Two-step verification should be standard across your organization. In this lab, we will review how to configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace.

Make sure to catch up on this series' previous posts first!

 

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) means adding two-step verification to secure access to data. This enhanced security requires at least two of the following:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

For this lab, we will use Azure AD credentials (something you know) and a phone (something you have).

You can read the official documentation from Microsoft about MFA in Azure.

Microsoft offers two options to set up MFA with Azure:

  • MFA in the Cloud (as a Service)
  • MFA Server

You can read the documentation available here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-whichversion to find more details about the best solution for you.

Microsoft offers basic two-step verification features to Office 365 and Azure Active Directory (Azure AD) Administrators for no extra cost. For example, users assigned the Azure AD Global Administrator role in Azure AD tenants can enable two-step verification for free. But you still need to purchase licenses for standard users. However, if you wish to take advantage of advanced features then you should purchase the full version of Azure Multi-Factor Authentication (MFA).

Note: You can test that Azure MFA is working for you by opening a new browser window in InPrivate or incognito mode and browsing to https://account.activedirectory.windowsazure.com.

You can take one of two approaches for requiring two-step verification. The first option (and the one we will use in this lab) is to enable each user for Azure Multi-Factor Authentication (MFA). When users are enabled individually, they perform two-step verification each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remembered devices feature is turned on). The second option is to set up a conditional access policy that requires two-step verification under certain conditions (Source: Microsoft).

Getting started

For this lab, you need the following:

Configure MFA with Azure AD and Citrix Workspace

Requirements in Citrix Cloud

Go to Citrix Cloud > Identity Management and make sure that Azure Active Directory is configured and enabled. You must connect Citrix Cloud to Azure; check this post if you need more info: Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD.

Citrix Cloud – Azure Active Directory

Go to Citrix Cloud > Workspace Configuration and select Azure Active Directory.

Citrix Cloud – Workspace Authentication

Note: by enabling Azure Active Directory in Workspace Configuration, you will enforce Azure AD and prevent any other type of authentication.

Requirements in Microsoft Azure

In Microsoft Azure, go to Home > Default Directory > Users – All users and select Multi-factor Authentication.

You will be redirected to another URL (https://account.activedirectory.windowsazure.com) to manage MFA configuration for your users.

Microsoft Azure – MFA Service configuration

You can select one or multiple users to configure MFA. In this example, I’ve selected my [email protected] user. Click Enable to turn on MFA for this user.

Enable MFA for a user in Azure

Select Enable Multi-Factor Auth to confirm.

Enable MFA for a user in Azure – Confirm

MFA is enabled.

Enable MFA for a user in Azure – Enabled

At the next logon, you will be prompted to configure MFA for this user.
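
The portal steps above can also be performed and verified from PowerShell. This is an added example, not part of the original post: it assumes the legacy MSOnline module is installed and usable in your tenant, and `user@example.com` is a placeholder UPN.

```powershell
# Added example: enable and audit per-user Azure MFA with the MSOnline module.
# Assumptions: MSOnline is installed; $TargetUpn is a placeholder, not a value from the post.
Import-Module MSOnline
Connect-MsolService                      # interactive sign-in as an administrator

$TargetUpn = 'user@example.com'          # placeholder UPN

function Get-PerUserMfaState {
    param([Parameter(Mandatory)] $User)
    # An empty StrongAuthenticationRequirements collection means per-user MFA is off.
    $req = $User.StrongAuthenticationRequirements | Select-Object -First 1
    if ($req) { [string]$req.State } else { 'Disabled' }
}

# 1. Enable MFA for the target user, same effect as clicking Enable in the portal.
$user = Get-MsolUser -UserPrincipalName $TargetUpn
if ((Get-PerUserMfaState -User $user) -eq 'Disabled') {
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'      # apply to all relying parties
    $requirement.State        = 'Enabled'
    Set-MsolUser -UserPrincipalName $TargetUpn -StrongAuthenticationRequirements @($requirement)
}

# 2. Audit every account: MFA state and number of registered verification methods.
#    Zero methods on an Enabled account means the user has not yet completed
#    the first-logon registration.
$report = Get-MsolUser -All | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = Get-PerUserMfaState -User $_
        MethodsRegistered = @($_.StrongAuthenticationMethods).Count
    }
}
$report | Sort-Object MfaState, UserPrincipalName | Format-Table -AutoSize

# 3. List the accounts that still sign in with a password only.
$report | Where-Object MfaState -eq 'Disabled' |
    Select-Object -ExpandProperty UserPrincipalName
```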

Test Multi-factor authentication with Citrix Workspace

Log on to Citrix Workspace with an account that has MFA enabled. Here we will use [email protected]

Citrix Workspace – MFA configuration Logon

Enter your password.

Citrix Workspace – MFA configuration Password

First logon? Microsoft will require more information to configure MFA.

Citrix Workspace – MFA First logon configuration

Configure how you want the verification to be done. Here we will pick phone authentication.

Citrix Workspace – MFA security verification

You will be prompted to enter the code sent by text to validate the phone number.

Citrix Workspace – MFA phone validation

You are given an app password, if needed for some apps.

Citrix Workspace – MFA app password

Now you can log on for real.

Citrix Workspace – MFA logon

Select Stay signed-in to avoid future prompts.

Citrix Workspace – MFA stay signed-in

Citrix Workspace will take a little time to log on. I’ve noticed that with MFA, the logon is slower.

Citrix Workspace MFA logon

Then you are logged in with Citrix Workspace.

Citrix Workspace – logged in with MFA

That’s all it takes to configure basic Multi-factor authentication (MFA) with Citrix Workspace and Microsoft Azure AD. I hope it helped. To learn about enhanced features available with Azure MFA, like trusted IPs, custom voice messages, and fraud alerts, see the article Configure Azure Multi-Factor Authentication settings.

Cheers.
