Home

Hybrid Azure AD MFA with password sync, so on-prem MFA server plus cloud

%3CLINGO-SUB%20id%3D%22lingo-sub-90824%22%20slang%3D%22en-US%22%3EHybrid%20Azure%20AD%20MFA%20with%20password%20sync%2C%20so%20on-prem%20MFA%20server%20plus%20cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-90824%22%20slang%3D%22en-US%22%3E%3CP%3EI%20want%20to%20use%20Azure%20AD%20MFA%20for%20users%20in%20the%20following%20way%3A%3C%2FP%3E%3CP%3EUsers%20including%20password%20hashes%20are%20synced%20to%20Azure%20AD%20using%20AAD%20Connect.%3C%2FP%3E%3CP%3EThere%20is%20%3CSTRONG%3Eno%3C%2FSTRONG%3E%20ADFS%20trust%20between%20on-prem%20ADFS%20en%20Azure%20AD.%3C%2FP%3E%3CP%3EOn-prem%20resources%20are%20secured%20using%20%3CSTRONG%3Eon-prem%3C%2FSTRONG%3E%20MFA%20server%20in%20combination%20with%20Azure%20AD%2C%20ADFS%2C%20Netscaler%2C%20RADIUS%2C%20etc.%3C%2FP%3E%3CP%3ECloud%20resources%2C%26nbsp%3Blike%20Office%20365%20and%20other%20Azure%20AD%20integrated%20applications%2C%26nbsp%3Bare%20secured%20%3CSTRONG%3Epurely%3C%2FSTRONG%3E%20using%20the%20Azure%20AD%20MFA%20cloud%20service.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20John%20Doe%20accesses%20e.g.%20%3CSTRONG%3EOffice%20365%3C%2FSTRONG%3E%20related%20services%20and%20the%20on-prem%20MFA%20server%20is%20%3CSTRONG%3Enot%3C%2FSTRONG%3E%20used%2C%20can%20even%20be%20down%20and%20still%20John%20is%20authenticated%20properly%20because%20his%20password%20hash%20in%20in%20Azure%20AD%20and%20the%20on-prem%20facility%20is%20%3CSTRONG%3Enot%3C%2FSTRONG%3E%20used.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20John%20Doe%20accesses%20an%20%3CSTRONG%3Eon-prem%3C%2FSTRONG%3E%20%3CSTRONG%3Eresource%3C%2FSTRONG%3E%20and%20MFA%20is%20done%20through%20the%20%3CSTRONG%3Eon-prem%20MFA%20server%3C%2FSTRONG%3E%20together%20with%26nbsp%3BAzure%20AD%20to%20perform%20calling%2C%20texting-ing%2C%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20this%20be%20done%2C%20a%20hybrid%20Azure%20AD%20MFA%3F%3C%2FP%3E%3CP%3EThe%20obvious%20disadvantage%20is%20that%20there%20is%20no%20SSO%20like%20with%20ADFS%2C%20I%20don't%20want%20to%20use%20Seamless%20SSO%2C%20correct%20assumption%3F%3C%2FP%3E%3CP%3EAny%20other%20disadvantages%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-90824%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-90925%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20MFA%20with%20password%20sync%2C%20so%20on-prem%20MFA%20server%20plus%20cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-90925%22%20slang%3D%22en-US%22%3E%3CP%3EYup%2C%20you%20can%20mix%20and%20match%20the%20on-prem%20and%20cloud%20MFA%20enforcement%2C%20and%20even%20bypass%20or%20force%20double-MFA%20as%20needed.%20You%20will%20have%20to%20take%20care%20of%20the%20AD%20FS%20claims%20rules%20configuration%20though%2C%20to%20avoid%20some%20issues.%20Read%20about%20the%20-SupportsMFA%20switch%20for%20example%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fbulentozkir%2F2016%2F05%2F01%2Foffice-365-customers-who-have-adfs-installed-can-do-simple-filtered-mfa-using-adfs-claim-rules%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fbulentozkir%2F2016%2F05%2F01%2Foffice-365-customers-who-have-adfs-installed-can-do-simple-filtered-mfa-using-adfs-claim-rules%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-90889%22%20slang%3D%22en-US%22%3ERe%3A%20Hybrid%20Azure%20AD%20MFA%20with%20password%20sync%2C%20so%20on-prem%20MFA%20server%20plus%20cloud%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-90889%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20sure%20what%20the%20real%20question%20is.%20But%20if%20you're%20asking%20if%20you%20can%20do%20MFA%20in%20the%20cloud%20without%20having%20to%20use%20MFA%20on-premises%2C%20the%20answer%20is%20yes.%26nbsp%3BYou%20could%2C%20as%20you%20suggested%2C%20use%20the%20MFA%20server%20to%20have%20on-premises%20resources%20authenticate%20using%20Azure%20MFA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-Michael%3C%2FP%3E%3C%2FLINGO-BODY%3E
Han Valk
Occasional Contributor

I want to use Azure AD MFA for users in the following way:

Users including password hashes are synced to Azure AD using AAD Connect.

There is no ADFS trust between on-prem ADFS en Azure AD.

On-prem resources are secured using on-prem MFA server in combination with Azure AD, ADFS, Netscaler, RADIUS, etc.

Cloud resources, like Office 365 and other Azure AD integrated applications, are secured purely using the Azure AD MFA cloud service.

 

So John Doe accesses e.g. Office 365 related services and the on-prem MFA server is not used, can even be down and still John is authenticated properly because his password hash in in Azure AD and the on-prem facility is not used.

 

Now John Doe accesses an on-prem resource and MFA is done through the on-prem MFA server together with Azure AD to perform calling, texting-ing, etc.

 

Can this be done, a hybrid Azure AD MFA?

The obvious disadvantage is that there is no SSO like with ADFS, I don't want to use Seamless SSO, correct assumption?

Any other disadvantages?

 

 

 

2 Replies

Not sure what the real question is. But if you're asking if you can do MFA in the cloud without having to use MFA on-premises, the answer is yes. You could, as you suggested, use the MFA server to have on-premises resources authenticate using Azure MFA.

 

Cheers,

 

-Michael

Yup, you can mix and match the on-prem and cloud MFA enforcement, and even bypass or force double-MFA as needed. You will have to take care of the AD FS claims rules configuration though, to avoid some issues. Read about the -SupportsMFA switch for example here: https://blogs.technet.microsoft.com/bulentozkir/2016/05/01/office-365-customers-who-have-adfs-instal...

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
36 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies