cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Hybrid Azure AD MFA with password sync, so on-prem MFA server plus cloud

Han Valk
Copper Contributor

‎Jul 27 2017 06:52 AM - last edited on ‎Jan 14 2022 05:30 PM by

‎Jul 27 2017 06:52 AM - last edited on ‎Jan 14 2022 05:30 PM by

Hybrid Azure AD MFA with password sync, so on-prem MFA server plus cloud

I want to use Azure AD MFA for users in the following way:

Users including password hashes are synced to Azure AD using AAD Connect.

There is no ADFS trust between on-prem ADFS en Azure AD.

On-prem resources are secured using on-prem MFA server in combination with Azure AD, ADFS, Netscaler, RADIUS, etc.

Cloud resources, like Office 365 and other Azure AD integrated applications, are secured purely using the Azure AD MFA cloud service.

 

So John Doe accesses e.g. Office 365 related services and the on-prem MFA server is not used, can even be down and still John is authenticated properly because his password hash in in Azure AD and the on-prem facility is not used.

 

Now John Doe accesses an on-prem resource and MFA is done through the on-prem MFA server together with Azure AD to perform calling, texting-ing, etc.

 

Can this be done, a hybrid Azure AD MFA?

The obvious disadvantage is that there is no SSO like with ADFS, I don't want to use Seamless SSO, correct assumption?

Any other disadvantages?

 

 

 

8,397 Views
0 Likes
2 Replies
Reply
2 Replies
Michael Van Horenbeeck

‎Jul 27 2017 09:45 AM

‎Jul 27 2017 09:45 AM

Re: Hybrid Azure AD MFA with password sync, so on-prem MFA server plus cloud

Not sure what the real question is. But if you're asking if you can do MFA in the cloud without having to use MFA on-premises, the answer is yes. You could, as you suggested, use the MFA server to have on-premises resources authenticate using Azure MFA.

 

Cheers,

 

-Michael

1 Like
Reply
Vasil Michev

‎Jul 27 2017 11:04 AM

‎Jul 27 2017 11:04 AM

Re: Hybrid Azure AD MFA with password sync, so on-prem MFA server plus cloud

Yup, you can mix and match the on-prem and cloud MFA enforcement, and even bypass or force double-MFA as needed. You will have to take care of the AD FS claims rules configuration though, to avoid some issues. Read about the -SupportsMFA switch for example here: https://blogs.technet.microsoft.com/bulentozkir/2016/05/01/office-365-customers-who-have-adfs-instal...

0 Likes
Reply