App passwords in a federated tenant using ADFS and Azure MFA server

Gurdev Singh
Contributor

Does anyone know if App Passwords work in a federated tenant using ADFS and on-premises Azure MFA Server? As per my understanding, app passwords are a cloud-only account feature and do not work for federated accounts.

For federated accounts, authentication is handled by ADFS, which has no knowledge of app passwords.

Is this correct?

3 Replies

Yes and no. App passwords basically bypass AD FS, as authentication happens directly against Azure AD. 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication-get-started-adfs

Thanks @Vasil Michev. This is not a very well documented scenario by Microsoft. Most of the documentation states that AAD first does home-realm discovery and then redirects the user to the federated STS for authentication.

With App Passwords, then, AAD must also be checking whether the authentication request is made with an app password and thus not redirecting to the federated STS. I guess that's what they mean by 'App passwords are verified using cloud authentication, so they bypass federation.'

Do you think this assumption (I am calling it an assumption as I can't find it documented anywhere) is what happens in practice, i.e. AAD checks if the auth request is with an app password and thus doesn't redirect to the federated STS?

Solution

Yes, that's pretty much it. You can easily confirm it by checking the event logs on the AD FS server, where you should see no requests at all associated with the user using an app password. Which is just one of the many reasons you should not be using app passwords...
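The check described in the accepted answer, written out as an added PowerShell example (this is not code from the thread or from Microsoft's documentation). It assumes an AD FS 2016 or later farm where the Security log collects AD FS audit events under the provider name 'AD FS Auditing', and it uses the audit event IDs 1200 (token issued), 1202 (credential validated) and 1203 (credential validation failed). The important caveat, which the script enforces first, is that "no events for the user" only proves that AD FS was bypassed if AD FS auditing was actually switched on during the window you are looking at.

```powershell
# Added example, not part of the original thread.
# Assumptions: AD FS 2016+ (Get-AdfsProperties exposes AuditLevel), the Security log on this
# server holds AD FS audits from provider 'AD FS Auditing', and the audit events 1200/1202/1203
# carry the user's UPN in their message text.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # user who signed in with an app password
    [int]$LookbackHours = 24                            # window around the app-password sign-in
)

# 1. Refuse to draw a conclusion if auditing is off: an empty log would then mean nothing.
$props = Get-AdfsProperties
if ($props.AuditLevel -notcontains 'Basic' -and $props.AuditLevel -notcontains 'Verbose') {
    Write-Warning "AD FS auditing is not enabled (AuditLevel = $($props.AuditLevel -join ','))."
    Write-Warning "Enable it, reproduce the app-password sign-in, then re-run:"
    Write-Warning "  Set-AdfsProperties -AuditLevel Verbose"
    Write-Warning '  auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable'
    return
}

# 2. Pull every token-issuance / credential-validation audit for the window and keep only
#    the ones that mention this user. Get-WinEvent throws when nothing matches, hence the
#    -ErrorAction; an empty result is exactly what we expect for an app-password sign-in.
$filter = @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = 1200, 1202, 1203
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}
$userEvents = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($UserPrincipalName) }

# 3. Report. Any 1200/1202/1203 for the user means AD FS processed a credential for them;
#    none at all, while the cloud-side sign-in succeeded, means Azure AD verified the
#    app password itself and never redirected to the federated STS.
if (-not $userEvents) {
    Write-Output "No AD FS authentication audits for $UserPrincipalName in the last $LookbackHours h."
    Write-Output "If that user's app-password sign-in succeeded in this window, AD FS was bypassed:"
    Write-Output "the credential was validated by Azure AD (cloud authentication), not by the federated STS."
    return
}

$userEvents |
    Group-Object Id |
    ForEach-Object {
        $label = switch ([int]$_.Name) {
            1200 { 'token issued' }
            1202 { 'credential validated' }
            1203 { 'credential validation FAILED' }
        }
        Write-Output ("{0} x event {1} ({2}) for {3}" -f $_.Count, $_.Name, $label, $UserPrincipalName)
    }
$userEvents | Select-Object TimeCreated, Id, MachineName | Sort-Object TimeCreated | Format-Table -AutoSize
```

Run it on each AD FS server in the farm (or against collected Security logs), because the sign-in could have been serviced by any node behind the load balancer. For the positive half of the test, compare with the same user's entries in the Azure AD sign-in logs for the same window: the app-password sign-in should appear there while leaving no trace on AD FS, which is also why AD FS-side controls (issuance authorization rules, the on-premises Azure MFA Server policy, AD FS lockout) do not apply to it.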
