Jan 03 2019 - last edited on Jan 14 2022
Is it possible to use Azure Cloud MFA, but for certain on-premises apps which I'm not allowed or able to publish through Azure App Proxy, use the Azure MFA Server within the same tenant and with the same user IDs? Or do I have to choose one or the other?
Jan 04 2019 02:58 AM
Yes, you can mix and match the on-prem MFA server and Azure MFA enforcement for specific apps, and even bypass or force double-MFA as needed. You will have to take care of the ADFS claims rules configuration though, to avoid some issues.
Jan 04 2019 03:29 AM
Jan 04 2019 09:25 AM - edited Jan 04 2019 09:26 AM
Please try to avoid deploying the MFA Server. This product will be deprecated in the not too distant future.
Have you considered using the Azure MFA NPS extension? I've recently deployed the extension for Citrix 2FA via Netscaler and it works really well. What workloads are you wanting to use MFA for?
Jan 05 2019 10:42 PM
You need to create an ADFS rule that avoids the request for the traffic that does not pass through ADFS directly, but with this configuration you may create a lot of maintenance and management issues around this approach.
Try to work with one IDP and point all applications and requests to this IDP, including on-premises ones.
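For the per-application ADFS rule the reply refers to, here is an added example (not posted by anyone in this thread) that scopes an ADFS additional authentication requirement to one relying party from PowerShell on the federation server; the relying party name is a placeholder.

```powershell
# Added example: scope ADFS-triggered MFA to a single relying party (on-prem app).
# Assumes the ADFS PowerShell module on the federation server; the RP name is a placeholder.
$rpName = "OnPremApp-Placeholder"

# Additional authentication rule: demand the "multipleauthn" method only when the
# request does not carry insidecorporatenetwork=true (i.e. it arrives via the proxy).
$mfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Apply the rule to this relying party only, leaving the global policy untouched.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# Check: only the intended RP should show a rule; every other RP stays empty, so users of
# apps already enforced by Azure MFA are not prompted a second time at ADFS.
Get-AdfsRelyingPartyTrust | Select-Object Name, AdditionalAuthenticationRules
```

Re-run the final check after any change to the global additional authentication rules, since a global rule plus a per-RP rule is exactly how the double-MFA prompt the thread warns about appears.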
Jan 06 2019 01:09 AM
Thanks, that sounds like something I will check out further.
With regard to your statement, is there already a little more evidence somewhere on until when MS will support MFA Server?
Jan 06 2019 11:21 AM
At least for 2019 the product will not be retired, but from time to time Microsoft deprecates some features.
My recommendation to you, if you're planning for the long run: it will be better to work with Azure AD as your IDP and manage all identities from one place. Of course, you can connect many applications, local VPN solutions and other environments to Azure AD and work with one identity.
Jan 06 2019 01:03 PM
@Eli Shlomo – thanks for sharing the links.
@Ueli Zimmermann - the Azure MFA feature program manager has some insightful comments on Reddit:
“There isn't any engineering effort going into MFA server, and eventually it will end of life. All of our work is going into Azure MFA and features like conditional access policy...”
“Eventually, yes, Azure MFA Server will probably be deprecated in favour of the cloud-only Azure MFA service. However, we wouldn't do this until we have feature parity in cloud-only Azure MFA, and a reasonable migration path. We also wouldn't do this without advance notice: I'm not completely sure (I'll find out and report back), but I'm pretty sure this will be at least 1 year. There are still some features we haven't quite finished yet which are only available in Azure MFA Server but not in the cloud-only service (PIN mode, pre-registration, OATH token support, etc.), but we're working on it.”
So I wouldn’t be overly concerned if you’ve already deployed MFA Server, however to avoid migrating in the future, I’d recommend opting for the NPS extension or appliances that support direct Azure MFA integration.
Hope this helps,
Jan 06 2019 02:22 PM
Correct information, but Reddit is not yet dependable information and not official from Microsoft, so for the different products it's recommended to work according to Microsoft lifecycle information.
I recommend avoiding working with NPS because it isn't secure enough, and it's better to work on top of SAML with Azure AD. (From experience in the field, the integration with NPS will fail on a first pen test because of the NPS itself and not Azure AD.)
Jan 06 2019 03:26 PM - edited Jan 10 2019 11:32 AM
@Eli Shlomo Sorry, I'll have to politely disagree :)
Looking at authentication from an architectural perspective, now that basic authentication can be blocked using conditional access, customers can start to move away from ADFS and start using Password Hash Sync... but that's a topic for another thread :)
Righty hoo, NPS - completely agree the documentation is a little cryptic and, if implemented incorrectly, could lead to credentials being sent over the wire in clear text.
There are a few more things to tweak on Netscaler and Windows which I'll post in a blog later this week.
Jan 07 2019 12:50 AM
It's OK to disagree.
You cannot compare a reference from Reddit with one from Microsoft Premier, because Microsoft Premier is official and can provide an official reference behind it.
It's better and more secure to work with SAML rather than RADIUS, because RADIUS is potentially a configuration that you can break into.
Azure AD with SAML and ADFS can provide more benefits and more built-in security without breaches.
Jan 08 2019 11:13 AM
Thank you both for this discussion; it certainly helped me to see the different options, and I will probably go back to the drawing board :)
We also have another identity workshop with MS around Feb 2019, so I will certainly follow your lead and also ask the PFE about such options and what could be best for our case.
Jan 10 2019 11:30 AM - edited Jan 10 2019 11:33 AM
Great stuff, a chalk and talk will certainly help break down your scenario :)
I'd also suggest asking about guidance around moving away from ADFS to PHS combined with blocking basic authentication using conditional access. Both are recommended by the product group as best practice.