Forum Discussion

doeweb
Copper Contributor
Apr 07, 2020

Is it possible to use Password Hash Sync with Seamless SSO and DUO MFA?


Is it possible to have applications published in Azure Enterprise Applications and use Azure AD password hash sync for authentication but pass off the MFA piece to DUO?
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

It states "What are the multifactor authentication options". Password hash sync + Seamless SSO supports Azure MFA and Custom Controls with conditional access.

And Federation with ADFS supports "Third-party MFA" as well as the custom controls with conditional access.

When I initially read this, I expected that DUO MFA is only supported with an ADFS federation. However, upon reading more on the custom controls, it appears that the MFA can be handed off to DUO for MFA and still use the Password Hash sync/Seamless SSO as the authentication?

  • Yup, and somewhere else was mentioned that they cannot satisfy the MFA claim either, which is important for some scenarios. In any case, you should check with Duo support as well.

  •
    Skipster
    Copper Contributor

    doeweb Yes, this is possible. We are doing this now. We have DUO in Azure AD and are using password hash sync.

    •
      doeweb
      Copper Contributor

      Skipster 

      Hi there,

      So you have no ADFS federation, all of it is configured with a Seamless SSO w/password hash sync? Have you experienced any limitations in regards to user experiences?

      •
        Skipster
        Copper Contributor

        doeweb We are currently testing using staged rollout for password hash sync. We are using DUO as an MFA provider in Azure, and we are using conditional access policies to force MFA using the DUO provider. It's working; however, I'm a little unclear what the limitations are. I read the article you posted, but what scenario would the limitations mentioned in the article apply to?

    •
      doeweb
      Copper Contributor

      Thank you Vasil, I did see another posting after I posted this question: https://dirteam.com/sander/2020/03/25/announced-azure-mfa-to-offer-more-3rd-party-mfa-features/ . I'm still in question why/what it means exactly that ADFS is a requirement for 3rd-party MFA while Seamless SSO with Hash Sync supports the custom controls. I guess it's because Seamless SSO with custom controls and 3rd-party MFA isn't truly seamless, as dirteam pointed out?

      Today, 3rd-party MFA solutions face the following limitations:

      • They work only after a password has been entered
      • They don’t serve as MFA for step-up authentication in other key scenarios
      • They don’t integrate with end user or administrative credential management functions
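To make the distinction discussed in this thread concrete (the built-in Azure MFA grant control versus a custom control such as Duo, and the point that a custom control does not satisfy the MFA claim), here is an added example that is not part of the thread and not code from Microsoft or Duo. It assumes the Microsoft Graph shape of a Conditional Access policy's `grantControls` (`builtInControls` and `customAuthenticationFactors`), uses a placeholder GUID for the custom control ID, and builds unsigned sample tokens whose `amr` claim is constructed to reflect the limitation the thread describes. The token helper decodes only; it performs no signature validation.

```python
import base64
import json

# --- Constructed sample policies (Graph conditionalAccessPolicy.grantControls shape) ---

# The custom control ID is a placeholder, not a real Duo control identifier.
POLICY_DUO_CUSTOM_CONTROL = {
    "displayName": "Require Duo custom control (constructed sample)",
    "grantControls": {
        "operator": "OR",
        "builtInControls": [],
        "customAuthenticationFactors": ["00000000-0000-0000-0000-000000000000"],
    },
}

POLICY_AZURE_MFA = {
    "displayName": "Require Azure MFA (constructed sample)",
    "grantControls": {
        "operator": "OR",
        "builtInControls": ["mfa"],
        "customAuthenticationFactors": [],
    },
}


def policy_requires_azure_mfa(policy: dict) -> bool:
    """True if the policy uses the built-in 'mfa' grant control, the path that
    records MFA in the issued token's amr claim."""
    return "mfa" in policy.get("grantControls", {}).get("builtInControls", [])


def policy_uses_custom_control(policy: dict) -> bool:
    """True if the policy hands the second factor to a custom control (e.g. Duo)."""
    return bool(policy.get("grantControls", {}).get("customAuthenticationFactors"))


# --- Minimal JWT helpers for inspecting the amr claim (decode only, no verification) ---

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned (alg 'none') compact token purely for this offline demo."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(token: str) -> dict:
    """Decode the payload segment. A real relying party must validate the
    signature against the tenant's signing keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_has_mfa_claim(token: str) -> bool:
    """True when amr lists 'mfa', i.e. Azure AD itself recorded a second factor."""
    return "mfa" in token_claims(token).get("amr", [])


def explain(policy: dict, token: str) -> str:
    """Relate a policy's grant control to what a downstream app sees in amr."""
    mfa_claim = token_has_mfa_claim(token)
    if policy_requires_azure_mfa(policy) and mfa_claim:
        return "Azure MFA enforced; token carries 'mfa' in amr"
    if policy_uses_custom_control(policy) and not mfa_claim:
        return "custom control enforced; token carries no 'mfa' in amr"
    return "policy and token disagree; investigate"


# Constructed tokens: amr values chosen to match the thread's statement that a
# custom control does not satisfy the MFA claim.
TOKEN_AFTER_AZURE_MFA = make_sample_token({"sub": "user1", "amr": ["pwd", "mfa"]})
TOKEN_AFTER_CUSTOM_CONTROL = make_sample_token({"sub": "user1", "amr": ["pwd"]})

if __name__ == "__main__":
    print(explain(POLICY_AZURE_MFA, TOKEN_AFTER_AZURE_MFA))
    print(explain(POLICY_DUO_CUSTOM_CONTROL, TOKEN_AFTER_CUSTOM_CONTROL))
```

The practical consequence for the scenario in the question: an application that gates access on the `mfa` value in `amr` will not see it when the second factor was delivered through a custom control, even though the Conditional Access policy was satisfied; any such check has to be made against the policy outcome rather than the claim.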
