you can integrate MFA with RDP (Remote Desktop Protocol) and other services.
🛠️ Options:
- Microsoft Authenticator with the NPS Extension: install the NPS Extension for Azure MFA on your Network Policy Server.
- Third-party tools such as Duo Security, RSA SecurID, or Okta.
🧩 Key Integration Use-Cases:
- RDP access to critical servers
- VPN access with NPS authentication
🔧 Quick Guide: Azure MFA via NPS
1. Install the NPS server role and the NPS Extension for Azure MFA.
2. Register your tenant with AzureMfaNpsExtnConfigSetup.ps1.
3. Test with radtest or another RADIUS client.
🐧 MFA on Linux Server
MFA is not as “plug-and-play” on Linux, but it is entirely possible and very effective.
🛠️ Options:
- Google Authenticator PAM module
- Duo Unix for SSH logins
- YubiKey integration via PAM
🔧 Quick Setup: Google Authenticator for SSH
```bash
sudo apt install libpam-google-authenticator
# Run this as the user who will log in: it writes the secret to ~/.google_authenticator
google-authenticator
```
Update /etc/pam.d/sshd:
```
auth required pam_google_authenticator.so
```
Update /etc/ssh/sshd_config (UsePAM must also be set to yes for the PAM stack to run):
```
ChallengeResponseAuthentication yes
```
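To show what the `google-authenticator` enrolment and the PAM module actually agree on, here is an added example (not code from the original post or from the google-authenticator project) implementing the RFC 6238 TOTP algorithm those apps use: HMAC-SHA1 over a 30-second counter, dynamic truncation to 6 digits, plus the two server-side checks a PAM module performs, a small drift window and a replay guard. The base32 secret in the demo is the RFC 6238 test secret, not a real enrolment; the `TotpVerifier` class and its method names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # default time step used by Google/Microsoft Authenticator
DIGITS = 6          # default code length


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret printed by `google-authenticator` (padding optional)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole time steps since the Unix epoch."""
    return hotp(decode_base32_secret(secret_b32), unix_time // step)


class TotpVerifier:
    """Server-side verification with two defensive properties (hypothetical helper):
    - a +/- `window` step tolerance for clock drift between the phone and the server
    - a replay guard: a counter that already produced a successful login is never accepted again
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self.secret = decode_base32_secret(secret_b32)
        self.window = window
        self.step = step
        self.last_used_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_used_counter:
                continue  # replay guard: this step (or an older one) was already consumed
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    import time
    # RFC 6238 test secret "12345678901234567890" in base32 (constructed demo value, not a real enrolment)
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("current code:", totp(demo_secret, int(time.time())))
```

The drift window is why a code typed a few seconds late still works, and the replay guard is why the same code cannot be reused within its 30-second validity, which is the behaviour you rely on when the PAM module protects SSH.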
💡 Time-Saver:
Use configuration management tools (e.g., Ansible, Chef) to roll out MFA setup to multiple servers.
☁️ MFA in Azure Active Directory
This is the easiest and most powerful environment to enforce MFA at scale.
🛠️ Options:
- Microsoft Authenticator app
- SMS or phone call
- FIDO2 security keys / Windows Hello
🔧 Quick Setup:
1. Go to Azure Portal → Azure AD → Security → MFA.
2. Enable per-user MFA or, better, use Conditional Access policies.
3. Set the requirements: location, device platform, app sensitivity.
💡 Bonus:
Use Identity Protection to trigger MFA for risky logins or unknown devices.
🧠 Developer/IT Time-Saving Benefits
🔐 Quick Real-World Use Cases
- A developer logging into self-hosted GitLab on Linux via SSH? → Enforce Google Authenticator.
- A system admin accessing a production Windows VM via RDP? → Enforce Duo or Azure MFA.
- A cloud engineer logging into the Azure Portal? → Enforce Conditional Access MFA policies with geolocation filters.
🧩 Troubleshooting Common Issues
- “MFA not working after SSH config” → Check that both ChallengeResponseAuthentication yes and UsePAM yes are set in sshd_config.
- “Users not receiving MFA prompts” in Azure AD → Ensure user registration is complete and push notifications are enabled.
- “Breaking RDP” after MFA → Always test on a dev server or keep a backup local access path during rollout.
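The first troubleshooting item and the SSH Quick Setup above both come down to three lines in two files being right. This added example (not code from the original post) audits constructed copies of /etc/ssh/sshd_config and /etc/pam.d/sshd for exactly that wiring; the sample texts, the `parse_sshd_config` and `audit_ssh_mfa` function names, and the finding strings are this example's own. It handles the two things that trip people up in practice: sshd honours only the first occurrence of a keyword, and OpenSSH 8.7+ accepts KbdInteractiveAuthentication as the name for ChallengeResponseAuthentication (Ubuntu ships it as `no`).

```python
import re

# Constructed sample files (not taken from any real host).
SAMPLE_SSHD_CONFIG_OK = """\
# constructed sample /etc/ssh/sshd_config
Port 22
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
"""

SAMPLE_PAM_SSHD_OK = """\
# constructed sample /etc/pam.d/sshd
@include common-auth
auth required pam_google_authenticator.so
"""

SAMPLE_SSHD_CONFIG_BROKEN = """\
# constructed: the distribution default 'no' was never changed
UsePAM yes
KbdInteractiveAuthentication no
"""

SAMPLE_PAM_SSHD_BROKEN = """\
@include common-auth
# auth required pam_google_authenticator.so   <- still commented out
"""


def parse_sshd_config(text: str) -> dict:
    """Return {keyword.lower(): value.lower()} for the global section of an sshd_config.

    sshd honours the *first* occurrence of a keyword, so later duplicates are ignored,
    and keywords may be written 'Key value' or 'Key=value'. Everything after the first
    'Match' line is conditional and deliberately left out of this global check.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_ssh_mfa(sshd_config: str, pam_sshd: str) -> list:
    """Return a list of findings; an empty list means the SSH + PAM MFA wiring looks right."""
    findings = []
    cfg = parse_sshd_config(sshd_config)

    # Either spelling enables the keyboard-interactive method that PAM prompts run through.
    kbd = cfg.get("kbdinteractiveauthentication", cfg.get("challengeresponseauthentication"))
    if kbd != "yes":
        findings.append("sshd_config: ChallengeResponseAuthentication/KbdInteractiveAuthentication must be 'yes'")

    # UsePAM defaults to 'no' upstream; without it the PAM auth stack is never consulted.
    if cfg.get("usepam") != "yes":
        findings.append("sshd_config: UsePAM must be 'yes' for pam_google_authenticator to run")

    module_lines = [
        ln.strip() for ln in pam_sshd.splitlines()
        if re.match(r"^auth\s+\S+\s+pam_google_authenticator\.so", ln.strip())
    ]
    if not module_lines:
        findings.append("pam.d/sshd: no active 'auth ... pam_google_authenticator.so' line")
    else:
        control = module_lines[0].split()[1]
        if control not in ("required", "requisite"):
            findings.append(f"pam.d/sshd: control '{control}' may let a code alone satisfy the stack; expected 'required'")
        if "nullok" in module_lines[0]:
            findings.append("pam.d/sshd: 'nullok' lets users without an enrolled secret skip MFA (rollout-only setting)")
    return findings


if __name__ == "__main__":
    for label, cfg, pam in (("ok", SAMPLE_SSHD_CONFIG_OK, SAMPLE_PAM_SSHD_OK),
                            ("broken", SAMPLE_SSHD_CONFIG_BROKEN, SAMPLE_PAM_SSHD_BROKEN)):
        print(label, audit_ssh_mfa(cfg, pam) or "no findings")
```

Run it against the real files on a host (read them in place of the constructed samples) before and after a rollout; the `nullok` finding is the SSH counterpart of the "allow backup local access during rollout" advice, a deliberate gap you want to see flagged so it gets removed once every user has enrolled.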
📍 Conclusion
MFA isn’t just a feature — it’s a necessity. It’s your low-hanging fruit to instantly boost identity security across all platforms. With minimal setup, you protect your servers, apps, and cloud environment from 90% of credential-based attacks.
👉 Next up: Privileged Access Management (PAM): Protecting Admin Accounts Like Fort Knox!