SOLVED

Is it possible to use Password Hash Sync with Seamless SSO and DUO MFA?

%3CLINGO-SUB%20id%3D%22lingo-sub-1289953%22%20slang%3D%22en-US%22%3EIs%20it%20possible%20to%20use%20Password%20Hash%20Sync%20with%20Seamless%20SSO%20and%20DUO%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1289953%22%20slang%3D%22en-US%22%3E%3CP%3E%3CBR%20%2F%3EIs%20it%20possible%20to%20have%20applications%20published%20in%20Azure%20Enterprise%20Applications%20and%20use%20Azure%20AD%20password%20hash%20sync%20for%20authentication%20but%20pass%20off%20the%20MFA%20piece%20to%20DUO%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EReference%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fchoose-ad-authn%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fchoose-ad-authn%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EIt%20states%20%22What%20are%20the%20multifactor%20authentication%20options%22.%20Password%20has%20sync%20%2B%20Seamless%20SSO%20supports%20Azure%20MFA%20and%20Custom%20Controls%20with%20condtional%20access.%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20Federation%20with%20ADFS%20supports%20%22Third-party%20MFA%22%20as%20well%20as%20the%20custom%20controls%20with%20conditonal%20access.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EWhen%20I%20initially%20read%20this%2C%20I%20expected%20that%20DUO%20MFA%20is%20only%20supported%20with%20a%20ADFS%20federation.%20However%2C%20upon%20reading%20more%20on%20the%20custom%20controls%2C%20it%20appears%20that%20the%20MFA%20can%20be%20handed%20off%20to%20DUO%20for%20MFA%20and%20still%20use%20the%20Password%20Hash%20sync%2FSeamless%20SSO%20as%20the%20authentication%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1289953%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1290912%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20use%20Password%20Hash%20Sync%20with%20Seamless%20SSO%20and%20DUO%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1290912%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20it%20should%20be%20possible%2C%20although%20the%20experience%20is%20somewhat%20limited.%20And%20they're%20going%20to%20replace%20it%20with%20a%20new%20method%2C%20so%20read%20here%20in%20case%20you%20haven't%20seen%20it%20already%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fwhats-new%23upcoming-changes-to-custom-controls%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fwhats-new%23upcoming-changes-to-custom-controls%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1291776%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20use%20Password%20Hash%20Sync%20with%20Seamless%20SSO%20and%20DUO%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1291776%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20Vasil%2C%20I%20did%20see%20another%20posting%20after%20I%20posted%20this%20question%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdirteam.com%2Fsander%2F2020%2F03%2F25%2Fannounced-azure-mfa-to-offer-more-3rd-party-mfa-features%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdirteam.com%2Fsander%2F2020%2F03%2F25%2Fannounced-azure-mfa-to-offer-more-3rd-party-mfa-features%2F%3C%2FA%3E%26nbsp%3B.%20I'm%20still%20in%20question%20why%2Fwhat%20it%20means%20exactly%20that%20ADFS%20is%20a%20requirement%20for%203rd%20party%20MFA%20while%20Seamless%20SSO%20with%20Hash%20Sync%20supports%20the%20custom%20controls.%20I%20guess%20it's%20because%20the%20Seamless%20SSO%20with%20custom%20controls%20and%203rd%20party%20MFA%20isn't%20truly%20seamless%20as%20dirteam%20pointed%20out%3F%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EToday%2C%203rd-party%20MFA%20solutions%20face%20the%20following%20limitations%3A%3C%2FP%3E%3CUL%3E%3CLI%3E%3CSTRONG%3EThey%20work%20only%20after%20a%20password%20has%20been%20entered%3C%2FSTRONG%3E%3C%2FLI%3E%3CLI%3EThey%20don%E2%80%99t%20serve%20as%20MFA%20for%20step-up%20authentication%20in%20other%20key%20scenarios%3C%2FLI%3E%3CLI%3EThey%20don%E2%80%99t%20integrate%20with%20end%20user%20or%20administrative%20credential%20management%20functions%3C%2FLI%3E%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1292224%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20use%20Password%20Hash%20Sync%20with%20Seamless%20SSO%20and%20DUO%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1292224%22%20slang%3D%22en-US%22%3E%3CP%3EYup%2C%20and%20somewhere%20else%20was%20mentioned%20that%20they%20cannot%20satisfy%20the%20MFA%20claim%20either%2C%20which%20is%20important%20for%20some%20scenarios.%20In%20any%20case%2C%20you%20should%20check%20with%20Duo%20support%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1292917%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20use%20Password%20Hash%20Sync%20with%20Seamless%20SSO%20and%20DUO%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1292917%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F613415%22%20target%3D%22_blank%22%3E%40doeweb%3C%2FA%3EYes%20this%20is%20possible.%20We%20are%20doing%20this%20now.%20We%20have%20DUO%20in%20Azure%20AD%20and%20are%20using%20password%20hash%20sync%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1292948%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20use%20Password%20Hash%20Sync%20with%20Seamless%20SSO%20and%20DUO%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1292948%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F557850%22%20target%3D%22_blank%22%3E%40Skipster%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20there%2C%3C%2FP%3E%3CP%3ESo%20you%20have%20no%20ADFS%20federation%2C%20all%20of%20it%20is%20configured%20with%20a%20Seamless%20SSO%20w%2Fpassword%20hash%20sync%3F%20Have%20you%20experienced%20any%20limitations%20in%20regards%20to%20user%20experiences%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1293952%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20use%20Password%20Hash%20Sync%20with%20Seamless%20SSO%20and%20DUO%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1293952%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F613415%22%20target%3D%22_blank%22%3E%40doeweb%3C%2FA%3EWe%20are%20currently%20testing%20using%20staged%20rollout%20for%20password%20hash%20sync.%20We%20are%20using%20DUO%20as%20an%20MFA%20provider%20in%20Azure%2C%20and%20we%20are%20using%20conditional%20access%20policies%20to%20force%20MFA%20using%20DUO%20provider.%20Its%20working%2C%20however%20im%20a%20little%20unclear%20what%20the%20limitations%20are%3F%20I%20read%20the%20article%20you%20posted%2C%20but%20what%20scenario%20would%20limitations%20mentioned%20in%20the%20article%20apply%20to%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1293960%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20use%20Password%20Hash%20Sync%20with%20Seamless%20SSO%20and%20DUO%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1293960%22%20slang%3D%22en-US%22%3E%3CP%3ECheck%20out%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fupcoming-changes-to-custom-controls%2Fba-p%2F1144696%23%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fupcoming-changes-to-custom-controls%2Fba-p%2F1144696%23%3C%2FA%3E%26nbsp%3Bthere%20is%20also%20people%20responding%20to%20some%20issues%20which%20is%20why%20they%20had%20to%20revert%20back%20to%20ADFS.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F557850%22%20target%3D%22_blank%22%3E%40Skipster%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1293968%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20use%20Password%20Hash%20Sync%20with%20Seamless%20SSO%20and%20DUO%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1293968%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F613415%22%20target%3D%22_blank%22%3E%40doeweb%3C%2FA%3Ei%20just%20saw%20the%20link%20you%20posted.%20Yeah%20doesn't%20look%20like%20its%20possible%20to%20move%203rd%20party%20MFA%20to%20Azure%20until%20the%20new%20features%20are%20rolled%20out.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1295642%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20use%20Password%20Hash%20Sync%20with%20Seamless%20SSO%20and%20DUO%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1295642%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F613415%22%20target%3D%22_blank%22%3E%40doeweb%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHello%3C%2FP%3E%3CP%3EWe%20are%20also%20evaluating%20staged%20rollout%20of%20password%20hash%20sync%20and%20duo%20as%20a%20mfa%20provider%20in%20Azure.%20So%20far%20everything%20appears%20to%20be%20working%20%2C%20however%20i%20see%20there%20are%20some%20known%20limitations%20with%20the%20current%20feature%20in%20Azure.%20Can%20you%20please%20help%20me%20understand%20what%20the%20below%20limitations%20mean%3F%20In%20what%20scenario%20would%20we%20notice%20the%20current%20limitations%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EThey%20work%20only%20after%20a%20password%20has%20been%20entered%3C%2FLI%3E%3CLI%3EThey%20don%E2%80%99t%20serve%20as%20MFA%20for%20step-up%20authentication%20in%20other%20key%20scenarios%3C%2FLI%3E%3CLI%3EThey%20don%E2%80%99t%20integrate%20with%20end%20user%20or%20administrative%20credential%20management%20functions%3C%2FLI%3E%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1295788%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20use%20Password%20Hash%20Sync%20with%20Seamless%20SSO%20and%20DUO%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1295788%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F557850%22%20target%3D%22_blank%22%3E%40Skipster%3C%2FA%3EI%20opened%20up%20a%20proactive%20case%20with%20MS%20and%20asked%20those%20specific%20questions%20and%20he%20didn't%20quite%20understand%20that%20comment%20from%20that%20blog.%20Check%20out%20this%20URL%20and%20look%20towards%20the%20bottom%20of%20some%20people%20having%20issues%20with%20the%20Windows%20Hello%20requiring%20the%20user%20to%20enroll%20with%20MS%20MFA%20instead%20of%20the%20existing%203rd%20party%20MFA%2C%20which%20they%20ended%20up%20having%20to%20resort%20back%20to%20ADFS.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fupcoming-changes-to-custom-controls%2Fba-p%2F1144696%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fupcoming-changes-to-custom-controls%2Fba-p%2F1144696%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor


Is it possible to have applications published in Azure Enterprise Applications and use Azure AD password hash sync for authentication but pass off the MFA piece to DUO?

 

Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

It states "What are the multifactor authentication options". Password has sync + Seamless SSO supports Azure MFA and Custom Controls with condtional access.

And Federation with ADFS supports "Third-party MFA" as well as the custom controls with conditonal access.

When I initially read this, I expected that DUO MFA is only supported with a ADFS federation. However, upon reading more on the custom controls, it appears that the MFA can be handed off to DUO for MFA and still use the Password Hash sync/Seamless SSO as the authentication?

10 Replies
Highlighted

Yes, it should be possible, although the experience is somewhat limited. And they're going to replace it with a new method, so read here in case you haven't seen it already: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new#upcoming-changes-to-c... 

Highlighted

Thank you Vasil, I did see another posting after I posted this question: https://dirteam.com/sander/2020/03/25/announced-azure-mfa-to-offer-more-3rd-party-mfa-features/ . I'm still in question why/what it means exactly that ADFS is a requirement for 3rd party MFA while Seamless SSO with Hash Sync supports the custom controls. I guess it's because the Seamless SSO with custom controls and 3rd party MFA isn't truly seamless as dirteam pointed out? 

Today, 3rd-party MFA solutions face the following limitations:

  • They work only after a password has been entered
  • They don’t serve as MFA for step-up authentication in other key scenarios
  • They don’t integrate with end user or administrative credential management functions
Highlighted
Solution

Yup, and somewhere else was mentioned that they cannot satisfy the MFA claim either, which is important for some scenarios. In any case, you should check with Duo support as well.

Highlighted

@doewebYes this is possible. We are doing this now. We have DUO in Azure AD and are using password hash sync

Highlighted

@Skipster 

Hi there,

So you have no ADFS federation, all of it is configured with a Seamless SSO w/password hash sync? Have you experienced any limitations in regards to user experiences?

Highlighted

@doewebWe are currently testing using staged rollout for password hash sync. We are using DUO as an MFA provider in Azure, and we are using conditional access policies to force MFA using DUO provider. Its working, however im a little unclear what the limitations are? I read the article you posted, but what scenario would limitations mentioned in the article apply to?

Highlighted

Check out: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-co... there is also people responding to some issues which is why they had to revert back to ADFS. @Skipster 

Highlighted

@doewebi just saw the link you posted. Yeah doesn't look like its possible to move 3rd party MFA to Azure until the new features are rolled out.

Highlighted

@Vasil Michev @doeweb 

 

Hello

We are also evaluating staged rollout of password hash sync and duo as a mfa provider in Azure. So far everything appears to be working , however i see there are some known limitations with the current feature in Azure. Can you please help me understand what the below limitations mean? In what scenario would we notice the current limitations ?

 

  • They work only after a password has been entered
  • They don’t serve as MFA for step-up authentication in other key scenarios
  • They don’t integrate with end user or administrative credential management functions
Highlighted

@SkipsterI opened up a proactive case with MS and asked those specific questions and he didn't quite understand that comment from that blog. Check out this URL and look towards the bottom of some people having issues with the Windows Hello requiring the user to enroll with MS MFA instead of the existing 3rd party MFA, which they ended up having to resort back to ADFS.

 

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-co...