Forum Discussion
Is it possible to use Password Hash Sync with Seamless SSO and DUO MFA?
Is it possible to have applications published in Azure Enterprise Applications and use Azure AD password hash sync for authentication but pass off the MFA piece to DUO?
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
It states "What are the multifactor authentication options". Password hash sync + Seamless SSO supports Azure MFA and Custom Controls with conditional access.
And Federation with ADFS supports "Third-party MFA" as well as the custom controls with conditional access.
When I initially read this, I expected that DUO MFA is only supported with an ADFS federation. However, upon reading more on the custom controls, it appears that the MFA can be handed off to DUO for MFA and still use the Password Hash sync/Seamless SSO as the authentication?
- doeweb (Copper Contributor)
Hi there,
So you have no ADFS federation, all of it is configured with a Seamless SSO w/password hash sync? Have you experienced any limitations in regards to user experiences?
- Skipster (Copper Contributor)
doeweb We are currently testing using staged rollout for password hash sync. We are using DUO as an MFA provider in Azure, and we are using conditional access policies to force MFA using the DUO provider. It's working; however, I'm a little unclear what the limitations are. I read the article you posted, but what scenario would the limitations mentioned in the article apply to?
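
For readers who want to see what "conditional access policies to force MFA using the DUO provider" looks like outside the portal, here is an added example (not code posted by Skipster or by Microsoft/Duo) that creates such a policy with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, that the Duo custom control has already been registered in the tenant, and that you replace the placeholder control ID and break-glass group ID with your own values. The policy is created in report-only mode first so its effect can be reviewed in sign-in logs before enforcement.

```powershell
# Added example: require a third-party (Duo) custom control for all users on all cloud apps.
# Requires the Microsoft.Graph PowerShell SDK; IDs below are placeholders, not real tenant values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# PLACEHOLDER: the GUID of the Duo custom control registered under
# Azure AD > Security > Conditional Access > Custom controls.
$duoCustomControlId = "00000000-0000-0000-0000-000000000000"

# PLACEHOLDER: object ID of an emergency-access (break-glass) group excluded from the policy
# so an outage at the third-party MFA provider cannot lock every admin out.
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"

$policy = @{
    displayName = "Require Duo custom control (PHS + Seamless SSO)"
    # Start in report-only mode; switch to "enabled" after reviewing sign-in log results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator = "OR"
        # The custom control is the grant requirement; note that, as the thread mentions,
        # satisfying a custom control does not set the MFA claim, so a separate policy that
        # requires builtInControls = @("mfa") would still prompt for Azure MFA.
        customAuthenticationFactors = @($duoCustomControlId)
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify what was stored, including the grant controls actually attached to the policy.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, @{ n = "CustomControls"; e = { $_.GrantControls.CustomAuthenticationFactors } }
```

Keep the custom-control policy and any policy that uses the built-in "mfa" grant control separate: because a custom control does not produce an MFA claim, stacking both requirements on the same sign-in results in a double prompt rather than a single Duo challenge.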
Yes, it should be possible, although the experience is somewhat limited. And they're going to replace it with a new method, so read here in case you haven't seen it already: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new#upcoming-changes-to-custom-controls
- doeweb (Copper Contributor)
Thank you Vasil, I did see another posting after I posted this question: https://dirteam.com/sander/2020/03/25/announced-azure-mfa-to-offer-more-3rd-party-mfa-features/ . I'm still in question why/what it means exactly that ADFS is a requirement for 3rd party MFA while Seamless SSO with Hash Sync supports the custom controls. I guess it's because the Seamless SSO with custom controls and 3rd party MFA isn't truly seamless as dirteam pointed out?
Today, 3rd-party MFA solutions face the following limitations:
- They work only after a password has been entered
- They don’t serve as MFA for step-up authentication in other key scenarios
- They don’t integrate with end user or administrative credential management functions
Yup, and somewhere else was mentioned that they cannot satisfy the MFA claim either, which is important for some scenarios. In any case, you should check with Duo support as well.