
Azure enterprise application with Azure MFA and not our ADFS server

Pedro Lingual
Occasional Visitor

Is this possible?

We have our domain federated with ADFS; this is for our O365 users. So when logging on to O365, home realm discovery pushes us to ADFS for authentication.

Now I want to use SAML/Azure MFA against an enterprise application which we have created in Azure. When our enterprise application redirects users to Azure for authentication, rather than being authenticated with Azure MFA we enter our email address and again home realm discovery pushes us to ADFS.

How can I have it so that O365 is authenticated with ADFS, but our enterprise application uses Azure MFA and doesn't redirect to ADFS via HRD? Do I need a conditional access policy set against the enterprise application?


https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

Thanks

1 Reply

Hello Pedro,

I don't think this is possible. If your domain is federated with AD FS, then the 1st authentication factor will be redirected to your on-premises AD, regardless of whether it's an enterprise app or not. MFA is triggered after a successful authentication token is granted (whether on premises or AAD). CA does have the option to not offer MFA in some conditions, but I'm not sure you want to do that. Are your enterprise application users coming in from the Intranet?
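The following PowerShell is an added example, not code from either poster. It shows the two checks a practitioner would run before deciding on a conditional access policy for this scenario: first, whether the domain is federated and whether the federation trust is flagged as already performing MFA (`SupportsMfa`), since that flag makes Azure AD accept the AD FS MFA claim instead of prompting Azure MFA; second, a conditional access policy that requires MFA only for one enterprise application, so Office 365 keeps its current behaviour while the app gets an Azure MFA step after the AD FS first factor. It assumes the MSOnline and AzureADPreview modules are installed and that `$domain` and `$appId` are replaced with the real verified domain and the enterprise application's application (client) ID; both values below are placeholders.

```powershell
# Added example (not from the original thread). Requires MSOnline and AzureADPreview.
# Placeholders: replace with your own verified domain and enterprise app's client ID.
$domain = "contoso.com"
$appId  = "00000000-0000-0000-0000-000000000000"

Connect-MsolService
Connect-AzureAD

# 1. Confirm what home realm discovery will do for this domain.
#    Authentication = "Federated" means the first factor always goes to AD FS,
#    for every application, because HRD keys on the domain of the UPN, not the app.
$dom = Get-MsolDomain -DomainName $domain
"{0}: Authentication={1}" -f $dom.Name, $dom.Authentication

if ($dom.Authentication -eq "Federated") {
    $fed = Get-MsolDomainFederationSettings -DomainName $domain
    "Passive logon URI : {0}" -f $fed.PassiveLogOnUri
    # SupportsMfa=True tells Azure AD that AD FS already did MFA, so Azure MFA
    # will NOT be prompted even if a conditional access policy requires it.
    # Leave it False (the default) when you want Azure MFA to run for this app.
    "SupportsMfa       : {0}" -f $fed.SupportsMfa
}

# 2. Scope an MFA grant control to the one enterprise application only.
#    This does not bypass AD FS for the first factor; it adds the Azure MFA
#    step after AD FS returns the token for this app.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $appId
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "mfa"

# Start in report-only so the sign-in logs show what would happen before enforcing.
New-AzureADMSConditionalAccessPolicy -DisplayName "MFA for enterprise app $appId" `
    -State "EnabledForReportingButNotEnforced" `
    -Conditions $conditions `
    -GrantControls $controls
```

After the policy is created, test with a user who signs in from outside the corporate network and check the Azure AD sign-in log for that application: the "Conditional Access" tab shows whether the policy matched, and the authentication details show whether the MFA requirement was satisfied by Azure MFA or by a claim from AD FS. If the log shows MFA satisfied by the federated IdP, the `SupportsMfa` setting or an AD FS MFA claim is what is suppressing Azure MFA, not the policy.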
