SOLVED

App passwords in a federated tenant using ADFS and Azure MFA server

Frequent Contributor

Does anyone know if App Passwords work in a federated tenant using ADFS and on-premises Azure MFA Server? As per my understanding, app passwords are a cloud-only account feature and do not work for federated accounts.


For federated accounts, authentication is handled by ADFS, which has no knowledge of app passwords.


Is this correct?

3 Replies

Yes and no. App passwords basically bypass AD FS, as authentication happens directly against Azure AD. 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication-get-started-adfs


Thanks @Vasil Michev. This is not a very well documented scenario by Microsoft. Most of the documentation states that AAD first does home realm discovery and then redirects the user to the federated STS for authentication.


With App Passwords, AAD must also be checking whether the authentication request is made with an app password and thus doesn't redirect to the federated STS. I guess that's what they mean by 'App passwords are verified using cloud authentication, so they bypass federation.'


Do you think this assumption (I am calling this an assumption as I can't find it documented anywhere) is what happens in practice, i.e. AAD checks if the auth request is with an app password and thus doesn't redirect to the federated STS?

Best Response confirmed by Gurdev Singh (Frequent Contributor)
Solution

Yes, that's pretty much it. You can easily confirm it by checking the event logs on the AD FS server, where you should see no requests at all associated with the user using the app password. Which is just one of the many reasons you should not be using app passwords...
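The check suggested in the accepted answer, written out as an added example (it is not code from the thread or from Microsoft): a PowerShell function you run on the AD FS server that looks for audit events naming a given user in a time window. It assumes AD FS on Windows Server 2016 or later with auditing turned on (`Set-AdfsProperties -AuditLevel Verbose` plus the "Application Generated" audit subcategory enabled through auditpol), in which case the "AD FS Auditing" provider writes event 1200 (token issued) and 1202 (credential validated) to the Security log, and failed credential validation lands in AD FS/Admin as event 411. The user name `user@contoso.com` and the 15-minute window are placeholders.

```powershell
# Added example, not from the thread. Reports whether AD FS recorded any sign-in activity
# for a user since a given time. Run on the AD FS server right after the client signs in.
# Assumes AD FS 2016+ with auditing enabled; event IDs: 1200 token issued, 1202 credential
# validated (Security log, provider "AD FS Auditing"), 411 failed credential validation (AD FS/Admin).
function Test-AdfsSawUser {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # placeholder, e.g. user@contoso.com
        [datetime] $Since = (Get-Date).AddHours(-1)
    )

    # Successful token issuance / credential validation audited into the Security log
    $security = Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        Id           = 1200, 1202
        StartTime    = $Since
    } -ErrorAction SilentlyContinue

    # Failed credential validation in the AD FS admin channel
    $admin = Get-WinEvent -FilterHashtable @{
        LogName   = 'AD FS/Admin'
        Id        = 411
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    # Keep only events whose message mentions the UPN (match is case-insensitive by default)
    $hits = @(@($security) + @($admin) | Where-Object {
        $_.Message -match [regex]::Escape($UserPrincipalName)
    })

    [pscustomobject]@{
        User       = $UserPrincipalName
        Since      = $Since
        EventCount = $hits.Count
        SeenByAdfs = ($hits.Count -gt 0)
        Events     = $hits | Select-Object TimeCreated, Id, LogName
    }
}

# Usage: sign in with the app password from the client, then run this on the AD FS server.
# SeenByAdfs = $false while the sign-in succeeded means the request never reached AD FS,
# i.e. it was validated by cloud authentication and any AD FS-side MFA policy did not apply.
Test-AdfsSawUser -UserPrincipalName 'user@contoso.com' -Since (Get-Date).AddMinutes(-15)
```

Comparing the result with a normal interactive sign-in by the same user (which should produce 1200/1202 events) makes the difference visible, and the same function doubles as a quick way to spot accounts whose traffic is bypassing the federation server's controls.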