
How have others, or what is the best practice for protecting IFS Enterprise Explorer with Multi-Factor Authentication when exposed to the web via reverse proxy?

Aurena is very straightforward, as you can just configure a Conditional Access policy for it to enforce MFA and target the Aurena apps.

When configured as per the documentation we were given when setting up Apps 10 for O365 authentication, the Enterprise Explorer app doesn’t come up in the list of apps, meaning there’s no obvious way to enable MFA for Enterprise Explorer, thus exposing IFS to the public internet with no MFA.

One option looks like Azure App Proxy but interested to see how/what others use.

Hi @Garak,
Thank you for contacting IFS Community. I hope you have gone through the following, but in case it may help I would like to share it:

Multi Factor Authentication: ADFS and Azure AD Identity providers support multi factor authentication where additional parameter(s) will be requested from the user during authentication in addition to the user name and password. No additional configuration is required on IFS Applications to support multi factor authentication, but either ADFS or Azure AD must be used as the Identity Provider for such requirement.

Please read User Authentication and Authentication Configuration for more details :)

Best Regards,
Yasas


Hi @Yasas_AK, yes, we have Azure AD authentication set up and MFA enabled on our Tenant; however, we’re able to set up a Conditional Access policy in Azure to force MFA to be required in order to access IFS.

We can set up the Conditional Access policy to enforce MFA on Aurena as they’re “App Registrations”, but since the Enterprise Explorer seems to be set up as an Azure Enterprise Application, it doesn’t come up in the list of applications able to have MFA enforced against and I haven’t found a way yet to enforce it.

I can enforce MFA at the user level, but then that affects all users regardless of application, whereas with the Policy I want to be able to enforce MFA to access it regardless of whether MFA is enabled on the user’s account or not (effectively blocking off access unless the user has MFA; otherwise, Azure will only require MFA if it’s enabled on the user’s account, which isn’t good enough for us).

