Home

MFA via app on Sharepoint Online

%3CLINGO-SUB%20id%3D%22lingo-sub-242609%22%20slang%3D%22en-US%22%3EMFA%20via%20app%20on%20Sharepoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-242609%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20already%20protected%20our%20Netscaler%20login%20with%20MFA%20(MFA%20server%20on-prem)%20and%20the%20users%20authenticate%20by%20using%20the%20mobile%20app.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20we're%20ready%20for%20the%20next%20step%20-%20to%20protect%20Sharepoint%20Online%20with%20MFA%20when%20accessing%20from%20external%20networks.%3C%2FP%3E%3CP%3EI%20know%20it's%20possible%20to%20use%20MFA%20by%20configure%20conditional%20access%20policies%20to%20accomplish%20that%26nbsp%3Bbut%20it%20seems%20like%20that%20only%20gives%20me%20MFA%20via%20OTP.%20Am%20I%20missing%20something%20or%20can%20I%20use%20the%20MFA%20server%20that%20I%20already%20have%20on-prem%20and%26nbsp%3Bforce%20users%20to%20authenticate%20by%20using%20the%26nbsp%3Bmobile%20app%20as%20they%20already%20know%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-242609%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-244403%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20via%20app%20on%20Sharepoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-244403%22%20slang%3D%22en-US%22%3E%3CP%3ENo%20no%2C%20that's%20just%20my%20%22expectation%22%2C%20Microsoft%20has%20not%20said%20anything%20about%20deprecation%20yet%2C%20and%20even%20if%20they%20do%2C%20you%20will%20probably%20have%20few%20years%20of%20support%20left.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EKeep%20in%20mind%20that%20the%20available%26nbsp%3Bprimary%2Fsecondary%20auth%20factor%20options%20will%20differ%20depending%20on%20the%20use.%20Afaik%20those%20are%20limited%20for%20the%20RADIUS%20scenario%2C%20similarly%20if%20you%20want%20to%20configure%20Azure%20MFA%20as%20primary%20auth%20when%20using%20AD%20FS%20you%20are%20only%20given%20a%20single%20option.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-242969%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20via%20app%20on%20Sharepoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-242969%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F603%22%20target%3D%22_blank%22%3E%40Adam%20Ochs%3C%2FA%3E%26nbsp%3Band%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3Bfor%20your%20answers.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EActually%20we%20do%20have%20ADFS%20in%20place%20already.%3C%2FP%3E%3CP%3EGood%20to%20know%20that%20the%20full%20MFA%20server%20is%20about%20to%20be%20deprecated.%20Maybe%20it's%20not%20a%20good%20idea%20to%20put%20a%20lot%20of%20work%20into%20it%20if%20we%20need%20to%20move%20the%20service%20later.%3C%2FP%3E%3CP%3EAs%20far%20as%20I%20understand%20Azure%20MFA%20is%20also%20supporting%20the%20mobile%20app%20as%20a%20second%20factor%2C%20right%3F%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-mfa-whichversion%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-mfa-whichversion%3C%2FA%3E%3C%2FP%3E%3CP%3EBut%20I%20haven't%20found%20anywhere%20to%20configure%20that.%20So%20at%20the%20moment%20users%20are%20using%20the%20mobile%20app%20to%20logon%20via%20Netscaler%20to%20the%20Citrix%20Environment%20and%20then%20using%20OTP%20to%20logon%20to%20Sharepoint%20online%20(only%20one%20test%20user%20so%20far).%20But%20if%20we%20just%20can%20use%20the%20mobile%20app%20instead%20of%20OTP%20-%20that%20would%20be%20fine.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-242893%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20via%20app%20on%20Sharepoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-242893%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20MFA%20server%20actually%20supports%20more%20methods%20than%20Azure%20MFA%2C%20including%20using%20the%20mobile%20app.%20It's%20also%20possible%20to%20configure%20it%20for%20true%20%22passwordless%22%20login%2C%20however%20as%20Adam%20mentioned%20below%20you%20will%20need%20to%26nbsp%3Bdeploy%20AD%20FS%20in%20order%20to%20use%20it%20with%20O365%20resources.%20If%20you%20don't%20have%20AD%20FS%20in%20place%2C%20this%20means%20additional%20cost%20for%20deployment%2Foperation%2C%20as%20a%20minimum%20configuration%20would%20require%202%2B2%20servers%20when%20done%20properly.%20On%20the%20other%20hand%2C%20Conditional%20access%20requires%20Azure%20AD%20Premium%20licenses%20for%20each%20user%2C%20and%20if%20you%20aren't%20paying%20for%20AAD%20Prem%2FEMS%20yet%2C%20the%20costs%20there%20might%20be%20even%20higher%20in%20the%20long%20run.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt's%20also%20important%20to%20note%20that%20Microsoft%20is%20slowly%2C%20but%20surely%20moving%20towards%20deprecating%20the%20full%20MFA%20server%20version%20and%20replacing%20it%20with%20Azure%20MFA%2C%20and%20although%20they%20haven't%20actually%20announced%20anything%20yet%2C%20I%20fully%20expect%20this%20to%20happen%20in%20the%20future.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-242736%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20via%20app%20on%20Sharepoint%20Online%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-242736%22%20slang%3D%22en-US%22%3E%3CP%3EHey%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F144477%22%20target%3D%22_blank%22%3E%40Erik%20Lundgren%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20have%20ADFS%20setup%20locally%2C%20you%20could%20do%20the%20equivalent%20of%20conditional%20access%20policies%20you%20see%20in%20Azure%20AD%20through%20the%20ADFS%20server%20that%20would%20force%20MFA.%20You%20would%20just%20need%20to%20setup%20the%20proper%20claims%20rules%20through%20ADFS%20to%20get%20this%20accomplished.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Fbulentozkir%2F2016%2F05%2F01%2Foffice-365-customers-who-have-adfs-installed-can-do-simple-filtered-mfa-using-adfs-claim-rules%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Fbulentozkir%2F2016%2F05%2F01%2Foffice-365-customers-who-have-adfs-installed-can-do-simple-filtered-mfa-using-adfs-claim-rules%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20that%20said%2C%20it%20is%20much%20more%20nuanced%20and%20in%20my%20opinion%20a%20bit%20more%20complicated%20to%20do%20this%2C%20than%20what%20Azure%20AD%20allows%20you%20to%20do%20through%20a%20few%20GUI%20based%20steps.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUltimately%20though%20YES%20you%20can%20do%20what%20you%20are%20asking%2C%20but%20you%20need%20ADFS%20and%20someone%20who%20understands%20the%20claims%20rule%20setup%20enough%20to%20be%20able%20to%20properly%20configure%20one%20to%20require%20MFA%20for%20SharePoint%20based%20on%20IP%20address.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAt%20my%20old%20job%2C%20we%20in%20essence%20had%20the%20reveres%2C%20where%20we%20allowed%20IMAP%20connections%20and%20therefore%20ignored%20modern%20auth%20for%20users%20coming%20from%20our%20local%20offices%2C%20as%20our%20linux%20technicians%20were%20still%20running%20an%20old%20version%20of%20Thunderbird%20for%20their%20email%20and%20couldn't%20modern%20auth.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPersonally%20I%20normally%20with%20my%20clients%20just%20do%20the%20AzureAD%20conditional%20access%20for%20that%20as%20it%20is%20much%20easier%2C%20but%20I%20can%20completely%20understand%20not%20wanting%20to%20switch%20from%20a%20current%20setup.%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Ftechnical-reference%2Fthe-role-of-claim-rules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fidentity%2Fad-fs%2Ftechnical-reference%2Fthe-role-of-claim-rules%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGoodluck!%3C%2FP%3E%3CP%3EAdam%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Erik Lundgren
New Contributor

We have already protected our Netscaler login with MFA (MFA server on-prem) and the users authenticate by using the mobile app.

 

Now we're ready for the next step - to protect Sharepoint Online with MFA when accessing from external networks.

I know it's possible to use MFA by configure conditional access policies to accomplish that but it seems like that only gives me MFA via OTP. Am I missing something or can I use the MFA server that I already have on-prem and force users to authenticate by using the mobile app as they already know? 

4 Replies

Hey @Erik Lundgren,

 

If you have ADFS setup locally, you could do the equivalent of conditional access policies you see in Azure AD through the ADFS server that would force MFA. You would just need to setup the proper claims rules through ADFS to get this accomplished.

 

https://blogs.technet.microsoft.com/bulentozkir/2016/05/01/office-365-customers-who-have-adfs-instal...

 

With that said, it is much more nuanced and in my opinion a bit more complicated to do this, than what Azure AD allows you to do through a few GUI based steps. 

 

Ultimately though YES you can do what you are asking, but you need ADFS and someone who understands the claims rule setup enough to be able to properly configure one to require MFA for SharePoint based on IP address.

 

At my old job, we in essence had the reveres, where we allowed IMAP connections and therefore ignored modern auth for users coming from our local offices, as our linux technicians were still running an old version of Thunderbird for their email and couldn't modern auth.

 

Personally I normally with my clients just do the AzureAD conditional access for that as it is much easier, but I can completely understand not wanting to switch from a current setup. - https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claim...

 

Goodluck!

Adam

 

 

The MFA server actually supports more methods than Azure MFA, including using the mobile app. It's also possible to configure it for true "passwordless" login, however as Adam mentioned below you will need to deploy AD FS in order to use it with O365 resources. If you don't have AD FS in place, this means additional cost for deployment/operation, as a minimum configuration would require 2+2 servers when done properly. On the other hand, Conditional access requires Azure AD Premium licenses for each user, and if you aren't paying for AAD Prem/EMS yet, the costs there might be even higher in the long run.

 

It's also important to note that Microsoft is slowly, but surely moving towards deprecating the full MFA server version and replacing it with Azure MFA, and although they haven't actually announced anything yet, I fully expect this to happen in the future.

Thank you @Adam Ochs and @Vasil Michev for your answers.

 

Actually we do have ADFS in place already.

Good to know that the full MFA server is about to be deprecated. Maybe it's not a good idea to put a lot of work into it if we need to move the service later.

As far as I understand Azure MFA is also supporting the mobile app as a second factor, right?

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-whichversion

But I haven't found anywhere to configure that. So at the moment users are using the mobile app to logon via Netscaler to the Citrix Environment and then using OTP to logon to Sharepoint online (only one test user so far). But if we just can use the mobile app instead of OTP - that would be fine.

 

No no, that's just my "expectation", Microsoft has not said anything about deprecation yet, and even if they do, you will probably have few years of support left.

 

Keep in mind that the available primary/secondary auth factor options will differ depending on the use. Afaik those are limited for the RADIUS scenario, similarly if you want to configure Azure MFA as primary auth when using AD FS you are only given a single option.

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
50 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
32 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
15 Replies
Discussion - Updating our interface with Fluent touches
Elliot Kirk in Discussions on
102 Replies