DUO 3rd party mfa custom control limitations

Hello all

We are currently evaluating using DUO as an MFA provider in Azure along with staged rollout for password hash sync. Everything appears to be working correctly. However, I recently discovered there are some limitations with using 3rd party MFA providers in Azure. I need help understanding exactly what the limitations below mean:

  • They work only after a password has been entered
  • They don’t serve as MFA for step-up authentication in other key scenarios
  • They don’t integrate with end user or administrative credential management functions

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-co...

1 Reply
"They work only after a password has been entered"
The Microsoft Authenticator app for iOS and Android supports a feature called passwordless authentication, where a push notification can be sent as the first factor of authentication instead of the second factor. This feature is not supported for 3rd party MFA providers like DUO, so the article is just letting you know you are sacrificing this cool functionality. To learn more about passwordless auth using the MSFT Authenticator app, check out the article here:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password...

"They don’t serve as MFA for step-up authentication in other key scenarios"
Azure AD Premium P2 has a feature called Azure Identity Protection, which can be used in a way where users only receive MFA prompts when there is a risk like anonymous proxy detection or unfamiliar sign-in properties based on behavioral history. To learn more about the risks that can be mitigated by step-up authentication, read about them here:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protect...
So this article is stating that when you use AIP in this way, it does not support DUO as the step-up authentication. To learn more about Azure Identity Protection policies, check out this article here:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protectio...

"They don’t integrate with end user or administrative credential management functions"
Azure AD Premium P2 has a feature called Azure Privileged Identity Management. This feature does not support 3rd party MFA providers like DUO.
PIM is a 'just-in-time' solution that protects users who are members of Azure and O365 privileged roles such as Global Admin. The concept is that the user will be a standard user, and when and only when they need to perform a privileged task, they go to the PIM website and activate their privileged role through an MFA prompt using the Microsoft Authenticator app. Then they will have the advanced role for a period of time (which you can customize, for example: 1 hour or 8 hours).

There is also another feature that will not work that the documentation neglects to mention, which is Office 365 ATP Plan 2 Attack Simulator, which requires using the Microsoft MFA App.

If you found this helpful, please reward my time by marking this as the best answer.
Thanks,
Joe