Microsoft Tech Community
SOLVED

App passwords in a federated tenant using ADFS and Azure MFA server

Iron Contributor

Does anyone know if App Passwords work in a federated tenant using ADFS and on-premises Azure MFA Server? As per my understanding, app passwords are a cloud-only account feature and do not work for federated accounts.

For federated accounts, authentication is handled by ADFS, which has no knowledge of app passwords.

Is this correct?

3 Replies

Yes and no. App passwords basically bypass AD FS, as authentication happens directly against Azure AD.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication-g...

Thanks @Vasil Michev. This is not a very well documented scenario by Microsoft. Most of the documentation states that AAD first does home-realm discovery and then redirects the user to the federated STS for authentication.

With App Passwords, AAD must then also be checking whether the authentication request uses an app password, and if so not redirecting to the federated STS. I guess that's what they mean by 'App passwords are verified using cloud authentication, so they bypass federation.'

Do you think this assumption (I am calling it an assumption as I can't find it documented anywhere) is what happens in practice, i.e. AAD checks if the auth request is with an app password and thus doesn't redirect to the federated STS?

best response confirmed by Gurdev Singh (Iron Contributor)
Solution

Yes, that's pretty much it. You can easily confirm it by checking the event logs on the AD FS server, where you should see no requests at all associated with the user using the app password. That's just one of the many reasons you should not be using app passwords...
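The confirmation step described in this answer, written out as an added example that is not from the thread: a PowerShell check run on the AD FS server that looks for AD FS auditing events mentioning the user within a time window. It assumes AD FS auditing is enabled (so events 1200/1202/1203 from the "AD FS Auditing" provider land in the Security log), that the user performs only the app-password sign-in during the window, and uses a placeholder UPN.

```powershell
# Added example, not the thread's own code. Run on the AD FS server as an administrator
# after the user has signed in from a client using an app password.
# Assumption: AD FS auditing is enabled (AD FS 2016+: Set-AdfsProperties -AuditLevel Verbose,
# plus the "Application Generated" audit subcategory); otherwise the Security log is empty
# for AD FS and an "all clear" here means nothing.

function Get-AdfsAuthEventsForUser {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [datetime] $Since = (Get-Date).AddMinutes(-15)
    )
    # 1200 = token issued, 1202 = credential validated, 1203 = credential validation failed
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        Id           = 1200, 1202, 1203
        StartTime    = $Since
    }
    # Match the UPN anywhere in the event text; the exact XML layout varies by AD FS version.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($UserPrincipalName) } |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

# Sanity check: without verbose auditing the absence of events proves nothing.
$auditLevel = (Get-AdfsProperties -ErrorAction SilentlyContinue).AuditLevel
if ($auditLevel -and $auditLevel -notcontains 'Verbose') {
    Write-Warning "AD FS AuditLevel is '$auditLevel'; enable Verbose auditing before trusting this check."
}

# Placeholder UPN: replace with the account that just signed in using an app password.
$upn = 'user@contoso.example'
$events = Get-AdfsAuthEventsForUser -UserPrincipalName $upn -Since (Get-Date).AddMinutes(-15)

if (-not $events) {
    "No AD FS authentication events for $upn in the window: the sign-in was handled by Azure AD, not AD FS."
} else {
    "AD FS did see authentication traffic for $upn (a normal federated sign-in, not an app password):"
    $events | Format-Table -AutoSize
}
```

Pair this with the Azure AD sign-in log for the same user and time window, which should show the app-password sign-in succeeding on the cloud side while AD FS stays silent.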
