Azure Multi-factor Authentication

This documentation provides a high-level introduction to ASM Core and Azure Multi-factor Authentication with Azure Active Directory.

Multi-factor authentication (MFA) is a method of authentication that requires more than one independent verification method. It adds a critical second layer of security to user sign-ins by requiring both of the following:

  • Something you know (typically a password)

  • Something you have (a trusted device that is not easily duplicated, like a phone)

The security of multi-factor authentication lies in its layered approach: compromising two independent factors is significantly harder for an attacker than compromising one. Even if an attacker learns the user's password, it is useless without possession of the trusted device. Should the user lose the device, whoever finds it cannot use it without also knowing the user's password.

Azure Multi-factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication through a range of easy verification options: phone call, text message, mobile app notification or mobile app verification code.

Alemba® uses Azure Multi-factor Authentication* in conjunction with the Alemba® SSO integration module to provide connectivity to Azure Active Directory* with SAML authentication (for further information see the SSO Technical Reference Guide).

*Azure services are not provided as part of the Alemba® Cloud offering; pricing and further information on Azure can be found at

Multi-factor Authentication User Transaction Steps for ASM

The ASM User/Analyst requests access to the application by loading an appropriate ASM URL in a browser. ASM detects this request, generates a SAML authentication request and redirects the User/Analyst's browser to the Azure portal login URL.

The Azure authentication service detects that the user has been configured to use the Multi-factor Authentication service and directs the user to a configuration page, where they choose the method they prefer from a predefined set of verification methods:

  • Phone call

  • Text message

  • Mobile app notification

  • Mobile app verification code

Once the user has chosen and configured their preferred verification method, MFA setup is complete and the user can log in and verify their account with the method selected. User configuration of MFA is required only on the User/Analyst's first login with Azure Multi-factor Authentication.

Azure Multi-factor Authentication authenticates the User/Analyst. The SAML response is returned to the User/Analyst's browser, which sends it to the ASM URL; once ASM has verified this response, the User/Analyst is logged into the ASM app.

Multi-Factor Authentication Technical Transaction Steps for ASM

The User/Analyst's browser requests the ASM URL to log in to the application. ASM SSO intercepts the request and redirects the browser to the Azure portal login. The Azure portal login accepts the User/Analyst's AD credentials and then requests multi-factor authentication; at the same time the Azure MFA service presents the User/Analyst with their configured verification method.

The User/Analyst supplies the second factor to the Azure portal login, which passes it to the MFA service. Once the MFA verification is approved, the Azure AD service generates a SAML assertion and returns it to the User/Analyst's browser, which in turn passes it to the ASM Core SSO service for verification. Verification of a SAML assertion covers, at minimum, the XML signature (checked against the Azure AD signing certificate), the audience, the validity window and the InResponseTo reference back to the request ASM issued; an unsigned, expired, replayed or misaddressed assertion must be rejected. Once the SAML assertion is verified, the User/Analyst is logged in and redirected to the ASM Core application.
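The following Python example walks through the service-provider side of the transaction described in the two sections above: it constructs a hand-written (and therefore unsigned) Azure AD-style SAML Response and applies the checks a relying party such as the ASM SSO module has to make before trusting it, including confirming that MFA actually took place. It is an added illustration, not Alemba's or Microsoft's code. The request ID, audience and ACS URL are made-up values; the tenant ID in the Issuer is a placeholder. Azure AD reports the authentication method in the assertion's AuthnContextClassRef element, using http://schemas.microsoft.com/claims/multipleauthn when MFA was completed and urn:oasis:names:tc:SAML:2.0:ac:classes:Password for a password-only sign-in. XML-DSig signature verification against the tenant's signing certificate is deliberately left out here; in production it runs first, because none of the fields below can be trusted until the signature has been checked.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# AuthnContextClassRef values Azure AD places in the assertion.
MFA_CONTEXT = "http://schemas.microsoft.com/claims/multipleauthn"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_response(authn_context, not_before, not_on_or_after,
                   audience="https://asm.example.test/sso",        # constructed SP entity ID
                   in_response_to="_req-0001",                     # constructed request ID
                   recipient="https://asm.example.test/sso/acs"):  # constructed ACS URL
    """Construct a minimal, UNSIGNED SAML Response for demonstration only."""
    nb, noa = not_before.strftime(TIME_FMT), not_on_or_after.strftime(TIME_FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-0001" Version="2.0" InResponseTo="{in_response_to}" Destination="{recipient}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert-0001" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>analyst@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}" NotOnOrAfter="{noa}" Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{nb}">
      <saml:AuthnContext><saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_audience, expected_request_id, expected_recipient,
                      now, require_mfa=True, skew=timedelta(minutes=2)):
    """Return the asserted NameID if every check passes, else raise ValueError.

    Assumes the XML signature has ALREADY been verified (not shown here).
    """
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report Success")
    # Tie the response to a request we actually issued (blocks unsolicited/replayed responses).
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion present")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("SubjectConfirmationData does not reference our request")
    if scd.get("Recipient") != expected_recipient:
        raise ValueError("assertion was issued for a different ACS endpoint")
    # Validity window, allowing a small clock skew between IdP and SP.
    cond = assertion.find("saml:Conditions", NS)
    if now < _parse_time(cond.get("NotBefore")) - skew or now >= _parse_time(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"assertion not intended for this SP (audiences: {audiences})")
    # Confirm the IdP actually performed MFA rather than a password-only sign-in.
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    context = ctx.text if ctx is not None else None
    if require_mfa and context != MFA_CONTEXT:
        raise ValueError(f"MFA required but IdP reported authentication context {context!r}")
    return assertion.find("saml:Subject/saml:NameID", NS).text


def demo():
    """Run the validator over one good response and four that must be rejected."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    window = (now - timedelta(minutes=1), now + timedelta(minutes=5))
    args = dict(expected_audience="https://asm.example.test/sso", expected_request_id="_req-0001",
                expected_recipient="https://asm.example.test/sso/acs", now=now)
    results = {"mfa": validate_response(build_response(MFA_CONTEXT, *window), **args)}
    bad = {
        "password_only": build_response(PASSWORD_CONTEXT, *window),
        "expired": build_response(MFA_CONTEXT, now - timedelta(hours=2), now - timedelta(hours=1)),
        "wrong_request": build_response(MFA_CONTEXT, *window, in_response_to="_req-9999"),
        "wrong_audience": build_response(MFA_CONTEXT, *window, audience="https://other.example.test"),
    }
    for name, xml_text in bad.items():
        try:
            validate_response(xml_text, **args)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The `require_mfa` check is the part specific to this page: a SAML assertion from Azure AD is valid even when only a password was used, so an SP that relies on MFA has to inspect the AuthnContextClassRef (or enforce MFA through a Conditional Access policy on the Azure side) rather than assume it from the fact that a signed assertion arrived.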