Upcoming changes to Custom Controls
Published Mar 20 2020 09:00 AM 38.5K Views

Howdy folks,

 

Today, I would like to update you on our work to enable use of third-party multi-factor authentication (MFA) providers with Azure Active Directory (Azure AD). Customers have asked to use their existing third-party MFA investments with Azure AD. We provided a preview of this capability by extending Conditional Access through custom controls. Based on customer feedback, it is clear that this approach is too limited, so we are redesigning the feature to ensure we can give you all the functionality you’ve asked for.

 

We are planning to replace the current preview with an approach which will allow partner-provided authentication capabilities to work seamlessly with the Azure AD administrator and end user experiences. Today, partner MFA solutions can only function after a password has been entered, don’t serve as MFA for step-up authentication on other key scenarios, and don’t integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios including registration, usage, MFA claims, step-up authentication, reporting, and logging.

 

The current, limited approach will be supported in preview until the new design is completed, previewed, and reaches General Availability. At that point, we will provide time for customers to migrate to the new implementation. Because of the limitations of the current approach, we will not onboard any new providers until the new capabilities are ready.

 

We are working closely with customers and providers and will communicate a timeline as we get closer.

 

We always love to hear your feedback and suggestions and look forward to hearing from you! Let us know what you think in the comments below or reach out to us on Twitter (@azuread). 

 

Best Regards,

Alex Simons (@alex_a_simons)

Corporate Vice President

Microsoft Identity Division

59 Comments
Bronze Contributor

Hi Alex,

Amazing future capabilities, love the possibilities that will take us away from the old static approach to a more modern and dynamic world. Identity (even I(dentity)a(s)C(ode)) is always an essential part, done right it will have the future impact on how modern software systems are developed, designed, configured, deployed, monitored, integrated and how they utilize modern security concepts. But first and foremost, this will probably put the company in focus; those who own the apartment (tenant) whether it's in the public sector, private sector or international organizations. We need even better possibilities to stop identity theft.

Best regards
MrSmith

Brass Contributor

.

Copper Contributor

Hi Alex - This is good news. We have been using custom controls since they came out, and we have probably experienced first-hand most of the limitations. Due to some of the current limitations we had put ADFS :( back into the authentication flow; hopefully these improvements will allow ADFS to be removed, while keeping our third party MFA.

 

We added ADFS back in to send a static MFA claim, as we hit a problem with Windows Hello requiring the user to enrol into MS MFA because the custom control did not satisfy the "MFA Claim".

Brass Contributor

This is encouraging news! We have been using the custom controls for over a year now and can relate to some of the challenges mentioned. We'd love to participate in the private preview, whenever you are ready.

Copper Contributor

Hi Alex,

 

What is the expected timeframe for these new capabilities for 3rd party MFA to be available for customers? Either as public or private preview?

/Rasmus

Copper Contributor

Hi @Alex Simons (AZURE) ,

 

I second @Rasmus Andersen's question: when is the plan for this to be available? It is already July and we do not have a timeline.

 

We have a 3rd party Vendor partner that needs access to a feature to MFA Microsoft Azure AD Accounts directly and it would be nice if we could use this product in conjunction with yours the same way companies like DUO already have been able to... The limitations of this method are there but the functionalities for some companies were just fine.

 

Thanks for any info you can give!

 

Hi @Rasmus Andersen, @GameGeek126 - I've sent you both a message, please check your inbox and let me know if you would like to chat.

Copper Contributor

I am also very interested in timeline for these planned changes. We are developing some new procedures to support our use of Azure Lighthouse and these changes could be impactful for us.

Steel Contributor

1) Is this new mechanism going to be applicable per-group or per-user, rather than all-or-nothing for the whole tenant? (like AAD Security Defaults does) At the moment we are using a CA custom control + CA policies to enforce Duo for most of our users, and this is done by scoping the CA policies to security groups. However, we have some accounts that are getting Azure MFA, or no MFA and very strict login restrictions, enforced by other CA policies. (Service accounts, admin accounts, etc)

 

If this new mechanism is not equally as granular as requiring a custom control in a CA policy is, then we're about to be in a world of hurt, because it sounds like the ultimate plan is for custom controls to go away period.

 

2) At the moment, when using CA custom controls/policies to enforce Duo, we see that certain things that require MFA (namely, Windows Hello for Business) do not work. Seems that it's because it only supports Azure MFA or AD FS + 3rd party MFA. Anything like setting a sign-in PIN on a HAADJ device won't work because it asks for an Azure MFA code that users simply don't have.

 

Is this one of the scenarios that the new mechanism will now allow to work?

Copper Contributor

Thanks for this news. We currently use the Symantec VIP custom control and are affected by the above mentioned limitations, such as the lack of Identity Protection policy support.

 

Are there any further updates or a timeline?

Copper Contributor

Thank you very much for this information.  We'd like to know the detail when it is ready.

 

Where should we watch to get new information of this new feature?
Especially, we'd like to know whether this new MFA approach allows the customer to use a 3rd party IdP via standards or not.
(https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33548755-adding-non-list...)

 

Best Regards,

Copper Contributor

@Inbar Cizer Kobrinsky  Hi Inbar, we are also looking to integrate with this feature as a third party vendor. Can you elaborate on when and how this should be done?

Copper Contributor

 

We are evaluating to use Conditional Access for our company.

One of the main features that we would want is:

  defining our own conditional access policy criteria. That is, apart from geo-location, IP addresses, Intune status etc., we want to have our own criteria which will validate the request by its own logic.

An example of the logic could be: if the GeoLocation says Japan && the time is off working hours && our anti-virus says the device has some malware, block the access.

I can think of 2 ways to do this:

1. Add another option in Conditional Access -> Conditions -> "Custom Policy Check". And have an option to add scripts or pass request to another Validation Proxy Server.

2. In Conditional Access -> Custom controls, allow us to define our own MFA provider. Basically, like DUO and others who do 2FA, we would want to setup our own validation server which does checks for our custom policies.

 

I am not sure if there is already a way to do something like this; I couldn't find it in the docs yet.

Can you direct me to anything which could help us achieve C? Is there a plan in future to have 

Copper Contributor

Hello Alex & Inbar,

 

We have a unique biometric (handwriting-based) MFA solution and are interested in integrating as a third-party vendor as well.  We have a very large Azure AD customer that is looking to add our MFA capabilities as soon as possible, so we would like to be able to provide a timeline for them. Can you contact me to discuss?  Thanks.

 

Best regards,

Brass Contributor

Would love to be part of any private/public preview of this. We are using DUO and would love to swap over to make it more seamless for the users for enrollment, password reset etc.

 

Also would love to make sure it works as expected with thick apps on mobile devices. We tried to swap the MS Teams app's MFA to DUO and see constant prompts.

 

We also are using a custom fingerprint based 2FA, which we have set up as a second SAML call to that system. Hoping your new method leverages standards like SAML with the ability to choose the attribute you pass.

 

Why stop at 2 factors? Let us choose our own MFA flow.

Copper Contributor

@Alex Simons (AZURE) 

 

Custom control doesn't work with device registration. We have enabled a custom control with PingID and MFA works OK for accessing Outlook/Teams etc.; however, it doesn't work during device registration.

During device registration the user is redirected to the Azure MFA page instead of Ping and the process errors out. I have tested with Android and iOS so far. These devices are not enrolled in Intune; we just use Intune-WE.

 

I have also opened a support ticket but it's beyond the support engineers.

 

Wondering if your team is aware of this and if this will be resolved.

 

 

Thanks

Copper Contributor

Is Okta one of the supported providers now?

 

We are planning to use this for Intune-WE device registrations as well.

 

Thanks for the response in advance!

Copper Contributor

Do you have details or updates on the timeline to launch this?

Thanks a lot!

Bronze Contributor

Hi Alex,

Looking forward to being even more Ignite'd, and it's excellent to see even more of the B2C functionality moving into the main tenant through external identities. In B2C I have utilized the I(dentity)E(xperience)F(ramework) to use other external IdPs as yet another MFA factor. I just love the flexibility of extending the user journeys; making it possible to do a lot more and also handling different external claims, migration and REST calls. The callback concepts through the idp_access_token extend the possibilities even further. With also more future oriented possibilities to do even greater conditional access concepts in the clouds, this journey has just started...

I have also tried out some concepts where you have one cloud identity to many different IdPs, going from a static to a more dynamic concept where you can be in a privileged role just when you need to: the shortest time, similar to the PIM based concepts. I have also addressed some new concepts to pass the access token more securely through an authentication chain or do a more structured logout concept. Just amazing what you can do in future oriented proper clouds…

Best regards
MrSmith
Can'tWaitToSeeWhatYourTeamWillShowDuringIgnite

Steel Contributor

Are there any Ignite sessions that explain and demonstrate these upcoming changes?  There's been no new info for half a year.

Copper Contributor

Hi @Alex Simons (AZURE) ,

 

I participated in the Microsoft Ignite Conference, but I am still not sure when the GA is available. In some places we are using OneLogin MFA, in some DUO. So we developed our own version of MFA. We want to integrate with Azure AD through conditional access / custom control.

 

I have similar questions to others: when will GA be available? And how do we onboard our MFA app to be part of the solution providers for MFA? Thanks.

Copper Contributor

Do you have any new update on this? We are looking at PingID for MFA so would like to get a sense of timing/roadmap for this before making a decision. 

 

Many thanks.

Copper Contributor

Hi @Alex Simons (AZURE)

 

Any update on the status of this new functionality?  I haven't seen it in the portal, or seen any new announcements about it.

 

Thanks in advance,

Ed

 

Copper Contributor

Any updates?

 

We have a 3rd party provider (WatchGuard AuthPoint) that is required to do things using federation until Microsoft comes out with this “new method”, or until they allow WatchGuard as an authenticating service in custom controls until the service comes out...

 

Prohibiting 3rd party vendors after giving access to vendors like Duo, and then allowing DUO to work while others can’t even get into the new program, causes steep issues with inequitable competition for those who come out with newer competitive products, and allows products like DUO to have an edge over competitors just because they were around longer.

 

Copper Contributor

Hello Alex,

 

We understand that COVID threw a wrench in the development efforts on this project, but we would appreciate an update on the status. It has been almost 10 months since you announced this upcoming capability and our mutual customers have repeatedly been asking us when this will be available. MFA is critical for improving security, but not all MFAs are equally secure (as noted by Alex Weinert in his blog post "It's Time to Hang Up on Phone Transports for Authentication" on 11/20/2020) and pushing users to the limited other MFA providers (like MSFT's Authenticator App) is frustrating and seems to be anti-competitive.

 

Is there either a timeline or guidance on a workaround to incorporate other MFA systems? 

 

Thanks in advance for your reply.

Copper Contributor

Echoing the sentiments above, we are eagerly awaiting more details on this announcement.

 

We are currently utilizing PingID for MFA against Office 365 and have been looking to extend this into other areas of Azure to replace dependencies on the native MFA service. To know that something was in the works to address the limitations with the current preview functionality was great, but it has been frustrating to be in limbo awaiting more details for close to a year now.

 

Any foresight or guidance on when we might expect to hear more would be greatly appreciated.

Copper Contributor

Hi MS Team, almost a year... nothing new... other vendors are still using the preview version, creating a non-competitive environment.

Copper Contributor

Is there any status to this or ?

 

It definitely feels like you are trying to make it harder for vendors to compete with Microsoft MFA and DUO rather than have an integrated solution with partners....

Copper Contributor

I would also like to request a status update on this. We were told by Microsoft that custom controls would become available to our GCC tenant once the JEDI contract was in motion, but ever since that has been put on hold we have been waiting for an answer. Now our MFA provider provided me with this article as an "update" but it hasn't been updated in over a year.

Copper Contributor

Hello @Alex Simons (AZURE),

 

I read on 5/19/21 that Nomidio announced an integration of its web-based MFA system with Microsoft Azure Active Directory (Azure AD). My company similarly has a web-based, biometric authentication solution that we would like to integrate via OpenID Connect with Azure AD.  We have a number of customers who have been asking for this, but we have been on hold waiting for an announcement on how to go about this.  Can you tell us what steps Nomidio went through to become integrated? 

 

Thanks in advance for your response.

Steel Contributor

15 months later, I think the least we can get on this is a brief update. Seems fair enough, yes?

Copper Contributor

Hi @Alex Simons (AZURE) 

 

19 months later, any news for us?

Copper Contributor

21 months later, any news for us?

Brass Contributor

Alex Simons (AZURE) / Microsoft can you please provide an update on this?  Thanks.

Iron Contributor

This thread is laughable now.

They aren’t answering.  This looks like a dead project.

Copper Contributor

 

Waiting too.

Copper Contributor

Hello Alex,

 

We had several requests from our customers regarding the integration of a third-party multi-factor authentication (MFA) provider with Azure Active Directory (Azure AD). As you detailed in this post, Custom Controls is too limited and Microsoft was supposed to be working on a better alternative (that I hope would be equivalent to using Azure MFA).

This has been almost two years now but unfortunately nothing has been announced yet.

I would appreciate to have a clear statement from Microsoft regarding this specific question to know if it is still on the roadmap or not and, in the affirmative, when can we expect a preview?

 

Thanks a lot for reading.

 

Best regards,

Mathieu.

Microsoft

I have created a feedback item on this as it appears there hasn't been any movement on it.  If you are interested in this feature please upvote this feedback item:

 

https://aka.ms/AAfthfq 

Copper Contributor

Hi, NoMoePwds, hope to see some movement about it... But when I click on the feedback item you mentioned, it says that my account does not have access to this feedback....

 

Brass Contributor

same for me .. no access to feedback

Copper Contributor

Same for me, no access to feedback, no access to conditional access, no answer when can we expect a preview. 

 

When will it be available? Can you share any news?

 

Thanks.

Copper Contributor

You need to be signed into the feedback hub to be able to upvote / see the content.   I signed in with a personal account to get it to work for me.  @fmansur @FrankBastone @joseironchip 

Copper Contributor

I got the same error message and have no access to the feedback hub

Copper Contributor

Hello, 

Any update on the program, or a link to another program would be appreciated.

Kind regards

 

Philippe

Iron Contributor

+1 customer this would make A HUGE difference for!!!

Copper Contributor

I’m begging for this to release. We haven’t heard anything for two years but I hope they are still working on this. Any sort of update would be very helpful. 

Brass Contributor

Any update on this folks? Is RSA one of the supported auth providers? 

Copper Contributor

Any word on this, or is it a case of Microsoft waiting for the 'land grab' to plateau before opening it up to potential competition?

Copper Contributor

How many years is it going to take for you to open this up to others or provide the ability to customize login flows with Azure AD like you can with Azure AD B2C?

Steel Contributor

Any updates? We're approaching 3 years here since announcement.

Version history: last update Jul 24 2020 01:17 AM