Forum Discussion

Copper Contributor

Apr 07, 2020

Solved

Is it possible to use Password Hash Sync with Seamless SSO and DUO MFA?

Is it possible to have applications published in Azure Enterprise Applications and use Azure AD password hash sync for authentication but pass off the MFA piece to DUO? Reference: https://docs....

Identity Management

VasilMichev
Apr 08, 2020
Yup, and somewhere else was mentioned that they cannot satisfy the MFA claim either, which is important for some scenarios. In any case, you should check with Duo support as well.

doeweb

Copper Contributor

Apr 08, 2020

Thank you Vasil, I did see another posting after I posted this question: https://dirteam.com/sander/2020/03/25/announced-azure-mfa-to-offer-more-3rd-party-mfa-features/ . I'm still in question why/what it means exactly that ADFS is a requirement for 3rd party MFA while Seamless SSO with Hash Sync supports the custom controls. I guess it's because the Seamless SSO with custom controls and 3rd party MFA isn't truly seamless as dirteam pointed out?

Today, 3rd-party MFA solutions face the following limitations:

They work only after a password has been entered
They don’t serve as MFA for step-up authentication in other key scenarios
They don’t integrate with end user or administrative credential management functions

VasilMichev

MVP

Apr 08, 2020

Yup, and somewhere else was mentioned that they cannot satisfy the MFA claim either, which is important for some scenarios. In any case, you should check with Duo support as well.

Skipster
Copper Contributor
Apr 09, 2020
VasilMichev doeweb

Hello
We are also evaluating staged rollout of password hash sync and duo as a mfa provider in Azure. So far everything appears to be working , however i see there are some known limitations with the current feature in Azure. Can you please help me understand what the below limitations mean? In what scenario would we notice the current limitations ?

They work only after a password has been entered
They don’t serve as MFA for step-up authentication in other key scenarios
They don’t integrate with end user or administrative credential management functions
- doeweb
  Copper Contributor
  Apr 09, 2020
  SkipsterI opened up a proactive case with MS and asked those specific questions and he didn't quite understand that comment from that blog. Check out this URL and look towards the bottom of some people having issues with the Windows Hello requiring the user to enroll with MS MFA instead of the existing 3rd party MFA, which they ended up having to resort back to ADFS.
  
  https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-controls/ba-p/1144696