Upcoming changes to Custom Controls

Product Announcements

An update on our work to enable use of third-party MFA providers with Azure AD.

Howdy folks,

 

Today, I would like to update you on our work to enable use of third-party multi-factor authentication (MFA) providers with Azure Active Directory (Azure AD). Customers have asked to use their existing third-party MFA investments with Azure AD. We provided a preview of this capability by extending Conditional Access through custom controls. Based on customer feedback, it is clear that this approach is too limited, so we are redesigning the feature to ensure we can give you all the functionality you’ve asked for.

 

We are planning to replace the current preview with an approach that will allow partner-provided authentication capabilities to work seamlessly with the Azure AD administrator and end-user experiences. Today, partner MFA solutions invoked through a custom control can only run after a password has been entered, don't produce the MFA claim that step-up authentication and other key scenarios rely on, and don't integrate with end-user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios including registration, usage, MFA claims, step-up authentication, reporting, and logging.
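The "MFA claims" item in that list matters more than it looks: a relying party that needs to know whether a sign-in was multi-factor reads the token's amr (authentication methods references) claim, and the point of the redesign is to let a partner factor satisfy that claim the way the built-in factor does. As an added example (not code from this post or from Microsoft), the following Python decodes a token's amr claim and reports whether MFA was asserted. The tokens are constructed for the example, the tenant and app ids in them are placeholders, and the decoder deliberately skips signature verification, which is acceptable only for inspecting a token you obtained yourself.

```python
"""Inspect which authentication methods Azure AD asserted for a sign-in.

Added example for this post (not Microsoft's code). Azure AD tokens carry an
"amr" (authentication methods references) claim; "pwd" means a password was
used and "mfa" means the directory counted the sign-in as multi-factor.
The sample tokens built here are constructed for the example and carry no
signature, so decode_unverified_claims() must only be used to *inspect* a
token you already hold, never to accept one.
"""
from __future__ import annotations

import base64
import json
import time

# The "amr" value that marks a multi-factor sign-in.
MFA_METHOD = "mfa"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT checking its signature.

    Good enough to read what a token you already hold says about your own
    sign-in; an app that relies on the claims must validate signature,
    issuer, audience and expiry with a proper JWT library instead.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def asserts_mfa(claims: dict) -> bool:
    """True when the directory asserted multi-factor authentication."""
    amr = claims.get("amr", [])
    if not isinstance(amr, list):
        raise ValueError("amr claim must be a list of method references")
    return MFA_METHOD in amr


def make_sample_token(amr: list[str]) -> str:
    """Build an unsigned (alg 'none') sample token; constructed, not a real Azure AD token."""
    header = {"alg": "none", "typ": "JWT"}
    now = int(time.time())
    payload = {
        # Placeholder tenant id and app id, not real identifiers.
        "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
        "aud": "00000000-0000-0000-0000-000000000001",
        "iat": now,
        "exp": now + 3600,
        "amr": amr,
    }
    segments = [json.dumps(header).encode(), json.dumps(payload).encode()]
    # Empty third segment: alg 'none' carries no signature.
    return ".".join(_b64url_encode(s) for s in segments) + "."


if __name__ == "__main__":
    # Password-only sign-in versus a sign-in where built-in MFA ran.
    for label, methods in (("password only", ["pwd"]), ("password + MFA", ["pwd", "mfa"])):
        claims = decode_unverified_claims(make_sample_token(methods))
        print(f"{label:15s} amr={claims['amr']} mfa_asserted={asserts_mfa(claims)}")
```

Run as a script, the password-only token reports amr=['pwd'] with mfa_asserted=False and the second reports amr=['pwd', 'mfa'] with mfa_asserted=True. A sign-in whose second factor ran through a custom control in the current preview can look like the first case, which is the symptom the comments below describe when Windows Hello for Business enrolment insists on Azure MFA.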

 

The current, limited approach will be supported in preview until the new design is completed, has been through preview, and reaches General Availability. At that point, we will provide time for customers to migrate to the new implementation. Because of the limitations of the current approach, we will not onboard any new providers until the new capabilities are ready.

 

We are working closely with customers and providers and will communicate a timeline as we get closer.

 

We always love to hear your feedback and suggestions and look forward to hearing from you! Let us know what you think in the comments below or reach out to us on Twitter (@azuread). 

 

Best Regards,

Alex Simons (@alex_a_simons)

Corporate Vice President

Microsoft Identity Division

21 Comments
Occasional Contributor

Hi Alex,

Amazing future capabilities, love the possibilities that will take us away from the old static approach to a more modern and dynamic world. Identity (even I(dentity)a(s)C(ode)) is always an essential part; done right, it will have a future impact on how modern software systems are developed, designed, configured, deployed, monitored, integrated and how they utilize modern security concepts. But first and foremost, this will probably put the company in focus; those who own the apartment (tenant), whether it's in the public sector, private sector or international organizations. We need even better possibilities to stop identity theft.

Best regards
MrSmith

New Contributor

Hi @Alex Simons (AZURE), can you give an example of where this capability takes place?

@Alex Simons (AZURE) please ignore, I found one. Great feature! :)

Regular Visitor

Hi Alex - This is good news. We have been using custom controls since they came out, so we have probably experienced first-hand most of the limitations. Due to some of the current limitations we had put ADFS :( back into the authentication flow; hopefully these improvements will allow ADFS to be removed while keeping our third-party MFA.

 

We added ADFS back in to send a static MFA claim, as we hit a problem with Windows Hello requiring the user to enrol in MS MFA because the custom control did not satisfy the "MFA Claim".

New Contributor

This is encouraging news! We have been using the custom controls for over a year now and can relate to some of the challenges mentioned. We'd love to participate in the private preview, whenever you are ready.

Senior Member

Hi Alex,

 

What is the expected timeframe for these new capabilities for 3rd-party MFA to be available to customers, either as public or private preview?

/Rasmus

Occasional Visitor

Hi @Alex Simons (AZURE) ,

 

I second @Rasmus Andersen's question: when is the plan for this to be available? It is already July and we do not have a timeline.

 

We have a 3rd-party vendor partner that needs access to a feature to MFA Microsoft Azure AD accounts directly, and it would be nice if we could use this product in conjunction with yours, the same way companies like DUO already have been able to... The limitations of this method are there, but the functionalities for some companies were just fine.

 

Thanks for any info you can give!

 

Hi @Rasmus Andersen, @GameGeek126 - I've sent you both a message, please check your inbox and let me know if you would like to chat.

Occasional Visitor

I am also very interested in timeline for these planned changes. We are developing some new procedures to support our use of Azure Lighthouse and these changes could be impactful for us.

Senior Member

1) Is this new mechanism going to be applicable per-group or per-user, rather than all-or-nothing for the whole tenant (like AAD Security Defaults is)? At the moment we are using a CA custom control + CA policies to enforce Duo for most of our users, and this is done by scoping the CA policies to security groups. However, we have some accounts that are getting Azure MFA, or no MFA and very strict login restrictions, enforced by other CA policies (service accounts, admin accounts, etc.).

 

If this new mechanism is not equally as granular as requiring a custom control in a CA policy is, then we're about to be in a world of hurt, because it sounds like the ultimate plan is for custom controls to go away period.

 

2) At the moment, when using CA custom controls/policies to enforce Duo, we see that certain things that require MFA (namely Windows Hello for Business) do not work. It seems that it's because it only supports Azure MFA or AD FS + 3rd-party MFA. Anything like setting a sign-in PIN on a HAADJ device won't work because it asks for an Azure MFA code that users simply don't have.

 

Is this one of the scenarios that the new mechanism will now allow to work?

Senior Member

Thanks for this news. We currently use the Symantec VIP custom control and are affected by the above-mentioned limitations, such as the lack of Identity Protection policy support.

 

Are there any further updates or a timeline?

Occasional Visitor

Thank you very much for this information. We'd like to know the details when it is ready.

 

Where should we watch to get new information about this new feature?
Especially, we'd like to know whether this new MFA approach allows the customer to use a 3rd-party IdP via standards or not.
(https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33548755-adding-non-list...)

 

Best Regards,

Regular Visitor

@Inbar Cizer Kobrinsky Hi Inbar, we are also looking to integrate with this feature as a third-party vendor. Can you elaborate on when and how this should be done?

Occasional Visitor

 

We are evaluating Conditional Access for our company.

One of the main features that we would want is:

  defining our own Conditional Access policy criteria. That is, apart from geo-location, IP addresses, Intune status etc., we want to have our own criteria which will validate the request by its own logic.

An example of the logic could be: if the geolocation says Japan && the time is outside working hours && our anti-virus says the device has some malware, block the access.

I can think of 2 ways to do this:

1. Add another option in Conditional Access -> Conditions -> "Custom Policy Check", and have an option to add scripts or pass the request to another validation proxy server.

2. In Conditional Access -> Custom controls, allow us to define our own MFA provider. Basically, like DUO and others who do 2FA, we would want to set up our own validation server which does checks for our custom policies.

I am not sure if there is already a way to do something like this; I couldn't find it in the docs yet.

Can you direct me to anything which could help us achieve C? Is there a plan in future to have

Occasional Visitor

Hello Alex & Inbar,

 

We have a unique biometric (handwriting-based) MFA solution and are interested in integrating as a third-party vendor as well. We have a very large Azure AD customer that is looking to add our MFA capabilities as soon as possible, so we would like to be able to provide a timeline for them. Can you contact me to discuss? Thanks.

 

Best regards,

Contributor

Would love to be part of any private/public preview of this. We are using DUO and would love to swap over to make it more seamless for the users for enrollment, password reset etc.

Also would love to make sure it works as expected with thick apps on mobile devices. We tried to swap the MS Teams apps' MFA to DUO and see constant prompts.

We also are using a custom fingerprint-based 2FA, which we have set up as a second SAML call to that system. Hoping your new method leverages standards like SAML with the ability to choose the attribute you pass.

Why stop at 2 factors? Let us choose our own MFA flow.

Regular Visitor

@Alex Simons (AZURE) 

 

Custom controls don't work with device registration. We have enabled a custom control with PingID and MFA works OK for accessing Outlook/Teams etc., however it doesn't work during device registration.

During device registration the user is redirected to the Azure MFA page instead of Ping and the process errors out. I have tested with Android and iOS so far. These devices are not enrolled in Intune; we just use Intune-WE.

I have also opened a support ticket but it's beyond the support engineers.

Wondering if your team is aware of this and if this will be resolved.

 

 

Thanks

Occasional Visitor

Is Okta one of the supported providers now?

 

We are planning to use this for Intune-WE device registrations as well.

 

Thanks for the response in advance!

Occasional Visitor

Do you have details or updates on the timeline to launch this?

Thanks a lot!

Occasional Contributor

Hi Alex,

Looking forward to being even more Ignite'd, and it's excellent to see even more of the B2C functionality moving into the main tenant through External Identities. In B2C I have utilized the I(dentity)E(xperience)F(ramework) to use other external IdPs as yet another MFA factor. I just love the flexibility of extending the user journeys, making it possible to do a lot more and also handle different external claims, migration and REST calls. The callback concepts through the idp_access_token extend the possibilities even further. With also more future-oriented possibilities to do even greater Conditional Access concepts in the clouds, this journey has just started...

I have also tried out some concepts where you have one cloud identity to many different IdPs, going from a static to a more dynamic concept where you can be in a privileged role just when you need to: the shortest time, similar to the PIM-based concepts. I have also addressed some new concepts to pass the access token more securely through an authentication chain or do a more structured logout concept. Just amazing what you can do in future-oriented proper clouds...

Best regards
MrSmith
Can'tWaitToSeeWhatYourTeamWillShowDuringIgnite

Senior Member

Are there any Ignite sessions that explain and demonstrate these upcoming changes? There's been no new info for half a year.

Occasional Visitor

Hi @Alex Simons (AZURE) ,

 

I participated in the Microsoft Ignite conference, but I am still not sure when GA will be available. In some places we use OneLogin MFA, in others DUO. So we developed our own version of MFA. We want to integrate with Azure AD through Conditional Access / custom controls.

I have similar questions to others: when will GA be available? And how do we onboard our MFA app to become a solution provider for MFA? Thanks.