May 07 2019
- last edited on
Jan 14 2022
Does any one know if App Passwords work in a federated tenant using ADFS and on-premises Azure MFA Server? As per my understanding, app passwords are a cloud only account feature and do not work for federated accounts.
For federated accounts, authentication is handled by ADFS which has no knowledge of app password.
Is this correct?
May 07 2019 10:42 PM
Yes and no. App passwords basically bypass AD FS, as authentication happens directly against Azure AD.
May 08 2019 03:33 PM
Thanks @Vasil Michev. This is not a very well documented scenario by Microsoft. Most of the documentation states that AAD first does home-realm-discovery and then redirects the user to federated STS for authentication.
With App Passwords, then AAD must also be doing a check if authentication request is with an app password and thus don't redirect to federated STS. I guess that's what they mean 'App passwords are verified using cloud authentication, so they bypass federation. '
Do you think this assumption (I am calling this assumption as can't find it documented anywhere) is what happens in practice i.e. AAD checks if auth request is with an app password and thus don't redirect to federated STS?
May 08 2019 11:15 PMSolution
Yes, that's pretty much it. You can easily confirm it by checking the event logs on the AD FS server. where you should see no requests coming at all associated with the user using app password. Which is just one of the many reasons you should not be using app passwords...