Azure AD Mailbag: MFA Q&A, Round 2!
Published Sep 06 2018 08:48 PM 1,896 Views

First published on CloudBlogs on Feb, 16 2016

Howdy folks,


Happy Tuesday. I hope all of you in the US enjoyed the President's Day holiday! As a history buff, it's one of my favorites. We're kicking off the week with a new Azure AD Mailbag post, this one going over a second round of Q&A for our MFA service. Hopefully you'll find it useful!


Best regards,

Alex Simons

(Twitter: @Alex_A_Simons )

Director of Program Management Microsoft Identity Products and Services



Hey y'all,


Mark Morowczynski here with another Azure AD Mailbag. We got some good feedback on our previous post on Azure MFA we thought we'd do another round. If there are topics and areas you'd like us to cover let us know on Twitter at @AzureAD , @MarkMorow and @Alex_A_Simons .


On to the questions!


Question: Can I use "insert VPN appliance name here" with Azure MFA Server on-premises? How do I configure it?

Answer: If the VPN appliance supports LDAP or RADIUS then yes. A key thing to keep in mind is being able to configure the timeout value (how long the VPN waits for a response from the MFA Server) or long enough to wait for the MFA to complete.


Please see


Question: Is there a way to extend the timeout interval after the voice greeting?

Answer: Sort of. There is no configurable option to input a phone call timeout. The system waits 10 seconds with no user input after the voice greeting is done playing before timing out. You can record your own voice greeting and leave some blank time in your recording. Then the 10 seconds will start after your message is done. You would have to do this for each language you wanted to extend the timeout for as well.


Question: Is it supported to use Azure MFA with Direct Access?

Answer: I think you are missing the point of Direct Access. The system is supposed to create the access tunnel without any user intervention. But to answer your direct question, no, it is not supported to use with Direct Access.


Question: I have multiple SaaS apps in the Azure AD my apps portal. I'm using conditional access to require MFA authentication for a subset of those applications. If the user launches application 1, completes the MFA challenge response then clicks on application 2 that also requires MFA. Will they have another MFA challenge for the 2nd application?

Answer: No they will not. After completing the first MFA challenge, an MFA claim is added to your access token. That claim is then used to satisfy the MFA requirement for other applications that require MFA during that session.


Question: I have configured the conditional access for an application in Azure AD to require MFA only for that application. However, the user reports to me that every time they authenticate to they are being challenged for an MFA prompt. What's going on?

Answer: You've probably configured the user for MFA. The per-user MFA will overwrite any conditional access MFA you have in place.


Question: We are using the Azure Authenticator application. Is there any way to do custom branding of the app?

Answer: No we do not allow any custom branding of the Azure Authentication application.


We hope you've found this post and this series to be helpful. For any questions you can reach us at, the Microsoft Forums and on Twitter @AzureAD , @MarkMorow and @Alex_A_Simons


-Mark Morowczynski and Shawn Bishop

Version history
Last update:
‎Jul 24 2020 02:06 AM
Updated by: