
Azure MFA TOTP is a simple yet effective way to add an extra layer of security to your online accounts.
You can use a time-based one-time password (TOTP) app, such as Google Authenticator or Microsoft Authenticator, to generate a unique code that changes every 30 seconds.
Azure MFA TOTP supports both QR code and secret key setup methods, giving you flexibility in how you set up the service.
With Azure MFA TOTP, you can protect your online accounts without having to remember a password.
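To make the 30-second rotation and the "QR code or secret key" setup concrete, here is an added Python example (not code from the page or from Microsoft) that implements the RFC 6238 TOTP algorithm the authenticator apps above use, the server-side check with a small drift window, and the otpauth:// URI that a setup QR code encodes. `DEMO_SECRET_B32`, the account name and the issuer are constructed values.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed demo secret (base32). A real one is the secret key Azure/Entra shows
# when you choose the manual "secret key" setup instead of scanning the QR code.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def normalize_b32(secret_b32: str) -> str:
    """Setup screens often show the secret in spaced lowercase groups without '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    return s + "=" * ((-len(s)) % 8)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole `step`-second periods since
    the Unix epoch, which is why the displayed code changes every 30 seconds."""
    secret = base64.b32decode(normalize_b32(secret_b32), casefold=True)
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret_b32: str, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps to
    absorb clock drift; compare in constant time so a wrong digit costs the same as a right one."""
    secret = base64.b32decode(normalize_b32(secret_b32), casefold=True)
    counter = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """The otpauth:// URI a setup QR code encodes; the QR code and the secret key carry the same data."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={normalize_b32(secret_b32).rstrip('=')}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={period}")


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(DEMO_SECRET_B32, now))
    print("seconds until rotation:", 30 - int(now) % 30)
    print(provisioning_uri(DEMO_SECRET_B32, "user@example.com", "Contoso"))
```

The `verify_totp` window is the reason a code typed a few seconds late still works; widening it beyond one step trades security for tolerance, so keep it small.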
Azure MFA Configuration
To configure Azure MFA, you'll need to navigate to your account settings page in Microsoft, which can be found at account.microsoft.com or myaccount.microsoft.com, depending on whether you have a personal or business account.
You'll then need to turn on two-factor authentication (2FA) by selecting the Two-step verification Turn on button or Add sign-in method button and choosing Authenticator app from the dropdown.
If you're using a business account, you may need to select Security info first. Once you've turned on 2FA, you can proceed to set up the authenticator app.
To use a different authenticator app, such as Bitwarden Password Manager, you'll need to follow the steps outlined in the Azure and Office 365 section.
Here's a summary of the steps:
- Navigate to your account settings page in Microsoft
- Turn on two-factor authentication (2FA)
- Select Authenticator app from the dropdown
- Proceed until you see a blue "different authenticator app" hyperlink
- Follow the normal instructions to set up the authenticator app
Azure and Office 365
If you're using Microsoft Azure and Office 365, you'll need to take a few extra steps to configure MFA.
Microsoft Azure and Office 365 accounts expect the use of Microsoft Authenticator for TOTPs by default. To use Bitwarden Password Manager integrated authentication instead, you'll need to follow these steps.
Navigate to your account settings page in Microsoft, which can be found at account.microsoft.com or myaccount.microsoft.com, depending on whether you have a personal or business account.
To turn on 2FA, select the Two-step verification option from your Security dashboard or your Security info page, depending on which screen your account shows.
You'll then need to select the Authenticator app option and choose the verification method. During the setup procedure, you'll see a dropdown menu for the verification method - select Authenticator App or An app.
To configure this setting, you can use the Azure portal or the Graph API. If you choose to use the Graph API, make sure you have proper permissions to change the setting. You'll need to consent to the Policy.ReadWrite.AuthenticationMethod permission.
You can run a query in the Graph Explorer tool to get the current state of the setting; the value to look for is the systemCredentialPreferences setting.
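As an added example (not code from the page, Microsoft, or the Graph Explorer), the following Python builds the Graph call for the authentication methods policy, reads the systemCredentialPreferences object out of the response, and shows the PATCH body that turns the setting on. The endpoint and the permission named above are real; the access token is a placeholder that this code does not obtain, and the response document is a constructed sample that follows the documented field names.

```python
import json
import urllib.request

# Graph endpoint for the tenant-wide authentication methods policy.
GRAPH_POLICY_URL = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"

# Constructed sample: the systemCredentialPreferences part of a GET response. Field names
# follow the documented object; the values are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "id": "authenticationMethodsPolicy",
    "systemCredentialPreferences": {
        "state": "default",
        "includeTargets": [{"id": "all_users", "targetType": "group"}],
        "excludeTargets": [],
    },
})


def build_request(access_token: str, method: str = "GET", body=None) -> urllib.request.Request:
    """Build the Graph call. The bearer token must carry Policy.ReadWrite.AuthenticationMethod
    (the permission the text names); here it is a placeholder, no token is acquired."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(GRAPH_POLICY_URL, data=data, method=method)
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def summarize_system_preferred(response_json: str) -> dict:
    """Reduce the policy document to what an admin checks: is system-preferred MFA
    enforced, for which targets, and who is excluded."""
    prefs = json.loads(response_json).get("systemCredentialPreferences") or {}
    state = prefs.get("state", "default")
    return {
        "state": state,
        # "enabled" enforces the setting; "default" leaves it Microsoft-managed; "disabled" turns it off.
        "enforced": state == "enabled",
        "include": [t.get("id") for t in prefs.get("includeTargets", [])],
        "exclude": [t.get("id") for t in prefs.get("excludeTargets", [])],
    }


def enable_for_all_users_body() -> dict:
    """PATCH body that enforces system-preferred MFA for every user;
    send it with build_request(token, "PATCH", enable_for_all_users_body())."""
    return {"systemCredentialPreferences": {
        "state": "enabled",
        "includeTargets": [{"id": "all_users", "targetType": "group"}],
        "excludeTargets": [],
    }}


def fetch_policy(access_token: str) -> dict:
    """Live call (needs network and a real token); everything else in this block runs offline."""
    with urllib.request.urlopen(build_request(access_token)) as resp:
        return summarize_system_preferred(resp.read().decode("utf-8"))
```

Check the summary before sending any PATCH: a tenant already at `"state": "enabled"` with an `excludeTargets` list has deliberately exempted some groups, and overwriting the object replaces that list.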
Free Microsoft Entra MFA Version
If you're looking for a free version of Microsoft Entra multifactor authentication, you can enable security defaults in the Microsoft Entra ID Free tier. This will enable all users for multifactor authentication using the Microsoft Authenticator app.
Security defaults don't allow for text message or phone verification, only the Microsoft Authenticator app can be used.
Azure MFA Options
Azure Multi-Factor Authentication (MFA) provides several options to enhance security for users.
One of the options is Azure Authenticator, a mobile app that generates Time-Based One-Time Passwords (TOTPs) for authentication.
Azure MFA also supports Microsoft Authenticator, another mobile app that can be used for authentication.
SafeID/Anytime
SafeID/Anytime is a button-less OTP token that displays a one-time password on the screen at all times.
It's a time-based solution, compliant with OATH/TOTP standards, so the code on the display is always the current one for the time window.
SafeID/Anytime is always on, so you don't need to press a button to get a new code. This makes it a convenient option for users who need to access their accounts frequently.
SafeID/Diamond
The SafeID/Diamond is a programmable OTP token that can be used to replace soft tokens like Microsoft Authenticator or Google Authenticator.
It's time-based and OATH/TOTP compliant, which is important for security.
This token is a great option for those who want a more secure alternative to traditional soft tokens.
It's a hardware token that can provide an extra layer of security for your accounts.
Entra ID OATH Tokens
Entra ID OATH Tokens offer a convenient and secure way to generate one-time passwords.
These tokens are time-based and OATH/TOTP compliant, meaning they meet industry standards for security.
SafeID/Anytime, a button-less OTP token, displays one-time passwords on the screen at all times.
SafeID/Diamond, on the other hand, is a programmable OTP token that can replace soft tokens like Microsoft Authenticator or Google Authenticator.
One of the benefits of Entra ID OATH Tokens is their ability to create OTP tokens that can be used for authentication.
Self-service support for hardware (OATH) tokens in Entra ID is also available, making it easy to manage your tokens.
Azure MFA Management
To manage Azure MFA, you'll need to navigate to your account settings page in Microsoft, which can be found at account.microsoft.com or myaccount.microsoft.com, depending on whether it's a personal or business account.
To enable 2FA, you'll need to turn it on, which can be done by selecting the Two-step verification Turn on button or Add sign-in method button and choosing Authenticator app from the dropdown.
If you're using a business account, you may need to select Security info first, and then Two-step verification.
Multifactor Authentication Billing
You can create a per-user or per-authentication MFA provider, and your organization's Azure subscription will be billed monthly based on usage.
This billing model is similar to how Azure bills for usage of virtual machines and Web Apps.
You only pay the annual license fee for each user if you purchase a subscription for Microsoft Entra multifactor authentication.
MFA licenses and Microsoft 365, Microsoft Entra ID P1 or P2, or Enterprise Mobility + Security bundles are billed this way, with a single annual license fee per user.
Azure User Data Handling
Azure User Data Handling is a crucial aspect of Azure MFA Management. Azure Multi-Factor Authentication Server stores user data only on on-premises servers.
No persistent user data is stored in the cloud, ensuring your users' sensitive information remains secure. This approach provides an added layer of protection against potential data breaches.
To authenticate users, the Multi-Factor Authentication Server sends data to the Microsoft Entra multifactor authentication cloud service over a secure connection using SSL or TLS over port 443. This ensures all communication is encrypted and protected.
The following data fields are included in two-step verification logs:
- Unique ID (either user name or on-premises Multi-Factor Authentication Server ID)
- First and Last Name (optional)
- Email Address (optional)
- Phone Number (when using a voice call or text message authentication)
- Device Token (when using mobile app authentication)
- Authentication Mode
- Authentication Result
- Multi-Factor Authentication Server Name
- Multi-Factor Authentication Server IP
- Client IP (if available)
These optional fields can be configured in Multi-Factor Authentication Server to suit your organization's specific needs.
Azure MFA Throttling
Microsoft Entra multifactor authentication does throttle user sign-ins in certain cases, typically involving repeated authentication requests in a short time window.
This throttling is designed to protect telecommunication networks, mitigate MFA fatigue-style attacks, and safeguard Microsoft's own systems for the benefit of all customers.
The throttling limits are based around reasonable usage, but Microsoft doesn't share specific limits.
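The log fields listed under Azure User Data Handling are enough to spot the pattern the throttling above is meant to blunt: many denied or unanswered mobile app prompts for one user in a short window, sometimes followed by an approval. The following Python is an added example (not code from the page or from Microsoft) that runs that check over constructed sample records; the snake_cased field names mirror the list above, and all users, times and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def rec(ts, user, result, ip, mode="Mobile App"):
    """Build one constructed two-step verification record using the listed field names."""
    return {"timestamp": ts, "unique_id": user, "authentication_mode": mode,
            "authentication_result": result, "client_ip": ip}


# Constructed sample log: alice gets six denied prompts in 79 seconds and then approves one;
# bob has two denials seven minutes apart; carol has a single clean success.
SAMPLE_LOG = [
    rec("2024-05-01T08:00:01Z", "alice@contoso.example", "Denied", "203.0.113.7"),
    rec("2024-05-01T08:00:15Z", "alice@contoso.example", "Denied", "203.0.113.7"),
    rec("2024-05-01T08:00:30Z", "alice@contoso.example", "Denied", "203.0.113.7"),
    rec("2024-05-01T08:00:48Z", "alice@contoso.example", "Timeout", "203.0.113.7"),
    rec("2024-05-01T08:01:05Z", "alice@contoso.example", "Denied", "203.0.113.9"),
    rec("2024-05-01T08:01:20Z", "alice@contoso.example", "Denied", "203.0.113.9"),
    rec("2024-05-01T08:01:40Z", "alice@contoso.example", "Success", "203.0.113.9"),
    rec("2024-05-01T08:05:00Z", "bob@contoso.example", "Denied", "198.51.100.23"),
    rec("2024-05-01T08:10:00Z", "carol@contoso.example", "Success", "192.0.2.44"),
    rec("2024-05-01T08:12:00Z", "bob@contoso.example", "Denied", "198.51.100.23"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_denied_bursts(records, threshold=5, window=timedelta(minutes=2)):
    """Flag each unique_id with at least `threshold` non-success results inside any sliding
    `window`, and note whether a Success followed the burst within one more window."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["unique_id"]].append(
            (parse_ts(r["timestamp"]), r["authentication_result"], r.get("client_ip")))

    alerts = []
    for user, events in sorted(by_user.items()):
        events.sort(key=lambda e: e[0])
        denied = [e for e in events if e[1] != "Success"]
        best = (0, 0, 0)  # (count, start_idx, end_idx) of the densest window seen
        start = 0
        for end in range(len(denied)):
            while denied[end][0] - denied[start][0] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count < threshold:
            continue
        burst_end = denied[e][0]
        approved = any(ev[1] == "Success" and burst_end < ev[0] <= burst_end + window
                       for ev in events)
        alerts.append({
            "unique_id": user,
            "denied_count": count,
            "burst_start": denied[s][0].isoformat(),
            "burst_end": burst_end.isoformat(),
            "client_ips": sorted({ev[2] for ev in denied[s:e + 1] if ev[2]}),
            "approved_after_burst": approved,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_denied_bursts(SAMPLE_LOG):
        print(alert)
```

An alert with `approved_after_burst` set is the one to treat as a probable compromised session rather than noise; the `client_ips` list lets you compare the prompt source against the user's usual locations before you reset their methods.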
Billing for Azure MFA is based on the number of users configured to use multifactor authentication, regardless of whether they performed two-step verification that month.
Sources
- https://bitwarden.com/help/integrated-authenticator/
- https://learn.microsoft.com/en-us/entra/identity/authentication/multi-factor-authentication-faq
- https://deepnetsecurity.com/authenticators/one-time-password/safeid/hardware-mfa-tokens-office-365-azure-multi-factor-authentication/
- https://forum.netgate.com/topic/81540/azure-multi-factor-authentication-server-with-openvpn-brief-how-to
- https://janbakker.tech/system-preferred-multifactor-authentication-in-azure-ad-dont-settle-for-less/